fix golang filter build (#1966 )

update default enable path suffix in model mapper&router plugin (#1962 )
feat: support nacos mcp registry (#1961 )
2026-02-25 21:21:01 +08:00 · 2025-03-27 16:43:06 +08:00 · 2025-03-27 14:15:11 +08:00 · 2025-03-27 09:41:22 +08:00 · 2025-03-27 00:49:19 +08:00 · 2025-03-27 00:48:24 +08:00
440 changed files with 31852 additions and 6871 deletions
--- a/.github/workflows/build-and-push-wasm-plugin-image.yaml
+++ b/.github/workflows/build-and-push-wasm-plugin-image.yaml
@@ -42,17 +42,19 @@ jobs:
            plugin_type="${{ github.event.inputs.plugin_type }}"
            plugin_name="${{ github.event.inputs.plugin_name }}"
            version="${{ github.event.inputs.version }}"
-            builder_image="higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-rust-builder:rust${{ env.RUST_VERSION }}-oras${{ env.ORAS_VERSION }}"
          else
            ref_name=${{ github.ref_name }}
            plugin_type=${ref_name#*-} # 删除插件类型前面的字段(wasm-)
-            plugin_type=${plugin_type%-*} # 删除插件类型后面的字段(-{plugin_name}-vX.Y.Z)
+            plugin_type=${plugin_type%%-*} # 删除插件类型后面的字段(-{plugin_name}-vX.Y.Z)
            plugin_name=${ref_name#*-*-} # 删除插件名前面的字段(wasm-go-)
            plugin_name=${plugin_name%-*} # 删除插件名后面的字段(-vX.Y.Z)
            version=$(echo "$ref_name" | awk -F'v' '{print $2}')
+          fi
+          if [[ "$plugin_type" == "rust" ]]; then
+            builder_image="higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-rust-builder:rust${{ env.RUST_VERSION }}-oras${{ env.ORAS_VERSION }}"
+          else
            builder_image="higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-go-builder:go${{ env.GO_VERSION }}-tinygo${{ env.TINYGO_VERSION }}-oras${{ env.ORAS_VERSION }}"
          fi
-
          echo "PLUGIN_TYPE=$plugin_type" >> $GITHUB_ENV
          echo "PLUGIN_NAME=$plugin_name" >> $GITHUB_ENV
          echo "VERSION=$version" >> $GITHUB_ENV
@@ -131,8 +133,13 @@ jobs:
          command="
          set -e
          cd /workspace/plugins/wasm-rust/extensions/${PLUGIN_NAME}
-          cargo build --target wasm32-wasi --release
-          cp target/wasm32-wasi/release/*.wasm plugin.wasm
+          if [ -f ./.prebuild ]; then
+            echo 'Found .prebuild file, sourcing it...'
+            . ./.prebuild
+          fi
+          rustup target add wasm32-wasip1
+          cargo build --target wasm32-wasip1 --release
+          cp target/wasm32-wasip1/release/*.wasm plugin.wasm
          tar czvf plugin.tar.gz plugin.wasm
          echo ${{ secrets.REGISTRY_PASSWORD }} | oras login -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin ${{ env.IMAGE_REGISTRY_SERVICE }}
          oras push ${target_image} ${push_command}
--- a/.github/workflows/build-and-test-plugin.yaml
+++ b/.github/workflows/build-and-test-plugin.yaml
@@ -6,11 +6,15 @@ on:
    paths:
      - 'plugins/**'
      - 'test/**'
+      - 'helm/**'
+      - 'Makefile.core.mk'
  pull_request:
    branches: [ "*" ]
    paths:
      - 'plugins/**'
      - 'test/**'
+      - 'helm/**'
+      - 'Makefile.core.mk'
  workflow_dispatch: ~      

 jobs:
@@ -20,7 +24,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
-          go-version: 1.21.5
+          go-version: 1.22
    # There are too many lint errors in current code bases
    # uncomment when we decide what lint should be addressed or ignored.
    # - run: make lint
@@ -47,7 +51,7 @@ jobs:
      - name: "Setup Go"
        uses: actions/setup-go@v5
        with:
-          go-version: 1.21.5
+          go-version: 1.22

      - name: Setup Rust
        uses: actions-rs/toolchain@v1
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -13,7 +13,7 @@ jobs:
    - uses: actions/checkout@v4
    - uses: actions/setup-go@v5
      with:
-        go-version: 1.21.5
+        go-version: 1.22
    # There are too many lint errors in current code bases
    # uncomment when we decide what lint should be addressed or ignored.
    # - run: make lint
@@ -26,7 +26,7 @@ jobs:
    - name: "Setup Go"
      uses: actions/setup-go@v5
      with:
-        go-version: 1.21.5
+        go-version: 1.22

    - name: Setup Golang Caches
      uses: actions/cache@v4
@@ -64,7 +64,7 @@ jobs:
      - name: "Setup Go"
        uses: actions/setup-go@v5
        with:
-          go-version: 1.21.5
+          go-version: 1.22

      - name: Setup Golang Caches
        uses: actions/cache@v4
@@ -111,7 +111,7 @@ jobs:
    - name: "Setup Go"
      uses: actions/setup-go@v5
      with:
-        go-version: 1.21.5
+        go-version: 1.22

    - name: Setup Golang Caches
      uses: actions/cache@v4
--- a/.github/workflows/build-image-and-push.yaml
+++ b/.github/workflows/build-image-and-push.yaml
@@ -1,229 +1,258 @@
-name: Build Docker Images and Push to Image Registry
-
-on:
-  push:
-    tags:
-    - "v*.*.*"
-  workflow_dispatch: ~
-
-jobs:
-  build-controller-image:
-    runs-on: ubuntu-latest
-    environment:
-      name: image-registry-controller
-    env:
-      CONTROLLER_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
-      CONTROLLER_IMAGE_NAME: ${{ vars.CONTROLLER_IMAGE_NAME || 'higress/higress' }}
-    steps:
-      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
-        uses: jlumbroso/free-disk-space@main
-        with:
-          tool-cache: false
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          swap-storage: true
-
-      - name: "Setup Go"
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.21.5
-
-      - name: Setup Golang Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-go
-
-      - name: Calculate Docker metadata
-        id: docker-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.CONTROLLER_IMAGE_REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
-          tags: |
-            type=sha
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
-
-      - name: Login to Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.CONTROLLER_IMAGE_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-
-      - name: Build Docker Image and Push
-        run: |
-          GOPROXY="https://proxy.golang.org,direct" make docker-buildx-push
-          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress"
-          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
-          for image in ${IMAGES[@]}; do
-            echo "Image: $image"
-            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
-          done
-
-  build-pilot-image:
-    runs-on: ubuntu-latest
-    environment:
-      name: image-registry-pilot
-    env:
-      PILOT_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
-      PILOT_IMAGE_NAME: ${{ vars.PILOT_IMAGE_NAME || 'higress/pilot' }}
-    steps:
-      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
-        uses: jlumbroso/free-disk-space@main
-        with:
-          tool-cache: false
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          swap-storage: true
-
-      - name: "Setup Go"
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.21.5
-
-      - name: Setup Golang Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-go
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-
-      - name: Calculate Docker metadata
-        id: docker-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.PILOT_IMAGE_REGISTRY }}/${{ env.PILOT_IMAGE_NAME }}
-          tags: |
-            type=sha
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
-
-      - name: Login to Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.PILOT_IMAGE_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-
-      - name: Build Pilot-Discovery Image and Push
-        run: |
-          GOPROXY="https://proxy.golang.org,direct" make build-istio
-          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/pilot"
-          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
-          for image in ${IMAGES[@]}; do
-            echo "Image: $image"
-            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
-          done
-
-
-  build-gateway-image:
-    runs-on: ubuntu-latest
-    environment:
-      name: image-registry-pilot
-    env:
-      GATEWAY_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
-      GATEWAY_IMAGE_NAME: ${{ vars.GATEWAY_IMAGE_NAME || 'higress/gateway' }}
-    steps:
-      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
-        uses: jlumbroso/free-disk-space@main
-        with:
-          tool-cache: false
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          swap-storage: true
-
-      - name: "Setup Go"
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.21.5
-
-      - name: Setup Golang Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-go
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-
-      - name: Calculate Docker metadata
-        id: docker-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.GATEWAY_IMAGE_REGISTRY }}/${{ env.GATEWAY_IMAGE_NAME }}
-          tags: |
-            type=sha
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
-
-      - name: Login to Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GATEWAY_IMAGE_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}            
-          
-      - name: Build Gateway Image and Push
-        run: |
-          GOPROXY="https://proxy.golang.org,direct" make build-gateway
-          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/proxyv2"
-          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
-          for image in ${IMAGES[@]}; do
-            echo "Image: $image"
-            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
-          done
+name: Build Docker Images and Push to Image Registry
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  build-controller-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-controller
+    env:
+      CONTROLLER_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      CONTROLLER_IMAGE_NAME: ${{ vars.CONTROLLER_IMAGE_NAME || 'higress/higress' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.22
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v4
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.CONTROLLER_IMAGE_REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.CONTROLLER_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Docker Image and Push
+        run: |
+          BUILT_IMAGE=""
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            if [ "$BUILT_IMAGE" == "" ]; then
+              GOPROXY="https://proxy.golang.org,direct" IMG_URL="$image" make docker-buildx-push
+              BUILT_IMAGE="$image"
+            else
+              docker buildx imagetools create $BUILT_IMAGE --tag $image
+            fi
+          done
+
+  build-pilot-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-pilot
+    env:
+      PILOT_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      PILOT_IMAGE_NAME: ${{ vars.PILOT_IMAGE_NAME || 'higress/pilot' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.22
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v4
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v7.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.PILOT_IMAGE_REGISTRY }}/${{ env.PILOT_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.PILOT_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Pilot-Discovery Image and Push
+        run: |
+          BUILT_IMAGE=""
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            if [ "$BUILT_IMAGE" == "" ]; then
+              TAG=${image#*:}
+              HUB=${image%:*}
+              HUB=${HUB%/*}
+              BUILT_IMAGE="$HUB/pilot:$TAG"
+              GOPROXY="https://proxy.golang.org,direct" IMG_URL="$BUILT_IMAGE" make build-istio
+            fi
+            if [ "$BUILT_IMAGE" != "$image" ]; then
+              docker buildx imagetools create $BUILT_IMAGE --tag $image
+            fi
+          done
+
+  build-gateway-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-gateway
+    env:
+      GATEWAY_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      GATEWAY_IMAGE_NAME: ${{ vars.GATEWAY_IMAGE_NAME || 'higress/gateway' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.22
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v4
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v7.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.GATEWAY_IMAGE_REGISTRY }}/${{ env.GATEWAY_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GATEWAY_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Gateway Image and Push
+        run: |
+          BUILT_IMAGE=""
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            if [ "$BUILT_IMAGE" == "" ]; then
+              TAG=${image#*:}
+              HUB=${image%:*}
+              HUB=${HUB%/*}
+              BUILT_IMAGE="$HUB/proxyv2:$TAG"
+              GOPROXY="https://proxy.golang.org,direct" IMG_URL="$BUILT_IMAGE" make build-gateway
+            fi
+            if [ "$BUILT_IMAGE" != "$image" ]; then
+              docker buildx imagetools create $BUILT_IMAGE --tag $image
+            fi
+          done
--- a/.github/workflows/deploy-standalone-to-oss.yaml
+++ b/.github/workflows/deploy-standalone-to-oss.yaml
@@ -20,11 +20,11 @@ jobs:
        name: Prepare Standalone Package
        run: |
          mkdir ./artifact
-          cp ./tools/get-higress.sh ./artifact
          LOCAL_RELEASE_URL="https://github.com/higress-group/higress-standalone/releases"
          VERSION=$(curl -Ls $LOCAL_RELEASE_URL | grep 'href="/higress-group/higress-standalone/releases/tag/v[0-9]*.[0-9]*.[0-9]*\"' | sed -E 's/.*\/higress-group\/higress-standalone\/releases\/tag\/(v[0-9\.]+)".*/\1/g' | head -1)
          DOWNLOAD_URL="https://github.com/higress-group/higress-standalone/archive/refs/tags/${VERSION}.tar.gz"
          curl -SsL "$DOWNLOAD_URL" -o "./artifact/higress-${VERSION}.tar.gz"
+          curl -SsL "https://raw.githubusercontent.com/higress-group/higress-standalone/refs/heads/main/src/get-higress.sh" -o "./artifact/get-higress.sh"
          echo -n "$VERSION" > ./artifact/VERSION
          echo "Version=$VERSION"
      # Step 3
--- a/.github/workflows/deploy-to-oss.yaml
+++ b/.github/workflows/deploy-to-oss.yaml
@@ -19,7 +19,7 @@ jobs:
      - name: Download Helm Charts Index
        uses: doggycool/ossutil-github-action@master
        with:
-          ossArgs: 'cp -r -u oss://higress-website-cn-hongkong/helm-charts/index.yaml ./artifact/'
+          ossArgs: 'cp oss://higress-website-cn-hongkong/helm-charts/index.yaml ./artifact/'
          accessKey: ${{ secrets.ACCESS_KEYID }}
          accessSecret: ${{ secrets.ACCESS_KEYSECRET }}
          endpoint: oss-cn-hongkong.aliyuncs.com
--- a/.github/workflows/helm-docs.yaml
+++ b/.github/workflows/helm-docs.yaml
@@ -0,0 +1,115 @@
+name: "Helm Docs"
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - 'helm/**'
+  workflow_dispatch: ~      
+  push:
+    branches: [ main ]
+    paths:
+      - 'helm/**'
+
+jobs:
+  helm:
+    name: Helm Docs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.9'
+
+      - name: Run helm-docs
+        run: |
+          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.14.2
+          ./helm-docs -c ${GITHUB_WORKSPACE}/helm/higress -f ../core/values.yaml
+          DIFF=$(git diff ${GITHUB_WORKSPACE}/helm/higress/*md)
+          if [ ! -z "$DIFF" ]; then
+            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart."
+          fi
+          git diff --exit-code
+          rm -f ./helm-docs
+
+  translate-readme:
+    if: ${{ ! always() }}
+    needs: helm
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
+
+      - name: Translate README.md to Chinese
+        env:
+          API_URL: ${{ secrets.HIGRESS_OPENAI_API_URL }}
+          API_KEY: ${{ secrets.HIGRESS_OPENAI_API_KEY }}
+          API_MODEL: ${{ secrets.HIGRESS_OPENAI_API_MODEL }}
+        run: |
+          cd ./helm/higress
+          FILE_CONTENT=$(cat README.md)
+
+          PAYLOAD=$(jq -n \
+            --arg model "$API_MODEL" \
+            --arg content "$FILE_CONTENT" \
+            '{
+              model: $model,
+              messages: [
+                {"role": "system", "content": "You are a translation assistant that translates English Markdown text to Chinese."},
+                {"role": "user", "content": $content}
+              ],
+              temperature: 1.1,
+              stream: false
+            }')
+
+          RESPONSE=$(curl -s -X POST "$API_URL" \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer $API_KEY" \
+            -d "$PAYLOAD")
+
+          echo "response: $RESPONSE"
+
+          TRANSLATED_CONTENT=$(echo "$RESPONSE" | jq -r '.choices[0].message.content')
+
+          if [ -z "$TRANSLATED_CONTENT" ]; then
+            echo "Translation failed! Response: $RESPONSE"
+            exit 1
+          fi
+
+          echo "$TRANSLATED_CONTENT" > README.zh.new.md
+          echo "Translation completed and saved to README.zh.new.md."
+
+      - name: Compare README.zh.md
+        id: compare
+        run: |
+          cd ./helm/higress
+          NEW_README_ZH="README.zh.new.md"
+          EXISTING_README_ZH="README.zh.md"
+
+          if [ ! -f "$EXISTING_README_ZH" ]; then
+            echo "Add README.zh.md."
+            mv "$NEW_README_ZH" "$EXISTING_README_ZH"
+            echo "updated=true" >> $GITHUB_ENV
+            exit 0
+          fi
+
+          if ! diff -q "$NEW_README_ZH" "$EXISTING_README_ZH"; then
+            echo "Files are different. Updating README.zh.md."
+            mv "$NEW_README_ZH" "$EXISTING_README_ZH"
+            echo "updated=true" >> $GITHUB_ENV
+          else
+            echo "Files are identical. No update needed."
+            echo "updated=false" >> $GITHUB_ENV
+          fi
--- a/.github/workflows/release-hgctl.yaml
+++ b/.github/workflows/release-hgctl.yaml
@@ -15,7 +15,7 @@ jobs:
    - uses: actions/checkout@v4
    - uses: actions/setup-go@v5
      with:
-        go-version: 1.21.5
+        go-version: 1.22

    - name: Build hgctl latest multiarch binaries
      run: |
@@ -43,7 +43,7 @@ jobs:
    - uses: actions/checkout@v4
    - uses: actions/setup-go@v5
      with:
-        go-version: 1.21.5
+        go-version: 1.22

    - name: Build hgctl latest macos binaries
      run: |
@@ -58,14 +58,14 @@ jobs:
          hgctl_${{ env.HGCTL_VERSION }}_darwin_arm64.tar.gz

  release-hgctl-macos-amd64:
-    runs-on: macos-12
+    runs-on: macos-14
    env:
      HGCTL_VERSION: ${{github.ref_name}}
    steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-go@v5
      with:
-        go-version: 1.21.5
+        go-version: 1.22

    - name: Build hgctl latest macos binaries
      run: |
--- a/.gitignore
+++ b/.gitignore
@@ -16,4 +16,4 @@ helm/**/charts/**.tgz
 target/
 tools/hack/cluster.conf
 envoy/1.20
-istio/1.12
+istio/1.12
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -12,6 +12,7 @@ header:
    - 'LICENSE'
    - 'api/**'
    - 'samples/**'
+    - 'docs/**'
    - '.github/**'
    - '.licenserc.yaml'
    - 'helm/**'
--- a/3
+++ b/3
@@ -2,7 +2,8 @@
 /envoy @gengleilei @johnlanni
 /istio @SpecialYang @johnlanni
 /pkg @SpecialYang @johnlanni @CH3CHO
-/plugins @johnlanni @WeixinX @CH3CHO
+/plugins @johnlanni @CH3CHO @rinfx
+/plugins/wasm-go/extensions/ai-proxy @cr7258 @CH3CHO @rinfx
 /plugins/wasm-rust @007gzs @jizhuozhi
 /registry @NameHaibinZhang @2456868764 @johnlanni
 /test @Xunzhuo @2456868764 @CH3CHO
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -144,7 +144,7 @@ docker-buildx-push: clean-env docker.higress-buildx
 export PARENT_GIT_TAG:=$(shell cat VERSION)
 export PARENT_GIT_REVISION:=$(TAG)

-export ENVOY_PACKAGE_URL_PATTERN?=https://github.com/higress-group/proxy/releases/download/v2.0.0/envoy-symbol-ARCH.tar.gz
+export ENVOY_PACKAGE_URL_PATTERN?=https://github.com/higress-group/proxy/releases/download/v2.1.2/envoy-symbol-ARCH.tar.gz

 build-envoy: prebuild
 	./tools/hack/build-envoy.sh
@@ -159,16 +159,20 @@ build-pilot-local: prebuild
 buildx-prepare:
 	docker buildx inspect multi-arch >/dev/null 2>&1 || docker buildx create --name multi-arch --platform linux/amd64,linux/arm64 --use

-build-gateway: prebuild buildx-prepare
+build-gateway: prebuild buildx-prepare build-golang-filter
 	USE_REAL_USER=1 TARGET_ARCH=amd64 DOCKER_TARGETS="docker.proxyv2" ./tools/hack/build-istio-image.sh init
 	USE_REAL_USER=1 TARGET_ARCH=arm64 DOCKER_TARGETS="docker.proxyv2" ./tools/hack/build-istio-image.sh init
-	DOCKER_TARGETS="docker.proxyv2" ./tools/hack/build-istio-image.sh docker.buildx
+	DOCKER_TARGETS="docker.proxyv2" IMG_URL="${IMG_URL}" ./tools/hack/build-istio-image.sh docker.buildx

-build-gateway-local: prebuild
+build-gateway-local: prebuild build-golang-filter
 	TARGET_ARCH=${TARGET_ARCH} DOCKER_TARGETS="docker.proxyv2" ./tools/hack/build-istio-image.sh docker

+build-golang-filter:
+	TARGET_ARCH=amd64 ./tools/hack/build-golang-filters.sh
+	TARGET_ARCH=arm64 ./tools/hack/build-golang-filters.sh
+
 build-istio: prebuild buildx-prepare
-	DOCKER_TARGETS="docker.pilot" ./tools/hack/build-istio-image.sh docker.buildx
+	DOCKER_TARGETS="docker.pilot" IMG_URL="${IMG_URL}" ./tools/hack/build-istio-image.sh docker.buildx

 build-istio-local: prebuild
 	TARGET_ARCH=${TARGET_ARCH} DOCKER_TARGETS="docker.pilot" ./tools/hack/build-istio-image.sh docker
@@ -187,8 +191,8 @@ install: pre-install
 	cd helm/higress; helm dependency build
 	helm install higress helm/higress -n higress-system --create-namespace --set 'global.local=true'

-ENVOY_LATEST_IMAGE_TAG ?= 2.0.1
-ISTIO_LATEST_IMAGE_TAG ?= 2.0.1
+ENVOY_LATEST_IMAGE_TAG ?= 958467a353d411ae3f06e03b096bfd342cddb2c6
+ISTIO_LATEST_IMAGE_TAG ?= d9c728d3b01f64855e012b08d136e306f1160397

 install-dev: pre-install
 	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
@@ -231,6 +235,8 @@ clean-gateway: clean-istio
 	rm -rf external/proxy
 	rm -rf external/go-control-plane
 	rm -rf external/package/envoy.tar.gz
+	rm -rf external/package/mcp-server_amd64.so
+	rm -rf external/package/mcp-server_arm64.so

 clean-env:
 	rm -rf out/
@@ -299,7 +305,7 @@ kube-load-image: $(tools/kind) ## Install the Higress image to a kind cluster us
 	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-server 1.3.0
 	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-server v1.0
 	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-body 1.0.0
-	tools/hack/docker-pull-image.sh openpolicyagent/opa latest
+	tools/hack/docker-pull-image.sh openpolicyagent/opa 0.61.0
 	tools/hack/docker-pull-image.sh curlimages/curl latest
 	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
 	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
@@ -312,7 +318,7 @@ kube-load-image: $(tools/kind) ## Install the Higress image to a kind cluster us
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-server 1.3.0
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-server v1.0
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-body 1.0.0
-	tools/hack/kind-load-image.sh openpolicyagent/opa latest
+	tools/hack/kind-load-image.sh openpolicyagent/opa 0.61.0
 	tools/hack/kind-load-image.sh curlimages/curl latest
 	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
 	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
--- a/README.md
+++ b/README.md
@@ -6,190 +6,143 @@
 </h1>
 <h4 align="center"> AI Native API Gateway </h4>

+<div align="center">
+    
 [![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)

-[**官网**](https://higress.cn/) &nbsp; |
-&nbsp; [**文档**](https://higress.cn/docs/latest/overview/what-is-higress/) &nbsp; |
-&nbsp; [**博客**](https://higress.cn/blog/) &nbsp; |
-&nbsp; [**电子书**](https://higress.cn/docs/ebook/wasm14/) &nbsp; |
-&nbsp; [**开发指引**](https://higress.cn/docs/latest/dev/architecture/) &nbsp; |
-&nbsp; [**AI插件**](https://higress.cn/plugin/) &nbsp;
+<a href="https://trendshift.io/repositories/10918" target="_blank"><img src="https://trendshift.io/api/badge/repositories/10918" alt="alibaba%2Fhigress | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+</div>
+
+[**Official Site**](https://higress.io/en-us/) &nbsp; |
+&nbsp; [**Docs**](https://higress.io/en-us/docs/overview/what-is-higress) &nbsp; |
+&nbsp; [**Blog**](https://higress.io/en-us/blog) &nbsp; |
+&nbsp; [**Developer**](https://higress.io/en-us/docs/developers/developers_dev) &nbsp; |
+&nbsp; [**Higress in Cloud**](https://www.alibabacloud.com/product/microservices-engine?spm=higress-website.topbar.0.0.0) &nbsp;


 <p>
-   <a href="README_EN.md"> English <a/>| 中文 | <a href="README_JP.md"> 日本語 <a/> 
+   English | <a href="README_ZH.md">中文<a/> | <a href="README_JP.md">日本語<a/>
 </p>

+Higress is a cloud-native API gateway based on Istio and Envoy, which can be extended with Wasm plugins written in Go/Rust/JS. It provides dozens of ready-to-use general-purpose plugins and an out-of-the-box console (try the [demo here](http://demo.higress.io/)).

-Higress 是一款云原生 API 网关，内核基于 Istio 和 Envoy，可以用 Go/Rust/JS 等编写 Wasm 插件，提供了数十个现成的通用插件，以及开箱即用的控制台（demo 点[这里](http://demo.higress.io/)）
+Higress was born within Alibaba to solve the issues of Tengine reload affecting long-connection services and insufficient load balancing capabilities for gRPC/Dubbo.

-Higress 在阿里内部为解决 Tengine reload 对长连接业务有损，以及 gRPC/Dubbo 负载均衡能力不足而诞生。
-
-阿里云基于 Higress 构建了云原生 API 网关产品，为大量企业客户提供 99.99% 的网关高可用保障服务能力。
-
-Higress 基于 AI 网关能力，支撑了通义千问 APP、百炼大模型 API、机器学习 PAI 平台等 AI 业务。同时服务国内头部的 AIGC 企业（如零一万物），以及 AI 产品（如 FastGPT）
-
-![](https://img.alicdn.com/imgextra/i2/O1CN011AbR8023V8R5N0HcA_!!6000000007260-2-tps-1080-606.png)
+Alibaba Cloud has built its cloud-native API gateway product based on Higress, providing 99.99% gateway high availability guarantee service capabilities for a large number of enterprise customers.

+Higress's AI gateway capabilities support all [mainstream model providers](https://github.com/alibaba/higress/tree/main/plugins/wasm-go/extensions/ai-proxy/provider) both domestic and international, as well as self-built DeepSeek models based on vllm/ollama. Within Alibaba Cloud, it supports AI businesses such as Tongyi Qianwen APP, Bailian large model API, and machine learning PAI platform. It also serves leading AIGC enterprises (such as Zero One Infinite) and AI products (such as FastGPT).

 ## Summary

- [**快速开始**](#快速开始)    
- [**功能展示**](#功能展示)
- [**使用场景**](#使用场景)
- [**核心优势**](#核心优势)
- [**社区**](#社区)
+- [**Quick Start**](#quick-start)    
+- [**Feature Showcase**](#feature-showcase)
+- [**Use Cases**](#use-cases)
+- [**Core Advantages**](#core-advantages)
+- [**Community**](#community)

-## 快速开始
+## Quick Start

-Higress 只需 Docker 即可启动，方便个人开发者在本地搭建学习，或者用于搭建简易站点:
+Higress can be started with just Docker, making it convenient for individual developers to set up locally for learning or for building simple sites:

 ```bash
-# 创建一个工作目录
+# Create a working directory
 mkdir higress; cd higress
-# 启动 higress，配置文件会写到工作目录下
+# Start higress, configuration files will be written to the working directory
 docker run -d --rm --name higress-ai -v ${PWD}:/data \
        -p 8001:8001 -p 8080:8080 -p 8443:8443  \
        higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/all-in-one:latest
 ```

-监听端口说明如下：
+Port descriptions:

- 8001 端口：Higress UI 控制台入口
- 8080 端口：网关 HTTP 协议入口
- 8443 端口：网关 HTTPS 协议入口
+- Port 8001: Higress UI console entry
+- Port 8080: Gateway HTTP protocol entry
+- Port 8443: Gateway HTTPS protocol entry

-**Higress 的所有 Docker 镜像都一直使用自己独享的仓库，不受 Docker Hub 境内访问受限的影响**
+**All Higress Docker images use their own dedicated repository, unaffected by Docker Hub access restrictions in certain regions**

-K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start 文档](https://higress.cn/docs/latest/user/quickstart/)。
+For other installation methods such as Helm deployment under K8s, please refer to the official [Quick Start documentation](https://higress.io/en-us/docs/user/quickstart).

+## Use Cases

-## 使用场景
+- **AI Gateway**:

- **AI 网关**:
+  Higress can connect to all LLM model providers both domestic and international using a unified protocol, while also providing rich AI observability, multi-model load balancing/fallback, AI token rate limiting, AI caching, and other capabilities:

-  Higress 能够用统一的协议对接国内外所有 LLM 模型厂商，同时具备丰富的 AI 可观测、多模型负载均衡/fallback、AI token 流控、AI 缓存等能力：
+  ![](https://img.alicdn.com/imgextra/i2/O1CN01izmBNX1jbHT7lP3Yr_!!6000000004566-0-tps-1920-1080.jpg)

-  ![](https://img.alicdn.com/imgextra/i1/O1CN01fNnhCp1cV8mYPRFeS_!!6000000003605-0-tps-1080-608.jpg)
+- **MCP Server Hosting**:

- **Kubernetes Ingress 网关**:
+  Higress, as an Envoy-based API gateway, supports hosting MCP Servers through its plugin mechanism. MCP (Model Context Protocol) is essentially an AI-friendly API that enables AI Agents to more easily call various tools and services. Higress provides unified capabilities for authentication, authorization, rate limiting, and observability for tool calls, simplifying the development and deployment of AI applications.

-  Higress 可以作为 K8s 集群的 Ingress 入口网关, 并且兼容了大量 K8s Nginx Ingress 的注解，可以从 K8s Nginx Ingress 快速平滑迁移到 Higress。
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01wv8H4g1mS4MUzC1QC_!!6000000004952-2-tps-1764-597.png)
+
+  By hosting MCP Servers with Higress, you can achieve:
+  - Unified authentication and authorization mechanisms, ensuring the security of AI tool calls
+  - Fine-grained rate limiting to prevent abuse and resource exhaustion
+  - Comprehensive audit logs recording all tool call behaviors
+  - Rich observability for monitoring the performance and health of tool calls
+  - Simplified deployment and management through Higress's plugin mechanism for quickly adding new MCP Servers
+  - Dynamic updates without disruption: Thanks to Envoy's friendly handling of long connections and Wasm plugin's dynamic update mechanism, MCP Server logic can be updated on-the-fly without any traffic disruption or connection drops
+
+- **Kubernetes ingress controller**:
+
+  Higress can function as a feature-rich ingress controller, which is compatible with many annotations of K8s' nginx ingress controller.
  
-  支持 [Gateway API](https://gateway-api.sigs.k8s.io/) 标准，支持用户从 Ingress API 平滑迁移到 Gateway API。
-
-  相比 ingress-nginx，资源开销大幅下降，路由变更生效速度有十倍提升：
-
-  ![](https://img.alicdn.com/imgextra/i1/O1CN01bhEtb229eeMNBWmdP_!!6000000008093-2-tps-750-547.png)
-  ![](https://img.alicdn.com/imgextra/i1/O1CN01bqRets1LsBGyitj4S_!!6000000001354-2-tps-887-489.png)
+  [Gateway API](https://gateway-api.sigs.k8s.io/) support is coming soon and will support smooth migration from Ingress API to Gateway API.
  
- **微服务网关**:
+- **Microservice gateway**:

-  Higress 可以作为微服务网关, 能够对接多种类型的注册中心发现服务配置路由，例如 Nacos, ZooKeeper, Consul, Eureka 等。
+  Higress can function as a microservice gateway, which can discovery microservices from various service registries, such as Nacos, ZooKeeper, Consul, Eureka, etc.
  
-  并且深度集成了 [Dubbo](https://github.com/apache/dubbo), [Nacos](https://github.com/alibaba/nacos), [Sentinel](https://github.com/alibaba/Sentinel) 等微服务技术栈，基于 Envoy C++ 网关内核的出色性能，相比传统 Java 类微服务网关，可以显著降低资源使用率，减少成本。
-
-  ![](https://img.alicdn.com/imgextra/i4/O1CN01v4ZbCj1dBjePSMZ17_!!6000000003698-0-tps-1613-926.jpg)
+  It deeply integrates with [Dubbo](https://github.com/apache/dubbo), [Nacos](https://github.com/alibaba/nacos), [Sentinel](https://github.com/alibaba/Sentinel) and other microservice technology stacks.
  
- **安全防护网关**:
+- **Security gateway**:

-  Higress 可以作为安全防护网关， 提供 WAF 的能力，并且支持多种认证鉴权策略，例如 key-auth, hmac-auth, jwt-auth, basic-auth, oidc 等。 
+  Higress can be used as a security gateway, supporting WAF and various authentication strategies, such as key-auth, hmac-auth, jwt-auth, basic-auth, oidc, etc.

-## 核心优势

- **生产等级**
+## Core Advantages

-  脱胎于阿里巴巴2年多生产验证的内部产品，支持每秒请求量达数十万级的大规模场景。
+- **Production Grade**

-  彻底摆脱 Nginx reload 引起的流量抖动，配置变更毫秒级生效且业务无感。对 AI 业务等长连接场景特别友好。
+  Born from Alibaba's internal product with over 2 years of production validation, supporting large-scale scenarios with hundreds of thousands of requests per second.

- **流式处理**
+  Completely eliminates traffic jitter caused by Nginx reload, configuration changes take effect in milliseconds and are transparent to business. Especially friendly to long-connection scenarios such as AI businesses.

-  支持真正的完全流式处理请求/响应 Body，Wasm 插件很方便地自定义处理 SSE （Server-Sent Events）等流式协议的报文。
+- **Streaming Processing**

-  在 AI 业务等大带宽场景下，可以显著降低内存开销。  
+  Supports true complete streaming processing of request/response bodies, Wasm plugins can easily customize the handling of streaming protocols such as SSE (Server-Sent Events).
+
+  In high-bandwidth scenarios such as AI businesses, it can significantly reduce memory overhead.
    
- **便于扩展**
+- **Easy to Extend**
  
-  提供丰富的官方插件库，涵盖 AI、流量管理、安全防护等常用功能，满足90%以上的业务场景需求。
+  Provides a rich official plugin library covering AI, traffic management, security protection and other common functions, meeting more than 90% of business scenario requirements.

-  主打 Wasm 插件扩展，通过沙箱隔离确保内存安全，支持多种编程语言，允许插件版本独立升级，实现流量无损热更新网关逻辑。
+  Focuses on Wasm plugin extensions, ensuring memory safety through sandbox isolation, supporting multiple programming languages, allowing plugin versions to be upgraded independently, and achieving traffic-lossless hot updates of gateway logic.

- **安全易用**
+- **Secure and Easy to Use**
  
-  基于 Ingress API 和 Gateway API 标准，提供开箱即用的 UI 控制台，WAF 防护插件、IP/Cookie CC 防护插件开箱即用。
+  Based on Ingress API and Gateway API standards, provides out-of-the-box UI console, WAF protection plugin, IP/Cookie CC protection plugin ready to use.

-  支持对接 Let's Encrypt 自动签发和续签免费证书，并且可以脱离 K8s 部署，一行 Docker 命令即可启动，方便个人开发者使用。
+  Supports connecting to Let's Encrypt for automatic issuance and renewal of free certificates, and can be deployed outside of K8s, started with a single Docker command, convenient for individual developers to use.

+## Community

-## 功能展示
+[Slack](https://w1689142780-euk177225.slack.com/archives/C05GEL4TGTG): to get invited go [here](https://communityinviter.com/apps/w1689142780-euk177225/higress).

-### AI 网关 Demo 展示
+### Thanks

-[从 OpenAI 到其他大模型，30 秒完成迁移
-](https://www.bilibili.com/video/BV1dT421a7w7/?spm_id_from=333.788.recommend_more_video.14)
+Higress would not be possible without the valuable open-source work of projects in the community. We would like to extend a special thank you to Envoy and Istio.

+### Related Repositories

-### Higress UI 控制台
-    
- **丰富的可观测**
+- Higress Console: https://github.com/higress-group/higress-console
+- Higress Standalone: https://github.com/higress-group/higress-standalone

-  提供开箱即用的可观测，Grafana&Prometheus 可以使用内置的也可对接自建的
-
-  ![](./docs/images/monitor.gif)
-    
-
- **插件扩展机制**
-
-  官方提供了多种插件，用户也可以[开发](./plugins/wasm-go)自己的插件，构建成 docker/oci 镜像后在控制台配置，可以实时变更插件逻辑，对流量完全无损。
-
-  ![](./docs/images/plugin.gif)
-
-
- **多种服务发现**
-
-  默认提供 K8s Service 服务发现，通过配置可以对接 Nacos/ZooKeeper 等注册中心实现服务发现，也可以基于静态 IP 或者 DNS 来发现
-
-  ![](./docs/images/service-source.gif)
-    
-
- **域名和证书**
-
-  可以创建管理 TLS 证书，并配置域名的 HTTP/HTTPS 行为，域名策略里支持对特定域名生效插件
-
-  ![](./docs/images/domain.gif)
-
-
- **丰富的路由能力**
-
-  通过上面定义的服务发现机制，发现的服务会出现在服务列表中；创建路由时，选择域名，定义路由匹配机制，再选择目标服务进行路由；路由策略里支持对特定路由生效插件
-
-  ![](./docs/images/route-service.gif)
-
-
-## 社区
-
-### 感谢
-
-如果没有 Envoy 和 Istio 的开源工作，Higress 就不可能实现，在这里向这两个项目献上最诚挚的敬意。
-
-### 交流群
-
-![image](https://img.alicdn.com/imgextra/i2/O1CN01BkopaB22ZsvamFftE_!!6000000007135-0-tps-720-405.jpg)
-
-### 技术分享
-
-微信公众号：
-
-![](https://img.alicdn.com/imgextra/i1/O1CN01WnQt0q1tcmqVDU73u_!!6000000005923-0-tps-258-258.jpg)
-
-### 关联仓库
-
- Higress 控制台：https://github.com/higress-group/higress-console
- Higress（独立运行版）：https://github.com/higress-group/higress-standalone
-
-### 贡献者
+### Contributors

 <a href="https://github.com/alibaba/higress/graphs/contributors">
  <img alt="contributors" src="https://contrib.rocks/image?repo=alibaba/higress"/>
@@ -197,10 +150,10 @@ K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start

 ### Star History

-[![Star History](https://api.star-history.com/svg?repos=alibaba/higress&type=Date)](https://star-history.com/#alibaba/higress&Date)
+[![Star History Chart](https://api.star-history.com/svg?repos=alibaba/higress&type=Date)](https://star-history.com/#alibaba/higress&Date)

 <p align="right" style="font-size: 14px; color: #555; margin-top: 20px;">
    <a href="#readme-top" style="text-decoration: none; color: #007bff; font-weight: bold;">
-        ↑ 返回顶部 ↑
+        ↑ Back to Top ↑
    </a>
 </p>
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,106 +0,0 @@
-<a name="readme-top"></a>
-<h1 align="center">
-    <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
-  <br>
-  Cloud Native API Gateway
-</h1>
-
-[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
-[![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
-
-[**Official Site**](https://higress.io/en-us/) &nbsp; |
-&nbsp; [**Docs**](https://higress.io/en-us/docs/overview/what-is-higress) &nbsp; |
-&nbsp; [**Blog**](https://higress.io/en-us/blog) &nbsp; |
-&nbsp; [**Developer**](https://higress.io/en-us/docs/developers/developers_dev) &nbsp; |
-&nbsp; [**Higress in Cloud**](https://www.alibabacloud.com/product/microservices-engine?spm=higress-website.topbar.0.0.0) &nbsp;
-
-
-<p>
-   English | <a href="README.md">中文<a/> | <a href="README_JP.md">日本語<a/>
-</p>
-
-Higress is a cloud-native api gateway based on Alibaba's internal gateway practices. 
-
-Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.com/envoyproxy/envoy), Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
-
-<h1 align="center">
-  <img src="https://img.alicdn.com/imgextra/i1/O1CN01iO9ph825juHbOIg75_!!6000000007563-2-tps-2483-2024.png" alt="Higress Architecture">
-</h1>
-
-
-## Summary
-
- [**Use Cases**](#use-cases)
- [**Higress Features**](#higress-features)
- [**Quick Start**](https://higress.io/en-us/docs/user/quickstart)
- [**Community**](#community)
- [**Thanks**](#thanks)
-
-## Use Cases
-
- **Kubernetes ingress controller**:
-
-  Higress can function as a feature-rich ingress controller, which is compatible with many annotations of K8s' nginx ingress controller.
-  
-  [Gateway API](https://gateway-api.sigs.k8s.io/) support is coming soon and will support smooth migration from Ingress API to Gateway API.
-  
- **Microservice gateway**:
-
-  Higress can function as a microservice gateway, which can discovery microservices from various service registries, such as Nacos, ZooKeeper, Consul, Eureka, etc.
-  
-  It deeply integrates with [Dubbo](https://github.com/apache/dubbo), [Nacos](https://github.com/alibaba/nacos), [Sentinel](https://github.com/alibaba/Sentinel) and other microservice technology stacks.
-  
- **Security gateway**:
-
-  Higress can be used as a security gateway, supporting WAF and various authentication strategies, such as key-auth, hmac-auth, jwt-auth, basic-auth, oidc, etc.  
-
-## Higress Features
-
- **Easy to use**
-
-  Provides one-stop gateway solutions for traffic scheduling, service management, and security protection, support Console, K8s Ingress, and Gateway API configuration methods, and also support HTTP to Dubbo protocol conversion, and easily complete protocol mapping configuration.  
-  
- **Easy to expand**
-
-  Provides Wasm, Lua, and out-of-process plug-in extension mechanisms, so that multi-language plug-in writing is no longer an obstacle. The granularity of plug-in effectiveness supports not only the global level, domain name level, but also fine-grained routing level
-  
- **Dynamic hot update**
-  
-  Get rid of the traffic jitter caused by reload at the bottom, the configuration change takes effect in milliseconds and the business is not affected, the Wasm plug-in is hot updated and the traffic is not damaged
-  
- **Smooth upgrade**
-
-  Compatible with 80%+ usage scenarios of Nginx Ingress Annotation, and provides more feature-rich annotations, easy to handle Nginx Ingress migration in one step
-  
- **Security**
-
-  Provides JWT, OIDC, custom authentication and authentication, deeply integrates open-source web application firewall.
-
-## Community
-
-[Slack](https://w1689142780-euk177225.slack.com/archives/C05GEL4TGTG): to get invited go [here](https://communityinviter.com/apps/w1689142780-euk177225/higress).
-
-### Thanks
-
-Higress would not be possible without the valuable open-source work of projects in the community. We would like to extend a special thank you to Envoy and Istio.
-
-### Related Repositories
-
- Higress Console: https://github.com/higress-group/higress-console
- Higress Standalone: https://github.com/higress-group/higress-standalone
-
-### Contributors
-
-<a href="https://github.com/alibaba/higress/graphs/contributors">
-  <img alt="contributors" src="https://contrib.rocks/image?repo=alibaba/higress"/>
-</a>
-
-### Star History
-
-[![Star History Chart](https://api.star-history.com/svg?repos=alibaba/higress&type=Date)](https://star-history.com/#alibaba/higress&Date)
-
-<p align="right" style="font-size: 14px; color: #555; margin-top: 20px;">
-    <a href="#readme-top" style="text-decoration: none; color: #007bff; font-weight: bold;">
-        ↑ Back to Top ↑
-    </a>
-</p>
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -0,0 +1,230 @@
+<a name="readme-top"></a>
+<h1 align="center">
+    <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
+  <br>
+  AI Gateway
+</h1>
+<h4 align="center"> AI Native API Gateway </h4>
+
+<div align="center">
+    
+[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
+
+<a href="https://trendshift.io/repositories/10918" target="_blank"><img src="https://trendshift.io/api/badge/repositories/10918" alt="alibaba%2Fhigress | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+</div>
+
+[**官网**](https://higress.cn/) &nbsp; |
+&nbsp; [**文档**](https://higress.cn/docs/latest/overview/what-is-higress/) &nbsp; |
+&nbsp; [**博客**](https://higress.cn/blog/) &nbsp; |
+&nbsp; [**电子书**](https://higress.cn/docs/ebook/wasm14/) &nbsp; |
+&nbsp; [**开发指引**](https://higress.cn/docs/latest/dev/architecture/) &nbsp; |
+&nbsp; [**AI插件**](https://higress.cn/plugin/) &nbsp;
+
+
+
+<p>
+   <a href="README.md"> English <a/>| 中文 | <a href="README_JP.md"> 日本語 <a/> 
+</p>
+
+
+Higress 是一款云原生 API 网关，内核基于 Istio 和 Envoy，可以用 Go/Rust/JS 等编写 Wasm 插件，提供了数十个现成的通用插件，以及开箱即用的控制台（demo 点[这里](http://demo.higress.io/)）
+
+Higress 在阿里内部为解决 Tengine reload 对长连接业务有损，以及 gRPC/Dubbo 负载均衡能力不足而诞生。
+
+阿里云基于 Higress 构建了云原生 API 网关产品，为大量企业客户提供 99.99% 的网关高可用保障服务能力。
+
+Higress 的 AI 网关能力支持国内外所有[主流模型供应商](https://github.com/alibaba/higress/tree/main/plugins/wasm-go/extensions/ai-proxy/provider)和基于 vllm/ollama 等自建的 DeepSeek 模型；在阿里云内部支撑了通义千问 APP、百炼大模型 API、机器学习 PAI 平台等 AI 业务。同时服务国内头部的 AIGC 企业（如零一万物），以及 AI 产品（如 FastGPT）
+
+![](https://img.alicdn.com/imgextra/i2/O1CN011AbR8023V8R5N0HcA_!!6000000007260-2-tps-1080-606.png)
+
+
+## Summary
+
+- [**快速开始**](#快速开始)    
+- [**功能展示**](#功能展示)
+- [**使用场景**](#使用场景)
+- [**核心优势**](#核心优势)
+- [**社区**](#社区)
+
+## 快速开始
+
+Higress 只需 Docker 即可启动，方便个人开发者在本地搭建学习，或者用于搭建简易站点:
+
+```bash
+# 创建一个工作目录
+mkdir higress; cd higress
+# 启动 higress，配置文件会写到工作目录下
+docker run -d --rm --name higress-ai -v ${PWD}:/data \
+        -p 8001:8001 -p 8080:8080 -p 8443:8443  \
+        higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/all-in-one:latest
+```
+
+监听端口说明如下：
+
+- 8001 端口：Higress UI 控制台入口
+- 8080 端口：网关 HTTP 协议入口
+- 8443 端口：网关 HTTPS 协议入口
+
+**Higress 的所有 Docker 镜像都一直使用自己独享的仓库，不受 Docker Hub 境内访问受限的影响**
+
+K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start 文档](https://higress.cn/docs/latest/user/quickstart/)。
+
+如果您是在云上部署，生产环境推荐使用[企业版](https://higress.io/cloud/)，开发测试可以使用下面一键部署社区版：
+
+[![Deploy on AlibabaCloud ComputeNest](https://service-info-public.oss-cn-hangzhou.aliyuncs.com/computenest.svg)](https://computenest.console.aliyun.com/service/instance/create/default?type=user&ServiceName=Higress社区版)
+
+
+## 使用场景
+
+- **AI 网关**:
+
+  Higress 能够用统一的协议对接国内外所有 LLM 模型厂商，同时具备丰富的 AI 可观测、多模型负载均衡/fallback、AI token 流控、AI 缓存等能力：
+
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01fNnhCp1cV8mYPRFeS_!!6000000003605-0-tps-1080-608.jpg)
+
+- **MCP Server 托管**:
+
+  Higress 作为基于 Envoy 的 API 网关，支持通过插件方式托管 MCP Server。MCP（Model Context Protocol）本质是面向 AI 更友好的 API，使 AI Agent 能够更容易地调用各种工具和服务。Higress 可以统一处理工具调用的认证/鉴权/限流/观测等能力，简化 AI 应用的开发和部署。
+
+  ![](https://img.alicdn.com/imgextra/i3/O1CN01K4qPUX1OliZa8KIPw_!!6000000001746-2-tps-1581-615.png)
+
+  通过 Higress 托管 MCP Server，可以实现：
+  - 统一的认证和鉴权机制，确保 AI 工具调用的安全性
+  - 精细化的速率限制，防止滥用和资源耗尽
+  - 完整的审计日志，记录所有工具调用行为
+  - 丰富的可观测性，监控工具调用的性能和健康状况
+  - 简化的部署和管理，通过 Higress 插件机制快速添加新的 MCP Server
+  - 动态更新无损：得益于 Envoy 对长连接保持的友好支持，以及 Wasm 插件的动态更新机制，MCP Server 逻辑可以实时更新，且对流量完全无损，不会导致任何连接断开
+
+- **Kubernetes Ingress 网关**:
+
+  Higress 可以作为 K8s 集群的 Ingress 入口网关, 并且兼容了大量 K8s Nginx Ingress 的注解，可以从 K8s Nginx Ingress 快速平滑迁移到 Higress。
+  
+  支持 [Gateway API](https://gateway-api.sigs.k8s.io/) 标准，支持用户从 Ingress API 平滑迁移到 Gateway API。
+
+  相比 ingress-nginx，资源开销大幅下降，路由变更生效速度有十倍提升：
+
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01bhEtb229eeMNBWmdP_!!6000000008093-2-tps-750-547.png)
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01bqRets1LsBGyitj4S_!!6000000001354-2-tps-887-489.png)
+  
+- **微服务网关**:
+
+  Higress 可以作为微服务网关, 能够对接多种类型的注册中心发现服务配置路由，例如 Nacos, ZooKeeper, Consul, Eureka 等。
+  
+  并且深度集成了 [Dubbo](https://github.com/apache/dubbo), [Nacos](https://github.com/alibaba/nacos), [Sentinel](https://github.com/alibaba/Sentinel) 等微服务技术栈，基于 Envoy C++ 网关内核的出色性能，相比传统 Java 类微服务网关，可以显著降低资源使用率，减少成本。
+
+  ![](https://img.alicdn.com/imgextra/i4/O1CN01v4ZbCj1dBjePSMZ17_!!6000000003698-0-tps-1613-926.jpg)
+  
+- **安全防护网关**:
+
+  Higress 可以作为安全防护网关， 提供 WAF 的能力，并且支持多种认证鉴权策略，例如 key-auth, hmac-auth, jwt-auth, basic-auth, oidc 等。 
+
+## 核心优势
+
+- **生产等级**
+
+  脱胎于阿里巴巴2年多生产验证的内部产品，支持每秒请求量达数十万级的大规模场景。
+
+  彻底摆脱 Nginx reload 引起的流量抖动，配置变更毫秒级生效且业务无感。对 AI 业务等长连接场景特别友好。
+
+- **流式处理**
+
+  支持真正的完全流式处理请求/响应 Body，Wasm 插件很方便地自定义处理 SSE （Server-Sent Events）等流式协议的报文。
+
+  在 AI 业务等大带宽场景下，可以显著降低内存开销。  
+    
+- **便于扩展**
+  
+  提供丰富的官方插件库，涵盖 AI、流量管理、安全防护等常用功能，满足90%以上的业务场景需求。
+
+  主打 Wasm 插件扩展，通过沙箱隔离确保内存安全，支持多种编程语言，允许插件版本独立升级，实现流量无损热更新网关逻辑。
+
+- **安全易用**
+  
+  基于 Ingress API 和 Gateway API 标准，提供开箱即用的 UI 控制台，WAF 防护插件、IP/Cookie CC 防护插件开箱即用。
+
+  支持对接 Let's Encrypt 自动签发和续签免费证书，并且可以脱离 K8s 部署，一行 Docker 命令即可启动，方便个人开发者使用。
+
+
+## 功能展示
+
+### AI 网关 Demo 展示
+
+[从 OpenAI 到其他大模型，30 秒完成迁移
+](https://www.bilibili.com/video/BV1dT421a7w7/?spm_id_from=333.788.recommend_more_video.14)
+
+
+### Higress UI 控制台
+    
+- **丰富的可观测**
+
+  提供开箱即用的可观测，Grafana&Prometheus 可以使用内置的也可对接自建的
+
+  ![](./docs/images/monitor.gif)
+    
+
+- **插件扩展机制**
+
+  官方提供了多种插件，用户也可以[开发](./plugins/wasm-go)自己的插件，构建成 docker/oci 镜像后在控制台配置，可以实时变更插件逻辑，对流量完全无损。
+
+  ![](./docs/images/plugin.gif)
+
+
+- **多种服务发现**
+
+  默认提供 K8s Service 服务发现，通过配置可以对接 Nacos/ZooKeeper 等注册中心实现服务发现，也可以基于静态 IP 或者 DNS 来发现
+
+  ![](./docs/images/service-source.gif)
+    
+
+- **域名和证书**
+
+  可以创建管理 TLS 证书，并配置域名的 HTTP/HTTPS 行为，域名策略里支持对特定域名生效插件
+
+  ![](./docs/images/domain.gif)
+
+
+- **丰富的路由能力**
+
+  通过上面定义的服务发现机制，发现的服务会出现在服务列表中；创建路由时，选择域名，定义路由匹配机制，再选择目标服务进行路由；路由策略里支持对特定路由生效插件
+
+  ![](./docs/images/route-service.gif)
+
+
+## 社区
+
+### 感谢
+
+如果没有 Envoy 和 Istio 的开源工作，Higress 就不可能实现，在这里向这两个项目献上最诚挚的敬意。
+
+### 交流群
+
+![image](https://img.alicdn.com/imgextra/i2/O1CN01fZefEP1aPWkzG3A19_!!6000000003322-0-tps-720-405.jpg)
+
+### 技术分享
+
+微信公众号：
+
+![](https://img.alicdn.com/imgextra/i1/O1CN01WnQt0q1tcmqVDU73u_!!6000000005923-0-tps-258-258.jpg)
+
+### 关联仓库
+
+- Higress 控制台：https://github.com/higress-group/higress-console
+- Higress（独立运行版）：https://github.com/higress-group/higress-standalone
+
+### 贡献者
+
+<a href="https://github.com/alibaba/higress/graphs/contributors">
+  <img alt="contributors" src="https://contrib.rocks/image?repo=alibaba/higress"/>
+</a>
+
+### Star History
+
+[![Star History](https://api.star-history.com/svg?repos=alibaba/higress&type=Date)](https://star-history.com/#alibaba/higress&Date)
+
+<p align="right" style="font-size: 14px; color: #555; margin-top: 20px;">
+    <a href="#readme-top" style="text-decoration: none; color: #007bff; font-weight: bold;">
+        ↑ 返回顶部 ↑
+    </a>
+</p>
--- a/2
+++ b/2
@@ -1 +1 @@
-v2.0.3
+v2.1.0-rc.1
--- a/api/extensions/v1alpha1/wasmplugin.pb.go
+++ b/api/extensions/v1alpha1/wasmplugin.pb.go
@@ -341,7 +341,7 @@ type WasmPlugin struct {
 	// Extended by Higress, matching rules take effect
 	MatchRules []*MatchRule `protobuf:"bytes,102,rep,name=match_rules,json=matchRules,proto3" json:"match_rules,omitempty"`
 	// disable the default config
-	DefaultConfigDisable bool `protobuf:"varint,103,opt,name=default_config_disable,json=defaultConfigDisable,proto3" json:"default_config_disable,omitempty"`
+	DefaultConfigDisable *wrappers.BoolValue `protobuf:"bytes,103,opt,name=default_config_disable,json=defaultConfigDisable,proto3" json:"default_config_disable,omitempty"`
 }

 func (x *WasmPlugin) Reset() {
@@ -467,11 +467,11 @@ func (x *WasmPlugin) GetMatchRules() []*MatchRule {
 	return nil
 }

-func (x *WasmPlugin) GetDefaultConfigDisable() bool {
+func (x *WasmPlugin) GetDefaultConfigDisable() *wrappers.BoolValue {
 	if x != nil {
 		return x.DefaultConfigDisable
 	}
-	return false
+	return nil
 }

 // Extended by Higress
@@ -480,11 +480,11 @@ type MatchRule struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Ingress       []string        `protobuf:"bytes,1,rep,name=ingress,proto3" json:"ingress,omitempty"`
-	Domain        []string        `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
-	Config        *_struct.Struct `protobuf:"bytes,3,opt,name=config,proto3" json:"config,omitempty"`
-	ConfigDisable bool            `protobuf:"varint,4,opt,name=config_disable,json=configDisable,proto3" json:"config_disable,omitempty"`
-	Service       []string        `protobuf:"bytes,5,rep,name=service,proto3" json:"service,omitempty"`
+	Ingress       []string            `protobuf:"bytes,1,rep,name=ingress,proto3" json:"ingress,omitempty"`
+	Domain        []string            `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
+	Config        *_struct.Struct     `protobuf:"bytes,3,opt,name=config,proto3" json:"config,omitempty"`
+	ConfigDisable *wrappers.BoolValue `protobuf:"bytes,4,opt,name=config_disable,json=configDisable,proto3" json:"config_disable,omitempty"`
+	Service       []string            `protobuf:"bytes,5,rep,name=service,proto3" json:"service,omitempty"`
 }

 func (x *MatchRule) Reset() {
@@ -540,11 +540,11 @@ func (x *MatchRule) GetConfig() *_struct.Struct {
 	return nil
 }

-func (x *MatchRule) GetConfigDisable() bool {
+func (x *MatchRule) GetConfigDisable() *wrappers.BoolValue {
 	if x != nil {
 		return x.ConfigDisable
 	}
-	return false
+	return nil
 }

 func (x *MatchRule) GetService() []string {
@@ -686,7 +686,7 @@ var file_extensions_v1alpha1_wasmplugin_proto_rawDesc = []byte{
 	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x22, 0x8d, 0x06, 0x0a, 0x0a, 0x57, 0x61, 0x73, 0x6d, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e,
+	0x6f, 0x22, 0xa9, 0x06, 0x0a, 0x0a, 0x57, 0x61, 0x73, 0x6d, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e,
 	0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75,
 	0x72, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x18, 0x03, 0x20, 0x01,
 	0x28, 0x09, 0x52, 0x06, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x12, 0x53, 0x0a, 0x11, 0x69, 0x6d,
@@ -731,52 +731,55 @@ var file_extensions_v1alpha1_wasmplugin_proto_rawDesc = []byte{
 	0x73, 0x18, 0x66, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73,
 	0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61,
 	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x52,
-	0x0a, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x34, 0x0a, 0x16, 0x64,
+	0x0a, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x50, 0x0a, 0x16, 0x64,
 	0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69,
-	0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x67, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x64, 0x65, 0x66,
-	0x61, 0x75, 0x6c, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c,
-	0x65, 0x22, 0xaf, 0x01, 0x0a, 0x09, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x12,
-	0x18, 0x0a, 0x07, 0x69, 0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09,
-	0x52, 0x07, 0x69, 0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x12, 0x2f, 0x0a, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69, 0x73,
-	0x61, 0x62, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72,
-	0x76, 0x69, 0x63, 0x65, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76,
-	0x69, 0x63, 0x65, 0x22, 0x41, 0x0a, 0x08, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12,
-	0x35, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x68,
-	0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
-	0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61,
-	0x72, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x22, 0x7e, 0x0a, 0x06, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72,
-	0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
-	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x4a, 0x0a, 0x0a, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x66, 0x72,
-	0x6f, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2b, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65,
-	0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53,
-	0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x09, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x46, 0x72, 0x6f, 0x6d,
-	0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x2a, 0x45, 0x0a, 0x0b, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e,
-	0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x11, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49,
-	0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x48, 0x41, 0x53, 0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05,
-	0x41, 0x55, 0x54, 0x48, 0x4e, 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a,
-	0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x53, 0x54, 0x41, 0x54, 0x53, 0x10, 0x03, 0x2a, 0x42, 0x0a,
-	0x0a, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x12, 0x55,
-	0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43,
-	0x59, 0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x66, 0x4e, 0x6f, 0x74, 0x50, 0x72, 0x65, 0x73,
-	0x65, 0x6e, 0x74, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x10,
-	0x02, 0x2a, 0x26, 0x0a, 0x0e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75,
-	0x72, 0x63, 0x65, 0x12, 0x0a, 0x0a, 0x06, 0x49, 0x4e, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x00, 0x12,
-	0x08, 0x0a, 0x04, 0x48, 0x4f, 0x53, 0x54, 0x10, 0x01, 0x2a, 0x2d, 0x0a, 0x0c, 0x46, 0x61, 0x69,
-	0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x0e, 0x0a, 0x0a, 0x46, 0x41, 0x49,
-	0x4c, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x41, 0x49,
-	0x4c, 0x5f, 0x4f, 0x50, 0x45, 0x4e, 0x10, 0x01, 0x42, 0x34, 0x5a, 0x32, 0x67, 0x69, 0x74, 0x68,
-	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x2f, 0x68,
-	0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e,
-	0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x67, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f,
+	0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x22, 0xcb, 0x01,
+	0x0a, 0x09, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x69,
+	0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x69, 0x6e,
+	0x67, 0x72, 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18,
+	0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x2f, 0x0a,
+	0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
+	0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x41,
+	0x0a, 0x0e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c,
+	0x75, 0x65, 0x52, 0x0d, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c,
+	0x65, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x05, 0x20, 0x03,
+	0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x22, 0x41, 0x0a, 0x08, 0x56,
+	0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x35, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x01,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65,
+	0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
+	0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x22, 0x7e,
+	0x0a, 0x06, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x4a, 0x0a, 0x0a,
+	0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x2b, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e,
+	0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45,
+	0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x09, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x46, 0x72, 0x6f, 0x6d, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x2a, 0x45,
+	0x0a, 0x0b, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x15, 0x0a,
+	0x11, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x48, 0x41,
+	0x53, 0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x4e, 0x10, 0x01, 0x12,
+	0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x53, 0x54,
+	0x41, 0x54, 0x53, 0x10, 0x03, 0x2a, 0x42, 0x0a, 0x0a, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c,
+	0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x12, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49,
+	0x45, 0x44, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x49,
+	0x66, 0x4e, 0x6f, 0x74, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x10, 0x01, 0x12, 0x0a, 0x0a,
+	0x06, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x10, 0x02, 0x2a, 0x26, 0x0a, 0x0e, 0x45, 0x6e, 0x76,
+	0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0a, 0x0a, 0x06, 0x49,
+	0x4e, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x4f, 0x53, 0x54, 0x10,
+	0x01, 0x2a, 0x2d, 0x0a, 0x0c, 0x46, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67,
+	0x79, 0x12, 0x0e, 0x0a, 0x0a, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10,
+	0x00, 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x4f, 0x50, 0x45, 0x4e, 0x10, 0x01,
+	0x42, 0x34, 0x5a, 0x32, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61,
+	0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x2f, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2f, 0x61,
+	0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31,
+	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -804,6 +807,7 @@ var file_extensions_v1alpha1_wasmplugin_proto_goTypes = []interface{}{
 	(*EnvVar)(nil),              // 7: higress.extensions.v1alpha1.EnvVar
 	(*_struct.Struct)(nil),      // 8: google.protobuf.Struct
 	(*wrappers.Int32Value)(nil), // 9: google.protobuf.Int32Value
+	(*wrappers.BoolValue)(nil),  // 10: google.protobuf.BoolValue
 }
 var file_extensions_v1alpha1_wasmplugin_proto_depIdxs = []int32{
 	1,  // 0: higress.extensions.v1alpha1.WasmPlugin.image_pull_policy:type_name -> higress.extensions.v1alpha1.PullPolicy
@@ -814,14 +818,16 @@ var file_extensions_v1alpha1_wasmplugin_proto_depIdxs = []int32{
 	6,  // 5: higress.extensions.v1alpha1.WasmPlugin.vm_config:type_name -> higress.extensions.v1alpha1.VmConfig
 	8,  // 6: higress.extensions.v1alpha1.WasmPlugin.default_config:type_name -> google.protobuf.Struct
 	5,  // 7: higress.extensions.v1alpha1.WasmPlugin.match_rules:type_name -> higress.extensions.v1alpha1.MatchRule
-	8,  // 8: higress.extensions.v1alpha1.MatchRule.config:type_name -> google.protobuf.Struct
-	7,  // 9: higress.extensions.v1alpha1.VmConfig.env:type_name -> higress.extensions.v1alpha1.EnvVar
-	2,  // 10: higress.extensions.v1alpha1.EnvVar.value_from:type_name -> higress.extensions.v1alpha1.EnvValueSource
-	11, // [11:11] is the sub-list for method output_type
-	11, // [11:11] is the sub-list for method input_type
-	11, // [11:11] is the sub-list for extension type_name
-	11, // [11:11] is the sub-list for extension extendee
-	0,  // [0:11] is the sub-list for field type_name
+	10, // 8: higress.extensions.v1alpha1.WasmPlugin.default_config_disable:type_name -> google.protobuf.BoolValue
+	8,  // 9: higress.extensions.v1alpha1.MatchRule.config:type_name -> google.protobuf.Struct
+	10, // 10: higress.extensions.v1alpha1.MatchRule.config_disable:type_name -> google.protobuf.BoolValue
+	7,  // 11: higress.extensions.v1alpha1.VmConfig.env:type_name -> higress.extensions.v1alpha1.EnvVar
+	2,  // 12: higress.extensions.v1alpha1.EnvVar.value_from:type_name -> higress.extensions.v1alpha1.EnvValueSource
+	13, // [13:13] is the sub-list for method output_type
+	13, // [13:13] is the sub-list for method input_type
+	13, // [13:13] is the sub-list for extension type_name
+	13, // [13:13] is the sub-list for extension extendee
+	0,  // [0:13] is the sub-list for field type_name
 }

 func init() { file_extensions_v1alpha1_wasmplugin_proto_init() }
--- a/api/extensions/v1alpha1/wasmplugin.proto
+++ b/api/extensions/v1alpha1/wasmplugin.proto
@@ -112,7 +112,7 @@ message WasmPlugin {
  // Extended by Higress, matching rules take effect
  repeated MatchRule match_rules = 102;
  // disable the default config
-  bool default_config_disable = 103;
+  google.protobuf.BoolValue default_config_disable = 103;
 }

 // Extended by Higress
@@ -120,7 +120,7 @@ message MatchRule {
  repeated string ingress = 1;
  repeated string domain = 2;
  google.protobuf.Struct config = 3;
-  bool config_disable = 4;
+  google.protobuf.BoolValue config_disable = 4;
  repeated string service = 5;
 }

--- a/docker/docker.mk
+++ b/docker/docker.mk
@@ -35,6 +35,8 @@ DOCKER_ALL_VARIANTS ?= debug distroless
 INCLUDE_UNTAGGED_DEFAULT ?= false
 DEFAULT_DISTRIBUTION=debug

-HIGRESS_DOCKER_BUILDX_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker buildx create --name higress --node higress0 --platform linux/amd64,linux/arm64 --use && docker buildx build --no-cache --platform linux/amd64,linux/arm64 $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/higress:$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . --push  ); )
-HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/higress:$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . ); )
+IMG ?= higress
+IMG_URL ?= $(HUB)/$(IMG):$(TAG)

+HIGRESS_DOCKER_BUILDX_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker buildx create --name higress --node higress0 --platform linux/amd64,linux/arm64 --use && docker buildx build --no-cache --platform linux/amd64,linux/arm64 $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(IMG_URL)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . --push  ); )
+HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(IMG_URL)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . ); )
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -0,0 +1,143 @@
+# Higress 核心组件和原理
+
+Higress 是基于 Envoy 和 Istio 进行二次定制化开发构建和功能增强，同时利用 Envoy 和 Istio 一些插件机制，实现了一个轻量级的网关服务。其包括 3 个核心组件：Higress Controller（控制器）、Higress Gateway（网关）和 Higress Console（控制台）。
+下图概况了其核心工作流程：
+
+![img](./images/img_02_01.png)
+
+本章将重点介绍 Higress 的两个核心组件：Higress Controller 和 Higress Gateway。
+
+## 1 Higress Console
+
+Higress Console 是 Higress 网关的管理控制台，主要功能是管理 Higress 网关的路由配置、插件配置等。
+
+### 1.1 Higress Admin SDK
+
+Higress Admin SDK 脱胎于 Higress Console。起初，它作为 Higress Console 的一部分，为前端界面提供实际的功能支持。后来考虑到对接外部系统等需求，将配置管理的部分剥离出来，形成一个独立的逻辑组件，便于和各个系统进行对接。目前支持服务来源管理、服务管理、路由管理、域名管理、证书管理、插件管理等功能。
+Higress Admin SDK 现在只提供 Java 版本，且要求 JDK 版本不低于 17。具体如何集成请参考 Higress 官方 BLOG [如何使用 Higress Admin SDK 进行配置管理](https://higress.io/zh-cn/blog/admin-sdk-intro)。
+
+## 2 Higress Controller
+
+Higress Controller（控制器） 是 Higress 的核心组件，其功能主要是实现 Higress 网关的服务发现、动态配置管理，以及动态下发配置给数据面。Higress Controller 内部包含两个子组件：Discovery 和  Higress Core。
+
+### 2.1 Discovery 组件
+
+Discovery 组件（Istio Pilot-Discovery）是 Istio 的核心组件，负责服务发现、配置管理、证书签发、控制面和数据面之间的通讯和配置下发等。Discovery 内部结构比较复杂，本文只介绍 Discovery 配置管理和服务发现的基本原理，其核心功能的详细介绍可以参考赵化冰老师的 BLOG [Istio Pilot 组件介绍](https://www.zhaohuabing.com/post/2019-10-21-pilot-discovery-code-analysis/)。
+Discovery 将 Kubernetes Service、Gateway API 配置等转换成 Istio 配置，然后将所有 Istio 配置合并转成符合 xDS 接口规范的数据结构，通过 GRPC 下发到数据面的 Envoy。其工作原理如下图：
+
+![img](./images/img_02_02.png)
+
+#### 2.1.1 Config Controller
+
+Discovery 为了更好管理 Istio 配置来源，提供 `Config Controller` 用于管理各种配置来源，目前支持 4 种类型的 `Config Controller`：
+
+- Kubernetes：使用 Kubernetes 作为配置信息来源，该方式的直接依赖 Kubernetes 强大的 CRD 机制来存储配置信息，简单方便，是 Istio 最开始使用的配置信息存储方案, 其中包括 `Kubernetes Controller` 和 `Gateway API Controller` 两个实现。
+- MCP（Mesh Configuration Protocol）：使用 Kubernetes 存储配置数据导致了 Istio 和 Kubernetes 的耦合，限制了 Istio 在非 Kubernetes 环境下的运用。为了解决该耦合，Istio 社区提出了 MCP。
+- Memory：一个基于内存的 Config Controller 实现，主要用于测试。
+- File：一个基于文件的 Config Controller 实现，主要用于测试。
+
+1. Istio 配置
+
+Istio 配置包括：`Gateway`、`VirtualService`、`DestinationRule`、`ServiceEntry`、`EnvoyFilter`、`WasmPlugin`、`WorkloadEntry`、`WorkloadGroup` 等，可以参考 Istio 官方文档[流量管理](https://istio.io/latest/zh/docs/reference/config/networking/)了解更多配置信息。
+
+2. Gateway API 配置
+
+Gateway API 配置包括：`GatewayClass`、`Gateway`、`HttpRoute`、`TCPRoute`、`GRPCRoute` 等, 可以参考 Gateway API 官方文档 [Gateway API](https://gateway-api.sigs.k8s.io/api-types/gateway/) 了解更多配置信息。
+
+3. MCP over xDS
+
+Discovery 作为 MCP Client，任何实现了 MCP 协议的 Server 都可以通过 MCP 协议向 Discovery 下发配置信息，从而消除了 Istio 和 Kubernetes 之间的耦合, 同时使 Istio 的配置信息处理更加灵活和可扩展。
+同时 MCP 是一种基于 xDS 协议的配置管理协议，Higress Core 通过实现 MCP 协议，使 Higress Core 成为 Discovery 的 Istio 配置来源。
+
+4. Config Controller 来源配置
+
+在 `higress-system` 命名空间中，名为 `higress-config` 的 Configmap 中，`mesh` 配置项包含一个 `configSources` 属性用于配置来源。其 Configmap 部分配置项如下：
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: higress-config
+  namespace: higress-system
+data:
+  mesh: |-
+    accessLogEncoding: TEXT
+    ...
+    configSources:
+    - address: xds://127.0.0.1:15051
+    - address: k8s://
+    ...
+  meshNetworks: "networks: {}"
+```
+
+#### 2.1.2 Service Controller
+
+`Service Controller` 用于管理各种 `Service Registry`，提供服务发现数据，目前 Istio 支持的 `Service Registry` 主要包括：
+
+- Kubernetes：对接 Kubernetes Registry，可以将 Kubernetes 中定义的 Service 和 Endpoint 采集到 Istio 中。
+- Memory：一个基于内存的 Service Controller 实现，主要用于测试。
+
+### 2.2 Higress Core 组件
+
+Higress Core 核心逻辑如下图：
+
+![img](./images/img_02_03.png)
+
+
+Higress Core 内部包含两个核心子组件: Ingress Config 和 Cert Server。
+
+#### 2.2.1 Ingress Config
+
+Ingress Config 包含 6 个控制器，各自负责不同的功能：
+
+- Ingress Controller：监听 Ingress 资源，将 Ingress 转换为 Istio 的 Gateway、VirtualService、DestinationRule 等资源。
+- Gateway Controller：监听 Gateway、VirtualService、DestinationRule 等资源。
+- McpBridge Controller：根据 McpBridge 的配置，将来自 Nacos、Eureka、Consul、Zookeeper 等外部注册中心或 DNS 的服务信息转换成 Istio ServiceEntry 资源。
+- Http2Rpc Controller：监听 Http2Rpc 资源，实现 HTTP 协议到 RPC 协议的转换。用户可以通过配置协议转换，将 RPC 服务以 HTTP 接口的形式暴露，从而使用 HTTP 请求调用 RPC 接口。
+- WasmPlugin Controller：监听 WasmPlugin 资源，将 Higress WasmPlugin 转化为 Istio WasmPlugin。Higress WasmPlugin 在 Istio WasmPlugin 的基础上进行了扩展，支持全局、路由、域名、服务级别的配置。
+- ConfigmapMgr：监听 Higress 的全局配置 `higress-config` ConfigMap，可以根据 tracing、gzip 等配置构造 EnvoyFilter。
+
+#### 2.2.2 Cert Server
+
+Cert Server 管理 Secret 资源和证书自动签发。
+
+## 3 Higress Gateway
+
+Higress Gateway 内部包含两个子组件：Pilot Agent 和 Envoy。Pilot Agent 主要负责 Envoy 的启动和配置，同时代理 Envoy xDS 请求到 Discovery。 Envoy 作为数据面，负责接收控制面的配置下发，并代理请求到业务服务。 Pilot Agent 和 Envoy 之间通讯协议是使用 xDS 协议， 通过 Unix Domain Socket（UDS）进行通信。
+Envoy 核心架构如下图：
+
+![img](./images/img_02_04.png)
+
+### 1 Envoy 核心组件
+
+- 下游（Downstream）:
+  下游是 Envoy 的客户端，它们负责发起请求并接收 Envoy 的响应。下游通常是最终用户的设备或服务，它们通过 Envoy 代理与后端服务进行通信。
+
+- 上游（Upstream）:
+  上游是 Envoy 的后端服务器，它们接收 Envoy 代理的连接和请求。上游提供服务或数据，对来自下游客户端的请求进行处理并返回响应。
+
+- 监听器（Listener）:
+  监听器是可以接受来自下游客户端连接的网络地址（如 IP 地址和端口，Unix Domain Socket 等）。Envoy 支持在单个进程中配置任意数量的监听器。监听器可以通过 `Listener Discovery Service（LDS）`来动态发现和更新。
+
+- 路由（Router）:
+  路由器是 Envoy 中连接下游和上游的桥梁。它负责决定如何将监听器接收到的请求路由到适当的集群。路由器根据配置的路由规则，如路径、HTTP 标头 等，来确定请求的目标集群，从而实现精确的流量控制和路由。路由器可以通过 `Route Discovery Service（RDS）`来动态发现和更新。
+
+- 集群（Cluster）:
+  集群是一组逻辑上相似的服务提供者的集合。集群成员的选择由负载均衡策略决定，确保请求能够均匀或按需分配到不同的服务实例。集群可以通过 `Cluster Discovery Service（CDS）`来动态发现和更新。
+
+- 端点（Endpoint）:
+  端点是上游集群中的具体服务实例，可以是 IP 地址和端口号的组合。端点可以通过 `Endpoint Discovery Service（EDS）`来动态发现和更新。
+
+- SSL/TLS:
+  Envoy 可以通过 `Secret Discovery Service (SDS)` 动态获取监听器和集群所需的 TLS 证书、私钥以及信任的根证书和撤销机制等配置信息。
+
+通过这些组件的协同工作，Envoy 能够高效地处理网络请求，提供流量管理、负载均衡、服务发现和动态路由等关键功能。
+要详细了解 Envoy 的工作原理，可以参考[Envoy 官方文档](https://www.envoyproxy.io/docs/envoy/latest/intro/intro)，最佳的方式可以通过一个请求通过 [Envoy 代理的生命周期](https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request)事件的过程来理解 Envoy 的工作原理。
+
+
+## 参考
+
+- [1] [Istio Pilot 组件介绍](https://www.zhaohuabing.com/post/2019-10-21-pilot-discovery-code-analysis/)
+- [2] [Istio 服务注册插件机制代码解析](https://www.zhaohuabing.com/post/2019-02-18-pilot-service-registry-code-analysis/)
+- [3] [Istio Pilot代码深度解析](https://www.zhaohuabing.com/post/2019-10-21-pilot-discovery-code-analysis/)
+- [4] [Envoy 官方文档](https://www.envoyproxy.io/docs/envoy/latest/intro/intro)
--- a/docs/images/img_02_01.png
+++ b/docs/images/img_02_01.png
--- a/docs/images/img_02_02.png
+++ b/docs/images/img_02_02.png
--- a/docs/images/img_02_03.png
+++ b/docs/images/img_02_03.png
--- a/docs/images/img_02_04.png
+++ b/docs/images/img_02_04.png
--- a/envoy/envoy
+++ b/envoy/envoy
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module github.com/alibaba/higress

-go 1.21.0
-
-toolchain go1.22.2
+go 1.22.2

 replace github.com/spf13/viper => github.com/istio/viper v1.3.3-0.20190515210538-2789fed3109c

@@ -23,6 +21,7 @@ require (
 	github.com/dubbogo/go-zookeeper v1.0.4-0.20211212162352-f9d2183d89d5
 	github.com/dubbogo/gost v1.13.1
 	github.com/envoyproxy/go-control-plane v0.11.2-0.20230725211550-11bfe846bcd4
+	github.com/go-errors/errors v1.4.2
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.5.3
 	github.com/google/go-cmp v0.6.0
@@ -99,7 +98,6 @@ require (
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
--- a/helm/core/Chart.yaml
+++ b/helm/core/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.0.3
+appVersion: 2.1.0-rc.1
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -10,4 +10,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 2.0.3
+version: 2.1.0-rc.1
--- a/helm/core/README.md
+++ b/helm/core/README.md
@@ -2,4 +2,4 @@

 Installs the core components of cloud-native gateway [Higress](http://higress.io/)

-**Note:** It is highly recommended to install the whole package of Higress. Please visit https://higress.io/docs/user/quickstart/ for details.
+**Note:** It is highly recommended to install the whole package of Higress. Please visit https://higress.io/docs/user/quickstart/ for details.
--- a/helm/core/templates/_pod.tpl
+++ b/helm/core/templates/_pod.tpl
@@ -7,9 +7,6 @@ Rendering the pod template of gateway component.
 template:
  metadata:
    annotations:
-    {{- if .Values.global.enableHigressIstio }}
-      "enableHigressIstio": "true"
-    {{- end }}
    {{- if .Values.gateway.podAnnotations }}
      {{- toYaml .Values.gateway.podAnnotations | nindent 6 }}
    {{- end }}
@@ -18,6 +15,9 @@ template:
      {{- with .Values.gateway.revision }}
      istio.io/rev: {{ . }}
      {{- end }}
+      {{- with .Values.gateway.podLabels }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
      {{- include "gateway.selectorLabels" . | nindent 6 }}
  spec:
    {{- with .Values.gateway.imagePullSecrets }}
@@ -45,9 +45,9 @@ template:
          - router
          - --domain
          - $(POD_NAMESPACE).svc.cluster.local
-          - --proxyLogLevel=warning
-          - --proxyComponentLogLevel=misc:error
-          - --log_output_level=all:info
+          - --proxyLogLevel={{- default "warning" .Values.global.proxy.logLevel }}
+          - --proxyComponentLogLevel={{- default "misc:error" .Values.global.proxy.componentLogLevel }}
+          - --log_output_level={{- default "default:info" .Values.global.logging.level }}
          - --serviceCluster=higress-gateway
        securityContext:
        {{- if .Values.gateway.containerSecurityContext }}
@@ -131,7 +131,7 @@ template:
        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
          value: "{{.}}"
        {{- end }}
-        {{- range $key, $val := .Values.env }}
+        {{- range $key, $val := .Values.gateway.env }}
        - name: {{ $key }}
          value: {{ $val | quote }}
        {{- end }}
@@ -268,11 +268,7 @@ template:
    {{- end }}
    - name: higress-ca-root-cert
      configMap:
-    {{- if .Values.global.enableHigressIstio }}
-        name: istio-ca-root-cert
-    {{- else }}
        name: higress-ca-root-cert
-    {{- end }}
    - name: config
      configMap:
        name: higress-config
--- a/helm/core/templates/configmap.yaml
+++ b/helm/core/templates/configmap.yaml
@@ -9,7 +9,7 @@
    accessLogFile: "/dev/stdout"
    {{- end }}
    ingressControllerMode: "OFF"
-    accessLogFormat: '{"authority":"%REQ(X-ENVOY-ORIGINAL-HOST?:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","response_code_details":"%RESPONSE_CODE_DETAILS%"}
+    accessLogFormat: '{"ai_log":"%FILTER_STATE(wasm.ai_log:PLAIN)%","authority":"%REQ(X-ENVOY-ORIGINAL-HOST?:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","response_code_details":"%RESPONSE_CODE_DETAILS%"}

    '
    dnsRefreshRate: 200s
@@ -20,11 +20,7 @@
    # When processing a leaf namespace Istio will search for declarations in that namespace first
    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
    # is processed as if it were declared in the leaf namespace.
-    {{- if .Values.global.enableHigressIstio }}
-    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
-    {{- else }}
    rootNamespace: {{ .Release.Namespace }}
-    {{- end }}

    configSources:
      - address: "xds://127.0.0.1:15051"
@@ -85,12 +81,8 @@
      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
      {{- end }}
      {{- else }}
-      {{- if .Values.global.enableHigressIstio }}
-      discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012
-      {{- else }}
      discoveryAddress: {{ include "controller.name" . }}.{{.Release.Namespace}}.svc:15012
      {{- end }}
-      {{- end }}
      proxyStatsMatcher:
        inclusionRegexps:
        - ".*"
--- a/helm/core/templates/controller-deployment.yaml
+++ b/helm/core/templates/controller-deployment.yaml
@@ -19,6 +19,9 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
+        {{- with .Values.controller.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
        {{- include "controller.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.controller.imagePullSecrets }}
@@ -96,7 +99,6 @@ spec:
          volumeMounts:
          - name: log
            mountPath: /var/log
-{{- if not .Values.global.enableHigressIstio }}
        - name: discovery
          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Chart.AppVersion }}"
 {{- if .Values.global.imagePullPolicy }}
@@ -137,6 +139,14 @@ spec:
            periodSeconds: 3
            timeoutSeconds: 5
          env:
+          {{- if .Values.global.watchNamespace }}
+          - name: ISTIO_WATCH_NAMESPACE
+            value: "{{ .Values.global.watchNamespace }}"
+          {{- end }}
+          - name: ENABLE_PUSH_ALL_MCP_CLUSTERS
+            value: "{{ .Values.global.enablePushAllMCPClusters }}"
+          - name: PILOT_ENABLE_LDS_CACHE
+            value: "{{ .Values.global.enableLDSCache }}"
          - name: PILOT_ENABLE_QUIC_LISTENERS
            value: "true"
          - name: VALIDATION_WEBHOOK_CONFIG_NAME
@@ -229,10 +239,8 @@ spec:
            value: "false"
          - name: PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER
            value: "false"
-          {{- if not .Values.global.enableHigressIstio }}
          - name: CUSTOM_CA_CERT_NAME
            value: "higress-ca-root-cert"
-          {{- end }}
          {{- if not (or .Values.global.local .Values.global.kind) }}
          resources:
 {{- if .Values.pilot.resources }}
@@ -269,7 +277,6 @@ spec:
          - name: extracacerts
            mountPath: /cacerts
          {{- end }}
-{{- end }}
      {{- with .Values.controller.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -285,7 +292,6 @@ spec:
      volumes:
      - name: log
        emptyDir: {}
-      {{- if not .Values.global.enableHigressIstio }}
      - name: config
        configMap:
          name: higress-config
@@ -317,4 +323,3 @@ spec:
        configMap:
          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- end }}
-      {{- end }}
--- a/helm/core/templates/controller-service.yaml
+++ b/helm/core/templates/controller-service.yaml
@@ -9,7 +9,6 @@ spec:
  type: {{ .Values.controller.service.type }}
  ports:
    {{- toYaml .Values.controller.ports | nindent 4 }}
-    {{- if not .Values.global.enableHigressIstio }}
    - port: 15010
      name: grpc-xds # plaintext
      protocol: TCP
@@ -23,6 +22,5 @@ spec:
    - port: 15014
      name: http-monitoring # prometheus stats
      protocol: TCP
-    {{- end }}
  selector:
    {{- include "controller.selectorLabels" . | nindent 4 }}
--- a/helm/core/templates/daemonset.yaml
+++ b/helm/core/templates/daemonset.yaml
@@ -1,7 +1,8 @@
 {{- if eq .Values.gateway.kind "DaemonSet" -}}
 {{- $o11y := .Values.global.o11y  }}
-{{- $unprivilegedPortSupported := true }}
-{{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
+{{- if eq .Values.gateway.unprivilegedPortSupported nil -}}
+  {{- $unprivilegedPortSupported := true }}
+  {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
    {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
    {{- if $kernelVersion }}
      {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }}
@@ -9,8 +10,9 @@
      {{- $unprivilegedPortSupported = false }}
      {{- end }}
    {{- end }}
+  {{- end -}}
+  {{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}
 {{- end -}}
-{{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}

 apiVersion: apps/v1
 kind: DaemonSet
--- a/helm/core/templates/deployment.yaml
+++ b/helm/core/templates/deployment.yaml
@@ -1,6 +1,7 @@
 {{- if eq .Values.gateway.kind "Deployment" -}}
-{{- $unprivilegedPortSupported := true }}
-{{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
+{{- if eq .Values.gateway.unprivilegedPortSupported nil -}}
+  {{- $unprivilegedPortSupported := true }}
+  {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
    {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
    {{- if $kernelVersion }}
      {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }}
@@ -8,8 +9,9 @@
      {{- $unprivilegedPortSupported = false }}
      {{- end }}
    {{- end }}
+  {{- end -}}
+  {{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}
 {{- end -}}
-{{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}

 apiVersion: apps/v1
 kind: Deployment
--- a/helm/core/values.yaml
+++ b/helm/core/values.yaml
@@ -3,14 +3,16 @@ global:
  enableH3: false
  enableIPv6: false
  enableProxyProtocol: false
-  liteMetrics: true
+  enableLDSCache: false
+  enablePushAllMCPClusters: true
+  liteMetrics: false
  xdsMaxRecvMsgSize: "104857600"
  defaultUpstreamConcurrencyThreshold: 10000
  enableSRDS: true
  onDemandRDS: false
  hostRDSMergeSubset: false
  onlyPushRouteCluster: true
-  # IngressClass filters which ingress resources the higress controller watches.
+  # -- IngressClass filters which ingress resources the higress controller watches.
  # The default ingress class is higress.
  # There are some special cases for special ingress class.
  # 1. When the ingress class is set as nginx, the higress controller will watch ingress
@@ -18,28 +20,38 @@ global:
  # 2. When the ingress class is set empty, the higress controller will watch all ingress
  # resources in the k8s cluster.
  ingressClass: "higress"
+  # -- If not empty, Higress Controller will only watch resources in the specified namespace.
+  # When isolating different business systems using K8s namespace,
+  # if each namespace requires a standalone gateway instance,
+  # this parameter can be used to confine the Ingress watching of Higress within the given namespace.
  watchNamespace: ""
+  # -- Whether to disable HTTP/2 in ALPN
  disableAlpnH2: false
+  # -- If true, Higress Controller will update the status field of Ingress resources.
+  # When migrating from Nginx Ingress, in order to avoid status field of Ingress objects being overwritten,
+  # this parameter needs to be set to false,
+  # so Higress won't write the entry IP to the status field of the corresponding Ingress object.
  enableStatus: true
-  # whether to use autoscaling/v2 template for HPA settings
+  # -- whether to use autoscaling/v2 template for HPA settings
  # for internal usage only, not to be configured by users.
  autoscalingv2API: true
-  local: false # When deploying to a local cluster (e.g.: kind cluster), set this to true.
+  # -- When deploying to a local cluster (e.g.: kind cluster), set this to true.
+  local: false
  kind: false # Deprecated. Please use "global.local" instead. Will be removed later.
+  # -- If true, Higress Controller will monitor istio resources as well
  enableIstioAPI: true
+  # -- If true, Higress Controller will monitor Gateway API resources as well
  enableGatewayAPI: false
-  # Deprecated
-  enableHigressIstio: false
-  # Used to locate istiod.
+  # -- Used to locate istiod.
  istioNamespace: istio-system
-  # enable pod disruption budget for the control plane, which is used to
+  # -- enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: false
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1

-  # A minimal set of requested resources to applied to all deployments so that
+  # -- A minimal set of requested resources to applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
@@ -51,16 +63,16 @@ global:
    #   cpu: 100m
    #   memory: 128Mi

-  # Default hub for Istio images.
+  # -- Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress

-  # Specify image pull policy if default behavior isn't desired.
+  # -- Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
  imagePullPolicy: ""

-  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+  # -- ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
@@ -68,14 +80,14 @@ global:
  imagePullSecrets: []
  # - private-registry-key

-  # Enabled by default in master for maximising testing.
+  # -- Enabled by default in master for maximising testing.
  istiod:
    enableAnalysis: false

-  # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+  # -- To output all istio components logs in json format by adding --log_as_json argument to each container argument
  logAsJson: false

-  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+  # -- Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
@@ -83,11 +95,11 @@ global:

  omitSidecarInjectorConfigMap: false

-  # Whether to restrict the applications namespace the controller manages;
+  # -- Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false

-  # Configure whether Operator manages webhook configurations. The current behavior
+  # -- Configure whether Operator manages webhook configurations. The current behavior
  # of Istiod is to manage its own webhook configurations.
  # When this option is set as true, Istio Operator, instead of webhooks, manages the
  # webhook configurations. When this option is set as false, webhooks manage their
@@ -106,7 +118,7 @@ global:
  #- global
  #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

-  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+  # -- Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
@@ -116,18 +128,18 @@ global:
  proxy:
    image: proxyv2

-    # This controls the 'policy' in the sidecar injector.
+    # -- This controls the 'policy' in the sidecar injector.
    autoInject: enabled

-    # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+    # -- CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"

-    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+    # -- Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used.
    componentLogLevel: "misc:error"

-    # If set, newly injected sidecars will have core dumps enabled.
+    # -- If set, newly injected sidecars will have core dumps enabled.
    enableCoreDump: false

    # istio ingress capture allowlist
@@ -136,7 +148,7 @@ global:
    excludeInboundPorts: ""
    includeInboundPorts: "*"

-    # istio egress capture allowlist
+    # -- istio egress capture allowlist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
@@ -146,29 +158,29 @@ global:
    includeOutboundPorts: ""
    excludeOutboundPorts: ""

-    # Log level for proxy, applies to gateways and sidecars.
+    # -- Log level for proxy, applies to gateways and sidecars.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: warning

-    #If set to true, istio-proxy container will have privileged securityContext
+    # -- If set to true, istio-proxy container will have privileged securityContext
    privileged: false

-    # The number of successive failed probes before indicating readiness failure.
+    # -- The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

-    # The number of successive successed probes before indicating readiness success.
+    # -- The number of successive successed probes before indicating readiness success.
    readinessSuccessThreshold: 30

-    # The initial delay for readiness probes in seconds.
+    # -- The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

-    # The period between readiness probes.
+    # -- The period between readiness probes.
    readinessPeriodSeconds: 2

-    # The readiness timeout seconds
+    # -- The readiness timeout seconds
    readinessTimeoutSeconds: 3

-    # Resources for the sidecar.
+    # -- Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
@@ -177,18 +189,18 @@ global:
        cpu: 2000m
        memory: 1024Mi

-    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+    # -- Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020

-    # Specify which tracer to use. One of: lightstep, datadog, stackdriver.
+    # -- Specify which tracer to use. One of: lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    tracer: ""

-    # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
+    # -- Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
    holdApplicationUntilProxyStarts: false

  proxy_init:
-    # Base name for the proxy_init container, used to configure iptables.
+    # -- Base name for the proxy_init container, used to configure iptables.
    image: proxyv2
    resources:
      limits:
@@ -198,7 +210,7 @@ global:
        cpu: 10m
        memory: 10Mi

-  # configure remote pilot and istiod service and endpoint
+  # -- configure remote pilot and istiod service and endpoint
  remotePilotAddress: ""

  ##############################################################################################
@@ -206,20 +218,20 @@ global:
  # make sure they are consistent across your Istio helm charts                                #
  ##############################################################################################

-  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # -- The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  # If not set explicitly, default to the Istio discovery address.
  caAddress: ""

-  # Configure a remote cluster data plane controlled by an external istiod.
+  # -- Configure a remote cluster data plane controlled by an external istiod.
  # When set to true, istiod is not deployed locally and only a subset of the other
  # discovery charts are enabled.
  externalIstiod: false

-  #  Configure a remote cluster as the config cluster for an external istiod.
+  # -- Configure a remote cluster as the config cluster for an external istiod.
  configCluster: false

-  # Configure the policy for validating JWT.
+  # -- Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  jwtPolicy: "third-party-jwt"

@@ -241,7 +253,7 @@ global:
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
-  # If the mesh admin does not specify a value, Istio will use the value of the
+  # -- If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""
@@ -275,68 +287,69 @@ global:
  #
  meshNetworks: {}

-  # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+  # -- Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
  mountMtlsCerts: false

  multiCluster:
-    # Set to true to connect two kubernetes clusters via their respective
+    # -- Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: true
-    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+    # -- Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""

-  # Network defines the network this cluster belong to. This name
+  # -- Network defines the network this cluster belong to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""

-  # Configure the certificate provider for control plane communication.
+  # -- Configure the certificate provider for control plane communication.
  # Currently, two providers are supported: "kubernetes" and "istiod".
  # As some platforms may not have kubernetes signing APIs,
  # Istiod is the default
  pilotCertProvider: istiod

  sds:
-    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+    # -- The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca

  sts:
-    # The service port used by Security Token Service (STS) server to handle token exchange requests.
+    # -- The service port used by Security Token Service (STS) server to handle token exchange requests.
    # Setting this port to a non-zero value enables STS server.
    servicePort: 0

-  # Configuration for each of the supported tracers
+  # -- Configuration for each of the supported tracers
  tracer:
-    # Configuration for envoy to send trace data to LightStep.
+    # -- Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    # address: the <host>:<port> of the satellite pool
    # accessToken: required for sending data to the pool
    #
    datadog:
-      # Host:Port for submitting traces to the Datadog agent.
+      # -- Host:Port for submitting traces to the Datadog agent.
      address: "$(HOST_IP):8126"
    lightstep:
-      address: "" # example: lightstep-satellite:443
-      accessToken: "" # example: abcdefg1234567
+      # -- example: lightstep-satellite:443
+      address: ""
+      # -- example: abcdefg1234567
+      accessToken: ""
    stackdriver:
-      # enables trace output to stdout.
+      # -- enables trace output to stdout.
      debug: false
-      # The global default max number of message events per span.
+      # -- The global default max number of message events per span.
      maxNumberOfMessageEvents: 200
-      # The global default max number of annotation events per span.
+      # -- The global default max number of annotation events per span.
      maxNumberOfAnnotations: 200
-      # The global default max number of attributes per span.
+      # -- The global default max number of attributes per span.
      maxNumberOfAttributes: 200
-  # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
-
+  # -- Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
  useMCP: false

-  # Observability (o11y) configurations
+  # -- Observability (o11y) configurations
  o11y:
    enabled: false
    promtail:
@@ -350,7 +363,7 @@ global:
          memory: 2Gi
      securityContext: {}

-  # The name of the CA for workload certificates.
+  # -- The name of the CA for workload certificates.
  # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
  # will be used as the certificates for workloads.
  # The default value is "" and when caName="", the CA will be configured by other
@@ -359,7 +372,7 @@ global:
 hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress

 clusterName: ""
-# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+# -- meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
 # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
 meshConfig:
  enablePrometheusMerge: true
@@ -370,14 +383,13 @@ meshConfig:
  # and gradual adoption by setting capture only on specific workloads. It also allows
  # VMs to use other DNS options, like dnsmasq or unbound.

-  # The namespace to treat as the administrative root namespace for Istio configuration.
+  # -- The namespace to treat as the administrative root namespace for Istio configuration.
  # When processing a leaf namespace Istio will search for declarations in that namespace first
  # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
  # is processed as if it were declared in the leaf namespace.
-
  rootNamespace:

-  # The trust domain corresponds to the trust root of a system
+  # -- The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  trustDomain: "cluster.local"

@@ -391,56 +403,57 @@ meshConfig:

 gateway:
  name: "higress-gateway"
+  # -- Number of Higress Gateway pods
  replicas: 2
  image: gateway

  # -- Use a `DaemonSet` or `Deployment`
  kind: Deployment

-  # The number of successive failed probes before indicating readiness failure.
+  # -- The number of successive failed probes before indicating readiness failure.
  readinessFailureThreshold: 30

-  # The number of successive successed probes before indicating readiness success.
+  # -- The number of successive successed probes before indicating readiness success.
  readinessSuccessThreshold: 1

-  # The initial delay for readiness probes in seconds.
+  # -- The initial delay for readiness probes in seconds.
  readinessInitialDelaySeconds: 1

-  # The period between readiness probes.
+  # -- The period between readiness probes.
  readinessPeriodSeconds: 2

-  # The readiness timeout seconds
+  # -- The readiness timeout seconds
  readinessTimeoutSeconds: 3

  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
  tag: ""
-  # revision declares which revision this gateway is a part of
+  # -- revision declares which revision this gateway is a part of
  revision: ""

  rbac:
-    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # -- If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
    # when using http://gateway-api.org/.
    enabled: true

  serviceAccount:
-    # If set, a service account will be created. Otherwise, the default is used
+    # -- If set, a service account will be created. Otherwise, the default is used
    create: true
-    # Annotations to add to the service account
+    # -- Annotations to add to the service account
    annotations: {}
-    # The name of the service account to use.
+    # -- The name of the service account to use.
    # If not set, the release name is used
    name: ""

-  # Pod environment variables
+  # -- Pod environment variables
  env: {}
  httpPort: 80
  httpsPort: 443
  hostNetwork: false

-  # Labels to apply to all resources
+  # -- Labels to apply to all resources
  labels: {}

-  # Annotations to apply to all resources
+  # -- Annotations to apply to all resources
  annotations: {}

  podAnnotations:
@@ -449,14 +462,18 @@ gateway:
    prometheus.io/path: "/stats/prometheus"
    sidecar.istio.io/inject: "false"

-  # Define the security context for the pod.
+  # -- Labels to apply to the pod
+  podLabels: {}
+
+  # -- Define the security context for the pod.
  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
  securityContext: ~
  containerSecurityContext: ~
+  unprivilegedPortSupported: ~

  service:
-    # Type of service. Set to "None" to disable the service entirely
+    # -- Type of service. Set to "None" to disable the service entirely
    type: LoadBalancer
    ports:
      - name: http2
@@ -474,6 +491,7 @@ gateway:
    externalTrafficPolicy: ""

  rollingMaxSurge: 100%
+  # -- If global.local is true, the default value is 100%, otherwise it is 25%
  rollingMaxUnavailable: 25%

  resources:
@@ -496,28 +514,29 @@ gateway:

  affinity: {}

-  # If specified, the gateway will act as a network gateway for the given network.
+  # -- If specified, the gateway will act as a network gateway for the given network.
  networkGateway: ""

  metrics:
-    # If true, create PodMonitor or VMPodScrape for gateway
+    # -- If true, create PodMonitor or VMPodScrape for gateway
    enabled: false
-    # provider group name for CustomResourceDefinition, can be monitoring.coreos.com or operator.victoriametrics.com
+    # -- provider group name for CustomResourceDefinition, can be monitoring.coreos.com or operator.victoriametrics.com
    provider: monitoring.coreos.com
    interval: ""
    scrapeTimeout: ""
    honorLabels: false
-    # for monitoring.coreos.com/v1.PodMonitor
+    # -- for monitoring.coreos.com/v1.PodMonitor
    metricRelabelings: []
    relabelings: []
-    # for operator.victoriametrics.com/v1beta1.VMPodScrape
+    # -- for operator.victoriametrics.com/v1beta1.VMPodScrape
    metricRelabelConfigs: []
    relabelConfigs: []
-    # some more raw podMetricsEndpoints spec
+    # -- some more raw podMetricsEndpoints spec
    rawSpec: {}

 controller:
  name: "higress-controller"
+  # -- Number of Higress Controller pods
  replicas: 1
  image: higress

@@ -528,12 +547,12 @@ controller:
  labels: {}

  probe:
-    {
-      httpGet: { path: /ready, port: 8888 },
-      initialDelaySeconds: 1,
-      periodSeconds: 3,
-      timeoutSeconds: 5,
-    }
+    httpGet:
+      path: /ready
+      port: 8888
+    initialDelaySeconds: 1
+    periodSeconds: 3
+    timeoutSeconds: 5

  imagePullSecrets: []

@@ -541,31 +560,36 @@ controller:
    create: true

  serviceAccount:
-    # Specifies whether a service account should be created
+    # -- Specifies whether a service account should be created
    create: true
-    # Annotations to add to the service account
+    # -- Annotations to add to the service account
    annotations: {}
-    # The name of the service account to use.
-    # If not set and create is true, a name is generated using the fullname template
+    # -- The name of the service account to use.
+    # -- If not set and create is true, a name is generated using the fullname template
    name: ""

  podAnnotations: {}

+  # -- Labels to apply to the pod
+  podLabels: {}
+
  podSecurityContext:
    {}
    # fsGroup: 2000

  ports:
-    [
-      { "name": "http", "protocol": "TCP", "port": 8888, "targetPort": 8888 },
-      {
-        "name": "http-solver",
-        "protocol": "TCP",
-        "port": 8889,
-        "targetPort": 8889,
-      },
-      { "name": "grpc", "protocol": "TCP", "port": 15051, "targetPort": 15051 },
-    ]
+    - name: http
+      protocol: TCP
+      port: 8888
+      targetPort: 8888
+    - name: http-solver
+      protocol: TCP
+      port: 8889
+      targetPort: 8889
+    - name: grpc
+      protocol: TCP
+      port: 15051
+      targetPort: 15051

  service:
    type: ClusterIP
@@ -602,7 +626,7 @@ controller:
    enabled: true
    email: ""

-## Discovery Settings
+## -- Discovery Settings
 pilot:
  autoscaleEnabled: false
  autoscaleMin: 1
@@ -614,11 +638,11 @@ pilot:
  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
  tag: ""

-  # Can be a full hub/image:tag
+  # -- Can be a full hub/image:tag
  image: pilot
  traceSampling: 1.0

-  # Resources for a small pilot install
+  # -- Resources for a small pilot install
  resources:
    requests:
      cpu: 500m
@@ -633,21 +657,21 @@ pilot:
  cpu:
    targetAverageUtilization: 80

-  # if protocol sniffing is enabled for outbound
+  # -- if protocol sniffing is enabled for outbound
  enableProtocolSniffingForOutbound: true
-  # if protocol sniffing is enabled for inbound
+  # -- if protocol sniffing is enabled for inbound
  enableProtocolSniffingForInbound: true

  nodeSelector: {}
  podAnnotations: {}
  serviceAnnotations: {}

-  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # -- You can use jwksResolverExtraRootCA to provide a root certificate
  # in PEM format. This will then be trusted by pilot when resolving
  # JWKS URIs.
  jwksResolverExtraRootCA: ""

-  # This is used to set the source of configuration for
+  # -- This is used to set the source of configuration for
  # the associated address in configSource, if nothing is specified
  # the default MCP is assumed.
  configSource:
@@ -655,21 +679,21 @@ pilot:

  plugins: []

-  # The following is used to limit how long a sidecar can be connected
+  # -- The following is used to limit how long a sidecar can be connected
  # to a pilot. It balances out load across pilot instances at the cost of
  # increasing system churn.
  keepaliveMaxServerConnectionAge: 30m

-  # Additional labels to apply to the deployment.
+  # -- Additional labels to apply to the deployment.
  deploymentLabels: {}

  ## Mesh config settings

-  # Install the mesh config map, generated from values.yaml.
+  # -- Install the mesh config map, generated from values.yaml.
  # If false, pilot wil use default values (by default) or user-supplied values.
  configMap: true

-  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  # -- Additional labels to apply on the pod level for monitoring and logging configuration.
  podLabels: {}

 # Tracing config settings
@@ -685,7 +709,7 @@ tracing:
  # service: ""
  # port: 9411

-# Downstream config settings
+# -- Downstream config settings
 downstream:
  idleTimeout: 180
  maxRequestHeadersKb: 60
@@ -696,7 +720,7 @@ downstream:
    initialConnectionWindowSize: 1048576
  routeTimeout: 0

-# Upstream config settings
+# -- Upstream config settings
 upstream:
  idleTimeout: 10
  connectionBufferLimits: 10485760
--- a/helm/higress/Chart.lock
+++ b/helm/higress/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
  repository: file://../core
-  version: 2.0.3
+  version: 2.1.0-rc.1
 - name: higress-console
  repository: https://higress.io/helm-charts/
-  version: 1.4.5
-digest: sha256:74b772113264168483961f5d0424459fd7359adc509a4b50400229581d7cddbf
-generated: "2024-11-08T14:06:51.871719+08:00"
+  version: 2.0.4
+digest: sha256:9341e3c410e41bcb681e63c8ff60361af46a22a34463bfb919d2e062b47ad072
+generated: "2025-03-26T21:02:19.645626545+08:00"
--- a/helm/higress/Chart.yaml
+++ b/helm/higress/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.0.3
+appVersion: 2.1.0-rc.1
 description: Helm chart for deploying Higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -12,9 +12,9 @@ sources:
 dependencies:
 - name: higress-core
  repository: "file://../core"
-  version: 2.0.3
+  version: 2.1.0-rc.1
 - name: higress-console
  repository: "https://higress.io/helm-charts/"
-  version: 1.4.5
+  version: 2.0.4
 type: application
-version: 2.0.3
+version: 2.1.0-rc.1
--- a/helm/higress/README.md
+++ b/helm/higress/README.md
@@ -1,57 +1,280 @@
-# Higress Helm Chart
-
-Installs the cloud-native gateway [Higress](http://higress.io/)
-
-## Get Repo Info
-
-```console
-helm repo add higress.io https://higress.io/helm-charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-To install the chart with the release name `higress`:
-
-```console
-helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the higress deployment:
-
-```console
-helm delete higress -n higress-system
-```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Configuration
-
-| **Parameter** | **Description** | **Default** |
-|---|---|---|
-| **Global Parameters** |  |  |
-| global.local | Set to `true` if installing to a local K8s cluster (e.g.: Kind, Rancher Desktop, etc.) | false |
-| global.ingressClass | [IngressClass](https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/#ingress-class) which is used to filter Ingress resources Higress Controller watches.<br />If there are multiple gateway instances deployed in the cluster, this parameter can be used to distinguish the scope of each gateway instance.<br />There are some special cases for special IngressClass values:<br />1. If set to "nginx", Higress Controller will watch Ingress resources with the `nginx` IngressClass or without any Ingress class.<br />2. If set to empty, Higress Controller will watch all Ingress resources in the K8s cluster. | higress |
-| global.watchNamespace | If not empty, Higress Controller will only watch resources in the specified namespace. When isolating different business systems using K8s namespace, if each namespace requires a standalone gateway instance, this parameter can be used to confine the Ingress watching of Higress within the given namespace. | "" |
-| global.disableAlpnH2 | Whether to disable HTTP/2 in ALPN | true |
-| global.enableStatus | If `true`, Higress Controller will update the `status` field of Ingress resources.<br />When migrating from Nginx Ingress, in order to avoid `status` field of Ingress objects being overwritten, this parameter needs to be set to false, so Higress won't write the entry IP to the `status` field of the corresponding Ingress object. | true |
-| global.enableIstioAPI | If `true`, Higress Controller will monitor istio resources as well | false |
-| global.enableGatewayAPI | If `true`, Higress Controller will monitor Gateway API resources as well | false |
-| global.istioNamespace | The namespace istio is installed to | istio-system |
-| **Core Paramters** |  |  |
-| higress-core.gateway.replicas | Number of Higress Gateway pods | 2 |
-| higress-core.controller.replicas | Number of Higress Controller pods | 1 |
-| **Console Paramters** |  |  |
-| higress-console.replicaCount | Number of Higress Console pods | 1 |
-| higress-console.service.type | K8s service type used by Higress Console | ClusterIP |
-| higress-console.domain | Domain used to access Higress Console | console.higress.io |
-| higress-console.tlsSecretName | Name of Secret resource used by TLS connections. | "" |
-| higress-console.web.login.prompt | Prompt message to be displayed on the login page | "" |
-| higress-console.admin.password.value | If not empty, the admin password will be configured to the specified value. | "" |
-| higress-console.admin.password.length | The length of random admin password generated during installation. Only works when `higress-console.admin.password.value` is not set. | 8 |
-| higress-console.o11y.enabled | If `true`, o11y suite (Grafana + Promethues) will be installed. | false |
-| higress-console.pvc.rwxSupported | Set to `false` when installing to a standard K8s cluster and the target cluster doesn't support the ReadWriteMany access mode of PersistentVolumeClaim. | true |
+## Higress for Kubernetes
+
+Higress is a cloud-native api gateway based on Alibaba's internal gateway practices.
+
+Powered by Istio and Envoy, Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
+
+## Setup Repo Info
+
+```console
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+```
+
+## Install
+
+To install the chart with the release name `higress`:
+
+```console
+helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
+```
+
+## Uninstall
+
+To uninstall/delete the higress deployment:
+
+```console
+helm delete higress -n higress-system
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clusterName | string | `""` |  |
+| controller.affinity | object | `{}` |  |
+| controller.automaticHttps.email | string | `""` |  |
+| controller.automaticHttps.enabled | bool | `true` |  |
+| controller.autoscaling.enabled | bool | `false` |  |
+| controller.autoscaling.maxReplicas | int | `5` |  |
+| controller.autoscaling.minReplicas | int | `1` |  |
+| controller.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| controller.env | object | `{}` |  |
+| controller.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| controller.image | string | `"higress"` |  |
+| controller.imagePullSecrets | list | `[]` |  |
+| controller.labels | object | `{}` |  |
+| controller.name | string | `"higress-controller"` |  |
+| controller.nodeSelector | object | `{}` |  |
+| controller.podAnnotations | object | `{}` |  |
+| controller.podLabels | object | `{}` | Labels to apply to the pod |
+| controller.podSecurityContext | object | `{}` |  |
+| controller.ports[0].name | string | `"http"` |  |
+| controller.ports[0].port | int | `8888` |  |
+| controller.ports[0].protocol | string | `"TCP"` |  |
+| controller.ports[0].targetPort | int | `8888` |  |
+| controller.ports[1].name | string | `"http-solver"` |  |
+| controller.ports[1].port | int | `8889` |  |
+| controller.ports[1].protocol | string | `"TCP"` |  |
+| controller.ports[1].targetPort | int | `8889` |  |
+| controller.ports[2].name | string | `"grpc"` |  |
+| controller.ports[2].port | int | `15051` |  |
+| controller.ports[2].protocol | string | `"TCP"` |  |
+| controller.ports[2].targetPort | int | `15051` |  |
+| controller.probe.httpGet.path | string | `"/ready"` |  |
+| controller.probe.httpGet.port | int | `8888` |  |
+| controller.probe.initialDelaySeconds | int | `1` |  |
+| controller.probe.periodSeconds | int | `3` |  |
+| controller.probe.timeoutSeconds | int | `5` |  |
+| controller.rbac.create | bool | `true` |  |
+| controller.replicas | int | `1` | Number of Higress Controller pods |
+| controller.resources.limits.cpu | string | `"1000m"` |  |
+| controller.resources.limits.memory | string | `"2048Mi"` |  |
+| controller.resources.requests.cpu | string | `"500m"` |  |
+| controller.resources.requests.memory | string | `"2048Mi"` |  |
+| controller.securityContext | object | `{}` |  |
+| controller.service.type | string | `"ClusterIP"` |  |
+| controller.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| controller.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| controller.serviceAccount.name | string | `""` | If not set and create is true, a name is generated using the fullname template |
+| controller.tag | string | `""` |  |
+| controller.tolerations | list | `[]` |  |
+| downstream | object | `{"connectionBufferLimits":32768,"http2":{"initialConnectionWindowSize":1048576,"initialStreamWindowSize":65535,"maxConcurrentStreams":100},"idleTimeout":180,"maxRequestHeadersKb":60,"routeTimeout":0}` | Downstream config settings |
+| gateway.affinity | object | `{}` |  |
+| gateway.annotations | object | `{}` | Annotations to apply to all resources |
+| gateway.autoscaling.enabled | bool | `false` |  |
+| gateway.autoscaling.maxReplicas | int | `5` |  |
+| gateway.autoscaling.minReplicas | int | `1` |  |
+| gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| gateway.containerSecurityContext | string | `nil` |  |
+| gateway.env | object | `{}` | Pod environment variables |
+| gateway.hostNetwork | bool | `false` |  |
+| gateway.httpPort | int | `80` |  |
+| gateway.httpsPort | int | `443` |  |
+| gateway.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| gateway.image | string | `"gateway"` |  |
+| gateway.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` |
+| gateway.labels | object | `{}` | Labels to apply to all resources |
+| gateway.metrics.enabled | bool | `false` | If true, create PodMonitor or VMPodScrape for gateway |
+| gateway.metrics.honorLabels | bool | `false` |  |
+| gateway.metrics.interval | string | `""` |  |
+| gateway.metrics.metricRelabelConfigs | list | `[]` | for operator.victoriametrics.com/v1beta1.VMPodScrape |
+| gateway.metrics.metricRelabelings | list | `[]` | for monitoring.coreos.com/v1.PodMonitor |
+| gateway.metrics.provider | string | `"monitoring.coreos.com"` | provider group name for CustomResourceDefinition, can be monitoring.coreos.com or operator.victoriametrics.com |
+| gateway.metrics.rawSpec | object | `{}` | some more raw podMetricsEndpoints spec |
+| gateway.metrics.relabelConfigs | list | `[]` |  |
+| gateway.metrics.relabelings | list | `[]` |  |
+| gateway.metrics.scrapeTimeout | string | `""` |  |
+| gateway.name | string | `"higress-gateway"` |  |
+| gateway.networkGateway | string | `""` | If specified, the gateway will act as a network gateway for the given network. |
+| gateway.nodeSelector | object | `{}` |  |
+| gateway.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` |  |
+| gateway.podAnnotations."prometheus.io/port" | string | `"15020"` |  |
+| gateway.podAnnotations."prometheus.io/scrape" | string | `"true"` |  |
+| gateway.podAnnotations."sidecar.istio.io/inject" | string | `"false"` |  |
+| gateway.podLabels | object | `{}` | Labels to apply to the pod |
+| gateway.rbac.enabled | bool | `true` | If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed when using http://gateway-api.org/. |
+| gateway.readinessFailureThreshold | int | `30` | The number of successive failed probes before indicating readiness failure. |
+| gateway.readinessInitialDelaySeconds | int | `1` | The initial delay for readiness probes in seconds. |
+| gateway.readinessPeriodSeconds | int | `2` | The period between readiness probes. |
+| gateway.readinessSuccessThreshold | int | `1` | The number of successive successed probes before indicating readiness success. |
+| gateway.readinessTimeoutSeconds | int | `3` | The readiness timeout seconds |
+| gateway.replicas | int | `2` | Number of Higress Gateway pods |
+| gateway.resources.limits.cpu | string | `"2000m"` |  |
+| gateway.resources.limits.memory | string | `"2048Mi"` |  |
+| gateway.resources.requests.cpu | string | `"2000m"` |  |
+| gateway.resources.requests.memory | string | `"2048Mi"` |  |
+| gateway.revision | string | `""` | revision declares which revision this gateway is a part of |
+| gateway.rollingMaxSurge | string | `"100%"` |  |
+| gateway.rollingMaxUnavailable | string | `"25%"` | If global.local is true, the default value is 100%, otherwise it is 25% |
+| gateway.securityContext | string | `nil` | Define the security context for the pod. If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. |
+| gateway.service.annotations | object | `{}` |  |
+| gateway.service.externalTrafficPolicy | string | `""` |  |
+| gateway.service.loadBalancerClass | string | `""` |  |
+| gateway.service.loadBalancerIP | string | `""` |  |
+| gateway.service.loadBalancerSourceRanges | list | `[]` |  |
+| gateway.service.ports[0].name | string | `"http2"` |  |
+| gateway.service.ports[0].port | int | `80` |  |
+| gateway.service.ports[0].protocol | string | `"TCP"` |  |
+| gateway.service.ports[0].targetPort | int | `80` |  |
+| gateway.service.ports[1].name | string | `"https"` |  |
+| gateway.service.ports[1].port | int | `443` |  |
+| gateway.service.ports[1].protocol | string | `"TCP"` |  |
+| gateway.service.ports[1].targetPort | int | `443` |  |
+| gateway.service.type | string | `"LoadBalancer"` | Type of service. Set to "None" to disable the service entirely |
+| gateway.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| gateway.serviceAccount.create | bool | `true` | If set, a service account will be created. Otherwise, the default is used |
+| gateway.serviceAccount.name | string | `""` | The name of the service account to use. If not set, the release name is used |
+| gateway.tag | string | `""` |  |
+| gateway.tolerations | list | `[]` |  |
+| gateway.unprivilegedPortSupported | string | `nil` |  |
+| global.autoscalingv2API | bool | `true` | whether to use autoscaling/v2 template for HPA settings for internal usage only, not to be configured by users. |
+| global.caAddress | string | `""` | The customized CA address to retrieve certificates for the pods in the cluster. CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. If not set explicitly, default to the Istio discovery address. |
+| global.caName | string | `""` | The name of the CA for workload certificates. For example, when caName=GkeWorkloadCertificate, GKE workload certificates will be used as the certificates for workloads. The default value is "" and when caName="", the CA will be configured by other mechanisms (e.g., environmental variable CA_PROVIDER). |
+| global.configCluster | bool | `false` | Configure a remote cluster as the config cluster for an external istiod. |
+| global.defaultPodDisruptionBudget | object | `{"enabled":false}` | enable pod disruption budget for the control plane, which is used to ensure Istio control plane components are gradually upgraded or recovered. |
+| global.defaultResources | object | `{"requests":{"cpu":"10m"}}` | A minimal set of requested resources to applied to all deployments so that Horizontal Pod Autoscaler will be able to function (if set). Each component can overwrite these default values by adding its own resources block in the relevant section below and setting the desired resources values. |
+| global.defaultUpstreamConcurrencyThreshold | int | `10000` |  |
+| global.disableAlpnH2 | bool | `false` | Whether to disable HTTP/2 in ALPN |
+| global.enableGatewayAPI | bool | `false` | If true, Higress Controller will monitor Gateway API resources as well |
+| global.enableH3 | bool | `false` |  |
+| global.enableIPv6 | bool | `false` |  |
+| global.enableIstioAPI | bool | `true` | If true, Higress Controller will monitor istio resources as well |
+| global.enableLDSCache | bool | `false` |  |
+| global.enableProxyProtocol | bool | `false` |  |
+| global.enablePushAllMCPClusters | bool | `true` |  |
+| global.enableSRDS | bool | `true` |  |
+| global.enableStatus | bool | `true` | If true, Higress Controller will update the status field of Ingress resources. When migrating from Nginx Ingress, in order to avoid status field of Ingress objects being overwritten, this parameter needs to be set to false, so Higress won't write the entry IP to the status field of the corresponding Ingress object. |
+| global.externalIstiod | bool | `false` | Configure a remote cluster data plane controlled by an external istiod. When set to true, istiod is not deployed locally and only a subset of the other discovery charts are enabled. |
+| global.hostRDSMergeSubset | bool | `false` |  |
+| global.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | Default hub for Istio images. Releases are published to docker hub under 'istio' project. Dev builds from prow are on gcr.io |
+| global.imagePullPolicy | string | `""` | Specify image pull policy if default behavior isn't desired. Default behavior: latest images will be Always else IfNotPresent. |
+| global.imagePullSecrets | list | `[]` | ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. Must be set for any cluster configured with private docker registry. |
+| global.ingressClass | string | `"higress"` | IngressClass filters which ingress resources the higress controller watches. The default ingress class is higress. There are some special cases for special ingress class. 1. When the ingress class is set as nginx, the higress controller will watch ingress resources with the nginx ingress class or without any ingress class. 2. When the ingress class is set empty, the higress controller will watch all ingress resources in the k8s cluster. |
+| global.istioNamespace | string | `"istio-system"` | Used to locate istiod. |
+| global.istiod | object | `{"enableAnalysis":false}` | Enabled by default in master for maximising testing. |
+| global.jwtPolicy | string | `"third-party-jwt"` | Configure the policy for validating JWT. Currently, two options are supported: "third-party-jwt" and "first-party-jwt". |
+| global.kind | bool | `false` |  |
+| global.liteMetrics | bool | `false` |  |
+| global.local | bool | `false` | When deploying to a local cluster (e.g.: kind cluster), set this to true. |
+| global.logAsJson | bool | `false` |  |
+| global.logging | object | `{"level":"default:info"}` | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level> The control plane has different scopes depending on component, but can configure default log level across all components If empty, default scope and level will be used as configured in code |
+| global.meshID | string | `""` | If the mesh admin does not specify a value, Istio will use the value of the mesh's Trust Domain. The best practice is to select a proper Trust Domain value. |
+| global.meshNetworks | object | `{}` |  |
+| global.mountMtlsCerts | bool | `false` | Use the user-specified, secret volume mounted key and certs for Pilot and workloads. |
+| global.multiCluster.clusterName | string | `""` | Should be set to the name of the cluster this installation will run in. This is required for sidecar injection to properly label proxies |
+| global.multiCluster.enabled | bool | `true` | Set to true to connect two kubernetes clusters via their respective ingressgateway services when pods in each cluster cannot directly talk to one another. All clusters should be using Istio mTLS and must have a shared root CA for this model to work. |
+| global.network | string | `""` | Network defines the network this cluster belong to. This name corresponds to the networks in the map of mesh networks. |
+| global.o11y | object | `{"enabled":false,"promtail":{"image":{"repository":"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/promtail","tag":"2.9.4"},"port":3101,"resources":{"limits":{"cpu":"500m","memory":"2Gi"}},"securityContext":{}}}` | Observability (o11y) configurations |
+| global.omitSidecarInjectorConfigMap | bool | `false` |  |
+| global.onDemandRDS | bool | `false` |  |
+| global.oneNamespace | bool | `false` | Whether to restrict the applications namespace the controller manages; If not set, controller watches all namespaces |
+| global.onlyPushRouteCluster | bool | `true` |  |
+| global.operatorManageWebhooks | bool | `false` | Configure whether Operator manages webhook configurations. The current behavior of Istiod is to manage its own webhook configurations. When this option is set as true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations. |
+| global.pilotCertProvider | string | `"istiod"` | Configure the certificate provider for control plane communication. Currently, two providers are supported: "kubernetes" and "istiod". As some platforms may not have kubernetes signing APIs, Istiod is the default |
+| global.priorityClassName | string | `""` | Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and system-node-critical, it is better to configure this in order to make sure your Istio pods will not be killed because of low priority class. Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass for more detail. |
+| global.proxy.autoInject | string | `"enabled"` | This controls the 'policy' in the sidecar injector. |
+| global.proxy.clusterDomain | string | `"cluster.local"` | CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value cluster domain. Default value is "cluster.local". |
+| global.proxy.componentLogLevel | string | `"misc:error"` | Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global "logLevel" will be used. |
+| global.proxy.enableCoreDump | bool | `false` | If set, newly injected sidecars will have core dumps enabled. |
+| global.proxy.excludeIPRanges | string | `""` |  |
+| global.proxy.excludeInboundPorts | string | `""` |  |
+| global.proxy.excludeOutboundPorts | string | `""` |  |
+| global.proxy.holdApplicationUntilProxyStarts | bool | `false` | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready |
+| global.proxy.image | string | `"proxyv2"` |  |
+| global.proxy.includeIPRanges | string | `"*"` | istio egress capture allowlist https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" would only capture egress traffic on those two IP Ranges, all other outbound traffic would be allowed by the sidecar |
+| global.proxy.includeInboundPorts | string | `"*"` |  |
+| global.proxy.includeOutboundPorts | string | `""` |  |
+| global.proxy.logLevel | string | `"warning"` | Log level for proxy, applies to gateways and sidecars. Expected values are: trace|debug|info|warning|error|critical|off |
+| global.proxy.privileged | bool | `false` | If set to true, istio-proxy container will have privileged securityContext |
+| global.proxy.readinessFailureThreshold | int | `30` | The number of successive failed probes before indicating readiness failure. |
+| global.proxy.readinessInitialDelaySeconds | int | `1` | The initial delay for readiness probes in seconds. |
+| global.proxy.readinessPeriodSeconds | int | `2` | The period between readiness probes. |
+| global.proxy.readinessSuccessThreshold | int | `30` | The number of successive successed probes before indicating readiness success. |
+| global.proxy.readinessTimeoutSeconds | int | `3` | The readiness timeout seconds |
+| global.proxy.resources | object | `{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resources for the sidecar. |
+| global.proxy.statusPort | int | `15020` | Default port for Pilot agent health checks. A value of 0 will disable health checking. |
+| global.proxy.tracer | string | `""` | Specify which tracer to use. One of: lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. |
+| global.proxy_init.image | string | `"proxyv2"` | Base name for the proxy_init container, used to configure iptables. |
+| global.proxy_init.resources.limits.cpu | string | `"2000m"` |  |
+| global.proxy_init.resources.limits.memory | string | `"1024Mi"` |  |
+| global.proxy_init.resources.requests.cpu | string | `"10m"` |  |
+| global.proxy_init.resources.requests.memory | string | `"10Mi"` |  |
+| global.remotePilotAddress | string | `""` | configure remote pilot and istiod service and endpoint |
+| global.sds.token | object | `{"aud":"istio-ca"}` | The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the JWT is intended for the CA. |
+| global.sts.servicePort | int | `0` | The service port used by Security Token Service (STS) server to handle token exchange requests. Setting this port to a non-zero value enables STS server. |
+| global.tracer | object | `{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":""},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200}}` | Configuration for each of the supported tracers |
+| global.tracer.datadog | object | `{"address":"$(HOST_IP):8126"}` | Configuration for envoy to send trace data to LightStep. Disabled by default. address: the <host>:<port> of the satellite pool accessToken: required for sending data to the pool  |
+| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | Host:Port for submitting traces to the Datadog agent. |
+| global.tracer.lightstep.accessToken | string | `""` | example: abcdefg1234567 |
+| global.tracer.lightstep.address | string | `""` | example: lightstep-satellite:443 |
+| global.tracer.stackdriver.debug | bool | `false` | enables trace output to stdout. |
+| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | The global default max number of annotation events per span. |
+| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | The global default max number of attributes per span. |
+| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | The global default max number of message events per span. |
+| global.useMCP | bool | `false` | Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. |
+| global.watchNamespace | string | `""` | If not empty, Higress Controller will only watch resources in the specified namespace. When isolating different business systems using K8s namespace, if each namespace requires a standalone gateway instance, this parameter can be used to confine the Ingress watching of Higress within the given namespace. |
+| global.xdsMaxRecvMsgSize | string | `"104857600"` |  |
+| hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| meshConfig | object | `{"enablePrometheusMerge":true,"rootNamespace":null,"trustDomain":"cluster.local"}` | meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options |
+| meshConfig.rootNamespace | string | `nil` | The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. |
+| meshConfig.trustDomain | string | `"cluster.local"` | The trust domain corresponds to the trust root of a system Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain |
+| pilot.autoscaleEnabled | bool | `false` |  |
+| pilot.autoscaleMax | int | `5` |  |
+| pilot.autoscaleMin | int | `1` |  |
+| pilot.configMap | bool | `true` | Install the mesh config map, generated from values.yaml. If false, pilot wil use default values (by default) or user-supplied values. |
+| pilot.configSource | object | `{"subscribedResources":[]}` | This is used to set the source of configuration for the associated address in configSource, if nothing is specified the default MCP is assumed. |
+| pilot.cpu.targetAverageUtilization | int | `80` |  |
+| pilot.deploymentLabels | object | `{}` | Additional labels to apply to the deployment. |
+| pilot.enableProtocolSniffingForInbound | bool | `true` | if protocol sniffing is enabled for inbound |
+| pilot.enableProtocolSniffingForOutbound | bool | `true` | if protocol sniffing is enabled for outbound |
+| pilot.env.PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY | string | `"false"` |  |
+| pilot.env.PILOT_ENABLE_METADATA_EXCHANGE | string | `"false"` |  |
+| pilot.env.PILOT_SCOPE_GATEWAY_TO_NAMESPACE | string | `"false"` |  |
+| pilot.env.VALIDATION_ENABLED | string | `"false"` |  |
+| pilot.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| pilot.image | string | `"pilot"` | Can be a full hub/image:tag |
+| pilot.jwksResolverExtraRootCA | string | `""` | You can use jwksResolverExtraRootCA to provide a root certificate in PEM format. This will then be trusted by pilot when resolving JWKS URIs. |
+| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | The following is used to limit how long a sidecar can be connected to a pilot. It balances out load across pilot instances at the cost of increasing system churn. |
+| pilot.nodeSelector | object | `{}` |  |
+| pilot.plugins | list | `[]` |  |
+| pilot.podAnnotations | object | `{}` |  |
+| pilot.podLabels | object | `{}` | Additional labels to apply on the pod level for monitoring and logging configuration. |
+| pilot.replicaCount | int | `1` |  |
+| pilot.resources | object | `{"requests":{"cpu":"500m","memory":"2048Mi"}}` | Resources for a small pilot install |
+| pilot.rollingMaxSurge | string | `"100%"` |  |
+| pilot.rollingMaxUnavailable | string | `"25%"` |  |
+| pilot.serviceAnnotations | object | `{}` |  |
+| pilot.tag | string | `""` |  |
+| pilot.traceSampling | float | `1` |  |
+| revision | string | `""` |  |
+| tracing.enable | bool | `false` |  |
+| tracing.sampling | int | `100` |  |
+| tracing.skywalking.port | int | `11800` |  |
+| tracing.skywalking.service | string | `""` |  |
+| tracing.timeout | int | `500` |  |
+| upstream | object | `{"connectionBufferLimits":10485760,"idleTimeout":10}` | Upstream config settings |
--- a/helm/higress/README.md.gotmpl
+++ b/helm/higress/README.md.gotmpl
@@ -0,0 +1,34 @@
+## Higress for Kubernetes
+
+Higress is a cloud-native api gateway based on Alibaba's internal gateway practices.
+
+Powered by Istio and Envoy, Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
+
+## Setup Repo Info
+
+```console
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+```
+
+## Install
+
+To install the chart with the release name `higress`:
+
+```console
+helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
+```
+
+## Uninstall
+
+To uninstall/delete the higress deployment:
+
+```console
+helm delete higress -n higress-system
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+{{ template "chart.valuesSection" . }}
--- a/helm/higress/README.zh.md
+++ b/helm/higress/README.zh.md
@@ -0,0 +1,188 @@
+## Higress for Kubernetes
+
+Higress 是基于阿里巴巴内部网关实践构建的云原生 API 网关。
+
+依托 Istio 和 Envoy，Higress 实现了流量网关、微服务网关和安全网关三重架构的融合，从而大幅降低了部署、运维成本。
+
+## 设置仓库信息
+
+```console
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+```
+
+## 安装
+
+以 `higress` 为发布名称安装 chart：
+
+```console
+helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
+```
+
+## 卸载
+
+要卸载/删除 higress 部署：
+
+```console
+helm delete higress -n higress-system
+```
+
+该命令会移除与 chart 相关的所有 Kubernetes 组件，并删除发布。
+
+## 参数
+
+## 值
+
+| 键 | 类型 | 默认值 | 描述 |
+|-----|------|---------|-------------|
+| clusterName | 字符串 | `""` |  |
+| controller.affinity | 对象 | `{}` |  |
+| controller.automaticHttps.email | 字符串 | `""` |  |
+| controller.automaticHttps.enabled | 布尔值 | `true` |  |
+| controller.autoscaling.enabled | 布尔值 | `false` |  |
+| controller.autoscaling.maxReplicas | 整数 | `5` |  |
+| controller.autoscaling.minReplicas | 整数 | `1` |  |
+| controller.autoscaling.targetCPUUtilizationPercentage | 整数 | `80` |  |
+| controller.env | 对象 | `{}` |  |
+| controller.hub | 字符串 | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| controller.image | 字符串 | `"higress"` |  |
+| controller.imagePullSecrets | 列表 | `[]` |  |
+| controller.labels | 对象 | `{}` |  |
+| controller.name | 字符串 | `"higress-controller"` |  |
+| controller.nodeSelector | 对象 | `{}` |  |
+| controller.podAnnotations | 对象 | `{}` |  |
+| controller.podSecurityContext | 对象 | `{}` |  |
+| controller.ports[0].name | 字符串 | `"http"` |  |
+| controller.ports[0].port | 整数 | `8888` |  |
+| controller.ports[0].protocol | 字符串 | `"TCP"` |  |
+| controller.ports[0].targetPort | 整数 | `8888` |  |
+| controller.ports[1].name | 字符串 | `"http-solver"` |  |
+| controller.ports[1].port | 整数 | `8889` |  |
+| controller.ports[1].protocol | 字符串 | `"TCP"` |  |
+| controller.ports[1].targetPort | 整数 | `8889` |  |
+| controller.ports[2].name | 字符串 | `"grpc"` |  |
+| controller.ports[2].port | 整数 | `15051` |  |
+| controller.ports[2].protocol | 字符串 | `"TCP"` |  |
+| controller.ports[2].targetPort | 整数 | `15051` |  |
+| controller.probe.httpGet.path | 字符串 | `"/ready"` |  |
+| controller.probe.httpGet.port | 整数 | `8888` |  |
+| controller.probe.initialDelaySeconds | 整数 | `1` |  |
+| controller.probe.periodSeconds | 整数 | `3` |  |
+| controller.probe.timeoutSeconds | 整数 | `5` |  |
+| controller.rbac.create | 布尔值 | `true` |  |
+| controller.replicas | 整数 | `1` | Higress Controller 的 Pod 数量 |
+| controller.resources.limits.cpu | 字符串 | `"1000m"` |  |
+| controller.resources.limits.memory | 字符串 | `"2048Mi"` |  |
+| controller.resources.requests.cpu | 字符串 | `"500m"` |  |
+| controller.resources.requests.memory | 字符串 | `"2048Mi"` |  |
+| controller.securityContext | 对象 | `{}` |  |
+| controller.service.type | 字符串 | `"ClusterIP"` |  |
+| controller.serviceAccount.annotations | 对象 | `{}` | 添加到服务账户的注解 |
+| controller.serviceAccount.create | 布尔值 | `true` | 指定是否创建服务账户 |
+| controller.serviceAccount.name | 字符串 | `""` | 如果未设置且 create 为 true，则使用 fullname 模板生成名称 |
+| controller.tag | 字符串 | `""` |  |
+| controller.tolerations | 列表 | `[]` |  |
+| downstream | 对象 | `{"connectionBufferLimits":32768,"http2":{"initialConnectionWindowSize":1048576,"initialStreamWindowSize":65535,"maxConcurrentStreams":100},"idleTimeout":180,"maxRequestHeadersKb":60,"routeTimeout":0}` | 下游配置设置 |
+| gateway.affinity | 对象 | `{}` |  |
+| gateway.annotations | 对象 | `{}` | 应用到所有资源的注解 |
+| gateway.autoscaling.enabled | 布尔值 | `false` |  |
+| gateway.autoscaling.maxReplicas | 整数 | `5` |  |
+| gateway.autoscaling.minReplicas | 整数 | `1` |  |
+| gateway.autoscaling.targetCPUUtilizationPercentage | 整数 | `80` |  |
+| gateway.containerSecurityContext | 字符串 | `nil` |  |
+| gateway.env | 对象 | `{}` | Pod 环境变量 |
+| gateway.hostNetwork | 布尔值 | `false` |  |
+| gateway.httpPort | 整数 | `80` |  |
+| gateway.httpsPort | 整数 | `443` |  |
+| gateway.hub | 字符串 | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| gateway.image | 字符串 | `"gateway"` |  |
+| gateway.kind | 字符串 | `"Deployment"` | 使用 `DaemonSet` 或 `Deployment` |
+| gateway.labels | 对象 | `{}` | 应用到所有资源的标签 |
+| gateway.metrics.enabled | 布尔值 | `false` | 如果为 true，则为网关创建 PodMonitor 或 VMPodScrape |
+| gateway.metrics.honorLabels | 布尔值 | `false` |  |
+| gateway.metrics.interval | 字符串 | `""` |  |
+| gateway.metrics.metricRelabelConfigs | 列表 | `[]` | 用于 operator.victoriametrics.com/v1beta1.VMPodScrape |
+| gateway.metrics.metricRelabelings | 列表 | `[]` | 用于 monitoring.coreos.com/v1.PodMonitor |
+| gateway.metrics.provider | 字符串 | `"monitoring.coreos.com"` | CustomResourceDefinition 的提供者组名，可以是 monitoring.coreos.com 或 operator.victoriametrics.com |
+| gateway.metrics.rawSpec | 对象 | `{}` | 更多原始的 podMetricsEndpoints 规范 |
+| gateway.metrics.relabelConfigs | 列表 | `[]` |  |
+| gateway.metrics.relabelings | 列表 | `[]` |  |
+| gateway.metrics.scrapeTimeout | 字符串 | `""` |  |
+| gateway.name | 字符串 | `"higress-gateway"` |  |
+| gateway.networkGateway | 字符串 | `""` | 如果指定，网关将作为给定网络的网络网关。 |
+| gateway.nodeSelector | 对象 | `{}` |  |
+| gateway.podAnnotations."prometheus.io/path" | 字符串 | `"/stats/prometheus"` |  |
+| gateway.podAnnotations."prometheus.io/port" | 字符串 | `"15020"` |  |
+| gateway.podAnnotations."prometheus.io/scrape" | 字符串 | `"true"` |  |
+| gateway.podAnnotations."sidecar.istio.io/inject" | 字符串 | `"false"` |  |
+| gateway.rbac.enabled | 布尔值 | `true` | 如果启用，将创建角色以启用从网关访问证书。当使用 http://gateway-api.org/ 时不需要。 |
+| gateway.readinessFailureThreshold | 整数 | `30` | 指示准备失败前的连续失败探测次数。 |
+| gateway.readinessInitialDelaySeconds | 整数 | `1` | 准备探测的初始延迟秒数。 |
+| gateway.readinessPeriodSeconds | 整数 | `2` | 准备探测之间的间隔。 |
+| gateway.readinessSuccessThreshold | 整数 | `1` | 指示准备成功前的连续成功探测次数。 |
+| gateway.readinessTimeoutSeconds | 整数 | `3` | 准备探测的超时秒数 |
+| gateway.replicas | 整数 | `2` | Higress Gateway 的 Pod 数量 |
+| gateway.resources.limits.cpu | 字符串 | `"2000m"` |  |
+| gateway.resources.limits.memory | 字符串 | `"2048Mi"` |  |
+| gateway.resources.requests.cpu | 字符串 | `"2000m"` |  |
+| gateway.resources.requests.memory | 字符串 | `"2048Mi"` |  |
+| gateway.revision | 字符串 | `""` | 修订声明此网关属于哪个修订 |
+| gateway.rollingMaxSurge | 字符串 | `"100%"` |  |
+| gateway.rollingMaxUnavailable | 字符串 | `"25%"` |  |
+| gateway.securityContext | 字符串 | `nil` | 定义 Pod 的安全上下文。如果未设置，将自动设置为绑定到端口 80 和 443 所需的最小权限。在 Kubernetes 1.22+ 上，这只需要 `net.ipv4.ip_unprivileged_port_start` 系统调用。 |
+| gateway.service.annotations | 对象 | `{}` |  |
+| gateway.service.externalTrafficPolicy | 字符串 | `""` |  |
+| gateway.service.loadBalancerClass | 字符串 | `""` |  |
+| gateway.service.loadBalancerIP | 字符串 | `""` |  |
+| gateway.service.loadBalancerSourceRanges | 列表 | `[]` |  |
+| gateway.service.ports[0].name | 字符串 | `"http2"` |  |
+| gateway.service.ports[0].port | 整数 | `80` |  |
+| gateway.service.ports[0].protocol | 字符串 | `"TCP"` |  |
+| gateway.service.ports[0].targetPort | 整数 | `80` |  |
+| gateway.service.ports[1].name | 字符串 | `"https"` |  |
+| gateway.service.ports[1].port | 整数 | `443` |  |
+| gateway.service.ports[1].protocol | 字符串 | `"TCP"` |  |
+| gateway.service.ports[1].targetPort | 整数 | `443` |  |
+| gateway.service.type | 字符串 | `"LoadBalancer"` | 服务类型。设置为 "None" 以完全禁用服务 |
+| gateway.serviceAccount.annotations | 对象 | `{}` | 添加到服务账户的注解 |
+| gateway.serviceAccount.create | 布尔值 | `true` | 如果设置，将创建服务账户。否则，使用默认值 |
+| gateway.serviceAccount.name | 字符串 | `""` | 要使用的服务账户名称。如果未设置，则使用发布名称 |
+| gateway.tag | 字符串 | `""` |  |
+| gateway.tolerations | 列表 | `[]` |  |
+| gateway.unprivilegedPortSupported | 字符串 | `nil` |  |
+| global.autoscalingv2API | 布尔值 | `true` | 是否使用 autoscaling/v2 模板进行 HPA 设置，仅供内部使用，用户不应配置。 |
+| global.caAddress | 字符串 | `""` | 自定义的 CA 地址，用于为集群中的 Pod 检索证书。CSR 客户端（如 Istio Agent 和 ingress gateways）可以使用此地址指定 CA 端点。如果未明确设置，则默认为 Istio 发现地址。 |
+| global.caName | 字符串 | `""` | 工作负载证书的 CA 名称。例如，当 caName=GkeWorkloadCertificate 时，GKE 工作负载证书将用作工作负载的证书。默认值为 ""，当 caName="" 时，CA 将通过其他机制（如环境变量 CA_PROVIDER）配置。 |
+| global.configCluster | 布尔值 | `false` | 将远程集群配置为外部 istiod 的配置集群。 |
+| global.defaultPodDisruptionBudget | 对象 | `{"enabled":false}` | 为控制平面启用 Pod 中断预算，用于确保 Istio 控制平面组件逐步升级或恢复。 |
+| global.defaultResources | 对象 | `{"requests":{"cpu":"10m"}}` | 应用于所有部署的最小请求资源集，以便 Horizontal Pod Autoscaler 能够正常工作（如果设置）。每个组件可以通过在相关部分添加自己的资源块并设置所需的资源值来覆盖这些默认值。 |
+| global.defaultUpstreamConcurrencyThreshold | 整数 | `10000` |  |
+| global.disableAlpnH2 | 布尔值 | `false` | 是否在 ALPN 中禁用 HTTP/2 |
+| global.enableGatewayAPI | 布尔值 | `false` | 如果为 true，Higress Controller 还将监控 Gateway API 资源 |
+| global.enableH3 | 布尔值 | `false` |  |
+| global.enableIPv6 | 布尔值 | `false` |  |
+| global.enableIstioAPI | 布尔值 | `true` | 如果为 true，Higress Controller 还将监控 istio 资源 |
+| global.enableLDSCache | 布尔值 | `true` |  |
+| global.enableProxyProtocol | 布尔值 | `false` |  |
+| global.enablePushAllMCPClusters | 布尔值 | `true` |  |
+| global.enableSRDS | 布尔值 | `true` |  |
+| global.enableStatus | 布尔值 | `true` | 如果为 true，Higress Controller 将更新 Ingress 资源的状态字段。从 Nginx Ingress 迁移时，为了避免 Ingress 对象的状态字段被覆盖，需要将此参数设置为 false，以便 Higress 不会将入口 IP 写入相应 Ingress 对象的状态字段。 |
+| global.externalIstiod | 布尔值 | `false` | 配置由外部 istiod 控制的远程集群数据平面。当设置为 true 时，本地不部署 istiod，仅启用其他发现 chart 的子集。 |
+| global.hostRDSMergeSubset | 布尔值 | `false` |  |
+| global.hub | 字符串 | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | Istio 镜像的默认仓库。发布版本发布到 docker hub 的 'istio' 项目下。来自 prow 的开发构建位于 gcr.io |
+| global.imagePullPolicy | 字符串 | `""` | 如果不需要默认行为，则指定镜像拉取策略。默认行为：最新镜像将始终拉取，否则 IfNotPresent。 |
+| global.imagePullSecrets | 列表 | `[]` | 所有 ServiceAccount 的 ImagePullSecrets，用于引用此 ServiceAccount 的 Pod 拉取任何镜像的同一命名空间中的秘密列表。对于不使用 ServiceAccount 的组件（即 grafana、servicegraph、tracing），ImagePullSecrets 将添加到相应的 Deployment(StatefulSet) 对象中。对于配置了私有 docker 注册表的任何集群，必须设置。 |
+| global.ingressClass | 字符串 | `"higress"` | IngressClass 过滤 higress controller 监听的 ingress 资源。默认的 ingress class 是 higress。有一些特殊情况用于特殊的 ingress class。1. 当 ingress class 设置为 nginx 时，higress controller 将监听带有 nginx ingress class 或没有任何 ingress class 的 ingress 资源。2. 当 ingress class 设置为空时，higress controller 将监听 k8s 集群中的所有 ingress 资源。 |
+| global.istioNamespace | 字符串 | `"istio-system"` | 用于定位 istiod。 |
+| global.istiod | 对象 | `{"enableAnalysis":false}` | 默认在主分支中启用以最大化测试。 |
+| global.jwtPolicy | 字符串 | `"third-party-jwt"` | 配置验证 JWT 的策略。目前支持两个选项："third-party-jwt" 和 "first-party-jwt"。 |
+| global.kind | 布尔值 | `false` |  |
+| global.liteMetrics | 布尔值 | `false` |  |
+| global.local | 布尔值 | `false` | 当部署到本地集群（如：kind 集群）时，将此设置为 true。 |
+| global.logAsJson | 布尔值 | `false` |  |
+| global.logging | 对象 | `{"level":"default:info"}` | 以逗号分隔的每个范围的最小日志级别，格式为 <scope>:<level>,<scope>:<level> 控制平面根据组件不同有不同的范围，但可以配置所有组件的默认日志级别 如果为空，将使用代码中配置的默认范围和级别 |
+| global.meshID | 字符串 | `""` | 如果网格管理员未指定值，Istio 将使用网格的信任域的值。最佳实践是选择一个合适的信任域值。 |
+| global.meshNetworks | 对象 | `{}` |  |
+| global.mountMtlsCerts | 布尔值 | `false` | 使用用户指定的、挂载的密钥和证书用于 Pilot 和工作负载。 |
+| global.multiCluster.clusterName | 字符串 | `""` | 应设置为此安装运行的集群的名称。这是为了正确标记代理的 sidecar 注入所必需的 |
+| global.multiCluster.enabled | 布尔值 | `true` | 设置为 true 以通过各自的 ingressgateway 服务连接两个 kubernetes 集群，当每个集群中的 Pod 无法直接相互通信时。
--- a/hgctl/go.mod
+++ b/hgctl/go.mod
@@ -1,9 +1,8 @@
 module github.com/alibaba/higress/hgctl

-go 1.21.0
-
-toolchain go1.22.2
+go 1.22.2

+toolchain go1.23.7

 replace github.com/spf13/viper => github.com/istio/viper v1.3.3-0.20190515210538-2789fed3109c

--- a/istio/istio
+++ b/istio/istio
--- a/istio/proxy
+++ b/istio/proxy
--- a/pkg/bootstrap/server.go
+++ b/pkg/bootstrap/server.go
@@ -41,11 +41,11 @@ import (
 	"istio.io/istio/pkg/config/schema/kind"
 	"istio.io/istio/pkg/keepalive"
 	istiokube "istio.io/istio/pkg/kube"
+	"istio.io/istio/pkg/log"
 	"istio.io/istio/pkg/security"
 	"istio.io/istio/security/pkg/server/ca/authenticate"
 	"istio.io/istio/security/pkg/server/ca/authenticate/kubeauth"
 	"istio.io/pkg/ledger"
-	"istio.io/pkg/log"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"

@@ -235,7 +235,7 @@ func (s *Server) initConfigController() error {
 		options.ClusterId = ""
 	}

-	ingressConfig := translation.NewIngressTranslation(s.kubeClient, s.xdsServer, ns, options.ClusterId)
+	ingressConfig := translation.NewIngressTranslation(s.kubeClient, s.xdsServer, ns, options)
 	ingressConfig.AddLocalCluster(options)

 	s.configStores = append(s.configStores, ingressConfig)
--- a/pkg/cert/certmgr.go
+++ b/pkg/cert/certmgr.go
@@ -173,7 +173,7 @@ func (s *CertMgr) Reconcile(ctx context.Context, oldConfig *Config, newConfig *C
 		s.cache.Start()
 		// sync domains
 		s.configMgr.SetConfig(newConfig)
-		CertLog.Infof("certMgr start to manageSync domains:+v%", newDomains)
+		CertLog.Infof("certMgr start to manageSync domains: %+v", newDomains)
 		s.manageSync(context.Background(), newDomains)
 		CertLog.Infof("certMgr manageSync domains done")
 	} else {
--- a/pkg/cert/log.go
+++ b/pkg/cert/log.go
@@ -14,6 +14,6 @@

 package cert

-import "istio.io/pkg/log"
+import "istio.io/istio/pkg/log"

-var CertLog = log.RegisterScope("cert", "Higress Cert process.", 0)
+var CertLog = log.RegisterScope("cert", "Higress Cert process.")
--- a/pkg/cmd/server.go
+++ b/pkg/cmd/server.go
@@ -25,7 +25,7 @@ import (
 	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/env"
 	"istio.io/istio/pkg/keepalive"
-	"istio.io/pkg/log"
+	"istio.io/istio/pkg/log"
 )

 var (
--- a/pkg/ingress/config/ingress_config.go
+++ b/pkg/ingress/config/ingress_config.go
@@ -151,9 +151,37 @@ type IngressConfig struct {
 	clusterId cluster.ID

 	httpsConfigMgr *cert.ConfigMgr
+
+	// templateProcessor processes template variables in config
+	templateProcessor *TemplateProcessor
+
+	// secretConfigMgr manages secret dependencies
+	secretConfigMgr *SecretConfigMgr
 }

-func NewIngressConfig(localKubeClient kube.Client, xdsUpdater istiomodel.XDSUpdater, namespace string, clusterId cluster.ID) *IngressConfig {
+// getSecretValue implements the getValue function for secret references
+func (m *IngressConfig) getSecretValue(valueType, namespace, name, key string) (string, error) {
+	if valueType != "secret" {
+		return "", fmt.Errorf("unsupported value type: %s", valueType)
+	}
+
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	for _, controller := range m.remoteIngressControllers {
+		secret, err := controller.SecretLister().Secrets(namespace).Get(name)
+		if err == nil {
+			if value, exists := secret.Data[key]; exists {
+				return string(value), nil
+			}
+			return "", fmt.Errorf("key %s not found in secret %s/%s", key, namespace, name)
+		}
+	}
+	return "", fmt.Errorf("secret %s/%s not found", namespace, name)
+}
+
+func NewIngressConfig(localKubeClient kube.Client, xdsUpdater istiomodel.XDSUpdater, namespace string, options common.Options) *IngressConfig {
+	clusterId := options.ClusterId
 	if clusterId == "Kubernetes" {
 		clusterId = ""
 	}
@@ -170,17 +198,24 @@ func NewIngressConfig(localKubeClient kube.Client, xdsUpdater istiomodel.XDSUpda
 		wasmPlugins:              make(map[string]*extensions.WasmPlugin),
 		http2rpcs:                make(map[string]*higressv1.Http2Rpc),
 	}
-	mcpbridgeController := mcpbridge.NewController(localKubeClient, clusterId)
+
+	// Initialize secret config manager
+	config.secretConfigMgr = NewSecretConfigMgr(xdsUpdater)
+
+	// Initialize template processor with value getter function
+	config.templateProcessor = NewTemplateProcessor(config.getSecretValue, namespace, config.secretConfigMgr)
+
+	mcpbridgeController := mcpbridge.NewController(localKubeClient, options)
 	mcpbridgeController.AddEventHandler(config.AddOrUpdateMcpBridge, config.DeleteMcpBridge)
 	config.mcpbridgeController = mcpbridgeController
 	config.mcpbridgeLister = mcpbridgeController.Lister()

-	wasmPluginController := wasmplugin.NewController(localKubeClient, clusterId)
+	wasmPluginController := wasmplugin.NewController(localKubeClient, options)
 	wasmPluginController.AddEventHandler(config.AddOrUpdateWasmPlugin, config.DeleteWasmPlugin)
 	config.wasmPluginController = wasmPluginController
 	config.wasmPluginLister = wasmPluginController.Lister()

-	http2rpcController := http2rpc.NewController(localKubeClient, clusterId)
+	http2rpcController := http2rpc.NewController(localKubeClient, options)
 	http2rpcController.AddEventHandler(config.AddOrUpdateHttp2Rpc, config.DeleteHttp2Rpc)
 	config.http2rpcController = http2rpcController
 	config.http2rpcLister = http2rpcController.Lister()
@@ -225,8 +260,9 @@ func (m *IngressConfig) RegisterEventHandler(kind config.GroupVersionKind, f ist
 }

 func (m *IngressConfig) AddLocalCluster(options common.Options) {
-	secretController := secret.NewController(m.localKubeClient, options.ClusterId)
+	secretController := secret.NewController(m.localKubeClient, options)
 	secretController.AddEventHandler(m.ReflectSecretChanges)
+	secretController.AddEventHandler(m.secretConfigMgr.HandleSecretChange)

 	var ingressController common.IngressController
 	v1 := common.V1Available(m.localKubeClient)
@@ -253,10 +289,24 @@ func (m *IngressConfig) List(typ config.GroupVersionKind, namespace string) []co
 	var configs = make([]config.Config, 0)

 	if configsFromIngress := m.listFromIngressControllers(typ, namespace); configsFromIngress != nil {
+		// Process templates for ingress configs
+		for i := range configsFromIngress {
+			if err := m.templateProcessor.ProcessConfig(&configsFromIngress[i]); err != nil {
+				IngressLog.Errorf("Failed to process template for config %s/%s: %v",
+					configsFromIngress[i].Namespace, configsFromIngress[i].Name, err)
+			}
+		}
 		configs = append(configs, configsFromIngress...)
 	}

 	if configsFromGateway := m.listFromGatewayControllers(typ, namespace); configsFromGateway != nil {
+		// Process templates for gateway configs
+		for i := range configsFromGateway {
+			if err := m.templateProcessor.ProcessConfig(&configsFromGateway[i]); err != nil {
+				IngressLog.Errorf("Failed to process template for config %s/%s: %v",
+					configsFromGateway[i].Namespace, configsFromGateway[i].Name, err)
+			}
+		}
 		configs = append(configs, configsFromGateway...)
 	}

@@ -303,21 +353,21 @@ func (m *IngressConfig) listFromIngressControllers(typ config.GroupVersionKind,
 	common.SortIngressByCreationTime(configs)
 	wrapperConfigs := m.createWrapperConfigs(configs)

-	IngressLog.Infof("resource type %s, configs number %d", typ, len(wrapperConfigs))
+	var result []config.Config
 	switch typ {
 	case gvk.Gateway:
-		return m.convertGateways(wrapperConfigs)
+		result = m.convertGateways(wrapperConfigs)
 	case gvk.VirtualService:
-		return m.convertVirtualService(wrapperConfigs)
+		result = m.convertVirtualService(wrapperConfigs)
 	case gvk.DestinationRule:
-		return m.convertDestinationRule(wrapperConfigs)
+		result = m.convertDestinationRule(wrapperConfigs)
 	case gvk.ServiceEntry:
-		return m.convertServiceEntry(wrapperConfigs)
+		result = m.convertServiceEntry(wrapperConfigs)
 	case gvk.WasmPlugin:
-		return m.convertWasmPlugin(wrapperConfigs)
+		result = m.convertWasmPlugin(wrapperConfigs)
 	}
-
-	return nil
+	IngressLog.Infof("resource type %s, ingress number %d, convert configs number %d", typ, len(configs), len(result))
+	return result
 }

 func (m *IngressConfig) listFromGatewayControllers(typ config.GroupVersionKind, namespace string) []config.Config {
@@ -712,7 +762,6 @@ func (m *IngressConfig) convertDestinationRule(configs []common.WrapperConfig) [

 	if m.RegistryReconciler != nil {
 		drws := m.RegistryReconciler.GetAllDestinationRuleWrapper()
-		IngressLog.Infof("Found mcp destinationRules: %v", drws)
 		for _, destinationRuleWrapper := range drws {
 			serviceName := destinationRuleWrapper.ServiceKey.ServiceFQDN
 			dr, exist := destinationRules[serviceName]
@@ -882,7 +931,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 	if result.PluginConfig != nil {
 		return result, nil
 	}
-	if !obj.DefaultConfigDisable {
+	if !isBoolValueTrue(obj.DefaultConfigDisable) {
 		result.PluginConfig = obj.DefaultConfig
 	}
 	hasValidRule := false
@@ -894,7 +943,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 		}
 		var ruleValues []*_struct.Value
 		for _, rule := range obj.MatchRules {
-			if rule.ConfigDisable {
+			if isBoolValueTrue(rule.ConfigDisable) {
 				continue
 			}
 			if rule.Config == nil {
@@ -906,6 +955,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 				StructValue: rule.Config,
 			}

+			validRule := false
 			var matchItems []*_struct.Value
 			// match ingress
 			for _, ing := range rule.Ingress {
@@ -916,6 +966,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 				})
 			}
 			if len(matchItems) > 0 {
+				validRule = true
 				v.StructValue.Fields["_match_route_"] = &_struct.Value{
 					Kind: &_struct.Value_ListValue{
 						ListValue: &_struct.ListValue{
@@ -923,12 +974,9 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 						},
 					},
 				}
-				ruleValues = append(ruleValues, &_struct.Value{
-					Kind: v,
-				})
-				continue
 			}
 			// match service
+			matchItems = nil
 			for _, service := range rule.Service {
 				matchItems = append(matchItems, &_struct.Value{
 					Kind: &_struct.Value_StringValue{
@@ -937,6 +985,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 				})
 			}
 			if len(matchItems) > 0 {
+				validRule = true
 				v.StructValue.Fields["_match_service_"] = &_struct.Value{
 					Kind: &_struct.Value_ListValue{
 						ListValue: &_struct.ListValue{
@@ -944,12 +993,9 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 						},
 					},
 				}
-				ruleValues = append(ruleValues, &_struct.Value{
-					Kind: v,
-				})
-				continue
 			}
 			// match domain
+			matchItems = nil
 			for _, domain := range rule.Domain {
 				matchItems = append(matchItems, &_struct.Value{
 					Kind: &_struct.Value_StringValue{
@@ -957,19 +1003,23 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 					},
 				})
 			}
-			if len(matchItems) == 0 {
+			if len(matchItems) > 0 {
+				validRule = true
+				v.StructValue.Fields["_match_domain_"] = &_struct.Value{
+					Kind: &_struct.Value_ListValue{
+						ListValue: &_struct.ListValue{
+							Values: matchItems,
+						},
+					},
+				}
+			}
+			if validRule {
+				ruleValues = append(ruleValues, &_struct.Value{
+					Kind: v,
+				})
+			} else {
 				return nil, fmt.Errorf("invalid match rule has no match condition, rule:%v", rule)
 			}
-			v.StructValue.Fields["_match_domain_"] = &_struct.Value{
-				Kind: &_struct.Value_ListValue{
-					ListValue: &_struct.ListValue{
-						Values: matchItems,
-					},
-				},
-			}
-			ruleValues = append(ruleValues, &_struct.Value{
-				Kind: v,
-			})
 		}
 		if len(ruleValues) > 0 {
 			hasValidRule = true
@@ -982,11 +1032,14 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 			}
 		}
 	}
-	if !hasValidRule && obj.DefaultConfigDisable {
+	if !hasValidRule && isBoolValueTrue(obj.DefaultConfigDisable) {
 		return nil, nil
 	}
 	return result, nil
+}

+func isBoolValueTrue(b *wrappers.BoolValue) bool {
+	return b != nil && b.Value
 }

 func (m *IngressConfig) AddOrUpdateWasmPlugin(clusterNamespacedName util.ClusterNamespacedName) {
--- a/pkg/ingress/config/ingress_config_test.go
+++ b/pkg/ingress/config/ingress_config_test.go
@@ -127,7 +127,14 @@ func TestConvertGatewaysForIngress(t *testing.T) {
 	}
 	ingressV1Beta1Controller := controllerv1beta1.NewController(fake, fake, v1Beta1Options, nil)
 	ingressV1Controller := controllerv1.NewController(fake, fake, v1Options, nil)
-	m := NewIngressConfig(fake, nil, "wakanda", "gw-123-istio")
+	options := common.Options{
+		Enable:           true,
+		ClusterId:        "gw-123-istio",
+		RawClusterId:     "gw-123-istio__",
+		GatewayHttpPort:  80,
+		GatewayHttpsPort: 443,
+	}
+	m := NewIngressConfig(fake, nil, "wakanda", options)
 	m.remoteIngressControllers = map[cluster.ID]common.IngressController{
 		"ingress-v1beta1": ingressV1Beta1Controller,
 		"ingress-v1":      ingressV1Controller,
--- a/pkg/ingress/config/ingress_template.go
+++ b/pkg/ingress/config/ingress_template.go
@@ -0,0 +1,119 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"strings"
+
+	. "github.com/alibaba/higress/pkg/ingress/log"
+	"google.golang.org/protobuf/proto"
+	"istio.io/istio/pkg/config"
+)
+
+// TemplateProcessor handles template substitution in configs
+type TemplateProcessor struct {
+	// getValue is a function that retrieves values by type, namespace, name and key
+	getValue        func(valueType, namespace, name, key string) (string, error)
+	namespace       string
+	secretConfigMgr *SecretConfigMgr
+}
+
+// NewTemplateProcessor creates a new TemplateProcessor with the given value getter function
+func NewTemplateProcessor(getValue func(valueType, namespace, name, key string) (string, error), namespace string, secretConfigMgr *SecretConfigMgr) *TemplateProcessor {
+	return &TemplateProcessor{
+		getValue:        getValue,
+		namespace:       namespace,
+		secretConfigMgr: secretConfigMgr,
+	}
+}
+
+// ProcessConfig processes a config and substitutes any template variables
+func (p *TemplateProcessor) ProcessConfig(cfg *config.Config) error {
+	// Convert spec to JSON string to process substitutions
+	jsonBytes, err := json.Marshal(cfg.Spec)
+	if err != nil {
+		return fmt.Errorf("failed to marshal config spec: %v", err)
+	}
+
+	configStr := string(jsonBytes)
+	// Find all value references in format:
+	// ${type.name.key} or ${type.namespace/name.key}
+	valueRegex := regexp.MustCompile(`\$\{([^.}]+)\.(?:([^/]+)/)?([^.}]+)\.([^}]+)\}`)
+	matches := valueRegex.FindAllStringSubmatch(configStr, -1)
+	// If there are no value references, return immediately
+	if len(matches) == 0 {
+		if p.secretConfigMgr != nil {
+			if err := p.secretConfigMgr.DeleteConfig(cfg); err != nil {
+				IngressLog.Errorf("failed to delete secret dependency: %v", err)
+			}
+		}
+		return nil
+	}
+
+	foundSecretSource := false
+	IngressLog.Infof("start to apply config %s/%s with %d variables", cfg.Namespace, cfg.Name, len(matches))
+	for _, match := range matches {
+		valueType := match[1]
+		var namespace, name, key string
+		if match[2] != "" {
+			// Format: ${type.namespace/name.key}
+			namespace = match[2]
+		} else {
+			// Format: ${type.name.key} - use default namespace
+			namespace = p.namespace
+		}
+		name = match[3]
+		key = match[4]
+
+		// Get value using the provided getter function
+		value, err := p.getValue(valueType, namespace, name, key)
+		if err != nil {
+			return fmt.Errorf("failed to get %s value for %s/%s.%s: %v", valueType, namespace, name, key, err)
+		}
+
+		// Add secret dependency if this is a secret reference
+		if valueType == "secret" && p.secretConfigMgr != nil {
+			foundSecretSource = true
+			secretKey := fmt.Sprintf("%s/%s", namespace, name)
+			if err := p.secretConfigMgr.AddConfig(secretKey, cfg); err != nil {
+				IngressLog.Errorf("failed to add secret dependency: %v", err)
+			}
+		}
+		// Replace placeholder with actual value
+		configStr = strings.Replace(configStr, match[0], value, 1)
+	}
+
+	// Create a new instance of the same type as cfg.Spec
+	newSpec := proto.Clone(cfg.Spec.(proto.Message))
+	if err := json.Unmarshal([]byte(configStr), newSpec); err != nil {
+		return fmt.Errorf("failed to unmarshal substituted config: %v", err)
+	}
+	cfg.Spec = newSpec
+
+	// Delete secret dependency if no secret reference is found
+	if !foundSecretSource {
+		if p.secretConfigMgr != nil {
+			if err := p.secretConfigMgr.DeleteConfig(cfg); err != nil {
+				IngressLog.Errorf("failed to delete secret dependency: %v", err)
+			}
+		}
+	}
+
+	IngressLog.Infof("end to process config %s/%s", cfg.Namespace, cfg.Name)
+	return nil
+}
--- a/pkg/ingress/config/ingress_template_test.go
+++ b/pkg/ingress/config/ingress_template_test.go
@@ -0,0 +1,166 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/structpb"
+	extensions "istio.io/api/extensions/v1alpha1"
+	"istio.io/istio/pkg/config"
+	"istio.io/istio/pkg/config/schema/gvk"
+)
+
+func TestTemplateProcessor_ProcessConfig(t *testing.T) {
+	// Create test values map
+	values := map[string]string{
+		"secret.default/test-secret.api_key":                        "test-api-key",
+		"secret.default/test-secret.plugin_conf.timeout":            "5000",
+		"secret.default/test-secret.plugin_conf.max_retries":        "3",
+		"secret.higress-system/auth-secret.auth_config.type":        "basic",
+		"secret.higress-system/auth-secret.auth_config.credentials": "base64-encoded",
+	}
+
+	// Mock value getter function
+	getValue := func(valueType, namespace, name, key string) (string, error) {
+		fullKey := fmt.Sprintf("%s.%s/%s.%s", valueType, namespace, name, key)
+		fmt.Printf("Getting value for %s", fullKey)
+		if value, exists := values[fullKey]; exists {
+			return value, nil
+		}
+		return "", fmt.Errorf("value not found for %s", fullKey)
+	}
+
+	// Create template processor
+	processor := NewTemplateProcessor(getValue, "higress-system", nil)
+
+	tests := []struct {
+		name        string
+		wasmPlugin  *extensions.WasmPlugin
+		expected    *extensions.WasmPlugin
+		expectError bool
+	}{
+		{
+			name: "simple api key reference",
+			wasmPlugin: &extensions.WasmPlugin{
+				PluginName: "test-plugin",
+				PluginConfig: makeStructValue(t, map[string]interface{}{
+					"api_key": "${secret.default/test-secret.api_key}",
+				}),
+			},
+			expected: &extensions.WasmPlugin{
+				PluginName: "test-plugin",
+				PluginConfig: makeStructValue(t, map[string]interface{}{
+					"api_key": "test-api-key",
+				}),
+			},
+			expectError: false,
+		},
+		{
+			name: "config with multiple fields",
+			wasmPlugin: &extensions.WasmPlugin{
+				PluginName: "test-plugin",
+				PluginConfig: makeStructValue(t, map[string]interface{}{
+					"config": map[string]interface{}{
+						"timeout":     "${secret.default/test-secret.plugin_conf.timeout}",
+						"max_retries": "${secret.default/test-secret.plugin_conf.max_retries}",
+					},
+				}),
+			},
+			expected: &extensions.WasmPlugin{
+				PluginName: "test-plugin",
+				PluginConfig: makeStructValue(t, map[string]interface{}{
+					"config": map[string]interface{}{
+						"timeout":     "5000",
+						"max_retries": "3",
+					},
+				}),
+			},
+			expectError: false,
+		},
+		{
+			name: "auth config with default namespace",
+			wasmPlugin: &extensions.WasmPlugin{
+				PluginName: "test-plugin",
+				PluginConfig: makeStructValue(t, map[string]interface{}{
+					"auth": map[string]interface{}{
+						"type":        "${secret.auth-secret.auth_config.type}",
+						"credentials": "${secret.auth-secret.auth_config.credentials}",
+					},
+				}),
+			},
+			expected: &extensions.WasmPlugin{
+				PluginName: "test-plugin",
+				PluginConfig: makeStructValue(t, map[string]interface{}{
+					"auth": map[string]interface{}{
+						"type":        "basic",
+						"credentials": "base64-encoded",
+					},
+				}),
+			},
+			expectError: false,
+		},
+		{
+			name: "non-existent secret",
+			wasmPlugin: &extensions.WasmPlugin{
+				PluginName: "test-plugin",
+				PluginConfig: makeStructValue(t, map[string]interface{}{
+					"api_key": "${secret.default/non-existent.api_key}",
+				}),
+			},
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := &config.Config{
+				Meta: config.Meta{
+					GroupVersionKind: gvk.WasmPlugin,
+					Name:             "test-plugin",
+					Namespace:        "default",
+				},
+				Spec: tt.wasmPlugin,
+			}
+
+			err := processor.ProcessConfig(cfg)
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.NoError(t, err)
+			processedPlugin := cfg.Spec.(*extensions.WasmPlugin)
+
+			// Compare plugin name
+			assert.Equal(t, tt.expected.PluginName, processedPlugin.PluginName)
+
+			// Compare plugin configs
+			if tt.expected.PluginConfig != nil {
+				assert.NotNil(t, processedPlugin.PluginConfig)
+				assert.Equal(t, tt.expected.PluginConfig.AsMap(), processedPlugin.PluginConfig.AsMap())
+			}
+		})
+	}
+}
+
+// Helper function to create structpb.Struct from map
+func makeStructValue(t *testing.T, m map[string]interface{}) *structpb.Struct {
+	s, err := structpb.NewStruct(m)
+	assert.NoError(t, err, "Failed to create struct value")
+	return s
+}
--- a/pkg/ingress/config/kingress_config.go
+++ b/pkg/ingress/config/kingress_config.go
@@ -75,10 +75,11 @@ type KIngressConfig struct {
 	clusterId cluster.ID
 }

-func NewKIngressConfig(localKubeClient kube.Client, XDSUpdater istiomodel.XDSUpdater, namespace string, clusterId cluster.ID) *KIngressConfig {
+func NewKIngressConfig(localKubeClient kube.Client, XDSUpdater istiomodel.XDSUpdater, namespace string, options common.Options) *KIngressConfig {
 	if localKubeClient.KIngressInformer() == nil {
 		return nil
 	}
+	clusterId := options.ClusterId
 	if clusterId == "Kubernetes" {
 		clusterId = ""
 	}
@@ -114,7 +115,7 @@ func (m *KIngressConfig) RegisterEventHandler(kind config.GroupVersionKind, f is
 }

 func (m *KIngressConfig) AddLocalCluster(options common.Options) common.KIngressController {
-	secretController := secret.NewController(m.localKubeClient, options.ClusterId)
+	secretController := secret.NewController(m.localKubeClient, options)
 	secretController.AddEventHandler(m.ReflectSecretChanges)

 	var ingressController common.KIngressController
@@ -493,7 +494,7 @@ func (m *KIngressConfig) HasSynced() bool {
 	defer m.mutex.RUnlock()

 	for _, remoteIngressController := range m.remoteIngressControllers {
-		IngressLog.Info("In Kingress Synced.", remoteIngressController)
+		IngressLog.Info("In Kingress Synced.")
 		if !remoteIngressController.HasSynced() {
 			return false
 		}
--- a/pkg/ingress/config/kingress_config_test.go
+++ b/pkg/ingress/config/kingress_config_test.go
@@ -118,7 +118,14 @@ func TestConvertGatewaysForKIngress(t *testing.T) {
 		RawClusterId: "kingress__",
 	}
 	kingressV1Controller := kcontrollerv1.NewController(fake, fake, v1Options, nil)
-	m := NewKIngressConfig(fake, nil, "wakanda", "gw-123-istio")
+	options := common.Options{
+		Enable:           true,
+		ClusterId:        "gw-123-istio",
+		RawClusterId:     "gw-123-istio__",
+		GatewayHttpPort:  80,
+		GatewayHttpsPort: 443,
+	}
+	m := NewKIngressConfig(fake, nil, "wakanda", options)
 	m.remoteIngressControllers = map[cluster.ID]common.KIngressController{
 		"kingress": kingressV1Controller,
 	}
--- a/pkg/ingress/config/secret_config_mgr.go
+++ b/pkg/ingress/config/secret_config_mgr.go
@@ -0,0 +1,157 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	. "github.com/alibaba/higress/pkg/ingress/log"
+	istiomodel "istio.io/istio/pilot/pkg/model"
+	"istio.io/istio/pkg/config"
+	"istio.io/istio/pkg/config/schema/kind"
+	"istio.io/istio/pkg/util/sets"
+)
+
+// toConfigKey converts config.Config to istiomodel.ConfigKey
+func toConfigKey(cfg *config.Config) (istiomodel.ConfigKey, error) {
+	return istiomodel.ConfigKey{
+		Kind:      kind.MustFromGVK(cfg.GroupVersionKind),
+		Name:      cfg.Name,
+		Namespace: cfg.Namespace,
+	}, nil
+}
+
+// SecretConfigMgr maintains the mapping between secrets and configs
+type SecretConfigMgr struct {
+	mutex sync.RWMutex
+
+	// configSet tracks all configs that have been added
+	// key format: namespace/name
+	configSet sets.Set[string]
+
+	// secretToConfigs maps secret key to dependent configs
+	// key format: namespace/name
+	secretToConfigs map[string]sets.Set[istiomodel.ConfigKey]
+
+	// watchedSecrets tracks which secrets are being watched
+	watchedSecrets sets.Set[string]
+
+	// xdsUpdater is used to push config updates
+	xdsUpdater istiomodel.XDSUpdater
+}
+
+// NewSecretConfigMgr creates a new SecretConfigMgr
+func NewSecretConfigMgr(xdsUpdater istiomodel.XDSUpdater) *SecretConfigMgr {
+	return &SecretConfigMgr{
+		secretToConfigs: make(map[string]sets.Set[istiomodel.ConfigKey]),
+		watchedSecrets:  sets.New[string](),
+		configSet:       sets.New[string](),
+		xdsUpdater:      xdsUpdater,
+	}
+}
+
+// AddConfig adds a config and its secret dependencies
+func (m *SecretConfigMgr) AddConfig(secretKey string, cfg *config.Config) error {
+	configKey, _ := toConfigKey(cfg)
+
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	configId := fmt.Sprintf("%s/%s", cfg.Namespace, cfg.Name)
+	m.configSet.Insert(configId)
+
+	if configs, exists := m.secretToConfigs[secretKey]; exists {
+		configs.Insert(configKey)
+	} else {
+		m.secretToConfigs[secretKey] = sets.New(configKey)
+	}
+
+	// Add to watched secrets
+	m.watchedSecrets.Insert(secretKey)
+	return nil
+}
+
+// DeleteConfig removes a config from all secret dependencies
+func (m *SecretConfigMgr) DeleteConfig(cfg *config.Config) error {
+	configKey, _ := toConfigKey(cfg)
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	configId := fmt.Sprintf("%s/%s", cfg.Namespace, cfg.Name)
+	if !m.configSet.Contains(configId) {
+		return nil
+	}
+
+	removeKeys := make([]string, 0)
+	// Find and remove the config from all secrets
+	for secretKey, configs := range m.secretToConfigs {
+		if configs.Contains(configKey) {
+			configs.Delete(configKey)
+			// If no more configs depend on this secret, remove it
+			if configs.Len() == 0 {
+				removeKeys = append(removeKeys, secretKey)
+			}
+		}
+	}
+
+	//  Remove the secrets from the secretToConfigs map
+	for _, secretKey := range removeKeys {
+		delete(m.secretToConfigs, secretKey)
+		m.watchedSecrets.Delete(secretKey)
+	}
+	// Remove the config from the config set
+	m.configSet.Delete(configId)
+	return nil
+}
+
+// GetConfigsForSecret returns all configs that depend on the given secret
+func (m *SecretConfigMgr) GetConfigsForSecret(secretKey string) []istiomodel.ConfigKey {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	if configs, exists := m.secretToConfigs[secretKey]; exists {
+		return configs.UnsortedList()
+	}
+	return nil
+}
+
+// IsSecretWatched checks if a secret is being watched
+func (m *SecretConfigMgr) IsSecretWatched(secretKey string) bool {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+	return m.watchedSecrets.Contains(secretKey)
+}
+
+// HandleSecretChange handles secret changes and updates affected configs
+func (m *SecretConfigMgr) HandleSecretChange(name util.ClusterNamespacedName) {
+	secretKey := fmt.Sprintf("%s/%s", name.Namespace, name.Name)
+	// Check if this secret is being watched
+	if !m.IsSecretWatched(secretKey) {
+		return
+	}
+
+	// Get affected configs
+	configKeys := m.GetConfigsForSecret(secretKey)
+	if len(configKeys) == 0 {
+		return
+	}
+	IngressLog.Infof("SecretConfigMgr Secret %s changed, updating %d dependent configs and push", secretKey, len(configKeys))
+	m.xdsUpdater.ConfigUpdate(&istiomodel.PushRequest{
+		Full:   true,
+		Reason: istiomodel.NewReasonStats(istiomodel.SecretTrigger),
+	})
+}
--- a/pkg/ingress/config/secret_config_mgr_test.go
+++ b/pkg/ingress/config/secret_config_mgr_test.go
@@ -0,0 +1,155 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"k8s.io/apimachinery/pkg/types"
+	"testing"
+
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	"github.com/stretchr/testify/assert"
+	istiomodel "istio.io/istio/pilot/pkg/model"
+	"istio.io/istio/pkg/cluster"
+	"istio.io/istio/pkg/config"
+	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/schema/kind"
+)
+
+type mockXdsUpdater struct {
+	lastPushRequest *istiomodel.PushRequest
+}
+
+func (m *mockXdsUpdater) EDSUpdate(shard istiomodel.ShardKey, hostname string, namespace string, entry []*istiomodel.IstioEndpoint) {
+	//TODO implement me
+	panic("implement me")
+}
+
+func (m *mockXdsUpdater) EDSCacheUpdate(shard istiomodel.ShardKey, hostname string, namespace string, entry []*istiomodel.IstioEndpoint) {
+	//TODO implement me
+	panic("implement me")
+}
+
+func (m *mockXdsUpdater) SvcUpdate(shard istiomodel.ShardKey, hostname string, namespace string, event istiomodel.Event) {
+	//TODO implement me
+	panic("implement me")
+}
+
+func (m *mockXdsUpdater) ProxyUpdate(clusterID cluster.ID, ip string) {
+	//TODO implement me
+	panic("implement me")
+}
+
+func (m *mockXdsUpdater) RemoveShard(shardKey istiomodel.ShardKey) {
+	//TODO implement me
+	panic("implement me")
+}
+
+func (m *mockXdsUpdater) ConfigUpdate(req *istiomodel.PushRequest) {
+	m.lastPushRequest = req
+}
+
+func TestSecretConfigMgr(t *testing.T) {
+	updater := &mockXdsUpdater{}
+	mgr := NewSecretConfigMgr(updater)
+
+	// Test AddConfig
+	t.Run("AddConfig", func(t *testing.T) {
+		wasmPlugin := &config.Config{
+			Meta: config.Meta{
+				GroupVersionKind: gvk.WasmPlugin,
+				Name:             "test-plugin",
+				Namespace:        "default",
+			},
+		}
+
+		err := mgr.AddConfig("default/test-secret", wasmPlugin)
+		assert.NoError(t, err)
+		assert.True(t, mgr.IsSecretWatched("default/test-secret"))
+
+		configs := mgr.GetConfigsForSecret("default/test-secret")
+		assert.Len(t, configs, 1)
+		assert.Equal(t, kind.WasmPlugin, configs[0].Kind)
+		assert.Equal(t, "test-plugin", configs[0].Name)
+		assert.Equal(t, "default", configs[0].Namespace)
+	})
+
+	// Test DeleteConfig
+	t.Run("DeleteConfig", func(t *testing.T) {
+		wasmPlugin := &config.Config{
+			Meta: config.Meta{
+				GroupVersionKind: gvk.WasmPlugin,
+				Name:             "test-plugin",
+				Namespace:        "default",
+			},
+		}
+
+		err := mgr.DeleteConfig(wasmPlugin)
+		assert.NoError(t, err)
+		assert.False(t, mgr.IsSecretWatched("default/test-secret"))
+		assert.Empty(t, mgr.GetConfigsForSecret("default/test-secret"))
+	})
+
+	// Test HandleSecretChange
+	t.Run("HandleSecretChange", func(t *testing.T) {
+		// Add a config first
+		wasmPlugin := &config.Config{
+			Meta: config.Meta{
+				GroupVersionKind: gvk.WasmPlugin,
+				Name:             "test-plugin",
+				Namespace:        "default",
+			},
+		}
+		err := mgr.AddConfig("default/test-secret", wasmPlugin)
+		assert.NoError(t, err)
+
+		// Test secret change
+		secretName := util.ClusterNamespacedName{
+			NamespacedName: types.NamespacedName{
+				Name:      "test-secret",
+				Namespace: "default",
+			},
+		}
+
+		mgr.HandleSecretChange(secretName)
+		assert.NotNil(t, updater.lastPushRequest)
+		assert.True(t, updater.lastPushRequest.Full)
+	})
+
+	// Test full push for secret update
+	t.Run("FullPushForSecretUpdate", func(t *testing.T) {
+		// Add a secret config
+		secretConfig := &config.Config{
+			Meta: config.Meta{
+				GroupVersionKind: gvk.Secret,
+				Name:             "test-secret",
+				Namespace:        "default",
+			},
+		}
+		err := mgr.AddConfig("default/test-secret", secretConfig)
+		assert.NoError(t, err)
+
+		// Update the secret
+		secretName := util.ClusterNamespacedName{
+			NamespacedName: types.NamespacedName{
+				Name:      "test-secret",
+				Namespace: "default",
+			},
+		}
+
+		mgr.HandleSecretChange(secretName)
+		assert.NotNil(t, updater.lastPushRequest)
+		assert.True(t, updater.lastPushRequest.Full)
+	})
+}
--- a/pkg/ingress/kube/annotations/auth.go
+++ b/pkg/ingress/kube/annotations/auth.go
@@ -15,12 +15,6 @@
 package annotations

 import (
-	"errors"
-	"sort"
-	"strings"
-
-	corev1 "k8s.io/api/core/v1"
-
 	"github.com/alibaba/higress/pkg/ingress/kube/util"
 	. "github.com/alibaba/higress/pkg/ingress/log"
 )
@@ -57,101 +51,10 @@ func (a auth) Parse(annotations Annotations, config *Ingress, globalContext *Glo
 	if !needAuthConfig(annotations) {
 		return nil
 	}
-
-	authConfig := &AuthConfig{
-		AuthType: defaultAuthType,
-	}
-
-	// Check auth type
-	authType, err := annotations.ParseStringASAP(authType)
-	if err != nil {
-		IngressLog.Errorf("Parse auth type error %v within ingress %/%s", err, config.Namespace, config.Name)
-		return nil
-	}
-	if authType != defaultAuthType {
-		IngressLog.Errorf("Auth type %s within ingress %/%s is not supported yet.", authType, config.Namespace, config.Name)
-		return nil
-	}
-
-	secretName, _ := annotations.ParseStringASAP(authSecretAnn)
-	namespaced := util.SplitNamespacedName(secretName)
-	if namespaced.Name == "" {
-		IngressLog.Errorf("Auth secret name within ingress %s/%s is invalid", config.Namespace, config.Name)
-		return nil
-	}
-	if namespaced.Namespace == "" {
-		namespaced.Namespace = config.Namespace
-	}
-
-	configKey := util.ClusterNamespacedName{
-		NamespacedName: namespaced,
-		ClusterId:      config.ClusterId,
-	}
-	authConfig.AuthSecret = configKey
-
-	// Subscribe secret
-	globalContext.WatchedSecrets.Insert(configKey.String())
-
-	secretType := authFileAuthSecretType
-	if rawSecretType, err := annotations.ParseStringASAP(authSecretTypeAnn); err == nil {
-		resultAuthSecretType := authSecretType(rawSecretType)
-		if resultAuthSecretType == authFileAuthSecretType || resultAuthSecretType == authMapAuthSecretType {
-			secretType = resultAuthSecretType
-		}
-	}
-
-	authConfig.AuthRealm, _ = annotations.ParseStringASAP(authRealm)
-
-	// Process credentials.
-	secretLister, exist := globalContext.ClusterSecretLister[config.ClusterId]
-	if !exist {
-		IngressLog.Errorf("secret lister of cluster %s doesn't exist", config.ClusterId)
-		return nil
-	}
-	authSecret, err := secretLister.Secrets(namespaced.Namespace).Get(namespaced.Name)
-	if err != nil {
-		IngressLog.Errorf("Secret %s within ingress %s/%s is not found",
-			namespaced.String(), config.Namespace, config.Name)
-		return nil
-	}
-	credentials, err := convertCredentials(secretType, authSecret)
-	if err != nil {
-		IngressLog.Errorf("Parse auth secret fail, err %v", err)
-		return nil
-	}
-	authConfig.Credentials = credentials
-
-	config.Auth = authConfig
+	IngressLog.Error("The annotation nginx.ingress.kubernetes.io/auth-type is no longer supported after version 2.0.0, please use the higress wasm plugin (e.g., basic-auth) as an alternative.")
 	return nil
 }

-func convertCredentials(secretType authSecretType, secret *corev1.Secret) ([]string, error) {
-	var result []string
-	switch secretType {
-	case authFileAuthSecretType:
-		users, exist := secret.Data[authFileKey]
-		if !exist {
-			return nil, errors.New("the auth file type must has auth key in secret data")
-		}
-		userList := strings.Split(string(users), "\n")
-		for _, item := range userList {
-			if !strings.Contains(item, ":") {
-				continue
-			}
-			result = append(result, item)
-		}
-	case authMapAuthSecretType:
-		for name, password := range secret.Data {
-			result = append(result, name+":"+string(password))
-		}
-	}
-	sort.SliceStable(result, func(i, j int) bool {
-		return result[i] < result[j]
-	})
-
-	return result, nil
-}
-
 func needAuthConfig(annotations Annotations) bool {
 	return annotations.HasASAP(authType) &&
 		annotations.HasASAP(authSecretAnn)
--- a/pkg/ingress/kube/annotations/auth_test.go
+++ b/pkg/ingress/kube/annotations/auth_test.go
@@ -1,197 +0,0 @@
-// Copyright (c) 2022 Alibaba Group Holding Ltd.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package annotations
-
-import (
-	"context"
-	"reflect"
-	"testing"
-	"time"
-
-	"istio.io/istio/pkg/cluster"
-	"istio.io/istio/pkg/util/sets"
-	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes/fake"
-	listerv1 "k8s.io/client-go/listers/core/v1"
-	"k8s.io/client-go/tools/cache"
-
-	"github.com/alibaba/higress/pkg/ingress/kube/util"
-)
-
-func TestAuthParse(t *testing.T) {
-	auth := auth{}
-	inputCases := []struct {
-		input         map[string]string
-		secret        *v1.Secret
-		expect        *AuthConfig
-		watchedSecret string
-	}{
-		{
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "foo",
-				},
-				Data: map[string][]byte{
-					"auth": []byte("A:a\nB:b"),
-				},
-			},
-		},
-		{
-			input: map[string]string{
-				buildNginxAnnotationKey(authType): "digest",
-			},
-			expect: nil,
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "foo",
-				},
-				Data: map[string][]byte{
-					"auth": []byte("A:a\nB:b"),
-				},
-			},
-		},
-		{
-			input: map[string]string{
-				buildNginxAnnotationKey(authType):        defaultAuthType,
-				buildHigressAnnotationKey(authSecretAnn): "foo/bar",
-			},
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "foo",
-				},
-				Data: map[string][]byte{
-					"auth": []byte("A:a\nB:b"),
-				},
-			},
-			expect: &AuthConfig{
-				AuthType: defaultAuthType,
-				AuthSecret: util.ClusterNamespacedName{
-					NamespacedName: types.NamespacedName{
-						Namespace: "foo",
-						Name:      "bar",
-					},
-					ClusterId: "cluster",
-				},
-				Credentials: []string{"A:a", "B:b"},
-			},
-			watchedSecret: "cluster/foo/bar",
-		},
-		{
-			input: map[string]string{
-				buildNginxAnnotationKey(authType):          defaultAuthType,
-				buildHigressAnnotationKey(authSecretAnn):   "foo/bar",
-				buildNginxAnnotationKey(authSecretTypeAnn): string(authMapAuthSecretType),
-			},
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "foo",
-				},
-				Data: map[string][]byte{
-					"A": []byte("a"),
-					"B": []byte("b"),
-				},
-			},
-			expect: &AuthConfig{
-				AuthType: defaultAuthType,
-				AuthSecret: util.ClusterNamespacedName{
-					NamespacedName: types.NamespacedName{
-						Namespace: "foo",
-						Name:      "bar",
-					},
-					ClusterId: "cluster",
-				},
-				Credentials: []string{"A:a", "B:b"},
-			},
-			watchedSecret: "cluster/foo/bar",
-		},
-		{
-			input: map[string]string{
-				buildNginxAnnotationKey(authType):          defaultAuthType,
-				buildHigressAnnotationKey(authSecretAnn):   "bar",
-				buildNginxAnnotationKey(authSecretTypeAnn): string(authFileAuthSecretType),
-			},
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "default",
-				},
-				Data: map[string][]byte{
-					"auth": []byte("A:a\nB:b"),
-				},
-			},
-			expect: &AuthConfig{
-				AuthType: defaultAuthType,
-				AuthSecret: util.ClusterNamespacedName{
-					NamespacedName: types.NamespacedName{
-						Namespace: "default",
-						Name:      "bar",
-					},
-					ClusterId: "cluster",
-				},
-				Credentials: []string{"A:a", "B:b"},
-			},
-			watchedSecret: "cluster/default/bar",
-		},
-	}
-
-	for _, inputCase := range inputCases {
-		t.Run("", func(t *testing.T) {
-			config := &Ingress{
-				Meta: Meta{
-					Namespace: "default",
-					ClusterId: "cluster",
-				},
-			}
-
-			globalContext, cancel := initGlobalContext(inputCase.secret)
-			defer cancel()
-
-			_ = auth.Parse(inputCase.input, config, globalContext)
-			if !reflect.DeepEqual(inputCase.expect, config.Auth) {
-				t.Fatal("Should be equal")
-			}
-
-			if inputCase.watchedSecret != "" {
-				if !globalContext.WatchedSecrets.Contains(inputCase.watchedSecret) {
-					t.Fatalf("Should watch secret %s", inputCase.watchedSecret)
-				}
-			}
-		})
-	}
-}
-
-func initGlobalContext(secret *v1.Secret) (*GlobalContext, context.CancelFunc) {
-	ctx, cancel := context.WithCancel(context.Background())
-
-	client := fake.NewSimpleClientset(secret)
-	informerFactory := informers.NewSharedInformerFactory(client, time.Hour)
-	secretInformer := informerFactory.Core().V1().Secrets()
-	go secretInformer.Informer().Run(ctx.Done())
-	cache.WaitForCacheSync(ctx.Done(), secretInformer.Informer().HasSynced)
-
-	return &GlobalContext{
-		WatchedSecrets: sets.New[string](),
-		ClusterSecretLister: map[cluster.ID]listerv1.SecretLister{
-			"cluster": secretInformer.Lister(),
-		},
-	}, cancel
-}
--- a/pkg/ingress/kube/annotations/downstreamtls.go
+++ b/pkg/ingress/kube/annotations/downstreamtls.go
@@ -15,6 +15,7 @@
 package annotations

 import (
+	"fmt"
 	"strings"

 	networking "istio.io/api/networking/v1alpha3"
@@ -27,9 +28,11 @@ import (
 )

 const (
-	authTLSSecret      = "auth-tls-secret"
-	sslCipher          = "ssl-cipher"
-	gatewaySdsCaSuffix = "-cacert"
+	authTLSSecret           = "auth-tls-secret"
+	sslCipher               = "ssl-cipher"
+	gatewaySdsCaSuffix      = "-cacert"
+	annotationMinTLSVersion = "tls-min-protocol-version"
+	annotationMaxTLSVersion = "tls-max-protocol-version"
 )

 var (
@@ -41,6 +44,8 @@ type DownstreamTLSConfig struct {
 	CipherSuites []string
 	Mode         networking.ServerTLSSettings_TLSmode
 	CASecretName types.NamespacedName
+	MinVersion   string
+	MaxVersion   string
 }

 type downstreamTLS struct{}
@@ -82,6 +87,14 @@ func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *Global
 		downstreamTLSConfig.CipherSuites = validCipherSuite
 	}

+	if minVersion, err := annotations.ParseStringASAP(annotationMinTLSVersion); err == nil {
+		downstreamTLSConfig.MinVersion = minVersion
+	}
+
+	if maxVersion, err := annotations.ParseStringASAP(annotationMaxTLSVersion); err == nil {
+		downstreamTLSConfig.MaxVersion = maxVersion
+	}
+
 	return nil
 }

@@ -107,11 +120,44 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress
 			if len(downstreamTLSConfig.CipherSuites) != 0 {
 				server.Tls.CipherSuites = downstreamTLSConfig.CipherSuites
 			}
+
+			if downstreamTLSConfig.MinVersion != "" {
+				if version, err := convertTLSVersion(downstreamTLSConfig.MinVersion); err != nil {
+					IngressLog.Errorf("Invalid minimum TLS version: %v", err)
+				} else {
+					server.Tls.MinProtocolVersion = version
+				}
+			}
+
+			if downstreamTLSConfig.MaxVersion != "" {
+				if version, err := convertTLSVersion(downstreamTLSConfig.MaxVersion); err != nil {
+					IngressLog.Errorf("Invalid maximum TLS version: %v", err)
+				} else {
+					server.Tls.MaxProtocolVersion = version
+				}
+			}
+
 		}
 	}
 }

 func needDownstreamTLS(annotations Annotations) bool {
 	return annotations.HasASAP(sslCipher) ||
-		annotations.HasASAP(authTLSSecret)
+		annotations.HasASAP(authTLSSecret) ||
+		annotations.HasASAP(annotationMinTLSVersion) ||
+		annotations.HasASAP(annotationMaxTLSVersion)
+}
+
+func convertTLSVersion(version string) (networking.ServerTLSSettings_TLSProtocol, error) {
+	switch version {
+	case "TLSv1.0":
+		return networking.ServerTLSSettings_TLSV1_0, nil
+	case "TLSv1.1":
+		return networking.ServerTLSSettings_TLSV1_1, nil
+	case "TLSv1.2":
+		return networking.ServerTLSSettings_TLSV1_2, nil
+	case "TLSv1.3":
+		return networking.ServerTLSSettings_TLSV1_3, nil
+	}
+	return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %s. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)
 }
--- a/pkg/ingress/kube/annotations/downstreamtls_test.go
+++ b/pkg/ingress/kube/annotations/downstreamtls_test.go
@@ -26,11 +26,15 @@ var parser = downstreamTLS{}

 func TestParse(t *testing.T) {
 	testCases := []struct {
+		name   string
 		input  map[string]string
 		expect *DownstreamTLSConfig
 	}{
-		{},
 		{
+			name: "empty config",
+		},
+		{
+			name: "ssl cipher only",
 			input: map[string]string{
 				buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
 			},
@@ -40,9 +44,24 @@ func TestParse(t *testing.T) {
 			},
 		},
 		{
+			name: "with TLS version config",
 			input: map[string]string{
-				buildNginxAnnotationKey(authTLSSecret): "test",
-				buildNginxAnnotationKey(sslCipher):     "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
+				buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
+				buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
+			},
+			expect: &DownstreamTLSConfig{
+				Mode:       networking.ServerTLSSettings_SIMPLE,
+				MinVersion: "TLSv1.2",
+				MaxVersion: "TLSv1.3",
+			},
+		},
+		{
+			name: "complete config",
+			input: map[string]string{
+				buildNginxAnnotationKey(authTLSSecret):           "test",
+				buildNginxAnnotationKey(sslCipher):               "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
+				buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
+				buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
 			},
 			expect: &DownstreamTLSConfig{
 				CASecretName: types.NamespacedName{
@@ -51,34 +70,79 @@ func TestParse(t *testing.T) {
 				},
 				Mode:         networking.ServerTLSSettings_MUTUAL,
 				CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"},
-			},
-		},
-		{
-			input: map[string]string{
-				buildHigressAnnotationKey(authTLSSecret):   "test/foo",
-				DefaultAnnotationsPrefix + "/" + sslCipher: "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
-			},
-			expect: &DownstreamTLSConfig{
-				CASecretName: types.NamespacedName{
-					Namespace: "test",
-					Name:      "foo",
-				},
-				Mode:         networking.ServerTLSSettings_MUTUAL,
-				CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"},
+				MinVersion:   "TLSv1.2",
+				MaxVersion:   "TLSv1.3",
 			},
 		},
 	}

-	for _, testCase := range testCases {
-		t.Run("", func(t *testing.T) {
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
 			config := &Ingress{
 				Meta: Meta{
 					Namespace: "foo",
 				},
 			}
-			_ = parser.Parse(testCase.input, config, nil)
-			if !reflect.DeepEqual(testCase.expect, config.DownstreamTLS) {
-				t.Fatalf("Should be equal")
+			err := parser.Parse(tc.input, config, nil)
+			if err != nil {
+				t.Fatalf("Parse failed: %v", err)
+			}
+			if !reflect.DeepEqual(tc.expect, config.DownstreamTLS) {
+				t.Fatalf("Parse result mismatch:\nExpect: %+v\nGot: %+v", tc.expect, config.DownstreamTLS)
+			}
+		})
+	}
+}
+
+func TestConvertTLSVersion(t *testing.T) {
+	testCases := []struct {
+		name    string
+		version string
+		expect  networking.ServerTLSSettings_TLSProtocol
+		wantErr bool
+	}{
+		{
+			name:    "TLS 1.0",
+			version: "TLSv1.0",
+			expect:  networking.ServerTLSSettings_TLSV1_0,
+		},
+		{
+			name:    "TLS 1.1",
+			version: "TLSv1.1",
+			expect:  networking.ServerTLSSettings_TLSV1_1,
+		},
+		{
+			name:    "TLS 1.2",
+			version: "TLSv1.2",
+			expect:  networking.ServerTLSSettings_TLSV1_2,
+		},
+		{
+			name:    "TLS 1.3",
+			version: "TLSv1.3",
+			expect:  networking.ServerTLSSettings_TLSV1_3,
+		},
+		{
+			name:    "invalid version",
+			version: "invalid",
+			expect:  networking.ServerTLSSettings_TLS_AUTO,
+			wantErr: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result, err := convertTLSVersion(tc.version)
+			if tc.wantErr {
+				if err == nil {
+					t.Error("Expected error but got none")
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Unexpected error: %v", err)
+				}
+				if result != tc.expect {
+					t.Errorf("Expected %v but got %v", tc.expect, result)
+				}
 			}
 		})
 	}
@@ -86,11 +150,13 @@ func TestParse(t *testing.T) {

 func TestApplyGateway(t *testing.T) {
 	testCases := []struct {
+		name   string
 		input  *networking.Gateway
 		config *Ingress
 		expect *networking.Gateway
 	}{
 		{
+			name: "apply TLS version",
 			input: &networking.Gateway{
 				Servers: []*networking.Server{
 					{
@@ -105,7 +171,8 @@ func TestApplyGateway(t *testing.T) {
 			},
 			config: &Ingress{
 				DownstreamTLS: &DownstreamTLSConfig{
-					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+					MinVersion: "TLSv1.2",
+					MaxVersion: "TLSv1.3",
 				},
 			},
 			expect: &networking.Gateway{
@@ -115,14 +182,16 @@ func TestApplyGateway(t *testing.T) {
 							Protocol: "HTTPS",
 						},
 						Tls: &networking.ServerTLSSettings{
-							Mode:         networking.ServerTLSSettings_SIMPLE,
-							CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+							Mode:               networking.ServerTLSSettings_SIMPLE,
+							MinProtocolVersion: networking.ServerTLSSettings_TLSV1_2,
+							MaxProtocolVersion: networking.ServerTLSSettings_TLSV1_3,
 						},
 					},
 				},
 			},
 		},
 		{
+			name: "complete config",
 			input: &networking.Gateway{
 				Servers: []*networking.Server{
 					{
@@ -144,24 +213,28 @@ func TestApplyGateway(t *testing.T) {
 					},
 					Mode:         networking.ServerTLSSettings_MUTUAL,
 					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+					MinVersion:   "TLSv1.2",
+					MaxVersion:   "TLSv1.3",
 				},
 			},
 			expect: &networking.Gateway{
 				Servers: []*networking.Server{
-					{
-						Port: &networking.Port{
-							Protocol: "HTTPS",
-						},
+					{Port: &networking.Port{
+						Protocol: "HTTPS",
+					},
 						Tls: &networking.ServerTLSSettings{
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
-							Mode:           networking.ServerTLSSettings_MUTUAL,
-							CipherSuites:   []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+							CredentialName:     "kubernetes-ingress://cluster/foo/bar",
+							Mode:               networking.ServerTLSSettings_MUTUAL,
+							CipherSuites:       []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+							MinProtocolVersion: networking.ServerTLSSettings_TLSV1_2,
+							MaxProtocolVersion: networking.ServerTLSSettings_TLSV1_3,
 						},
 					},
 				},
 			},
 		},
 		{
+			name: "invalid TLS version",
 			input: &networking.Gateway{
 				Servers: []*networking.Server{
 					{
@@ -169,20 +242,15 @@ func TestApplyGateway(t *testing.T) {
 							Protocol: "HTTPS",
 						},
 						Tls: &networking.ServerTLSSettings{
-							Mode:           networking.ServerTLSSettings_SIMPLE,
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
+							Mode: networking.ServerTLSSettings_SIMPLE,
 						},
 					},
 				},
 			},
 			config: &Ingress{
 				DownstreamTLS: &DownstreamTLSConfig{
-					CASecretName: types.NamespacedName{
-						Namespace: "foo",
-						Name:      "bar-cacert",
-					},
-					Mode:         networking.ServerTLSSettings_MUTUAL,
-					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+					MinVersion: "invalid",
+					MaxVersion: "invalid",
 				},
 			},
 			expect: &networking.Gateway{
@@ -192,48 +260,10 @@ func TestApplyGateway(t *testing.T) {
 							Protocol: "HTTPS",
 						},
 						Tls: &networking.ServerTLSSettings{
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
-							Mode:           networking.ServerTLSSettings_MUTUAL,
-							CipherSuites:   []string{"ECDHE-RSA-AES256-GCM-SHA384"},
-						},
-					},
-				},
-			},
-		},
-		{
-			input: &networking.Gateway{
-				Servers: []*networking.Server{
-					{
-						Port: &networking.Port{
-							Protocol: "HTTPS",
-						},
-						Tls: &networking.ServerTLSSettings{
-							Mode:           networking.ServerTLSSettings_SIMPLE,
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
-						},
-					},
-				},
-			},
-			config: &Ingress{
-				DownstreamTLS: &DownstreamTLSConfig{
-					CASecretName: types.NamespacedName{
-						Namespace: "bar",
-						Name:      "foo",
-					},
-					Mode:         networking.ServerTLSSettings_MUTUAL,
-					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
-				},
-			},
-			expect: &networking.Gateway{
-				Servers: []*networking.Server{
-					{
-						Port: &networking.Port{
-							Protocol: "HTTPS",
-						},
-						Tls: &networking.ServerTLSSettings{
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
-							Mode:           networking.ServerTLSSettings_SIMPLE,
-							CipherSuites:   []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+							Mode: networking.ServerTLSSettings_SIMPLE,
+							// Invalid versions should default to TLS_AUTO
+							MinProtocolVersion: networking.ServerTLSSettings_TLS_AUTO,
+							MaxProtocolVersion: networking.ServerTLSSettings_TLS_AUTO,
 						},
 					},
 				},
@@ -241,11 +271,59 @@ func TestApplyGateway(t *testing.T) {
 		},
 	}

-	for _, testCase := range testCases {
-		t.Run("", func(t *testing.T) {
-			parser.ApplyGateway(testCase.input, testCase.config)
-			if !reflect.DeepEqual(testCase.input, testCase.expect) {
-				t.Fatalf("Should be equal")
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			parser.ApplyGateway(tc.input, tc.config)
+			if !reflect.DeepEqual(tc.input, tc.expect) {
+				t.Fatalf("ApplyGateway result mismatch for %s:\nExpect: %+v\nGot: %+v",
+					tc.name, tc.expect, tc.input)
+			}
+		})
+	}
+}
+
+func TestNeedDownstreamTLS(t *testing.T) {
+	testCases := []struct {
+		name        string
+		annotations map[string]string
+		expect      bool
+	}{
+		{
+			name:        "empty annotations",
+			annotations: map[string]string{},
+			expect:      false,
+		},
+		{
+			name: "with ssl cipher",
+			annotations: map[string]string{
+				buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384",
+			},
+			expect: true,
+		},
+		{
+			name: "with TLS version",
+			annotations: map[string]string{
+				buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
+			},
+			expect: true,
+		},
+		{
+			name: "with multiple TLS configs",
+			annotations: map[string]string{
+				buildNginxAnnotationKey(sslCipher):               "ECDHE-RSA-AES256-GCM-SHA384",
+				buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
+				buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
+			},
+			expect: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := needDownstreamTLS(tc.annotations)
+			if result != tc.expect {
+				t.Errorf("needDownstreamTLS() for %s = %v, want %v",
+					tc.name, result, tc.expect)
 			}
 		})
 	}
--- a/pkg/ingress/kube/configmap/config.go
+++ b/pkg/ingress/kube/configmap/config.go
@@ -40,6 +40,7 @@ type HigressConfig struct {
 	Upstream             *Upstream   `json:"upstream,omitempty"`
 	DisableXEnvoyHeaders bool        `json:"disableXEnvoyHeaders,omitempty"`
 	AddXRealIpHeader     bool        `json:"addXRealIpHeader,omitempty"`
+	McpServer            *McpServer  `json:"mcpServer,omitempty"`
 }

 func NewDefaultHigressConfig() *HigressConfig {
@@ -51,6 +52,7 @@ func NewDefaultHigressConfig() *HigressConfig {
 		Upstream:             globalOption.Upstream,
 		DisableXEnvoyHeaders: globalOption.DisableXEnvoyHeaders,
 		AddXRealIpHeader:     globalOption.AddXRealIpHeader,
+		McpServer:            NewDefaultMcpServer(),
 	}
 	return higressConfig
 }
--- a/pkg/ingress/kube/configmap/controller.go
+++ b/pkg/ingress/kube/configmap/controller.go
@@ -89,6 +89,9 @@ func NewConfigmapMgr(XDSUpdater model.XDSUpdater, namespace string, higressConfi
 	globalOptionController := NewGlobalOptionController(namespace)
 	configmapMgr.AddItemControllers(globalOptionController)

+	mcpServerController := NewMcpServerController(namespace)
+	configmapMgr.AddItemControllers(mcpServerController)
+
 	configmapMgr.initEventHandlers()

 	return configmapMgr
--- a/pkg/ingress/kube/configmap/mcp_server.go
+++ b/pkg/ingress/kube/configmap/mcp_server.go
@@ -0,0 +1,327 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package configmap
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"reflect"
+	"strings"
+	"sync/atomic"
+
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	. "github.com/alibaba/higress/pkg/ingress/log"
+	networking "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pkg/config"
+	"istio.io/istio/pkg/config/schema/gvk"
+)
+
+// RedisConfig defines the configuration for Redis connection
+type RedisConfig struct {
+	// The address of Redis server in the format of "host:port"
+	Address string `json:"address,omitempty"`
+	// The username for Redis authentication
+	Username string `json:"username,omitempty"`
+	// The password for Redis authentication
+	Password string `json:"password,omitempty"`
+	// The database index to use
+	DB int `json:"db,omitempty"`
+}
+
+// SSEServer defines the configuration for Server-Sent Events (SSE) server
+type SSEServer struct {
+	// The name of the SSE server
+	Name string `json:"name,omitempty"`
+	// The path where the SSE server will be mounted, the full path is (PATH + SsePathSuffix)
+	Path string `json:"path,omitempty"`
+	// The type of the SSE server
+	Type string `json:"type,omitempty"`
+	// Additional Config parameters for the real MCP server implementation
+	Config map[string]interface{} `json:"config,omitempty"`
+}
+
+// McpServer defines the configuration for MCP (Model Context Protocol) server
+type McpServer struct {
+	// Flag to control whether MCP server is enabled
+	Enable bool `json:"enable,omitempty"`
+	// Redis Config for MCP server
+	Redis *RedisConfig `json:"redis,omitempty"`
+	// The suffix to be appended to SSE paths, default is "/sse"
+	SsePathSuffix string `json:"sse_path_suffix,omitempty"`
+	// List of SSE servers Configs
+	Servers []*SSEServer `json:"servers,omitempty"`
+}
+
+func NewDefaultMcpServer() *McpServer {
+	return &McpServer{Enable: false}
+}
+
+const (
+	higressMcpServerEnvoyFilterName = "higress-config-mcp-server"
+)
+
+func validMcpServer(m *McpServer) error {
+	if m == nil {
+		return nil
+	}
+
+	if m.Enable && m.Redis == nil {
+		return errors.New("redis config cannot be empty when mcp server is enabled")
+	}
+
+	return nil
+}
+
+func compareMcpServer(old *McpServer, new *McpServer) (Result, error) {
+	if old == nil && new == nil {
+		return ResultNothing, nil
+	}
+
+	if new == nil {
+		return ResultDelete, nil
+	}
+
+	if !reflect.DeepEqual(old, new) {
+		return ResultReplace, nil
+	}
+
+	return ResultNothing, nil
+}
+
+func deepCopyMcpServer(mcp *McpServer) (*McpServer, error) {
+	newMcp := NewDefaultMcpServer()
+	newMcp.Enable = mcp.Enable
+
+	if mcp.Redis != nil {
+		newMcp.Redis = &RedisConfig{
+			Address:  mcp.Redis.Address,
+			Username: mcp.Redis.Username,
+			Password: mcp.Redis.Password,
+			DB:       mcp.Redis.DB,
+		}
+	}
+
+	newMcp.SsePathSuffix = mcp.SsePathSuffix
+
+	if len(mcp.Servers) > 0 {
+		newMcp.Servers = make([]*SSEServer, len(mcp.Servers))
+		for i, server := range mcp.Servers {
+			newServer := &SSEServer{
+				Name: server.Name,
+				Path: server.Path,
+				Type: server.Type,
+			}
+			if server.Config != nil {
+				newServer.Config = make(map[string]interface{})
+				for k, v := range server.Config {
+					newServer.Config[k] = v
+				}
+			}
+			newMcp.Servers[i] = newServer
+		}
+	}
+
+	return newMcp, nil
+}
+
+type McpServerController struct {
+	Namespace    string
+	mcpServer    atomic.Value
+	Name         string
+	eventHandler ItemEventHandler
+}
+
+func NewMcpServerController(namespace string) *McpServerController {
+	mcpController := &McpServerController{
+		Namespace: namespace,
+		mcpServer: atomic.Value{},
+		Name:      "mcpServer",
+	}
+	mcpController.SetMcpServer(NewDefaultMcpServer())
+	return mcpController
+}
+
+func (m *McpServerController) GetName() string {
+	return m.Name
+}
+
+func (m *McpServerController) SetMcpServer(mcp *McpServer) {
+	m.mcpServer.Store(mcp)
+}
+
+func (m *McpServerController) GetMcpServer() *McpServer {
+	value := m.mcpServer.Load()
+	if value != nil {
+		if mcp, ok := value.(*McpServer); ok {
+			return mcp
+		}
+	}
+	return nil
+}
+
+func (m *McpServerController) AddOrUpdateHigressConfig(name util.ClusterNamespacedName, old *HigressConfig, new *HigressConfig) error {
+	if err := validMcpServer(new.McpServer); err != nil {
+		IngressLog.Errorf("data:%+v convert to mcp server, error: %+v", new.McpServer, err)
+		return nil
+	}
+
+	result, _ := compareMcpServer(old.McpServer, new.McpServer)
+
+	switch result {
+	case ResultReplace:
+		if newMcp, err := deepCopyMcpServer(new.McpServer); err != nil {
+			IngressLog.Infof("mcp server deepcopy error:%v", err)
+		} else {
+			m.SetMcpServer(newMcp)
+			IngressLog.Infof("AddOrUpdate Higress config mcp server")
+			m.eventHandler(higressMcpServerEnvoyFilterName)
+			IngressLog.Infof("send event with filter name:%s", higressMcpServerEnvoyFilterName)
+		}
+	case ResultDelete:
+		m.SetMcpServer(NewDefaultMcpServer())
+		IngressLog.Infof("Delete Higress config mcp server")
+		m.eventHandler(higressMcpServerEnvoyFilterName)
+		IngressLog.Infof("send event with filter name:%s", higressMcpServerEnvoyFilterName)
+	}
+
+	return nil
+}
+
+func (m *McpServerController) ValidHigressConfig(higressConfig *HigressConfig) error {
+	if higressConfig == nil {
+		return nil
+	}
+	if higressConfig.McpServer == nil {
+		return nil
+	}
+
+	return validMcpServer(higressConfig.McpServer)
+}
+
+func (m *McpServerController) RegisterItemEventHandler(eventHandler ItemEventHandler) {
+	m.eventHandler = eventHandler
+}
+
+func (m *McpServerController) ConstructEnvoyFilters() ([]*config.Config, error) {
+	configs := make([]*config.Config, 0)
+	mcpServer := m.GetMcpServer()
+	namespace := m.Namespace
+
+	if mcpServer == nil || !mcpServer.Enable {
+		return configs, nil
+	}
+
+	mcpStruct := m.constructMcpServerStruct(mcpServer)
+	if mcpStruct == "" {
+		return configs, nil
+	}
+
+	config := &config.Config{
+		Meta: config.Meta{
+			GroupVersionKind: gvk.EnvoyFilter,
+			Name:             higressMcpServerEnvoyFilterName,
+			Namespace:        namespace,
+		},
+		Spec: &networking.EnvoyFilter{
+			ConfigPatches: []*networking.EnvoyFilter_EnvoyConfigObjectPatch{
+				{
+					ApplyTo: networking.EnvoyFilter_HTTP_FILTER,
+					Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+						Context: networking.EnvoyFilter_GATEWAY,
+						ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Listener{
+							Listener: &networking.EnvoyFilter_ListenerMatch{
+								FilterChain: &networking.EnvoyFilter_ListenerMatch_FilterChainMatch{
+									Filter: &networking.EnvoyFilter_ListenerMatch_FilterMatch{
+										Name: "envoy.filters.network.http_connection_manager",
+										SubFilter: &networking.EnvoyFilter_ListenerMatch_SubFilterMatch{
+											Name: "envoy.filters.http.cors",
+										},
+									},
+								},
+							},
+						},
+					},
+					Patch: &networking.EnvoyFilter_Patch{
+						Operation: networking.EnvoyFilter_Patch_INSERT_AFTER,
+						Value:     util.BuildPatchStruct(mcpStruct),
+					},
+				},
+			},
+		},
+	}
+
+	configs = append(configs, config)
+	return configs, nil
+}
+
+func (m *McpServerController) constructMcpServerStruct(mcp *McpServer) string {
+	// 构建 servers 配置
+	servers := "[]"
+	if len(mcp.Servers) > 0 {
+		serverConfigs := make([]string, len(mcp.Servers))
+		for i, server := range mcp.Servers {
+			serverConfig := fmt.Sprintf(`{
+				"name": "%s",
+				"path": "%s",
+				"type": "%s"`,
+				server.Name, server.Path, server.Type)
+
+			if len(server.Config) > 0 {
+				config, _ := json.Marshal(server.Config)
+				serverConfig += fmt.Sprintf(`,
+				"config": %s`, string(config))
+			}
+
+			serverConfig += "}"
+			serverConfigs[i] = serverConfig
+		}
+		servers = fmt.Sprintf("[%s]", strings.Join(serverConfigs, ","))
+	}
+
+	// 构建完整的配置结构
+	structFmt := `{
+		"name": "envoy.filters.http.golang",
+		"typed_config": {
+			"@type": "type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config",
+			"value": {
+				"library_id": "mcp-server",
+				"library_path": "/var/lib/istio/envoy/mcp-server.so",
+				"plugin_name": "mcp-server",
+				"plugin_config": {
+					"@type": "type.googleapis.com/xds.type.v3.TypedStruct",
+					"value": {
+						"redis": {
+							"address": "%s",
+							"username": "%s",
+							"password": "%s",
+							"db": %d
+						},
+						"sse_path_suffix": "%s",
+						"servers": %s
+					}
+				}
+			}
+		}
+	}`
+
+	return fmt.Sprintf(structFmt,
+		mcp.Redis.Address,
+		mcp.Redis.Username,
+		mcp.Redis.Password,
+		mcp.Redis.DB,
+		mcp.SsePathSuffix,
+		servers)
+}
--- a/pkg/ingress/kube/configmap/mcp_server_test.go
+++ b/pkg/ingress/kube/configmap/mcp_server_test.go
@@ -0,0 +1,354 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package configmap
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_validMcpServer(t *testing.T) {
+	tests := []struct {
+		name    string
+		mcp     *McpServer
+		wantErr error
+	}{
+		{
+			name: "default",
+			mcp: &McpServer{
+				Enable: false,
+			},
+			wantErr: nil,
+		},
+		{
+			name:    "nil",
+			mcp:     nil,
+			wantErr: nil,
+		},
+		{
+			name: "enabled but no redis config",
+			mcp: &McpServer{
+				Enable: true,
+				Redis:  nil,
+			},
+			wantErr: errors.New("redis config cannot be empty when mcp server is enabled"),
+		},
+		{
+			name: "valid config with redis",
+			mcp: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address:  "localhost:6379",
+					Username: "default",
+					Password: "password",
+					DB:       0,
+				},
+				SsePathSuffix: "/sse",
+				Servers: []*SSEServer{
+					{
+						Name: "test-server",
+						Path: "/test",
+						Type: "test",
+						Config: map[string]interface{}{
+							"key": "value",
+						},
+					},
+				},
+			},
+			wantErr: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validMcpServer(tt.mcp)
+			assert.Equal(t, tt.wantErr, err)
+		})
+	}
+}
+
+func Test_compareMcpServer(t *testing.T) {
+	tests := []struct {
+		name       string
+		old        *McpServer
+		new        *McpServer
+		wantResult Result
+		wantErr    error
+	}{
+		{
+			name:       "compare both nil",
+			old:        nil,
+			new:        nil,
+			wantResult: ResultNothing,
+			wantErr:    nil,
+		},
+		{
+			name: "compare result delete",
+			old: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address: "localhost:6379",
+				},
+			},
+			new:        nil,
+			wantResult: ResultDelete,
+			wantErr:    nil,
+		},
+		{
+			name: "compare result equal",
+			old: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address: "localhost:6379",
+				},
+			},
+			new: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address: "localhost:6379",
+				},
+			},
+			wantResult: ResultNothing,
+			wantErr:    nil,
+		},
+		{
+			name: "compare result replace",
+			old: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address: "localhost:6379",
+				},
+			},
+			new: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address: "redis:6379",
+				},
+			},
+			wantResult: ResultReplace,
+			wantErr:    nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := compareMcpServer(tt.old, tt.new)
+			assert.Equal(t, tt.wantResult, result)
+			assert.Equal(t, tt.wantErr, err)
+		})
+	}
+}
+
+func Test_deepCopyMcpServer(t *testing.T) {
+	tests := []struct {
+		name    string
+		mcp     *McpServer
+		wantMcp *McpServer
+		wantErr error
+	}{
+		{
+			name: "deep copy with redis only",
+			mcp: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address:  "localhost:6379",
+					Username: "default",
+					Password: "password",
+					DB:       0,
+				},
+			},
+			wantMcp: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address:  "localhost:6379",
+					Username: "default",
+					Password: "password",
+					DB:       0,
+				},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "deep copy with full config",
+			mcp: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address:  "localhost:6379",
+					Username: "default",
+					Password: "password",
+					DB:       0,
+				},
+				SsePathSuffix: "/sse",
+				Servers: []*SSEServer{
+					{
+						Name: "test-server",
+						Path: "/test",
+						Type: "test",
+						Config: map[string]interface{}{
+							"key": "value",
+						},
+					},
+				},
+			},
+			wantMcp: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address:  "localhost:6379",
+					Username: "default",
+					Password: "password",
+					DB:       0,
+				},
+				SsePathSuffix: "/sse",
+				Servers: []*SSEServer{
+					{
+						Name: "test-server",
+						Path: "/test",
+						Type: "test",
+						Config: map[string]interface{}{
+							"key": "value",
+						},
+					},
+				},
+			},
+			wantErr: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mcp, err := deepCopyMcpServer(tt.mcp)
+			assert.Equal(t, tt.wantMcp, mcp)
+			assert.Equal(t, tt.wantErr, err)
+		})
+	}
+}
+
+func TestMcpServerController_AddOrUpdateHigressConfig(t *testing.T) {
+	eventPush := "default"
+	defaultHandler := func(name string) {
+		eventPush = "push"
+	}
+
+	defaultName := util.ClusterNamespacedName{}
+
+	tests := []struct {
+		name          string
+		old           *HigressConfig
+		new           *HigressConfig
+		wantErr       error
+		wantEventPush string
+		wantMcp       *McpServer
+	}{
+		{
+			name: "default",
+			old: &HigressConfig{
+				McpServer: NewDefaultMcpServer(),
+			},
+			new: &HigressConfig{
+				McpServer: NewDefaultMcpServer(),
+			},
+			wantErr:       nil,
+			wantEventPush: "default",
+			wantMcp:       NewDefaultMcpServer(),
+		},
+		{
+			name: "replace and push - enable mcp server",
+			old: &HigressConfig{
+				McpServer: NewDefaultMcpServer(),
+			},
+			new: &HigressConfig{
+				McpServer: &McpServer{
+					Enable: true,
+					Redis: &RedisConfig{
+						Address:  "localhost:6379",
+						Username: "default",
+						Password: "password",
+						DB:       0,
+					},
+				},
+			},
+			wantErr:       nil,
+			wantEventPush: "push",
+			wantMcp: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address:  "localhost:6379",
+					Username: "default",
+					Password: "password",
+					DB:       0,
+				},
+			},
+		},
+		{
+			name: "replace and push - update config",
+			old: &HigressConfig{
+				McpServer: &McpServer{
+					Enable: true,
+					Redis: &RedisConfig{
+						Address: "localhost:6379",
+					},
+				},
+			},
+			new: &HigressConfig{
+				McpServer: &McpServer{
+					Enable: true,
+					Redis: &RedisConfig{
+						Address: "redis:6379",
+					},
+				},
+			},
+			wantErr:       nil,
+			wantEventPush: "push",
+			wantMcp: &McpServer{
+				Enable: true,
+				Redis: &RedisConfig{
+					Address: "redis:6379",
+				},
+			},
+		},
+		{
+			name: "delete and push",
+			old: &HigressConfig{
+				McpServer: &McpServer{
+					Enable: true,
+					Redis: &RedisConfig{
+						Address: "localhost:6379",
+					},
+				},
+			},
+			new: &HigressConfig{
+				McpServer: nil,
+			},
+			wantErr:       nil,
+			wantEventPush: "push",
+			wantMcp:       NewDefaultMcpServer(),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := NewMcpServerController("higress-system")
+			m.eventHandler = defaultHandler
+			eventPush = "default"
+			err := m.AddOrUpdateHigressConfig(defaultName, tt.old, tt.new)
+			assert.Equal(t, tt.wantEventPush, eventPush)
+			assert.Equal(t, tt.wantErr, err)
+			assert.Equal(t, tt.wantMcp, m.GetMcpServer())
+		})
+	}
+}
--- a/pkg/ingress/kube/http2rpc/controller.go
+++ b/pkg/ingress/kube/http2rpc/controller.go
@@ -15,21 +15,33 @@
 package http2rpc

 import (
-	"istio.io/istio/pkg/cluster"
+	"time"
+
 	"istio.io/istio/pkg/kube/controllers"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/cache"

+	v1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	"github.com/alibaba/higress/client/pkg/clientset/versioned"
+	informersv1 "github.com/alibaba/higress/client/pkg/informers/externalversions/networking/v1"
 	listersv1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
+	"github.com/alibaba/higress/pkg/ingress/kube/common"
 	"github.com/alibaba/higress/pkg/ingress/kube/controller"
 	kubeclient "github.com/alibaba/higress/pkg/kube"
 )

 type Http2RpcController controller.Controller[listersv1.Http2RpcLister]

-func NewController(client kubeclient.Client, clusterId cluster.ID) Http2RpcController {
-	informer := client.HigressInformer().Networking().V1().Http2Rpcs().Informer()
-	return controller.NewCommonController("http2rpc", client.HigressInformer().Networking().V1().Http2Rpcs().Lister(),
-		informer, GetHttp2Rpc, clusterId)
+func NewController(client kubeclient.Client, options common.Options) Http2RpcController {
+	var informer cache.SharedIndexInformer
+	if options.WatchNamespace == "" {
+		informer = client.HigressInformer().Networking().V1().Http2Rpcs().Informer()
+	} else {
+		informer = client.HigressInformer().InformerFor(&v1.Http2Rpc{}, func(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+			return informersv1.NewHttp2RpcInformer(client, options.WatchNamespace, resyncPeriod, nil)
+		})
+	}
+	return controller.NewCommonController("http2rpc", listersv1.NewHttp2RpcLister(informer.GetIndexer()), informer, GetHttp2Rpc, options.ClusterId)
 }

 func GetHttp2Rpc(lister listersv1.Http2RpcLister, namespacedName types.NamespacedName) (controllers.Object, error) {
--- a/pkg/ingress/kube/ingress/controller.go
+++ b/pkg/ingress/kube/ingress/controller.go
@@ -100,7 +100,7 @@ type controller struct {
 // NewController creates a new Kubernetes controller
 func NewController(localKubeClient, client kubeclient.Client, options common.Options,
 	secretController secret.SecretController) common.IngressController {
-	opts := ktypes.InformerOptions{}
+	opts := ktypes.InformerOptions{Namespace: options.WatchNamespace}
 	ingressInformer := util.GetInformerFiltered(client, opts, gvrIngressV1Beta1, &ingress.Ingress{},
 		func(options metav1.ListOptions) (runtime.Object, error) {
 			return client.Kube().NetworkingV1beta1().Ingresses(opts.Namespace).List(context.Background(), options)
--- a/pkg/ingress/kube/ingress/controller_test.go
+++ b/pkg/ingress/kube/ingress/controller_test.go
@@ -54,7 +54,7 @@ func TestIngressControllerApplies(t *testing.T) {

 	options := common.Options{IngressClass: "mse", ClusterId: ""}

-	secretController := secret.NewController(localKubeClient, options.ClusterId)
+	secretController := secret.NewController(localKubeClient, options)
 	ingressController := NewController(localKubeClient, client, options, secretController)

 	testcases := map[string]func(*testing.T, common.IngressController){
@@ -253,7 +253,7 @@ func TestIngressControllerConventions(t *testing.T) {

 	options := common.Options{IngressClass: "mse", ClusterId: "", EnableStatus: true}

-	secretController := secret.NewController(localKubeClient, options.ClusterId)
+	secretController := secret.NewController(localKubeClient, options)
 	ingressController := NewController(localKubeClient, client, options, secretController)

 	testcases := map[string]func(*testing.T, common.IngressController){
@@ -1142,7 +1142,7 @@ func TestIngressControllerProcessing(t *testing.T) {

 	options := common.Options{IngressClass: "mse", ClusterId: "", EnableStatus: true}

-	secretController := secret.NewController(localKubeClient, options.ClusterId)
+	secretController := secret.NewController(localKubeClient, options)

 	opts := ktypes.InformerOptions{}
 	ingressInformer := util.GetInformerFiltered(fakeClient, opts, gvrIngressV1Beta1, &ingress.Ingress{},
--- a/pkg/ingress/kube/ingress/status.go
+++ b/pkg/ingress/kube/ingress/status.go
@@ -81,8 +81,6 @@ func (s *statusSyncer) runUpdateStatus() error {
 		return err
 	}

-	IngressLog.Debugf("found number %d of svc", len(svcList))
-
 	lbStatusList := common.GetLbStatusListV1Beta1(svcList)
 	if len(lbStatusList) == 0 {
 		return nil
--- a/pkg/ingress/kube/ingressv1/controller.go
+++ b/pkg/ingress/kube/ingressv1/controller.go
@@ -92,7 +92,7 @@ type controller struct {

 // NewController creates a new Kubernetes controller
 func NewController(localKubeClient, client kubeclient.Client, options common.Options, secretController secret.SecretController) common.IngressController {
-	opts := ktypes.InformerOptions{}
+	opts := ktypes.InformerOptions{Namespace: options.WatchNamespace}
 	ingressInformer := schemakubeclient.GetInformerFilteredFromGVR(client, opts, gvr.Ingress)
 	ingressLister := networkinglister.NewIngressLister(ingressInformer.Informer.GetIndexer())
 	serviceInformer := schemakubeclient.GetInformerFilteredFromGVR(client, opts, gvr.Service)
@@ -162,6 +162,7 @@ func (c *controller) onEvent(namespacedName types.NamespacedName) error {
 			delete(c.ingresses, namespacedName.String())
 			c.mutex.Unlock()
 		} else {
+			IngressLog.Warnf("ingressLister Get failed, ingress: %s, err: %v", namespacedName, err)
 			return err
 		}
 	}
@@ -171,7 +172,7 @@ func (c *controller) onEvent(namespacedName types.NamespacedName) error {
 		return nil
 	}

-	IngressLog.Debugf("ingress: %s, event: %s", namespacedName, event)
+	IngressLog.Infof("ingress: %s, event: %s", namespacedName, event)

 	// we should check need process only when event is not delete,
 	// if it is delete event, and previously processed, we need to process too.
@@ -181,7 +182,7 @@ func (c *controller) onEvent(namespacedName types.NamespacedName) error {
 			return err
 		}
 		if !shouldProcess {
-			IngressLog.Infof("no need process, ingress %s", namespacedName)
+			IngressLog.Infof("no need process, ingress: %s", namespacedName)
 			return nil
 		}
 	}
@@ -279,10 +280,17 @@ func (c *controller) List() []config.Config {
 	for _, raw := range c.ingressInformer.Informer.GetStore().List() {
 		ing, ok := raw.(*ingress.Ingress)
 		if !ok {
+			IngressLog.Warnf("get ingress from informer failed: %v", raw)
 			continue
 		}

-		if should, err := c.shouldProcessIngress(ing); !should || err != nil {
+		should, err := c.shouldProcessIngress(ing)
+		if err != nil {
+			IngressLog.Warnf("check should process ingress failed: %v", err)
+			continue
+		}
+		if !should {
+			IngressLog.Debugf("no need process ingress: %s/%s", ing.Namespace, ing.Name)
 			continue
 		}

--- a/pkg/ingress/kube/ingressv1/status.go
+++ b/pkg/ingress/kube/ingressv1/status.go
@@ -81,8 +81,6 @@ func (s *statusSyncer) runUpdateStatus() error {
 		return err
 	}

-	IngressLog.Debugf("found number %d of svc", len(svcList))
-
 	lbStatusList := common.GetLbStatusListV1(svcList)
 	if len(lbStatusList) == 0 {
 		return nil
--- a/pkg/ingress/kube/kingress/controller.go
+++ b/pkg/ingress/kube/kingress/controller.go
@@ -21,6 +21,7 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"time"

 	"github.com/hashicorp/go-multierror"
 	networking "istio.io/api/networking/v1alpha3"
@@ -43,7 +44,9 @@ import (
 	listerv1 "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	ingress "knative.dev/networking/pkg/apis/networking/v1alpha1"
-	networkingv1alpha1 "knative.dev/networking/pkg/client/listers/networking/v1alpha1"
+	"knative.dev/networking/pkg/client/clientset/versioned"
+	informernetworkingv1alpha1 "knative.dev/networking/pkg/client/informers/externalversions/networking/v1alpha1"
+	listernetworkingv1alpha1 "knative.dev/networking/pkg/client/listers/networking/v1alpha1"

 	"github.com/alibaba/higress/pkg/ingress/kube/annotations"
 	"github.com/alibaba/higress/pkg/ingress/kube/common"
@@ -76,7 +79,7 @@ type controller struct {
 	ingresses map[string]*ingress.Ingress

 	ingressInformer  cache.SharedInformer
-	ingressLister    networkingv1alpha1.IngressLister
+	ingressLister    listernetworkingv1alpha1.IngressLister
 	serviceInformer  informerfactory.StartableInformer
 	serviceLister    listerv1.ServiceLister
 	secretController secret.SecretController
@@ -86,16 +89,23 @@ type controller struct {
 // NewController creates a new Kubernetes controller
 func NewController(localKubeClient, client kube.Client, options common.Options,
 	secretController secret.SecretController) common.KIngressController {
-	//var namespace string = "default"
-	ingressInformer := client.KIngressInformer().Networking().V1alpha1().Ingresses()
-	serviceInformer := schemakubeclient.GetInformerFilteredFromGVR(client, ktypes.InformerOptions{}, gvr.Service)
+	var ingressInformer cache.SharedIndexInformer
+	if options.WatchNamespace == "" {
+		ingressInformer = client.KIngressInformer().Networking().V1alpha1().Ingresses().Informer()
+	} else {
+		ingressInformer = client.KIngressInformer().InformerFor(&ingress.Ingress{}, func(c versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+			return informernetworkingv1alpha1.NewIngressInformer(c, options.WatchNamespace, resyncPeriod, nil)
+		})
+	}
+	ingressLister := listernetworkingv1alpha1.NewIngressLister(ingressInformer.GetIndexer())
+	serviceInformer := schemakubeclient.GetInformerFilteredFromGVR(client, ktypes.InformerOptions{Namespace: options.WatchNamespace}, gvr.Service)
 	serviceLister := listerv1.NewServiceLister(serviceInformer.Informer.GetIndexer())

 	c := &controller{
 		options:          options,
 		ingresses:        make(map[string]*ingress.Ingress),
-		ingressInformer:  ingressInformer.Informer(),
-		ingressLister:    ingressInformer.Lister(),
+		ingressInformer:  ingressInformer,
+		ingressLister:    ingressLister,
 		serviceInformer:  serviceInformer,
 		serviceLister:    serviceLister,
 		secretController: secretController,
--- a/pkg/ingress/kube/kingress/controller_test.go
+++ b/pkg/ingress/kube/kingress/controller_test.go
@@ -154,7 +154,7 @@ func TestKIngressControllerConventions(t *testing.T) {

 	options := common.Options{IngressClass: "mse", ClusterId: "", EnableStatus: true}

-	secretController := secret.NewController(localKubeClient, options.ClusterId)
+	secretController := secret.NewController(localKubeClient, options)
 	ingressController := NewController(localKubeClient, client, options, secretController)

 	testcases := map[string]func(*testing.T, common.KIngressController){
--- a/pkg/ingress/kube/kingress/status.go
+++ b/pkg/ingress/kube/kingress/status.go
@@ -77,7 +77,6 @@ func (s *statusSyncer) runUpdateStatus() error {
 		return err
 	}

-	IngressLog.Debugf("found number %d of svc", len(svcList))
 	lbStatusList := common2.GetLbStatusList(svcList)
 	return s.updateStatus(lbStatusList)
 }
--- a/pkg/ingress/kube/mcpbridge/controller.go
+++ b/pkg/ingress/kube/mcpbridge/controller.go
@@ -15,21 +15,33 @@
 package mcpbridge

 import (
-	"istio.io/istio/pkg/cluster"
+	"time"
+
 	"istio.io/istio/pkg/kube/controllers"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/cache"

+	v1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	"github.com/alibaba/higress/client/pkg/clientset/versioned"
+	informersv1 "github.com/alibaba/higress/client/pkg/informers/externalversions/networking/v1"
 	listersv1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
+	"github.com/alibaba/higress/pkg/ingress/kube/common"
 	"github.com/alibaba/higress/pkg/ingress/kube/controller"
 	kubeclient "github.com/alibaba/higress/pkg/kube"
 )

 type McpBridgeController controller.Controller[listersv1.McpBridgeLister]

-func NewController(client kubeclient.Client, clusterId cluster.ID) McpBridgeController {
-	informer := client.HigressInformer().Networking().V1().McpBridges().Informer()
-	return controller.NewCommonController("mcpbridge", client.HigressInformer().Networking().V1().McpBridges().Lister(),
-		informer, GetMcpBridge, clusterId)
+func NewController(client kubeclient.Client, options common.Options) McpBridgeController {
+	var informer cache.SharedIndexInformer
+	if options.WatchNamespace == "" {
+		informer = client.HigressInformer().Networking().V1().McpBridges().Informer()
+	} else {
+		informer = client.HigressInformer().InformerFor(&v1.McpBridge{}, func(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+			return informersv1.NewMcpBridgeInformer(client, options.WatchNamespace, resyncPeriod, nil)
+		})
+	}
+	return controller.NewCommonController("mcpbridge", listersv1.NewMcpBridgeLister(informer.GetIndexer()), informer, GetMcpBridge, options.ClusterId)
 }

 func GetMcpBridge(lister listersv1.McpBridgeLister, namespacedName types.NamespacedName) (controllers.Object, error) {
--- a/pkg/ingress/kube/secret/controller.go
+++ b/pkg/ingress/kube/secret/controller.go
@@ -15,15 +15,14 @@
 package secret

 import (
+	"github.com/alibaba/higress/pkg/ingress/kube/common"
 	"github.com/alibaba/higress/pkg/ingress/kube/controller"
-	"istio.io/istio/pkg/cluster"
 	"istio.io/istio/pkg/config/schema/gvr"
 	schemakubeclient "istio.io/istio/pkg/config/schema/kubeclient"
 	kubeclient "istio.io/istio/pkg/kube"
 	"istio.io/istio/pkg/kube/controllers"
 	ktypes "istio.io/istio/pkg/kube/kubetypes"
 	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
 	listersv1 "k8s.io/client-go/listers/core/v1"
@@ -31,17 +30,17 @@ import (

 type SecretController controller.Controller[listersv1.SecretLister]

-func NewController(client kubeclient.Client, clusterId cluster.ID) SecretController {
+func NewController(client kubeclient.Client, options common.Options) SecretController {
 	opts := ktypes.InformerOptions{
-		Namespace: metav1.NamespaceAll,
-		Cluster:   clusterId,
+		Namespace: options.WatchNamespace,
+		Cluster:   options.ClusterId,
 		FieldSelector: fields.AndSelectors(
 			fields.OneTermNotEqualSelector("type", "helm.sh/release.v1"),
 			fields.OneTermNotEqualSelector("type", string(v1.SecretTypeServiceAccountToken)),
 		).String(),
 	}
 	informer := schemakubeclient.GetInformerFilteredFromGVR(client, opts, gvr.Secret)
-	return controller.NewCommonController("secret", listersv1.NewSecretLister(informer.Informer.GetIndexer()), informer.Informer, GetSecret, clusterId)
+	return controller.NewCommonController("secret", listersv1.NewSecretLister(informer.Informer.GetIndexer()), informer.Informer, GetSecret, options.ClusterId)
 }

 func GetSecret(lister listersv1.SecretLister, namespacedName types.NamespacedName) (controllers.Object, error) {
--- a/pkg/ingress/kube/secret/controller_test.go
+++ b/pkg/ingress/kube/secret/controller_test.go
@@ -16,6 +16,7 @@ package secret

 import (
 	"context"
+	"github.com/alibaba/higress/pkg/ingress/kube/common"
 	"reflect"
 	"sync"
 	"testing"
@@ -43,7 +44,7 @@ var period = time.Second

 func TestController(t *testing.T) {
 	client := kubeclient.NewFakeClient()
-	ctrl := NewController(client, "fake-cluster")
+	ctrl := NewController(client, common.Options{ClusterId: "fake-cluster"})

 	stop := make(chan struct{})
 	t.Cleanup(func() {
--- a/pkg/ingress/kube/wasmplugin/controller.go
+++ b/pkg/ingress/kube/wasmplugin/controller.go
@@ -15,21 +15,33 @@
 package wasmplugin

 import (
-	"istio.io/istio/pkg/cluster"
+	"time"
+
 	"istio.io/istio/pkg/kube/controllers"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/cache"

+	v1 "github.com/alibaba/higress/client/pkg/apis/extensions/v1alpha1"
+	"github.com/alibaba/higress/client/pkg/clientset/versioned"
+	informersv1 "github.com/alibaba/higress/client/pkg/informers/externalversions/extensions/v1alpha1"
 	listersv1 "github.com/alibaba/higress/client/pkg/listers/extensions/v1alpha1"
+	"github.com/alibaba/higress/pkg/ingress/kube/common"
 	"github.com/alibaba/higress/pkg/ingress/kube/controller"
 	kubeclient "github.com/alibaba/higress/pkg/kube"
 )

 type WasmPluginController controller.Controller[listersv1.WasmPluginLister]

-func NewController(client kubeclient.Client, clusterId cluster.ID) WasmPluginController {
-	informer := client.HigressInformer().Extensions().V1alpha1().WasmPlugins().Informer()
-	return controller.NewCommonController("wasmplugin", client.HigressInformer().Extensions().V1alpha1().WasmPlugins().Lister(),
-		informer, GetWasmPlugin, clusterId)
+func NewController(client kubeclient.Client, options common.Options) WasmPluginController {
+	var informer cache.SharedIndexInformer
+	if options.WatchNamespace == "" {
+		informer = client.HigressInformer().Extensions().V1alpha1().WasmPlugins().Informer()
+	} else {
+		informer = client.HigressInformer().InformerFor(&v1.WasmPlugin{}, func(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+			return informersv1.NewWasmPluginInformer(client, options.WatchNamespace, resyncPeriod, nil)
+		})
+	}
+	return controller.NewCommonController("wasmplugin", listersv1.NewWasmPluginLister(informer.GetIndexer()), informer, GetWasmPlugin, options.ClusterId)
 }

 func GetWasmPlugin(lister listersv1.WasmPluginLister, namespacedName types.NamespacedName) (controllers.Object, error) {
--- a/pkg/ingress/log/log.go
+++ b/pkg/ingress/log/log.go
@@ -14,6 +14,6 @@

 package log

-import "istio.io/pkg/log"
+import "istio.io/istio/pkg/log"

-var IngressLog = log.RegisterScope("ingress", "Higress Ingress process.", 0)
+var IngressLog = log.RegisterScope("ingress", "Higress Ingress process.")
--- a/pkg/ingress/translation/translation.go
+++ b/pkg/ingress/translation/translation.go
@@ -19,7 +19,6 @@ import (

 	"istio.io/istio/pilot/pkg/model"
 	istiomodel "istio.io/istio/pilot/pkg/model"
-	"istio.io/istio/pkg/cluster"
 	"istio.io/istio/pkg/config"
 	"istio.io/istio/pkg/config/schema/collection"
 	"istio.io/istio/pkg/config/schema/gvk"
@@ -45,13 +44,13 @@ type IngressTranslation struct {
 	higressDomainCache model.IngressDomainCollection
 }

-func NewIngressTranslation(localKubeClient kube.Client, xdsUpdater istiomodel.XDSUpdater, namespace string, clusterId cluster.ID) *IngressTranslation {
-	if clusterId == "Kubernetes" {
-		clusterId = ""
+func NewIngressTranslation(localKubeClient kube.Client, xdsUpdater istiomodel.XDSUpdater, namespace string, options common.Options) *IngressTranslation {
+	if options.ClusterId == "Kubernetes" {
+		options.ClusterId = ""
 	}
 	Config := &IngressTranslation{
-		ingressConfig:  ingressconfig.NewIngressConfig(localKubeClient, xdsUpdater, namespace, clusterId),
-		kingressConfig: ingressconfig.NewKIngressConfig(localKubeClient, xdsUpdater, namespace, clusterId),
+		ingressConfig:  ingressconfig.NewIngressConfig(localKubeClient, xdsUpdater, namespace, options),
+		kingressConfig: ingressconfig.NewKIngressConfig(localKubeClient, xdsUpdater, namespace, options),
 	}
 	return Config
 }
--- a/plugins/golang-filter/Dockerfile
+++ b/plugins/golang-filter/Dockerfile
@@ -0,0 +1,39 @@
+FROM golang:1.23-bullseye AS golang-base
+
+ARG GOPROXY
+ARG GO_FILTER_NAME
+ARG GOARCH
+
+ENV GOFLAGS=-buildvcs=false
+ENV GOPROXY=${GOPROXY}
+ENV GOARCH=${GOARCH}
+ENV CGO_ENABLED=1
+
+# 根据目标架构安装对应的编译工具
+RUN if [ "$GOARCH" = "arm64" ]; then \
+        echo "Installing ARM64 toolchain" && \
+        apt-get update && \
+        apt-get install -y gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu; \
+    else \
+        echo "Installing AMD64 toolchain" && \
+        apt-get update && \
+        apt-get install -y gcc binutils; \
+    fi
+
+WORKDIR /workspace
+
+COPY . .
+
+WORKDIR /workspace/$GO_FILTER_NAME
+
+RUN go mod tidy
+RUN if [ "$GOARCH" = "arm64" ]; then \
+        CC=aarch64-linux-gnu-gcc AS=aarch64-linux-gnu-as go build -o /$GO_FILTER_NAME.so -buildmode=c-shared .; \
+    else \
+        go build -o /$GO_FILTER_NAME.so -buildmode=c-shared .; \
+    fi
+
+FROM scratch AS output
+ARG GO_FILTER_NAME
+ARG GOARCH
+COPY --from=golang-base /${GO_FILTER_NAME}.so ${GO_FILTER_NAME}_${GOARCH}.so
--- a/plugins/golang-filter/Makefile
+++ b/plugins/golang-filter/Makefile
@@ -0,0 +1,12 @@
+GO_FILTER_NAME ?= mcp-server
+GOPROXY := $(shell go env GOPROXY)
+GOARCH ?= amd64
+
+.DEFAULT:
+build:
+	DOCKER_BUILDKIT=1 docker build --build-arg GOPROXY=$(GOPROXY) \
+								    --build-arg GO_FILTER_NAME=${GO_FILTER_NAME} \
+									--build-arg GOARCH=${GOARCH} \
+									-t ${GO_FILTER_NAME} \
+									--output ./${GO_FILTER_NAME} \
+									.
--- a/plugins/golang-filter/README.md
+++ b/plugins/golang-filter/README.md
@@ -0,0 +1,47 @@
+# Golang HTTP Filter
+
+[English](./README_en.md) | 简体中文
+
+## 简介
+
+Golang HTTP Filter 允许开发者使用 Go 语言编写自定义的 Envoy Filter。该框架支持在请求和响应流程中执行 Golang 代码，使 Envoy 的扩展开发变得更加简单。最重要的是，使用此框架开发的 Go 插件可以独立于 Envoy 进行编译，这大大提高了开发和部署的灵活性。
+
+> **注意** Golang Filter 需要 Higress 2.1.0 或更高版本才能使用。
+## 特性
+
+- 支持在HTTP请求和响应流程中执行 Go 代码
+- 支持插件独立编译，无需重新编译 Envoy
+- 提供简洁的 API 接口
+- 支持请求/响应头部修改
+- 支持请求/响应体修改
+- 支持同步请求
+
+## 快速开始
+
+请参考 [Envoy Golang HTTP Filter 示例](https://github.com/envoyproxy/examples/tree/main/golang-http) 了解如何开发和运行一个基本的 Golang Filter。
+
+## 配置示例
+
+```yaml
+http_filters:
+- name: envoy.filters.http.golang
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
+    library_id: my-go-filter
+    library_path: "./my-go-filter.so"
+    plugin_name: my-go-filter
+    plugin_config:
+      "@type": type.googleapis.com/xds.type.v3.TypedStruct
+      value:
+          your_config_here: value
+                  
+```
+
+
+## 快速构建
+
+使用以下命令可以快速构建 golang filter 插件:
+
+```bash
+GO_FILTER_NAME=mcp-server make build
+```
--- a/plugins/golang-filter/README_en.md
+++ b/plugins/golang-filter/README_en.md
@@ -0,0 +1,45 @@
+# Golang HTTP Filter
+
+English | [简体中文](./README.md)
+
+## Introduction
+
+The Golang HTTP Filter allows developers to write custom Envoy Filters using the Go language. This framework supports executing Golang code during both request and response flows, making it easier to extend Envoy. Most importantly, Go plugins developed using this framework can be compiled independently of Envoy, which greatly enhances development and deployment flexibility.
+
+> **注意** Golang Filter require Higress version 2.1.0 or higher to be used.
+## Features
+
+- Support for Golang code execution in both request and response flows
+- Independent plugin compilation without rebuilding Envoy
+- Simple and clean API interface
+- Request/response header modification
+- Request/response body modification
+- Synchronous request support
+
+## Quick Start
+
+Please refer to [Envoy Golang HTTP Filter Example](https://github.com/envoyproxy/examples/tree/main/golang-http) to learn how to develop and run a basic Golang Filter.
+
+## Configuration Example
+
+```yaml
+http_filters:
+- name: envoy.filters.http.golang
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
+    library_id: my-go-filter
+    library_path: "./my-go-filter.so"
+    plugin_name: my-go-filter
+    plugin_config:
+      "@type": type.googleapis.com/xds.type.v3.TypedStruct
+      value:
+          your_config_here: value
+```
+
+## Quick Build
+
+Use the following command to quickly build the golang filter plugin:
+
+```bash
+GO_FILTER_NAME=mcp-server make build
+``` 
--- a/plugins/golang-filter/mcp-server/README.md
+++ b/plugins/golang-filter/mcp-server/README.md
@@ -0,0 +1,65 @@
+# MCP Server
+[English](./README_en.md) | 简体中文
+
+## 概述
+
+MCP Server 是一个基于 Envoy 的 Golang Filter 插件，用于实现服务器端事件（SSE）和消息通信功能。该插件支持多种数据库类型，并使用 Redis 作为消息队列来实现负载均衡的请求通过对应的SSE连接发送。
+
+> **注意**：MCP Server需要 Higress 2.1.0 或更高版本才能使用。
+## 项目结构
+```
+mcp-server/
+├── config.go                # 配置解析相关代码
+├── filter.go                # 请求处理相关代码
+├── internal/                # 内部实现逻辑
+├── servers/                 # MCP 服务器实现
+├── go.mod                   # Go模块依赖定义
+└── go.sum                   # Go模块依赖校验
+```
+## MCP Server开发指南
+
+```go
+// 在init函数中注册你的服务器
+// 参数1: 服务器名称
+// 参数2: 配置结构体实例
+func init() {
+	internal.GlobalRegistry.RegisterServer("demo", &DemoConfig{})
+}
+
+// 服务器配置结构体
+type DemoConfig struct {
+	helloworld string
+}
+
+// 解析配置方法
+// 从配置map中解析并验证配置项
+func (c *DBConfig) ParseConfig(config map[string]any) error {
+	helloworld, ok := config["helloworld"].(string)
+	if !ok { return errors.New("missing helloworld")}
+	c.helloworld = helloworld
+	return nil
+}
+
+// 创建新的MCP服务器实例
+// serverName: 服务器名称
+// 返回值: MCP服务器实例和可能的错误
+func (c *DBConfig) NewServer(serverName string) (*internal.MCPServer, error) {
+	mcpServer := internal.NewMCPServer(serverName, Version)
+    
+	// 添加工具方法到服务器
+	// mcpServer.AddTool()	
+	
+	// 添加资源到服务器
+	// mcpServer.AddResource()
+	
+	return mcpServer, nil
+}
+```
+
+**Note**: 
+需要在config.go里面使用下划线导入以执行包的init函数
+```go
+import (
+	_ "github.com/alibaba/higress/plugins/golang-filter/mcp-server/servers/gorm"
+)
+```
--- a/plugins/golang-filter/mcp-server/README_en.md
+++ b/plugins/golang-filter/mcp-server/README_en.md
@@ -0,0 +1,67 @@
+# MCP Server
+English | [简体中文](./README.md)
+
+## Overview
+
+MCP Server is a Golang Filter plugin based on Envoy, designed to implement Server-Sent Events (SSE) and message communication functionality. This plugin supports various database types and uses Redis as a message queue to enable load-balanced requests to be sent through corresponding SSE connections.
+
+> **Note**: MCP Server requires Higress 2.1.0 or higher version.
+
+## Project Structure
+```
+mcp-server/
+├── config.go                # Configuration parsing code
+├── filter.go                # Request processing code
+├── internal/                # Internal implementation logic
+├── servers/                 # MCP server implementation
+├── go.mod                   # Go module dependency definition
+└── go.sum                   # Go module dependency checksum
+```
+
+## MCP Server Development Guide
+
+```go
+// Register your server in the init function
+// Param 1: Server name
+// Param 2: Config struct instance
+func init() {
+	internal.GlobalRegistry.RegisterServer("demo", &DemoConfig{})
+}
+
+// Server configuration struct
+type DemoConfig struct {
+	helloworld string
+}
+
+// Configuration parsing method
+// Parse and validate configuration items from the config map
+func (c *DBConfig) ParseConfig(config map[string]any) error {
+	helloworld, ok := config["helloworld"].(string)
+	if !ok { return errors.New("missing helloworld")}
+	c.helloworld = helloworld
+	return nil
+}
+
+// Create a new MCP server instance
+// serverName: Server name
+// Returns: MCP server instance and possible error
+func (c *DBConfig) NewServer(serverName string) (*internal.MCPServer, error) {
+	mcpServer := internal.NewMCPServer(serverName, Version)
+    
+	// Add tool methods to server
+	// mcpServer.AddTool()	
+	
+	// Add resources to server
+	// mcpServer.AddResource()
+	
+	return mcpServer, nil
+}
+```
+
+**Note**: 
+Need to use underscore import in config.go to execute the package's init function
+```go
+import (
+	_ "github.com/alibaba/higress/plugins/golang-filter/mcp-server/servers/gorm"
+)
+```
--- a/plugins/golang-filter/mcp-server/config.go
+++ b/plugins/golang-filter/mcp-server/config.go
@@ -0,0 +1,153 @@
+package main
+
+import (
+	"fmt"
+
+	xds "github.com/cncf/xds/go/xds/type/v3"
+	"google.golang.org/protobuf/types/known/anypb"
+
+	"github.com/alibaba/higress/plugins/golang-filter/mcp-server/internal"
+	_ "github.com/alibaba/higress/plugins/golang-filter/mcp-server/registry/nacos"
+	_ "github.com/alibaba/higress/plugins/golang-filter/mcp-server/servers/gorm"
+	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
+	envoyHttp "github.com/envoyproxy/envoy/contrib/golang/filters/http/source/go/pkg/http"
+)
+
+const Name = "mcp-server"
+const Version = "1.0.0"
+const DefaultServerName = "defaultServer"
+const MessageEndpoint = "/message"
+
+func init() {
+	envoyHttp.RegisterHttpFilterFactoryAndConfigParser(Name, filterFactory, &parser{})
+}
+
+type config struct {
+	ssePathSuffix string
+	redisClient   *internal.RedisClient
+	stopChan      chan struct{}
+	servers       []*internal.SSEServer
+	defaultServer *internal.SSEServer
+}
+
+type parser struct {
+}
+
+// Parse the filter configuration
+func (p *parser) Parse(any *anypb.Any, callbacks api.ConfigCallbackHandler) (interface{}, error) {
+	configStruct := &xds.TypedStruct{}
+	if err := any.UnmarshalTo(configStruct); err != nil {
+		return nil, err
+	}
+	v := configStruct.Value
+
+	conf := &config{}
+	conf.stopChan = make(chan struct{})
+
+	redisConfigMap, ok := v.AsMap()["redis"].(map[string]interface{})
+	if !ok {
+		return nil, fmt.Errorf("redis config is not set")
+	}
+
+	redisConfig, err := internal.ParseRedisConfig(redisConfigMap)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse redis config: %w", err)
+	}
+
+	redisClient, err := internal.NewRedisClient(redisConfig, conf.stopChan)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize RedisClient: %w", err)
+	}
+	conf.redisClient = redisClient
+
+	ssePathSuffix, ok := v.AsMap()["sse_path_suffix"].(string)
+	if !ok {
+		return nil, fmt.Errorf("sse path suffix is not set")
+	}
+	conf.ssePathSuffix = ssePathSuffix
+
+	serverConfigs, ok := v.AsMap()["servers"].([]interface{})
+	if !ok {
+		api.LogDebug("No servers are configured")
+		return conf, nil
+	}
+
+	for _, serverConfig := range serverConfigs {
+		serverConfigMap, ok := serverConfig.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf("server config must be an object")
+		}
+		serverType, ok := serverConfigMap["type"].(string)
+		if !ok {
+			return nil, fmt.Errorf("server type is not set")
+		}
+		serverPath, ok := serverConfigMap["path"].(string)
+		if !ok {
+			return nil, fmt.Errorf("server %s path is not set", serverType)
+		}
+		serverName, ok := serverConfigMap["name"].(string)
+		if !ok {
+			return nil, fmt.Errorf("server %s name is not set", serverType)
+		}
+		server := internal.GlobalRegistry.GetServer(serverType)
+
+		if server == nil {
+			return nil, fmt.Errorf("server %s is not registered", serverType)
+		}
+		serverConfig, ok := serverConfigMap["config"].(map[string]interface{})
+		if !ok {
+			api.LogDebug(fmt.Sprintf("No config provided for server %s", serverType))
+		}
+		api.LogDebug(fmt.Sprintf("Server config: %+v", serverConfig))
+
+		err = server.ParseConfig(serverConfig)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse server config: %w", err)
+		}
+
+		serverInstance, err := server.NewServer(serverName)
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize DBServer: %w", err)
+		}
+
+		conf.servers = append(conf.servers, internal.NewSSEServer(serverInstance,
+			internal.WithRedisClient(redisClient),
+			internal.WithSSEEndpoint(fmt.Sprintf("%s%s", serverPath, ssePathSuffix)),
+			internal.WithMessageEndpoint(fmt.Sprintf("%s%s", serverPath, MessageEndpoint))))
+		api.LogDebug(fmt.Sprintf("Registered MCP Server: %s", serverType))
+	}
+	return conf, nil
+}
+
+func (p *parser) Merge(parent interface{}, child interface{}) interface{} {
+	parentConfig := parent.(*config)
+	childConfig := child.(*config)
+
+	newConfig := *parentConfig
+	if childConfig.redisClient != nil {
+		newConfig.redisClient = childConfig.redisClient
+	}
+	if childConfig.ssePathSuffix != "" {
+		newConfig.ssePathSuffix = childConfig.ssePathSuffix
+	}
+	if childConfig.servers != nil {
+		newConfig.servers = append(newConfig.servers, childConfig.servers...)
+	}
+	if childConfig.defaultServer != nil {
+		newConfig.defaultServer = childConfig.defaultServer
+	}
+	return &newConfig
+}
+
+func filterFactory(c interface{}, callbacks api.FilterCallbackHandler) api.StreamFilter {
+	conf, ok := c.(*config)
+	if !ok {
+		panic("unexpected config type")
+	}
+	return &filter{
+		callbacks: callbacks,
+		config:    conf,
+	}
+}
+
+func main() {}
--- a/plugins/golang-filter/mcp-server/filter.go
+++ b/plugins/golang-filter/mcp-server/filter.go
@@ -0,0 +1,188 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+
+	"github.com/alibaba/higress/plugins/golang-filter/mcp-server/internal"
+	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
+)
+
+// The callbacks in the filter, like `DecodeHeaders`, can be implemented on demand.
+// Because api.PassThroughStreamFilter provides a default implementation.
+type filter struct {
+	api.PassThroughStreamFilter
+
+	callbacks api.FilterCallbackHandler
+	path      string
+	config    *config
+
+	req        *http.Request
+	serverName string
+	message    bool
+	bodyBuffer []byte
+}
+
+type RequestURL struct {
+	method    string
+	scheme    string
+	host      string
+	path      string
+	baseURL   string
+	parsedURL *url.URL
+}
+
+func NewRequestURL(header api.RequestHeaderMap) *RequestURL {
+	method, _ := header.Get(":method")
+	scheme, _ := header.Get(":scheme")
+	host, _ := header.Get(":authority")
+	path, _ := header.Get(":path")
+	baseURL := fmt.Sprintf("%s://%s", scheme, host)
+	parsedURL, _ := url.Parse(path)
+	api.LogDebugf("RequestURL: method=%s, scheme=%s, host=%s, path=%s", method, scheme, host, path)
+	return &RequestURL{method: method, scheme: scheme, host: host, path: path, baseURL: baseURL, parsedURL: parsedURL}
+}
+
+// Callbacks which are called in request path
+// The endStream is true if the request doesn't have body
+func (f *filter) DecodeHeaders(header api.RequestHeaderMap, endStream bool) api.StatusType {
+	url := NewRequestURL(header)
+	f.path = url.parsedURL.Path
+
+	for _, server := range f.config.servers {
+		if f.path == server.GetSSEEndpoint() {
+			if url.method != http.MethodGet {
+				f.callbacks.DecoderFilterCallbacks().SendLocalReply(http.StatusMethodNotAllowed, "Method not allowed", nil, 0, "")
+			} else {
+				f.serverName = server.GetServerName()
+				body := "SSE connection create"
+				f.callbacks.DecoderFilterCallbacks().SendLocalReply(http.StatusOK, body, nil, 0, "")
+			}
+			api.LogDebugf("%s SSE connection started", server.GetServerName())
+			server.SetBaseURL(url.baseURL)
+			return api.LocalReply
+		} else if f.path == server.GetMessageEndpoint() {
+			if url.method != http.MethodPost {
+				f.callbacks.DecoderFilterCallbacks().SendLocalReply(http.StatusMethodNotAllowed, "Method not allowed", nil, 0, "")
+			}
+			// Create a new http.Request object
+			f.req = &http.Request{
+				Method: url.method,
+				URL:    url.parsedURL,
+				Header: make(http.Header),
+			}
+			api.LogDebugf("Message request: %v", url.parsedURL)
+			// Copy headers from api.RequestHeaderMap to http.Header
+			header.Range(func(key, value string) bool {
+				f.req.Header.Add(key, value)
+				return true
+			})
+			f.message = true
+			if endStream {
+				return api.Continue
+			} else {
+				return api.StopAndBuffer
+			}
+		}
+	}
+	if !strings.HasSuffix(url.parsedURL.Path, f.config.ssePathSuffix) {
+		if endStream {
+			return api.Continue
+		} else {
+			return api.StopAndBuffer
+		}
+	}
+
+	if url.method != http.MethodGet {
+		f.callbacks.DecoderFilterCallbacks().SendLocalReply(http.StatusMethodNotAllowed, "Method not allowed", nil, 0, "")
+	} else {
+		f.config.defaultServer = internal.NewSSEServer(internal.NewMCPServer(DefaultServerName, Version),
+			internal.WithSSEEndpoint(f.config.ssePathSuffix),
+			internal.WithMessageEndpoint(strings.TrimSuffix(url.parsedURL.Path, f.config.ssePathSuffix)),
+			internal.WithRedisClient(f.config.redisClient))
+		f.serverName = f.config.defaultServer.GetServerName()
+		body := "SSE connection create"
+		f.callbacks.DecoderFilterCallbacks().SendLocalReply(http.StatusOK, body, nil, 0, "")
+		f.config.defaultServer.SetBaseURL(url.baseURL)
+	}
+	return api.LocalReply
+}
+
+// DecodeData might be called multiple times during handling the request body.
+// The endStream is true when handling the last piece of the body.
+func (f *filter) DecodeData(buffer api.BufferInstance, endStream bool) api.StatusType {
+	if f.message {
+		f.bodyBuffer = append(f.bodyBuffer, buffer.Bytes()...)
+
+		if endStream {
+			for _, server := range f.config.servers {
+				if f.path == server.GetMessageEndpoint() {
+					// Create a response recorder to capture the response
+					recorder := httptest.NewRecorder()
+					// Call the handleMessage method of SSEServer with complete body
+					server.HandleMessage(recorder, f.req, f.bodyBuffer)
+					f.message = false
+					// clear buffer
+					f.bodyBuffer = nil
+					f.callbacks.DecoderFilterCallbacks().SendLocalReply(recorder.Code, recorder.Body.String(), recorder.Header(), 0, "")
+					return api.LocalReply
+				}
+			}
+		}
+		return api.StopAndBuffer
+	}
+	return api.Continue
+}
+
+// Callbacks which are called in response path
+// The endStream is true if the response doesn't have body
+func (f *filter) EncodeHeaders(header api.ResponseHeaderMap, endStream bool) api.StatusType {
+	if f.serverName != "" {
+		header.Set("Content-Type", "text/event-stream")
+		header.Set("Cache-Control", "no-cache")
+		header.Set("Connection", "keep-alive")
+		header.Set("Access-Control-Allow-Origin", "*")
+		header.Del("Content-Length")
+		return api.Continue
+	}
+	return api.Continue
+}
+
+// EncodeData might be called multiple times during handling the response body.
+// The endStream is true when handling the last piece of the body.
+func (f *filter) EncodeData(buffer api.BufferInstance, endStream bool) api.StatusType {
+	if f.serverName != "" {
+		// handle specific server
+		for _, server := range f.config.servers {
+			if f.serverName == server.GetServerName() {
+				buffer.Reset()
+				server.HandleSSE(f.callbacks)
+				return api.Running
+			}
+		}
+		// handle default server
+		if f.serverName == f.config.defaultServer.GetServerName() {
+			buffer.Reset()
+			f.config.defaultServer.HandleSSE(f.callbacks)
+			return api.Running
+		}
+		return api.Continue
+	}
+	return api.Continue
+}
+
+// OnDestroy stops the goroutine
+func (f *filter) OnDestroy(reason api.DestroyReason) {
+	if f.serverName != "" && f.config.stopChan != nil {
+		select {
+		case <-f.config.stopChan:
+			return
+		default:
+			api.LogDebug("Stopping SSE connection")
+			close(f.config.stopChan)
+		}
+	}
+}
--- a/plugins/golang-filter/mcp-server/go.mod
+++ b/plugins/golang-filter/mcp-server/go.mod
@@ -0,0 +1,54 @@
+module github.com/alibaba/higress/plugins/golang-filter/mcp-server
+
+go 1.23
+
+require (
+	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42
+	github.com/envoyproxy/envoy v1.33.1-0.20250224062430-6c11eac01993
+	github.com/go-redis/redis/v8 v8.11.5
+	github.com/google/uuid v1.6.0
+	github.com/mark3labs/mcp-go v0.12.0
+	google.golang.org/protobuf v1.36.5
+	gorm.io/driver/clickhouse v0.6.1
+	gorm.io/driver/mysql v1.5.7
+	gorm.io/driver/postgres v1.5.11
+	gorm.io/driver/sqlite v1.5.7
+	gorm.io/gorm v1.25.12
+)
+
+require (
+	cel.dev/expr v0.15.0 // indirect
+	github.com/ClickHouse/ch-go v0.61.5 // indirect
+	github.com/ClickHouse/clickhouse-go/v2 v2.23.2 // indirect
+	github.com/andybalholm/brotli v1.1.0 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
+	github.com/go-faster/city v1.0.1 // indirect
+	github.com/go-faster/errors v0.7.1 // indirect
+	github.com/go-sql-driver/mysql v1.7.0 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgx/v5 v5.5.5 // indirect
+	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/jinzhu/now v1.1.5 // indirect
+	github.com/klauspost/compress v1.17.8 // indirect
+	github.com/mattn/go-sqlite3 v1.14.22 // indirect
+	github.com/nacos-group/nacos-sdk-go/v2 v2.2.9
+	github.com/paulmach/orb v0.11.1 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	go.opentelemetry.io/otel v1.26.0 // indirect
+	go.opentelemetry.io/otel/trace v1.26.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
--- a/plugins/golang-filter/mcp-server/go.sum
+++ b/plugins/golang-filter/mcp-server/go.sum
@@ -0,0 +1,182 @@
+cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w=
+cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg=
+github.com/ClickHouse/ch-go v0.61.5 h1:zwR8QbYI0tsMiEcze/uIMK+Tz1D3XZXLdNrlaOpeEI4=
+github.com/ClickHouse/ch-go v0.61.5/go.mod h1:s1LJW/F/LcFs5HJnuogFMta50kKDO0lf9zzfrbl0RQg=
+github.com/ClickHouse/clickhouse-go/v2 v2.23.2 h1:+DAKPMnxLS7pduQZsrJc8OhdLS2L9MfDEJ2TS+hpYDM=
+github.com/ClickHouse/clickhouse-go/v2 v2.23.2/go.mod h1:aNap51J1OM3yxQJRgM+AlP/MPkGBCL8A74uQThoQhR0=
+github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
+github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 h1:Om6kYQYDUk5wWbT0t0q6pvyM49i9XZAv9dDrkDA7gjk=
+github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/envoyproxy/envoy v1.33.1-0.20250224062430-6c11eac01993 h1:98rKr5Irapq0t68+sHM78LIkflsiDVttSExZTaqsxSo=
+github.com/envoyproxy/envoy v1.33.1-0.20250224062430-6c11eac01993/go.mod h1:x7d0dNbE0xGuDBUkBg19VGCgnPQ+lJ2k8lDzDzKExow=
+github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A=
+github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/go-faster/city v1.0.1 h1:4WAxSZ3V2Ws4QRDrscLEDcibJY8uf41H6AhXDrNDcGw=
+github.com/go-faster/city v1.0.1/go.mod h1:jKcUJId49qdW3L1qKHH/3wPeUstCVpVSXTM6vO3VcTw=
+github.com/go-faster/errors v0.7.1 h1:MkJTnDoEdi9pDabt1dpWf7AA8/BaSYZqibYyhZ20AYg=
+github.com/go-faster/errors v0.7.1/go.mod h1:5ySTjWFiphBs07IKuiL69nxdfd5+fzh1u7FPGZP2quo=
+github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
+github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
+github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc=
+github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
+github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
+github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
+github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
+github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
+github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
+github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
+github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
+github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
+github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mark3labs/mcp-go v0.12.0 h1:Pue1Tdwqcz77GHq18uzgmLT3wmeDUxXUSAqSwhGLhVo=
+github.com/mark3labs/mcp-go v0.12.0/go.mod h1:cjMlBU0cv/cj9kjlgmRhoJ5JREdS7YX83xeIG9Ko/jE=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
+github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
+github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
+github.com/onsi/gomega v1.24.2 h1:J/tulyYK6JwBldPViHJReihxxZ+22FHs0piGjQAvoUE=
+github.com/onsi/gomega v1.24.2/go.mod h1:gs3J10IS7Z7r7eXRoNJIrNqU4ToQukCJhFtKrWgHWnk=
+github.com/paulmach/orb v0.11.1 h1:3koVegMC4X/WeiXYz9iswopaTwMem53NzTJuTF20JzU=
+github.com/paulmach/orb v0.11.1/go.mod h1:5mULz1xQfs3bmQm63QEJA6lNGujuRafwA5S/EnuLaLU=
+github.com/paulmach/protoscan v0.2.1/go.mod h1:SpcSwydNLrxUGSDvXvO0P7g7AuhJ7lcKfDlhJCDw2gY=
+github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
+github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
+github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
+github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.mongodb.org/mongo-driver v1.11.4/go.mod h1:PTSz5yu21bkT/wXpkS7WR5f0ddqw5quethTUn9WM+2g=
+go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
+go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4=
+go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
+go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q=
+google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gorm.io/driver/clickhouse v0.6.1 h1:t7JMB6sLBXxN8hEO6RdzCbJCwq/jAEVZdwXlmQs1Sd4=
+gorm.io/driver/clickhouse v0.6.1/go.mod h1:riMYpJcGZ3sJ/OAZZ1rEP1j/Y0H6cByOAnwz7fo2AyM=
+gorm.io/driver/mysql v1.5.7 h1:MndhOPYOfEp2rHKgkZIhJ16eVUIRf2HmzgoPmh7FCWo=
+gorm.io/driver/mysql v1.5.7/go.mod h1:sEtPWMiqiN1N1cMXoXmBbd8C6/l+TESwriotuRRpkDM=
+gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
+gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
+gorm.io/driver/sqlite v1.5.7 h1:8NvsrhP0ifM7LX9G4zPB97NwovUakUxc+2V2uuf3Z1I=
+gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
+gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
+gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
+gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
--- a/plugins/golang-filter/mcp-server/internal/redis.go
+++ b/plugins/golang-filter/mcp-server/internal/redis.go
@@ -0,0 +1,202 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
+	"github.com/go-redis/redis/v8"
+)
+
+type RedisConfig struct {
+	Address  string
+	Username string
+	Password string
+	DB       int
+}
+
+func ParseRedisConfig(config map[string]any) (*RedisConfig, error) {
+	c := &RedisConfig{}
+
+	// address is required
+	addr, ok := config["address"].(string)
+	if !ok {
+		return nil, fmt.Errorf("address is required and must be a string")
+	}
+	c.Address = addr
+
+	// username is optional
+	if username, ok := config["username"].(string); ok {
+		c.Username = username
+	}
+
+	// password is optional
+	if password, ok := config["password"].(string); ok {
+		c.Password = password
+	}
+
+	// db is optional, default to 0
+	if db, ok := config["db"].(int); ok {
+		c.DB = db
+	}
+
+	return c, nil
+}
+
+// RedisClient is a struct to handle Redis connections and operations
+type RedisClient struct {
+	client   *redis.Client
+	ctx      context.Context
+	stopChan chan struct{}
+	config   *RedisConfig
+}
+
+// NewRedisClient creates a new RedisClient instance and establishes a connection to the Redis server
+func NewRedisClient(config *RedisConfig, stopChan chan struct{}) (*RedisClient, error) {
+	client := redis.NewClient(&redis.Options{
+		Addr:     config.Address,
+		Username: config.Username,
+		Password: config.Password,
+		DB:       config.DB,
+	})
+
+	// Ping the Redis server to check the connection
+	pong, err := client.Ping(context.Background()).Result()
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to Redis: %w", err)
+	}
+	api.LogDebugf("Connected to Redis: %s", pong)
+
+	redisClient := &RedisClient{
+		client:   client,
+		ctx:      context.Background(),
+		stopChan: stopChan,
+		config:   config,
+	}
+
+	// Start keep-alive check
+	go redisClient.keepAlive()
+
+	return redisClient, nil
+}
+
+// keepAlive periodically checks Redis connection and attempts to reconnect if needed
+func (r *RedisClient) keepAlive() {
+	ticker := time.NewTicker(30 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-r.stopChan:
+			return
+		case <-ticker.C:
+			if err := r.checkConnection(); err != nil {
+				api.LogErrorf("Redis connection check failed: %v", err)
+				if err := r.reconnect(); err != nil {
+					api.LogErrorf("Failed to reconnect to Redis: %v", err)
+				}
+			}
+		}
+	}
+}
+
+// checkConnection verifies if the Redis connection is still alive
+func (r *RedisClient) checkConnection() error {
+	_, err := r.client.Ping(r.ctx).Result()
+	return err
+}
+
+// reconnect attempts to establish a new connection to Redis
+func (r *RedisClient) reconnect() error {
+	// Close the old client
+	if err := r.client.Close(); err != nil {
+		api.LogErrorf("Error closing old Redis connection: %v", err)
+	}
+
+	// Create new client
+	r.client = redis.NewClient(&redis.Options{
+		Addr:     r.config.Address,
+		Username: r.config.Username,
+		Password: r.config.Password,
+		DB:       r.config.DB,
+	})
+
+	// Test the new connection
+	if err := r.checkConnection(); err != nil {
+		return fmt.Errorf("failed to reconnect to Redis: %w", err)
+	}
+
+	api.LogDebugf("Successfully reconnected to Redis")
+	return nil
+}
+
+// Publish publishes a message to a Redis channel
+func (r *RedisClient) Publish(channel string, message string) error {
+	err := r.client.Publish(r.ctx, channel, message).Err()
+	if err != nil {
+		return fmt.Errorf("failed to publish message: %w", err)
+	}
+	return nil
+}
+
+// Subscribe subscribes to a Redis channel and processes messages
+func (r *RedisClient) Subscribe(channel string, callback func(message string)) error {
+	pubsub := r.client.Subscribe(r.ctx, channel)
+	_, err := pubsub.Receive(r.ctx)
+	if err != nil {
+		return fmt.Errorf("failed to subscribe to channel: %w", err)
+	}
+
+	go func() {
+		defer func() {
+			pubsub.Close()
+			api.LogDebugf("Closed subscription to channel %s", channel)
+		}()
+
+		ch := pubsub.Channel()
+		for {
+			select {
+			case <-r.stopChan:
+				api.LogDebugf("Stopping subscription to channel %s", channel)
+				return
+			case msg, ok := <-ch:
+				if !ok {
+					api.LogDebugf("Redis subscription channel closed for %s", channel)
+					return
+				}
+
+				func() {
+					defer func() {
+						if r := recover(); r != nil {
+							api.LogErrorf("Recovered from panic in callback: %v", r)
+						}
+					}()
+					callback(msg.Payload)
+				}()
+			}
+		}
+	}()
+
+	return nil
+}
+
+// Set sets the value of a key in Redis
+func (r *RedisClient) Set(key string, value string, expiration time.Duration) error {
+	err := r.client.Set(r.ctx, key, value, expiration).Err()
+	if err != nil {
+		return fmt.Errorf("failed to set key: %w", err)
+	}
+	return nil
+}
+
+// Get retrieves the value of a key from Redis
+func (r *RedisClient) Get(key string) (string, error) {
+	val, err := r.client.Get(r.ctx, key).Result()
+	if err == redis.Nil {
+		return "", fmt.Errorf("key does not exist")
+	} else if err != nil {
+		return "", fmt.Errorf("failed to get key: %w", err)
+	}
+	return val, nil
+}
--- a/plugins/golang-filter/mcp-server/internal/registry.go
+++ b/plugins/golang-filter/mcp-server/internal/registry.go
@@ -0,0 +1,26 @@
+package internal
+
+var GlobalRegistry = NewServerRegistry()
+
+type Server interface {
+	ParseConfig(config map[string]any) error
+	NewServer(serverName string) (*MCPServer, error)
+}
+
+type ServerRegistry struct {
+	servers map[string]Server
+}
+
+func NewServerRegistry() *ServerRegistry {
+	return &ServerRegistry{
+		servers: make(map[string]Server),
+	}
+}
+
+func (r *ServerRegistry) RegisterServer(name string, server Server) {
+	r.servers[name] = server
+}
+
+func (r *ServerRegistry) GetServer(name string) Server {
+	return r.servers[name]
+}
--- a/plugins/golang-filter/mcp-server/internal/server.go
+++ b/plugins/golang-filter/mcp-server/internal/server.go
@@ -0,0 +1,844 @@
+package internal
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"sort"
+	"sync"
+	"sync/atomic"
+
+	"github.com/mark3labs/mcp-go/mcp"
+)
+
+// resourceEntry holds both a resource and its handler
+type resourceEntry struct {
+	resource mcp.Resource
+	handler  ResourceHandlerFunc
+}
+
+// resourceTemplateEntry holds both a template and its handler
+type resourceTemplateEntry struct {
+	template mcp.ResourceTemplate
+	handler  ResourceTemplateHandlerFunc
+}
+
+// ServerOption is a function that configures an MCPServer.
+type ServerOption func(*MCPServer)
+
+// ResourceHandlerFunc is a function that returns resource contents.
+type ResourceHandlerFunc func(ctx context.Context, request mcp.ReadResourceRequest) ([]mcp.ResourceContents, error)
+
+// ResourceTemplateHandlerFunc is a function that returns a resource template.
+type ResourceTemplateHandlerFunc func(ctx context.Context, request mcp.ReadResourceRequest) ([]mcp.ResourceContents, error)
+
+// PromptHandlerFunc handles prompt requests with given arguments.
+type PromptHandlerFunc func(ctx context.Context, request mcp.GetPromptRequest) (*mcp.GetPromptResult, error)
+
+// ToolHandlerFunc handles tool calls with given arguments.
+type ToolHandlerFunc func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error)
+
+// ServerTool combines a Tool with its ToolHandlerFunc.
+type ServerTool struct {
+	Tool    mcp.Tool
+	Handler ToolHandlerFunc
+}
+
+// NotificationContext provides client identification for notifications
+type NotificationContext struct {
+	ClientID  string
+	SessionID string
+}
+
+// ServerNotification combines the notification with client context
+type ServerNotification struct {
+	Context      NotificationContext
+	Notification mcp.JSONRPCNotification
+}
+
+// NotificationHandlerFunc handles incoming notifications.
+type NotificationHandlerFunc func(ctx context.Context, notification mcp.JSONRPCNotification)
+
+// MCPServer implements a Model Control Protocol server that can handle various types of requests
+// including resources, prompts, and tools.
+type MCPServer struct {
+	mu                   sync.RWMutex // Add mutex for protecting shared resources
+	name                 string
+	version              string
+	instructions         string
+	resources            map[string]resourceEntry
+	resourceTemplates    map[string]resourceTemplateEntry
+	prompts              map[string]mcp.Prompt
+	promptHandlers       map[string]PromptHandlerFunc
+	tools                map[string]ServerTool
+	notificationHandlers map[string]NotificationHandlerFunc
+	capabilities         serverCapabilities
+	notifications        chan ServerNotification
+	clientMu             sync.Mutex // Separate mutex for client context
+	currentClient        NotificationContext
+	initialized          atomic.Bool // Use atomic for the initialized flag
+}
+
+// serverKey is the context key for storing the server instance
+type serverKey struct{}
+
+// ServerFromContext retrieves the MCPServer instance from a context
+func ServerFromContext(ctx context.Context) *MCPServer {
+	if srv, ok := ctx.Value(serverKey{}).(*MCPServer); ok {
+		return srv
+	}
+	return nil
+}
+
+// WithContext sets the current client context and returns the provided context
+func (s *MCPServer) WithContext(
+	ctx context.Context,
+	notifCtx NotificationContext,
+) context.Context {
+	s.clientMu.Lock()
+	s.currentClient = notifCtx
+	s.clientMu.Unlock()
+	return ctx
+}
+
+// SendNotificationToClient sends a notification to the current client
+func (s *MCPServer) SendNotificationToClient(
+	method string,
+	params map[string]interface{},
+) error {
+	if s.notifications == nil {
+		return fmt.Errorf("notification channel not initialized")
+	}
+
+	s.clientMu.Lock()
+	clientContext := s.currentClient
+	s.clientMu.Unlock()
+
+	notification := mcp.JSONRPCNotification{
+		JSONRPC: mcp.JSONRPC_VERSION,
+		Notification: mcp.Notification{
+			Method: method,
+			Params: mcp.NotificationParams{
+				AdditionalFields: params,
+			},
+		},
+	}
+
+	select {
+	case s.notifications <- ServerNotification{
+		Context:      clientContext,
+		Notification: notification,
+	}:
+		return nil
+	default:
+		return fmt.Errorf("notification channel full or blocked")
+	}
+}
+
+// serverCapabilities defines the supported features of the MCP server
+type serverCapabilities struct {
+	tools     *toolCapabilities
+	resources *resourceCapabilities
+	prompts   *promptCapabilities
+	logging   bool
+}
+
+// resourceCapabilities defines the supported resource-related features
+type resourceCapabilities struct {
+	subscribe   bool
+	listChanged bool
+}
+
+// promptCapabilities defines the supported prompt-related features
+type promptCapabilities struct {
+	listChanged bool
+}
+
+// toolCapabilities defines the supported tool-related features
+type toolCapabilities struct {
+	listChanged bool
+}
+
+// WithResourceCapabilities configures resource-related server capabilities
+func WithResourceCapabilities(subscribe, listChanged bool) ServerOption {
+	return func(s *MCPServer) {
+		// Always create a non-nil capability object
+		s.capabilities.resources = &resourceCapabilities{
+			subscribe:   subscribe,
+			listChanged: listChanged,
+		}
+	}
+}
+
+// WithPromptCapabilities configures prompt-related server capabilities
+func WithPromptCapabilities(listChanged bool) ServerOption {
+	return func(s *MCPServer) {
+		// Always create a non-nil capability object
+		s.capabilities.prompts = &promptCapabilities{
+			listChanged: listChanged,
+		}
+	}
+}
+
+// WithToolCapabilities configures tool-related server capabilities
+func WithToolCapabilities(listChanged bool) ServerOption {
+	return func(s *MCPServer) {
+		// Always create a non-nil capability object
+		s.capabilities.tools = &toolCapabilities{
+			listChanged: listChanged,
+		}
+	}
+}
+
+// WithLogging enables logging capabilities for the server
+func WithLogging() ServerOption {
+	return func(s *MCPServer) {
+		s.capabilities.logging = true
+	}
+}
+
+// WithInstructions sets the server instructions for the client returned in the initialize response
+func WithInstructions(instructions string) ServerOption {
+	return func(s *MCPServer) {
+		s.instructions = instructions
+	}
+}
+
+// NewMCPServer creates a new MCP server instance with the given name, version and options
+func NewMCPServer(
+	name, version string,
+	opts ...ServerOption,
+) *MCPServer {
+	s := &MCPServer{
+		resources:            make(map[string]resourceEntry),
+		resourceTemplates:    make(map[string]resourceTemplateEntry),
+		prompts:              make(map[string]mcp.Prompt),
+		promptHandlers:       make(map[string]PromptHandlerFunc),
+		tools:                make(map[string]ServerTool),
+		name:                 name,
+		version:              version,
+		notificationHandlers: make(map[string]NotificationHandlerFunc),
+		notifications:        make(chan ServerNotification, 100),
+		capabilities: serverCapabilities{
+			tools:     nil,
+			resources: nil,
+			prompts:   nil,
+			logging:   false,
+		},
+	}
+
+	for _, opt := range opts {
+		opt(s)
+	}
+
+	return s
+}
+
+// HandleMessage processes an incoming JSON-RPC message and returns an appropriate response
+func (s *MCPServer) HandleMessage(
+	ctx context.Context,
+	message json.RawMessage,
+) mcp.JSONRPCMessage {
+	// Add server to context
+	ctx = context.WithValue(ctx, serverKey{}, s)
+
+	var baseMessage struct {
+		JSONRPC string      `json:"jsonrpc"`
+		Method  string      `json:"method"`
+		ID      interface{} `json:"id,omitempty"`
+	}
+
+	if err := json.Unmarshal(message, &baseMessage); err != nil {
+		return createErrorResponse(
+			nil,
+			mcp.PARSE_ERROR,
+			"Failed to parse message",
+		)
+	}
+
+	// Check for valid JSONRPC version
+	if baseMessage.JSONRPC != mcp.JSONRPC_VERSION {
+		return createErrorResponse(
+			baseMessage.ID,
+			mcp.INVALID_REQUEST,
+			"Invalid JSON-RPC version",
+		)
+	}
+
+	if baseMessage.ID == nil {
+		var notification mcp.JSONRPCNotification
+		if err := json.Unmarshal(message, &notification); err != nil {
+			return createErrorResponse(
+				nil,
+				mcp.PARSE_ERROR,
+				"Failed to parse notification",
+			)
+		}
+		s.handleNotification(ctx, notification)
+		return nil // Return nil for notifications
+	}
+
+	switch baseMessage.Method {
+	case "initialize":
+		var request mcp.InitializeRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid initialize request",
+			)
+		}
+		return s.handleInitialize(ctx, baseMessage.ID, request)
+	case "ping":
+		var request mcp.PingRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid ping request",
+			)
+		}
+		return s.handlePing(ctx, baseMessage.ID, request)
+	case "resources/list":
+		if s.capabilities.resources == nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.METHOD_NOT_FOUND,
+				"Resources not supported",
+			)
+		}
+		var request mcp.ListResourcesRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid list resources request",
+			)
+		}
+		return s.handleListResources(ctx, baseMessage.ID, request)
+	case "resources/templates/list":
+		if s.capabilities.resources == nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.METHOD_NOT_FOUND,
+				"Resources not supported",
+			)
+		}
+		var request mcp.ListResourceTemplatesRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid list resource templates request",
+			)
+		}
+		return s.handleListResourceTemplates(ctx, baseMessage.ID, request)
+	case "resources/read":
+		if s.capabilities.resources == nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.METHOD_NOT_FOUND,
+				"Resources not supported",
+			)
+		}
+		var request mcp.ReadResourceRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid read resource request",
+			)
+		}
+		return s.handleReadResource(ctx, baseMessage.ID, request)
+	case "prompts/list":
+		if s.capabilities.prompts == nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.METHOD_NOT_FOUND,
+				"Prompts not supported",
+			)
+		}
+		var request mcp.ListPromptsRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid list prompts request",
+			)
+		}
+		return s.handleListPrompts(ctx, baseMessage.ID, request)
+	case "prompts/get":
+		if s.capabilities.prompts == nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.METHOD_NOT_FOUND,
+				"Prompts not supported",
+			)
+		}
+		var request mcp.GetPromptRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid get prompt request",
+			)
+		}
+		return s.handleGetPrompt(ctx, baseMessage.ID, request)
+	case "tools/list":
+		if s.capabilities.tools == nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.METHOD_NOT_FOUND,
+				"Tools not supported",
+			)
+		}
+		var request mcp.ListToolsRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid list tools request",
+			)
+		}
+		return s.handleListTools(ctx, baseMessage.ID, request)
+	case "tools/call":
+		if s.capabilities.tools == nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.METHOD_NOT_FOUND,
+				"Tools not supported",
+			)
+		}
+		var request mcp.CallToolRequest
+		if err := json.Unmarshal(message, &request); err != nil {
+			return createErrorResponse(
+				baseMessage.ID,
+				mcp.INVALID_REQUEST,
+				"Invalid call tool request",
+			)
+		}
+		return s.handleToolCall(ctx, baseMessage.ID, request)
+	default:
+		return createErrorResponse(
+			baseMessage.ID,
+			mcp.METHOD_NOT_FOUND,
+			fmt.Sprintf("Method %s not found", baseMessage.Method),
+		)
+	}
+}
+
+// AddResource registers a new resource and its handler
+func (s *MCPServer) AddResource(
+	resource mcp.Resource,
+	handler ResourceHandlerFunc,
+) {
+	if s.capabilities.resources == nil {
+		s.capabilities.resources = &resourceCapabilities{}
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.resources[resource.URI] = resourceEntry{
+		resource: resource,
+		handler:  handler,
+	}
+}
+
+// AddResourceTemplate registers a new resource template and its handler
+func (s *MCPServer) AddResourceTemplate(
+	template mcp.ResourceTemplate,
+	handler ResourceTemplateHandlerFunc,
+) {
+	if s.capabilities.resources == nil {
+		s.capabilities.resources = &resourceCapabilities{}
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.resourceTemplates[template.URITemplate] = resourceTemplateEntry{
+		template: template,
+		handler:  handler,
+	}
+}
+
+// AddPrompt registers a new prompt handler with the given name
+func (s *MCPServer) AddPrompt(prompt mcp.Prompt, handler PromptHandlerFunc) {
+	if s.capabilities.prompts == nil {
+		s.capabilities.prompts = &promptCapabilities{}
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.prompts[prompt.Name] = prompt
+	s.promptHandlers[prompt.Name] = handler
+}
+
+// AddTool registers a new tool and its handler
+func (s *MCPServer) AddTool(tool mcp.Tool, handler ToolHandlerFunc) {
+	s.AddTools(ServerTool{Tool: tool, Handler: handler})
+}
+
+// AddTools registers multiple tools at once
+func (s *MCPServer) AddTools(tools ...ServerTool) {
+	if s.capabilities.tools == nil {
+		s.capabilities.tools = &toolCapabilities{}
+	}
+	s.mu.Lock()
+	for _, entry := range tools {
+		s.tools[entry.Tool.Name] = entry
+	}
+	initialized := s.initialized.Load()
+	s.mu.Unlock()
+
+	// Send notification if server is already initialized
+	if initialized {
+		if err := s.SendNotificationToClient("notifications/tools/list_changed", nil); err != nil {
+			// We can't return the error, but in a future version we could log it
+		}
+	}
+}
+
+// SetTools replaces all existing tools with the provided list
+func (s *MCPServer) SetTools(tools ...ServerTool) {
+	s.mu.Lock()
+	s.tools = make(map[string]ServerTool)
+	s.mu.Unlock()
+	s.AddTools(tools...)
+}
+
+// DeleteTools removes a tool from the server
+func (s *MCPServer) DeleteTools(names ...string) {
+	s.mu.Lock()
+	for _, name := range names {
+		delete(s.tools, name)
+	}
+	initialized := s.initialized.Load()
+	s.mu.Unlock()
+
+	// Send notification if server is already initialized
+	if initialized {
+		if err := s.SendNotificationToClient("notifications/tools/list_changed", nil); err != nil {
+			// We can't return the error, but in a future version we could log it
+		}
+	}
+}
+
+// AddNotificationHandler registers a new handler for incoming notifications
+func (s *MCPServer) AddNotificationHandler(
+	method string,
+	handler NotificationHandlerFunc,
+) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.notificationHandlers[method] = handler
+}
+
+func (s *MCPServer) handleInitialize(
+	ctx context.Context,
+	id interface{},
+	request mcp.InitializeRequest,
+) mcp.JSONRPCMessage {
+	capabilities := mcp.ServerCapabilities{}
+
+	// Only add resource capabilities if they're configured
+	if s.capabilities.resources != nil {
+		capabilities.Resources = &struct {
+			Subscribe   bool `json:"subscribe,omitempty"`
+			ListChanged bool `json:"listChanged,omitempty"`
+		}{
+			Subscribe:   s.capabilities.resources.subscribe,
+			ListChanged: s.capabilities.resources.listChanged,
+		}
+	}
+
+	// Only add prompt capabilities if they're configured
+	if s.capabilities.prompts != nil {
+		capabilities.Prompts = &struct {
+			ListChanged bool `json:"listChanged,omitempty"`
+		}{
+			ListChanged: s.capabilities.prompts.listChanged,
+		}
+	}
+
+	// Only add tool capabilities if they're configured
+	if s.capabilities.tools != nil {
+		capabilities.Tools = &struct {
+			ListChanged bool `json:"listChanged,omitempty"`
+		}{
+			ListChanged: s.capabilities.tools.listChanged,
+		}
+	}
+
+	if s.capabilities.logging {
+		capabilities.Logging = &struct{}{}
+	}
+
+	result := mcp.InitializeResult{
+		ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION,
+		ServerInfo: mcp.Implementation{
+			Name:    s.name,
+			Version: s.version,
+		},
+		Capabilities: capabilities,
+		Instructions: s.instructions,
+	}
+
+	s.initialized.Store(true)
+	return createResponse(id, result)
+}
+
+func (s *MCPServer) handlePing(
+	ctx context.Context,
+	id interface{},
+	request mcp.PingRequest,
+) mcp.JSONRPCMessage {
+	return createResponse(id, mcp.EmptyResult{})
+}
+
+func (s *MCPServer) handleListResources(
+	ctx context.Context,
+	id interface{},
+	request mcp.ListResourcesRequest,
+) mcp.JSONRPCMessage {
+	s.mu.RLock()
+	resources := make([]mcp.Resource, 0, len(s.resources))
+	for _, entry := range s.resources {
+		resources = append(resources, entry.resource)
+	}
+	s.mu.RUnlock()
+
+	result := mcp.ListResourcesResult{
+		Resources: resources,
+	}
+	if request.Params.Cursor != "" {
+		result.NextCursor = "" // Handle pagination if needed
+	}
+	return createResponse(id, result)
+}
+
+func (s *MCPServer) handleListResourceTemplates(
+	ctx context.Context,
+	id interface{},
+	request mcp.ListResourceTemplatesRequest,
+) mcp.JSONRPCMessage {
+	s.mu.RLock()
+	templates := make([]mcp.ResourceTemplate, 0, len(s.resourceTemplates))
+	for _, entry := range s.resourceTemplates {
+		templates = append(templates, entry.template)
+	}
+	s.mu.RUnlock()
+
+	result := mcp.ListResourceTemplatesResult{
+		ResourceTemplates: templates,
+	}
+	if request.Params.Cursor != "" {
+		result.NextCursor = "" // Handle pagination if needed
+	}
+	return createResponse(id, result)
+}
+
+func (s *MCPServer) handleReadResource(
+	ctx context.Context,
+	id interface{},
+	request mcp.ReadResourceRequest,
+) mcp.JSONRPCMessage {
+	s.mu.RLock()
+	// First try direct resource handlers
+	if entry, ok := s.resources[request.Params.URI]; ok {
+		handler := entry.handler
+		s.mu.RUnlock()
+		contents, err := handler(ctx, request)
+		if err != nil {
+			return createErrorResponse(id, mcp.INTERNAL_ERROR, err.Error())
+		}
+		return createResponse(id, mcp.ReadResourceResult{Contents: contents})
+	}
+
+	// If no direct handler found, try matching against templates
+	var matchedHandler ResourceTemplateHandlerFunc
+	var matched bool
+	for uriTemplate, entry := range s.resourceTemplates {
+		if matchesTemplate(request.Params.URI, uriTemplate) {
+			matchedHandler = entry.handler
+			matched = true
+			break
+		}
+	}
+	s.mu.RUnlock()
+
+	if matched {
+		contents, err := matchedHandler(ctx, request)
+		if err != nil {
+			return createErrorResponse(id, mcp.INTERNAL_ERROR, err.Error())
+		}
+		return createResponse(
+			id,
+			mcp.ReadResourceResult{Contents: contents},
+		)
+	}
+
+	return createErrorResponse(
+		id,
+		mcp.INVALID_PARAMS,
+		fmt.Sprintf(
+			"No handler found for resource URI: %s",
+			request.Params.URI,
+		),
+	)
+}
+
+// matchesTemplate checks if a URI matches a URI template pattern
+func matchesTemplate(uri string, template string) bool {
+	// Convert template into a regex pattern
+	pattern := template
+	// Replace {name} with ([^/]+)
+	pattern = regexp.QuoteMeta(pattern)
+	pattern = regexp.MustCompile(`\\\{[^}]+\\\}`).
+		ReplaceAllString(pattern, `([^/]+)`)
+	pattern = "^" + pattern + "$"
+
+	matched, _ := regexp.MatchString(pattern, uri)
+	return matched
+}
+
+func (s *MCPServer) handleListPrompts(
+	ctx context.Context,
+	id interface{},
+	request mcp.ListPromptsRequest,
+) mcp.JSONRPCMessage {
+	s.mu.RLock()
+	prompts := make([]mcp.Prompt, 0, len(s.prompts))
+	for _, prompt := range s.prompts {
+		prompts = append(prompts, prompt)
+	}
+	s.mu.RUnlock()
+
+	result := mcp.ListPromptsResult{
+		Prompts: prompts,
+	}
+	if request.Params.Cursor != "" {
+		result.NextCursor = "" // Handle pagination if needed
+	}
+	return createResponse(id, result)
+}
+
+func (s *MCPServer) handleGetPrompt(
+	ctx context.Context,
+	id interface{},
+	request mcp.GetPromptRequest,
+) mcp.JSONRPCMessage {
+	s.mu.RLock()
+	handler, ok := s.promptHandlers[request.Params.Name]
+	s.mu.RUnlock()
+
+	if !ok {
+		return createErrorResponse(
+			id,
+			mcp.INVALID_PARAMS,
+			fmt.Sprintf("Prompt not found: %s", request.Params.Name),
+		)
+	}
+
+	result, err := handler(ctx, request)
+	if err != nil {
+		return createErrorResponse(id, mcp.INTERNAL_ERROR, err.Error())
+	}
+
+	return createResponse(id, result)
+}
+
+func (s *MCPServer) handleListTools(
+	ctx context.Context,
+	id interface{},
+	request mcp.ListToolsRequest,
+) mcp.JSONRPCMessage {
+	s.mu.RLock()
+	tools := make([]mcp.Tool, 0, len(s.tools))
+
+	// Get all tool names for consistent ordering
+	toolNames := make([]string, 0, len(s.tools))
+	for name := range s.tools {
+		toolNames = append(toolNames, name)
+	}
+
+	// Sort the tool names for consistent ordering
+	sort.Strings(toolNames)
+
+	// Add tools in sorted order
+	for _, name := range toolNames {
+		tools = append(tools, s.tools[name].Tool)
+	}
+	s.mu.RUnlock()
+
+	result := mcp.ListToolsResult{
+		Tools: tools,
+	}
+	if request.Params.Cursor != "" {
+		result.NextCursor = "" // Handle pagination if needed
+	}
+	return createResponse(id, result)
+}
+
+func (s *MCPServer) handleToolCall(
+	ctx context.Context,
+	id interface{},
+	request mcp.CallToolRequest,
+) mcp.JSONRPCMessage {
+	s.mu.RLock()
+	tool, ok := s.tools[request.Params.Name]
+	s.mu.RUnlock()
+
+	if !ok {
+		return createErrorResponse(
+			id,
+			mcp.INVALID_PARAMS,
+			fmt.Sprintf("Tool not found: %s", request.Params.Name),
+		)
+	}
+
+	result, err := tool.Handler(ctx, request)
+	if err != nil {
+		return createErrorResponse(id, mcp.INTERNAL_ERROR, err.Error())
+	}
+
+	return createResponse(id, result)
+}
+
+func (s *MCPServer) handleNotification(
+	ctx context.Context,
+	notification mcp.JSONRPCNotification,
+) mcp.JSONRPCMessage {
+	s.mu.RLock()
+	handler, ok := s.notificationHandlers[notification.Method]
+	s.mu.RUnlock()
+
+	if ok {
+		handler(ctx, notification)
+	}
+	return nil
+}
+
+func createResponse(id interface{}, result interface{}) mcp.JSONRPCMessage {
+	return mcp.JSONRPCResponse{
+		JSONRPC: mcp.JSONRPC_VERSION,
+		ID:      id,
+		Result:  result,
+	}
+}
+
+func createErrorResponse(
+	id interface{},
+	code int,
+	message string,
+) mcp.JSONRPCMessage {
+	return mcp.JSONRPCError{
+		JSONRPC: mcp.JSONRPC_VERSION,
+		ID:      id,
+		Error: struct {
+			Code    int         `json:"code"`
+			Message string      `json:"message"`
+			Data    interface{} `json:"data,omitempty"`
+		}{
+			Code:    code,
+			Message: message,
+		},
+	}
+}
--- a/plugins/golang-filter/mcp-server/internal/sse.go
+++ b/plugins/golang-filter/mcp-server/internal/sse.go
@@ -0,0 +1,227 @@
+package internal
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
+	"github.com/google/uuid"
+	"github.com/mark3labs/mcp-go/mcp"
+)
+
+// SSEServer implements a Server-Sent Events (SSE) based MCP server.
+// It provides real-time communication capabilities over HTTP using the SSE protocol.
+type SSEServer struct {
+	server          *MCPServer
+	baseURL         string
+	messageEndpoint string
+	sseEndpoint     string
+	sessions        sync.Map
+	redisClient     *RedisClient // Redis client for pub/sub
+}
+
+func (s *SSEServer) SetBaseURL(baseURL string) {
+	s.baseURL = baseURL
+}
+
+func (s *SSEServer) GetMessageEndpoint() string {
+	return s.messageEndpoint
+}
+
+func (s *SSEServer) GetSSEEndpoint() string {
+	return s.sseEndpoint
+}
+
+func (s *SSEServer) GetServerName() string {
+	return s.server.name
+}
+
+// Option defines a function type for configuring SSEServer
+type Option func(*SSEServer)
+
+// WithBaseURL sets the base URL for the SSE server
+func WithBaseURL(baseURL string) Option {
+	return func(s *SSEServer) {
+		s.baseURL = baseURL
+	}
+}
+
+// WithMessageEndpoint sets the message endpoint path
+func WithMessageEndpoint(endpoint string) Option {
+	return func(s *SSEServer) {
+		s.messageEndpoint = endpoint
+	}
+}
+
+// WithSSEEndpoint sets the SSE endpoint path
+func WithSSEEndpoint(endpoint string) Option {
+	return func(s *SSEServer) {
+		s.sseEndpoint = endpoint
+	}
+}
+
+func WithRedisClient(redisClient *RedisClient) Option {
+	return func(s *SSEServer) {
+		s.redisClient = redisClient
+	}
+}
+
+// NewSSEServer creates a new SSE server instance with the given MCP server and options.
+func NewSSEServer(server *MCPServer, opts ...Option) *SSEServer {
+	s := &SSEServer{
+		server:          server,
+		sseEndpoint:     "/sse",
+		messageEndpoint: "/message",
+	}
+
+	// Apply all options
+	for _, opt := range opts {
+		opt(s)
+	}
+	return s
+}
+
+// handleSSE handles incoming SSE connection requests.
+// It sets up appropriate headers and creates a new session for the client.
+func (s *SSEServer) HandleSSE(cb api.FilterCallbackHandler) {
+	sessionID := uuid.New().String()
+
+	s.sessions.Store(sessionID, true)
+	defer s.sessions.Delete(sessionID)
+
+	channel := fmt.Sprintf("sse:%s", sessionID)
+
+	messageEndpoint := fmt.Sprintf(
+		"%s%s?sessionId=%s",
+		s.baseURL,
+		s.messageEndpoint,
+		sessionID,
+	)
+
+	// go func() {
+	// 	for {
+	// 		select {
+	// 		case serverNotification := <-s.server.notifications:
+	// 			// Only forward notifications meant for this session
+	// 			if serverNotification.Context.SessionID == sessionID {
+	// 				eventData, err := json.Marshal(serverNotification.Notification)
+	// 				if err == nil {
+	// 					select {
+	// 					case session.eventQueue <- fmt.Sprintf("event: message\ndata: %s\n\n", eventData):
+	// 						// Event queued successfully
+	// 					case <-session.done:
+	// 						return
+	// 					}
+	// 				}
+	// 			}
+	// 		case <-session.done:
+	// 			return
+	// 		case <-r.Context().Done():
+	// 			return
+	// 		}
+	// 	}
+	// }()
+
+	err := s.redisClient.Subscribe(channel, func(message string) {
+		defer cb.EncoderFilterCallbacks().RecoverPanic()
+		api.LogDebugf("SSE Send message: %s", message)
+		cb.EncoderFilterCallbacks().InjectData([]byte(message))
+	})
+	if err != nil {
+		api.LogErrorf("Failed to subscribe to Redis channel: %v", err)
+	}
+
+	// Send the initial endpoint event
+	initialEvent := fmt.Sprintf("event: endpoint\ndata: %s\r\n\r\n", messageEndpoint)
+	err = s.redisClient.Publish(channel, initialEvent)
+	if err != nil {
+		api.LogErrorf("Failed to send initial event: %v", err)
+	}
+
+	// Start health check handler
+	go func() {
+		ticker := time.NewTicker(time.Minute)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-s.redisClient.stopChan:
+				return
+			case <-ticker.C:
+				// Send health check message
+				healthCheckEvent := "event: health_check\ndata: ping\r\n\r\n"
+				if err := s.redisClient.Publish(channel, healthCheckEvent); err != nil {
+					api.LogErrorf("Failed to send health check: %v", err)
+				}
+			}
+		}
+	}()
+}
+
+// handleMessage processes incoming JSON-RPC messages from clients and sends responses
+// back through both the SSE connection and HTTP response.
+func (s *SSEServer) HandleMessage(w http.ResponseWriter, r *http.Request, body json.RawMessage) {
+	if r.Method != http.MethodPost {
+		s.writeJSONRPCError(w, nil, mcp.INVALID_REQUEST, fmt.Sprintf("Method %s not allowed", r.Method))
+		return
+	}
+
+	sessionID := r.URL.Query().Get("sessionId")
+	if sessionID == "" {
+		s.writeJSONRPCError(w, nil, mcp.INVALID_PARAMS, "Missing sessionId")
+		return
+	}
+
+	// Set the client context in the server before handling the message
+	ctx := s.server.WithContext(r.Context(), NotificationContext{
+		ClientID:  sessionID,
+		SessionID: sessionID,
+	})
+
+	//TODO： check session id
+	// _, ok := s.sessions.Load(sessionID)
+	// if !ok {
+	// 	s.writeJSONRPCError(w, nil, mcp.INVALID_PARAMS, "Invalid session ID")
+	// 	return
+	// }
+
+	// Process message through MCPServer
+	response := s.server.HandleMessage(ctx, body)
+
+	// Only send response if there is one (not for notifications)
+	if response != nil {
+		eventData, _ := json.Marshal(response)
+
+		if sessionID != "" {
+			channel := fmt.Sprintf("sse:%s", sessionID)
+			publishErr := s.redisClient.Publish(channel, fmt.Sprintf("event: message\ndata: %s\n\n", eventData))
+
+			if publishErr != nil {
+				api.LogErrorf("Failed to publish message to Redis: %v", publishErr)
+			}
+		}
+		// Send HTTP response
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusAccepted)
+		json.NewEncoder(w).Encode(response)
+	} else {
+		// For notifications, just send 202 Accepted with no body
+		w.WriteHeader(http.StatusAccepted)
+	}
+}
+
+// writeJSONRPCError writes a JSON-RPC error response with the given error details.
+func (s *SSEServer) writeJSONRPCError(
+	w http.ResponseWriter,
+	id interface{},
+	code int,
+	message string,
+) {
+	response := createErrorResponse(id, code, message)
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusBadRequest)
+	json.NewEncoder(w).Encode(response)
+}
--- a/plugins/golang-filter/mcp-server/registry/nacos/nacos.go
+++ b/plugins/golang-filter/mcp-server/registry/nacos/nacos.go
@@ -0,0 +1,243 @@
+package nacos
+
+import (
+	"encoding/json"
+	"fmt"
+	"regexp"
+
+	"github.com/alibaba/higress/plugins/golang-filter/mcp-server/registry"
+	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
+	"github.com/nacos-group/nacos-sdk-go/v2/clients/config_client"
+	"github.com/nacos-group/nacos-sdk-go/v2/clients/naming_client"
+	"github.com/nacos-group/nacos-sdk-go/v2/model"
+	"github.com/nacos-group/nacos-sdk-go/v2/vo"
+)
+
+type NacosMcpRegsitry struct {
+	serviceMatcher           map[string]string
+	configClient             config_client.IConfigClient
+	namingClient             naming_client.INamingClient
+	toolsDescription         map[string]*registry.ToolDescription
+	toolsRpcContext          map[string]*registry.RpcContext
+	toolChangeEventListeners []registry.ToolChangeEventListener
+	currentServiceSet        map[string]bool
+}
+
+const DEFAULT_SERVICE_LIST_MAX_PGSIZXE = 10000
+const MCP_TOOL_SUBFIX = "-mcp-tools.json"
+
+func (n *NacosMcpRegsitry) ListToolsDesciption() []*registry.ToolDescription {
+	if n.toolsDescription == nil {
+		n.refreshToolsList()
+	}
+
+	result := []*registry.ToolDescription{}
+	for _, tool := range n.toolsDescription {
+		result = append(result, tool)
+	}
+	return result
+}
+
+func (n *NacosMcpRegsitry) GetToolRpcContext(toolName string) (*registry.RpcContext, bool) {
+	tool, ok := n.toolsRpcContext[toolName]
+	return tool, ok
+}
+
+func (n *NacosMcpRegsitry) RegisterToolChangeEventListener(listener registry.ToolChangeEventListener) {
+	n.toolChangeEventListeners = append(n.toolChangeEventListeners, listener)
+}
+
+func (n *NacosMcpRegsitry) refreshToolsList() bool {
+	changed := false
+	for group, serviceMatcher := range n.serviceMatcher {
+		if n.refreshToolsListForGroup(group, serviceMatcher) {
+			changed = true
+		}
+	}
+	return changed
+}
+
+func (n *NacosMcpRegsitry) refreshToolsListForGroup(group string, serviceMatcher string) bool {
+	services, err := n.namingClient.GetAllServicesInfo(vo.GetAllServiceInfoParam{
+		GroupName: group,
+		PageNo:    1,
+		PageSize:  DEFAULT_SERVICE_LIST_MAX_PGSIZXE,
+	})
+
+	if err != nil {
+		api.LogError(fmt.Sprintf("Get service list error when refresh tools list for group %s, error %s", group, err))
+		return false
+	}
+
+	changed := false
+	serviceList := services.Doms
+	pattern, err := regexp.Compile(serviceMatcher)
+	if err != nil {
+		api.LogErrorf("Match service error for patter %s", serviceMatcher)
+		return false
+	}
+	for _, service := range serviceList {
+		if !pattern.MatchString(service) {
+			continue
+		}
+
+		if _, ok := n.currentServiceSet[group+service]; !ok {
+			changed = true
+			n.refreshToolsListForService(group, service)
+			n.listenToService(group, service)
+		}
+	}
+	return changed
+}
+
+func (n *NacosMcpRegsitry) refreshToolsListForServiceWithContent(group string, service string, newConfig *string, instances *[]model.Instance) {
+
+	if newConfig == nil {
+		dataId := makeToolsConfigId(service)
+		content, err := n.configClient.GetConfig(vo.ConfigParam{
+			DataId: dataId,
+			Group:  group,
+		})
+
+		if err != nil {
+			api.LogError(fmt.Sprintf("Get tools config for sercice %s:%s error %s", group, service, err))
+			return
+		}
+
+		newConfig = &content
+	}
+
+	if instances == nil {
+		instancesFromNacos, err := n.namingClient.SelectInstances(vo.SelectInstancesParam{
+			ServiceName: service,
+			GroupName:   group,
+			HealthyOnly: true,
+		})
+
+		if err != nil {
+			api.LogError(fmt.Sprintf("List instance for sercice %s:%s error %s", group, service, err))
+			return
+		}
+
+		instances = &instancesFromNacos
+	}
+
+	var applicationDescription registry.McpApplicationDescription
+	err := json.Unmarshal([]byte(*newConfig), &applicationDescription)
+	if err != nil {
+		api.LogError(fmt.Sprintf("Parse tools config for sercice %s:%s error, config is %s, error is %s", group, service, *newConfig, err))
+		return
+	}
+
+	wrappedInstances := []registry.Instance{}
+	for _, instance := range *instances {
+		wrappedInstance := registry.Instance{
+			Host: instance.Ip,
+			Port: instance.Port,
+			Meta: instance.Metadata,
+		}
+		wrappedInstances = append(wrappedInstances, wrappedInstance)
+	}
+
+	if n.toolsDescription == nil {
+		n.toolsDescription = map[string]*registry.ToolDescription{}
+	}
+
+	if n.toolsRpcContext == nil {
+		n.toolsRpcContext = map[string]*registry.RpcContext{}
+	}
+
+	for _, tool := range applicationDescription.ToolsDescription {
+		meta := applicationDescription.ToolsMeta[tool.Name]
+
+		var cred *registry.CredentialInfo
+		credentialRef := meta.CredentialRef
+		if credentialRef != nil {
+			cred = n.GetCredential(*credentialRef, group)
+		}
+
+		context := registry.RpcContext{
+			ToolMeta:   meta,
+			Instances:  &wrappedInstances,
+			Protocol:   applicationDescription.Protocol,
+			Credential: cred,
+		}
+
+		tool.Name = makeToolName(group, service, tool.Name)
+		n.toolsDescription[tool.Name] = tool
+		n.toolsRpcContext[tool.Name] = &context
+	}
+	n.currentServiceSet[group+service] = true
+	api.LogInfo(fmt.Sprintf("Refresh tools list for service success %s:%s", group, service))
+}
+
+func (n *NacosMcpRegsitry) GetCredential(name string, group string) *registry.CredentialInfo {
+	dataId := makeCredentialDataId(name)
+	content, err := n.configClient.GetConfig(vo.ConfigParam{
+		DataId: dataId,
+		Group:  group,
+	})
+
+	if err != nil {
+		api.LogError(fmt.Sprintf("Get credentials for %s:%s error %s", group, dataId, err))
+		return nil
+	}
+
+	var credential registry.CredentialInfo
+	err = json.Unmarshal([]byte(content), &credential)
+	if err != nil {
+		api.LogError(fmt.Sprintf("Parse credentials for %s:%s error %s", group, dataId, err))
+		return nil
+	}
+
+	return &credential
+}
+
+func (n *NacosMcpRegsitry) refreshToolsListForService(group string, service string) {
+	n.refreshToolsListForServiceWithContent(group, service, nil, nil)
+}
+
+func (n *NacosMcpRegsitry) listenToService(group string, service string) {
+
+	// config changed, tools description may be changed
+	err := n.configClient.ListenConfig(vo.ConfigParam{
+		DataId: makeToolsConfigId(service),
+		Group:  group,
+		OnChange: func(namespace, group, dataId, data string) {
+			n.refreshToolsListForServiceWithContent(group, service, &data, nil)
+			for _, listener := range n.toolChangeEventListeners {
+				listener.OnToolChanged(n)
+			}
+		},
+	})
+
+	if err != nil {
+		api.LogError(fmt.Sprintf("Listen to service's tool config error %s", err))
+	}
+
+	err = n.namingClient.Subscribe(&vo.SubscribeParam{
+		ServiceName: service,
+		GroupName:   group,
+		SubscribeCallback: func(services []model.Instance, err error) {
+			n.refreshToolsListForServiceWithContent(group, service, nil, &services)
+			for _, listener := range n.toolChangeEventListeners {
+				listener.OnToolChanged(n)
+			}
+		},
+	})
+	if err != nil {
+		api.LogError(fmt.Sprintf("Listen to service's tool instance list error %s", err))
+	}
+}
+
+func makeToolName(group string, service string, toolName string) string {
+	return fmt.Sprintf("%s_%s_%s", group, service, toolName)
+}
+
+func makeToolsConfigId(service string) string {
+	return service + MCP_TOOL_SUBFIX
+}
+
+func makeCredentialDataId(credentialName string) string {
+	return credentialName
+}
--- a/plugins/golang-filter/mcp-server/registry/nacos/server.go
+++ b/plugins/golang-filter/mcp-server/registry/nacos/server.go
@@ -0,0 +1,170 @@
+package nacos
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/alibaba/higress/plugins/golang-filter/mcp-server/internal"
+	"github.com/alibaba/higress/plugins/golang-filter/mcp-server/registry"
+	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/nacos-group/nacos-sdk-go/v2/clients"
+	"github.com/nacos-group/nacos-sdk-go/v2/common/constant"
+	"github.com/nacos-group/nacos-sdk-go/v2/vo"
+)
+
+func init() {
+	internal.GlobalRegistry.RegisterServer("nacos-mcp-registry", &NacosConfig{})
+}
+
+type NacosConfig struct {
+	ServerAddr     *string
+	Ak             *string
+	Sk             *string
+	Namespace      *string
+	RegionId       *string
+	ServiceMatcher *map[string]string
+}
+
+type McpServerToolsChangeListener struct {
+	mcpServer *internal.MCPServer
+}
+
+func (l *McpServerToolsChangeListener) OnToolChanged(reg registry.McpServerRegistry) {
+	resetToolsToMcpServer(l.mcpServer, reg)
+}
+
+func CreateNacosMcpRegsitry(config *NacosConfig) (*NacosMcpRegsitry, error) {
+	sc := []constant.ServerConfig{
+		*constant.NewServerConfig(*config.ServerAddr, 8848, constant.WithContextPath("/nacos")),
+	}
+
+	//create ClientConfig
+	cc := *constant.NewClientConfig(
+		constant.WithTimeoutMs(5000),
+		constant.WithNotLoadCacheAtStart(true),
+		constant.WithOpenKMS(true),
+	)
+
+	if config.Namespace != nil {
+		cc.NamespaceId = *config.Namespace
+	}
+
+	if config.RegionId != nil {
+		cc.RegionId = *config.RegionId
+	}
+
+	if config.Ak != nil {
+		cc.AccessKey = *config.Ak
+	}
+
+	if config.Sk != nil {
+		cc.SecretKey = *config.Sk
+	}
+
+	// create config client
+	configClient, err := clients.NewConfigClient(
+		vo.NacosClientParam{
+			ClientConfig:  &cc,
+			ServerConfigs: sc,
+		},
+	)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to initial nacos config client: %w", err)
+	}
+
+	namingClient, err := clients.NewNamingClient(
+		vo.NacosClientParam{
+			ClientConfig:  &cc,
+			ServerConfigs: sc,
+		},
+	)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to initial naming config client: %w", err)
+	}
+
+	return &NacosMcpRegsitry{
+		configClient:             configClient,
+		namingClient:             namingClient,
+		serviceMatcher:           *config.ServiceMatcher,
+		toolChangeEventListeners: []registry.ToolChangeEventListener{},
+		currentServiceSet:        map[string]bool{},
+	}, nil
+}
+
+func (c *NacosConfig) ParseConfig(config map[string]any) error {
+
+	serverAddr, ok := config["serverAddr"].(string)
+	if !ok {
+		return errors.New("missing serverAddr")
+	}
+	c.ServerAddr = &serverAddr
+
+	serviceMatcher, ok := config["serviceMatcher"].(map[string]any)
+	if !ok {
+		return errors.New("missing serviceMatcher")
+	}
+
+	matchers := map[string]string{}
+	for key, value := range serviceMatcher {
+		matchers[key] = value.(string)
+	}
+
+	c.ServiceMatcher = &matchers
+
+	if ak, ok := config["accessKey"].(string); ok {
+		c.Ak = &ak
+	}
+
+	if sk, ok := config["secretKey"].(string); ok {
+		c.Sk = &sk
+	}
+
+	if region, ok := config["regionId"].(string); ok {
+		c.RegionId = &region
+	}
+	return nil
+}
+
+func (c *NacosConfig) NewServer(serverName string) (*internal.MCPServer, error) {
+	mcpServer := internal.NewMCPServer(
+		serverName,
+		"1.0.0",
+	)
+
+	nacosRegistry, err := CreateNacosMcpRegsitry(c)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize NacosMcpRegistry: %w", err)
+	}
+
+	listener := McpServerToolsChangeListener{
+		mcpServer: mcpServer,
+	}
+	nacosRegistry.RegisterToolChangeEventListener(&listener)
+
+	go func() {
+		for {
+			if nacosRegistry.refreshToolsList() {
+				resetToolsToMcpServer(mcpServer, nacosRegistry)
+			}
+			time.Sleep(time.Second * 10)
+		}
+	}()
+	return mcpServer, nil
+}
+
+func resetToolsToMcpServer(mcpServer *internal.MCPServer, reg registry.McpServerRegistry) {
+	wrappedTools := []internal.ServerTool{}
+	tools := reg.ListToolsDesciption()
+	for _, tool := range tools {
+		wrappedTools = append(wrappedTools, internal.ServerTool{
+			Tool:    mcp.NewToolWithRawSchema(tool.Name, tool.Description, tool.InputSchema),
+			Handler: registry.HandleRegistryToolsCall(reg),
+		})
+	}
+	mcpServer.SetTools(wrappedTools...)
+	api.LogInfo("Config changed reset tools")
+}
--- a/plugins/golang-filter/mcp-server/registry/registry.go
+++ b/plugins/golang-filter/mcp-server/registry/registry.go
@@ -0,0 +1,64 @@
+package registry
+
+import (
+	"encoding/json"
+
+	"github.com/mark3labs/mcp-go/mcp"
+)
+
+type McpApplicationDescription struct {
+	Protocol         string              `json:"protocol"`
+	ToolsDescription []*ToolDescription  `json:"tools"`
+	ToolsMeta        map[string]ToolMeta `json:"toolsMeta"`
+}
+
+type ToolMeta struct {
+	InvokeContext     map[string]string           `json:"invokeContext"`
+	ParametersMapping map[string]ParameterMapInfo `json:"parametersMapping"`
+	CredentialRef     *string                     `json:"credentialRef"`
+}
+
+type ParameterMapInfo struct {
+	ParamName   string `json:"name"`
+	BackendName string `json:"backendName"`
+	ParamType   string `json:"type"`
+	Position    string `json:"position"`
+}
+
+type ToolDescription struct {
+	Name        string          `json:"name"`
+	Description string          `json:"description"`
+	InputSchema json.RawMessage `json:"inputSchema"`
+}
+
+type ToolChangeEventListener interface {
+	OnToolChanged(McpServerRegistry)
+}
+
+type McpServerRegistry interface {
+	ListToolsDesciption() []*ToolDescription
+	GetToolRpcContext(toolname string) (*RpcContext, bool)
+	RegisterToolChangeEventListener(listener ToolChangeEventListener)
+}
+
+type RpcContext struct {
+	Instances  *[]Instance
+	ToolMeta   ToolMeta
+	Protocol   string
+	Credential *CredentialInfo
+}
+
+type CredentialInfo struct {
+	CredentialType string         `json:"type"`
+	Credentials    map[string]any `json:"credentialsMap"`
+}
+
+type Instance struct {
+	Host string
+	Port uint64
+	Meta map[string]string
+}
+
+type RemoteCallHandle interface {
+	HandleToolCall(ctx *RpcContext, parameters map[string]any) (*mcp.CallToolResult, error)
+}
--- a/plugins/golang-filter/mcp-server/registry/remote.go
+++ b/plugins/golang-filter/mcp-server/registry/remote.go
@@ -0,0 +1,200 @@
+package registry
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"math/rand"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/alibaba/higress/plugins/golang-filter/mcp-server/internal"
+	"github.com/mark3labs/mcp-go/mcp"
+)
+
+const HTTP_URL_TEMPLATE = "%s://%s:%d%s"
+const FIX_QUERY_TOKEN_KEY = "key"
+const FIX_QUERY_TOKEN_VALUE = "value"
+const PROTOCOL_HTTP = "http"
+const PROTOCOL_HTTPS = "https"
+const DEFAULT_HTTP_METHOD = "GET"
+const DEFAULT_HTTP_PATH = "/"
+
+func getHttpCredentialHandle(name string) (func(*CredentialInfo, *HttpRemoteCallHandle), error) {
+	if name == "fixed-query-token" {
+		return FixedQueryToken, nil
+	}
+
+	return nil, fmt.Errorf("Unknown credential type")
+}
+
+type CommonRemoteCallHandle struct {
+	Instance *Instance
+}
+
+type HttpRemoteCallHandle struct {
+	CommonRemoteCallHandle
+	Protocol string
+	Headers  http.Header
+	Body     *string
+	Query    map[string]string
+	Path     string
+	Method   string
+}
+
+// http credentials handles
+func FixedQueryToken(cred *CredentialInfo, h *HttpRemoteCallHandle) {
+	key, _ := cred.Credentials[FIX_QUERY_TOKEN_KEY]
+	value, _ := cred.Credentials[FIX_QUERY_TOKEN_VALUE]
+	h.Query[key.(string)] = value.(string)
+}
+
+func newHttpRemoteCallHandle(ctx *RpcContext) *HttpRemoteCallHandle {
+	instance := selectOneInstance(ctx)
+	method, ok := ctx.ToolMeta.InvokeContext["method"]
+	if !ok {
+		method = DEFAULT_HTTP_METHOD
+	}
+
+	path, ok := ctx.ToolMeta.InvokeContext["path"]
+	if !ok {
+		path = DEFAULT_HTTP_PATH
+	}
+
+	return &HttpRemoteCallHandle{
+		CommonRemoteCallHandle: CommonRemoteCallHandle{
+			Instance: &instance,
+		},
+		Protocol: ctx.Protocol,
+		Headers:  http.Header{},
+		Body:     nil,
+		Query:    map[string]string{},
+		Path:     path,
+		Method:   method,
+	}
+}
+
+// http remote handle implementation
+func (h *HttpRemoteCallHandle) HandleToolCall(ctx *RpcContext, parameters map[string]any) (*mcp.CallToolResult, error) {
+	if ctx.Credential != nil {
+		credentialHandle, err := getHttpCredentialHandle(ctx.Credential.CredentialType)
+		if err != nil {
+			return nil, err
+		}
+		credentialHandle(ctx.Credential, h)
+	}
+
+	err := h.handleParamMapping(&ctx.ToolMeta.ParametersMapping, parameters)
+	if err != nil {
+		return nil, err
+	}
+
+	response, err := h.doHttpCall()
+	if err != nil {
+		return nil, err
+	}
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	responseType := "text"
+	if respType, ok := ctx.ToolMeta.InvokeContext["responseType"]; ok {
+		responseType = respType
+	}
+
+	return &mcp.CallToolResult{
+		Content: []mcp.Content{
+			mcp.TextContent{
+				Type: responseType,
+				Text: string(body),
+			},
+		},
+	}, nil
+}
+
+func (h *HttpRemoteCallHandle) handleParamMapping(mapInfo *map[string]ParameterMapInfo, params map[string]any) error {
+	paramMapInfo := *mapInfo
+	for param, value := range params {
+		if info, ok := paramMapInfo[param]; ok {
+			if info.Position == "Query" {
+				h.Query[info.BackendName] = fmt.Sprintf("%s", value)
+			} else if info.Position == "Header" {
+				h.Headers[info.BackendName] = []string{fmt.Sprintf("%s", value)}
+			} else {
+				return fmt.Errorf("Unsupport position for args %s, pos is %s", param, info.Position)
+			}
+		} else {
+			h.Query[param] = fmt.Sprintf("%s", value)
+		}
+	}
+	return nil
+}
+
+func (h *HttpRemoteCallHandle) doHttpCall() (*http.Response, error) {
+	pathPrefix := fmt.Sprintf(HTTP_URL_TEMPLATE, h.Protocol, h.Instance.Host, h.Instance.Port, h.Path)
+	queryString := ""
+	queryGroup := []string{}
+	for queryKey, queryValue := range h.Query {
+		queryGroup = append(queryGroup, url.QueryEscape(queryKey)+"="+url.QueryEscape(queryValue))
+	}
+
+	if len(queryGroup) > 0 {
+		queryString = "?" + strings.Join(queryGroup, "&")
+	}
+	fullUrl, err := url.Parse(pathPrefix + queryString)
+	if err != nil {
+		return nil, fmt.Errorf("Parse url error , url is %s", pathPrefix+queryString)
+	}
+	request := http.Request{
+		URL:    fullUrl,
+		Method: h.Method,
+		Header: h.Headers,
+	}
+
+	if h.Body != nil {
+		request.Body = io.NopCloser(strings.NewReader(*h.Body))
+	}
+
+	return http.DefaultClient.Do(&request)
+}
+
+func selectOneInstance(ctx *RpcContext) Instance {
+	instanceId := 0
+	instances := *ctx.Instances
+	if len(instances) != 1 {
+		instanceId = rand.Intn(len(instances) - 1)
+	}
+	return instances[instanceId]
+}
+
+func getRemoteCallhandle(ctx *RpcContext) RemoteCallHandle {
+	if ctx.Protocol == PROTOCOL_HTTP || ctx.Protocol == PROTOCOL_HTTPS {
+		return newHttpRemoteCallHandle(ctx)
+	} else {
+		return nil
+	}
+}
+
+// common remote call process
+func CommonRemoteCall(reg McpServerRegistry, toolName string, parameters map[string]any) (*mcp.CallToolResult, error) {
+	ctx, ok := reg.GetToolRpcContext(toolName)
+	if !ok {
+		return nil, fmt.Errorf("Unknown tool %s", toolName)
+	}
+
+	remoteHandle := getRemoteCallhandle(ctx)
+	if remoteHandle == nil {
+		return nil, fmt.Errorf("Unknown backend protocol %s", ctx.Protocol)
+	}
+
+	return remoteHandle.HandleToolCall(ctx, parameters)
+}
+
+func HandleRegistryToolsCall(reg McpServerRegistry) internal.ToolHandlerFunc {
+	return func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+		arguments := request.Params.Arguments
+		return CommonRemoteCall(reg, request.Params.Name, arguments)
+	}
+}
--- a/plugins/golang-filter/mcp-server/servers/gorm/db.go
+++ b/plugins/golang-filter/mcp-server/servers/gorm/db.go
@@ -0,0 +1,90 @@
+package gorm
+
+import (
+	"fmt"
+
+	"gorm.io/driver/clickhouse"
+	"gorm.io/driver/mysql"
+	"gorm.io/driver/postgres"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+// DBClient is a struct to handle PostgreSQL connections and operations
+type DBClient struct {
+	db *gorm.DB
+}
+
+// NewDBClient creates a new DBClient instance and establishes a connection to the PostgreSQL database
+func NewDBClient(dsn string, dbType string) (*DBClient, error) {
+	var db *gorm.DB
+	var err error
+	if dbType == "postgres" {
+		db, err = gorm.Open(postgres.Open(dsn), &gorm.Config{})
+	} else if dbType == "clickhouse" {
+		db, err = gorm.Open(clickhouse.Open(dsn), &gorm.Config{})
+	} else if dbType == "mysql" {
+		db, err = gorm.Open(mysql.Open(dsn), &gorm.Config{})
+	} else if dbType == "sqlite" {
+		db, err = gorm.Open(sqlite.Open(dsn), &gorm.Config{})
+	} else {
+		return nil, fmt.Errorf("unsupported database type %s", dbType)
+	}
+	// Connect to the database
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to database: %w", err)
+	}
+
+	return &DBClient{db: db}, nil
+}
+
+// ExecuteSQL executes a raw SQL query and returns the result as a slice of maps
+func (c *DBClient) ExecuteSQL(query string, args ...interface{}) ([]map[string]interface{}, error) {
+	rows, err := c.db.Raw(query, args...).Rows()
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute SQL query: %w", err)
+	}
+	defer rows.Close()
+
+	// Get column names
+	columns, err := rows.Columns()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get columns: %w", err)
+	}
+
+	// Prepare a slice to hold the results
+	var results []map[string]interface{}
+
+	// Iterate over the rows
+	for rows.Next() {
+		// Create a slice of interface{}'s to represent each column,
+		// and a second slice to contain pointers to each item in the columns slice.
+		columnsData := make([]interface{}, len(columns))
+		columnsPointers := make([]interface{}, len(columns))
+		for i := range columnsData {
+			columnsPointers[i] = &columnsData[i]
+		}
+
+		// Scan the result into the column pointers...
+		if err := rows.Scan(columnsPointers...); err != nil {
+			return nil, fmt.Errorf("failed to scan row: %w", err)
+		}
+
+		// Create a map to hold the column name and value
+		rowMap := make(map[string]interface{})
+		for i, colName := range columns {
+			val := columnsData[i]
+			b, ok := val.([]byte)
+			if ok {
+				rowMap[colName] = string(b)
+			} else {
+				rowMap[colName] = val
+			}
+		}
+
+		// Append the map to the results slice
+		results = append(results, rowMap)
+	}
+
+	return results, nil
+}
--- a/plugins/golang-filter/mcp-server/servers/gorm/server.go
+++ b/plugins/golang-filter/mcp-server/servers/gorm/server.go
@@ -0,0 +1,58 @@
+package gorm
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/alibaba/higress/plugins/golang-filter/mcp-server/internal"
+	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
+	"github.com/mark3labs/mcp-go/mcp"
+)
+
+const Version = "1.0.0"
+
+func init() {
+	internal.GlobalRegistry.RegisterServer("database", &DBConfig{})
+}
+
+type DBConfig struct {
+	dbType string
+	dsn    string
+}
+
+func (c *DBConfig) ParseConfig(config map[string]any) error {
+	dsn, ok := config["dsn"].(string)
+	if !ok {
+		return errors.New("missing dsn")
+	}
+	c.dsn = dsn
+
+	dbType, ok := config["dbType"].(string)
+	if !ok {
+		return errors.New("missing database type")
+	}
+	c.dbType = dbType
+	api.LogDebugf("DBConfig ParseConfig: %+v", config)
+	return nil
+}
+
+func (c *DBConfig) NewServer(serverName string) (*internal.MCPServer, error) {
+	mcpServer := internal.NewMCPServer(
+		serverName,
+		Version,
+		internal.WithInstructions(fmt.Sprintf("This is a %s database server", c.dbType)),
+	)
+
+	dbClient, err := NewDBClient(c.dsn, c.dbType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize DBClient: %w", err)
+	}
+
+	// Add query tool
+	mcpServer.AddTool(
+		mcp.NewToolWithRawSchema("query", "Run a read-only SQL query in database", GetQueryToolSchema()),
+		HandleQueryTool(dbClient),
+	)
+
+	return mcpServer, nil
+}
--- a/plugins/golang-filter/mcp-server/servers/gorm/tools.go
+++ b/plugins/golang-filter/mcp-server/servers/gorm/tools.go
@@ -0,0 +1,55 @@
+package gorm
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/alibaba/higress/plugins/golang-filter/mcp-server/internal"
+	"github.com/mark3labs/mcp-go/mcp"
+)
+
+// HandleQueryTool handles SQL query execution
+func HandleQueryTool(dbClient *DBClient) internal.ToolHandlerFunc {
+	return func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+		arguments := request.Params.Arguments
+		message, ok := arguments["sql"].(string)
+		if !ok {
+			return nil, fmt.Errorf("invalid message argument")
+		}
+
+		results, err := dbClient.ExecuteSQL(message)
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute SQL query: %w", err)
+		}
+
+		jsonData, err := json.Marshal(results)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal SQL results: %w", err)
+		}
+
+		return &mcp.CallToolResult{
+			Content: []mcp.Content{
+				mcp.TextContent{
+					Type: "text",
+					Text: string(jsonData),
+				},
+			},
+		}, nil
+	}
+}
+
+// GetQueryToolSchema returns the schema for query tool
+func GetQueryToolSchema() json.RawMessage {
+	return json.RawMessage(`
+	{
+		"type": "object",
+		"properties": {
+		"sql": { 
+				"type": "string",
+				"description": "The sql query to execute"
+			}
+		}
+	}
+	`)
+}
--- a/plugins/wasm-cpp/WORKSPACE
+++ b/plugins/wasm-cpp/WORKSPACE
@@ -27,13 +27,17 @@ http_archive(
    url = "https://github.com/higress-group/proxy-wasm-cpp-sdk/archive/" + PROXY_WASM_CPP_SDK_SHA + ".tar.gz",
 )

-load("@proxy_wasm_cpp_sdk//bazel/dep:deps.bzl", "wasm_dependencies")
+load("@proxy_wasm_cpp_sdk//bazel:repositories.bzl", "proxy_wasm_cpp_sdk_repositories")

-wasm_dependencies()
+proxy_wasm_cpp_sdk_repositories()

-load("@proxy_wasm_cpp_sdk//bazel/dep:deps_extra.bzl", "wasm_dependencies_extra")
+load("@proxy_wasm_cpp_sdk//bazel:dependencies.bzl", "proxy_wasm_cpp_sdk_dependencies")

-wasm_dependencies_extra()
+proxy_wasm_cpp_sdk_dependencies()
+
+load("@proxy_wasm_cpp_sdk//bazel:dependencies_extra.bzl", "proxy_wasm_cpp_sdk_dependencies_extra")
+
+proxy_wasm_cpp_sdk_dependencies_extra()

 load("@istio_ecosystem_wasm_extensions//bazel:wasm.bzl", "wasm_libraries")

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
澄潭	6f762b5e4c	fix golang filter build (#1966 )	2025-03-27 16:43:06 +08:00
澄潭	96e4713703	update default enable path suffix in model mapper&router plugin (#1962 )	2025-03-27 14:15:11 +08:00
Xin Luo	d3887835a3	feat: support nacos mcp registry (#1961 )	2025-03-27 09:41:22 +08:00
澄潭	1965d107d0	Update README.md	2025-03-27 00:49:19 +08:00
johnlanni	b2f9bf94fa	update README	2025-03-27 00:48:24 +08:00
johnlanni	9257077fa3	update mcp readme	2025-03-27 00:26:02 +08:00
zty98751	7e310a3520	update gomod in hgctl	2025-03-26 21:53:28 +08:00
Jingze	663b28fa9b	fix: update log info to debug (#1954 )	2025-03-26 21:54:06 +08:00
Kent Dong	9fbe331f5f	fix: Fetch get-higress.sh from standalone repo (#1945 )	2025-03-26 21:53:39 +08:00
zty98751	dd50ac09dc	fix cache action in workflow	2025-03-26 21:43:47 +08:00
澄潭	8450a0869b	rel 2.1.0-rc.1 (#1959 )	2025-03-26 21:42:25 +08:00
澄潭	bd6708552d	key auth support multiple credentials (#1956 ) Co-authored-by: Kent Dong <ch3cho@qq.com>	2025-03-26 21:05:55 +08:00
Kent Dong	50cfa0bb4b	fix: Fix the incorrect image used to build envoy (#1958 )	2025-03-26 20:38:40 +08:00
澄潭	ea0143829d	Fix log import (#1957 )	2025-03-26 20:27:53 +08:00
Jingze	f83e66c23b	feat: update Go filter mcp-server (#1950 ) Co-authored-by: johnlanni <zty98751@alibaba-inc.com>	2025-03-26 14:31:23 +08:00
Jingze	87fe1aeeb5	feat: add mcpServer in config map (#1953 )	2025-03-26 14:30:41 +08:00
mirror	386a208b14	add: add mcp server amap tools (#1951 )	2025-03-25 21:20:36 +08:00
澄潭	ee77ffb753	fix ai-search rewrite query when no search result found (#1949 )	2025-03-25 14:24:16 +08:00
澄潭	6eeef07621	revert wrapper changes (#1948 )	2025-03-25 11:55:14 +08:00
澄潭	8978a4e0e0	fix invalid ai-proxy cluster (#1947 ) Co-authored-by: Kent Dong <ch3cho@qq.com>	2025-03-25 11:20:20 +08:00
007gzs	71029d791d	add parse_rule_config fail log (#1938 )	2025-03-25 10:44:48 +08:00
澄潭	d9f16f7d5e	Add remote mcp server sdk (#1946 )	2025-03-24 22:11:45 +08:00
Jingze	f5d20b72e0	feat: add config parse in mcp server (#1944 )	2025-03-24 17:52:16 +08:00
Kent Dong	9bde0dfb46	chore: Remove redundant get-higress.sh (#1943 )	2025-03-24 14:28:45 +08:00
Jingze	f5c1e7f2ec	feat: add golang filter and mcp-server (#1942 ) Co-authored-by: johnlanni <zty98751@alibaba-inc.com>	2025-03-24 11:07:03 +08:00
澄潭	45fbc8b084	optimize plugin sdk (#1930 )	2025-03-22 22:46:37 +08:00
rinfx	1812a6b0a9	add example for extending span attributes (#1936 )	2025-03-21 15:39:52 +08:00
rinfx	2640c76760	improve the logic for constructing redis key (#1933 )	2025-03-21 14:02:59 +08:00
rinfx	4223b2d666	Fix the error in the embedding interface under the AI proxy Qwen compatible mode. (#1928 )	2025-03-21 08:32:00 +08:00
DefNed	dee4786c1c	feat: add buffer_limit functions (#1922 ) Co-authored-by: 纪卓志 <jizhuozhi.george@gmail.com> Co-authored-by: 007gzs <007gzs@gmail.com>	2025-03-20 18:07:13 +08:00
Yiiong	e549c79ae4	feat: add xfyun emb to ai-cache (#1921 )	2025-03-20 11:05:36 +08:00
小小hao	6742df57df	feat: add ratelimit metrics in the ai-token-ratelimit plugin (#1918 )	2025-03-19 21:51:56 +08:00
Kent Dong	eef8adf42f	fix: Skip reading non-JSON request bodies in ai-proxy (#1914 )	2025-03-18 21:23:54 +08:00
007gzs	029c3e75fc	optimization parseIP in xff (#1915 )	2025-03-18 15:58:24 +08:00
Kent Dong	9fa3a730d5	feat: Support forwarding embedding calls to Ollama in ai-proxy (#1913 )	2025-03-18 10:23:34 +08:00
澄潭	9acaed0b43	Update README_EN.md	2025-03-17 17:40:14 +08:00
澄潭	f95264448c	Update README.md	2025-03-17 17:39:46 +08:00
澄潭	e0dc9672ac	support nil option in NewCommonVmCtx (#1909 )	2025-03-17 15:02:22 +08:00
Kent Dong	5de7c2a5ea	feat: Support files and batches APIs provided by Azure OpenAI (#1904 )	2025-03-17 11:21:05 +08:00
澄潭	9a89665b22	optimize retry&failover logic (#1903 )	2025-03-17 11:19:33 +08:00
Jun	4a82d50d80	add variable from secret when applying istio cr (#1877 )	2025-03-17 10:59:05 +08:00
澄潭	34b3fc3114	more optimize of ai search plugin (#1896 )	2025-03-14 23:24:22 +08:00
澄潭	f09e029a6b	fix chunk merge bug in ai-search (#1895 )	2025-03-14 21:52:49 +08:00
澄潭	5e7e20ff7e	AI-search plugin supports controlling through the web_search_options parameter. (#1893 )	2025-03-14 21:52:33 +08:00
007gzs	26bfdd45ff	Rust WASM plugin support for matching service and route name prefixes is effective. (#1882 )	2025-03-14 20:43:19 +08:00
澄潭	61defc13c6	fix openai embedding path (#1881 )	2025-03-12 13:16:33 +08:00
Se7en	19496e5759	feat: support retry on http status code (#1817 ) Co-authored-by: Kent Dong <ch3cho@qq.com>	2025-03-11 13:38:02 +08:00
mamba	beb60fcacd	bugfix：【frontend-gray插件】针对fetch的请求，强制不缓存 (#1856 )	2025-03-11 12:54:40 +08:00
Se7en	01cc7939ae	feat: support elasticsearch hybrid search (#1844 )	2025-03-11 11:25:58 +08:00
rinfx	5a5af4ecbf	support default value (#1873 )	2025-03-11 09:32:11 +08:00
澄潭	d172cf4d19	Update README_EN.md	2025-03-10 17:33:13 +08:00
澄潭	58c4ba2021	Update README.md	2025-03-10 17:32:22 +08:00
rinfx	9e2df8f7c7	add redis init status log (#1867 ) Co-authored-by: Kent Dong <ch3cho@qq.com>	2025-03-10 17:10:53 +08:00
Yiiong	b897825069	feat: add huggingface embedding to ai-cache (#1864 )	2025-03-10 16:59:13 +08:00
yunmaoQu	f45bc9008a	feat: add replay protection plugin (#1672 ) Co-authored-by: hanxiantao <601803023@qq.com>	2025-03-10 15:11:13 +08:00
Se7en	5536502c15	feat: allow failover to distinguish between different endpoint of the same provider (#1862 )	2025-03-10 10:45:59 +08:00
澄潭	a0c334a7cb	optimize model router&mapper (#1866 )	2025-03-09 23:07:49 +08:00
澄潭	9e6bd6d2cc	optimize ai-search references (#1859 )	2025-03-07 10:34:49 +08:00
Kent Dong	ab419efda4	fix: Fix the incorrect reasoning content concat logic in ai-proxy (#1842 )	2025-03-07 10:33:45 +08:00
Jacky Wu	d4155411ee	fix plugin_wrapper.go log level (#1848 )	2025-03-06 14:41:47 +08:00
Jacky Wu	d721c235cb	chore: load EXTRA_TAGS from plugin .buildrc file to avoid build issue. (#1852 )	2025-03-05 12:15:37 +08:00
澄潭	0905cd0fc0	Set the llm-api-key field of the ai-search plugin to optional (#1846 )	2025-03-03 20:42:15 +08:00
Kent Dong	188914a16b	feat: Support only watching key resources in one namespace (#1821 )	2025-03-03 15:40:44 +08:00
rinfx	988e2c1fa7	add plugin start log in sdk (#1831 )	2025-03-03 15:37:23 +08:00
Kent Dong	4f1901586a	doc: Update the description of timeout config of ai-proxy (#1845 )	2025-03-03 15:33:16 +08:00
Xijun Dai	80b58e86e1	feat(helm): add podLabels to gateway && controller (#1792 ) Signed-off-by: Xijun Dai <daixijun1990@gmail.com>	2025-03-03 15:31:28 +08:00
澄潭	ca32e587d3	optimize ai search (#1843 )	2025-03-03 09:44:53 +08:00
澄潭	6d2d98f653	Simplify the implementation of ai-search integration with quark and add a tutorial. (#1838 )	2025-02-28 18:36:07 +08:00
firebook	2d1d8ac2b1	fix: gateway log config should read from helm\core\values.yaml when deploy with helm (#1834 )	2025-02-28 14:14:13 +08:00
Kent Dong	a2b8f9a646	fix: Disable helm-docs action since it's still under development (#1828 )	2025-02-28 13:36:44 +08:00
007gzs	5bece9c8ef	fix rust_wasm_build (#1824 )	2025-02-27 14:15:50 +08:00
Kent Dong	45fdd95a9c	feat: Support pushing multi-arch images to a custom image registry (#1815 )	2025-02-26 21:15:53 +08:00
Se7en	d3afe345ad	fix: remove last failed apiToken from retry apiToken list (#1802 )	2025-02-26 21:11:51 +08:00
韩贤涛	90ca903d2e	feat: ext-auth plugin: Blacklist and whitelist modes support HTTP request method matching (#1798 )	2025-02-26 20:54:52 +08:00
007gzs	2d8a8f26da	Ai data masking msg window (#1775 )	2025-02-26 20:48:37 +08:00
Se7en	9ea2410388	feat: update ai-token-ratelimit documentation by removing ai-statistics plugin (#1767 )	2025-02-26 20:47:37 +08:00
littlejian	9e1792c245	add notes to gateway.rollingMaxUnavailable (#1819 )	2025-02-26 20:46:53 +08:00
rinfx	3eda7def89	ai-search support quark (#1811 )	2025-02-26 18:42:22 +08:00
澄潭	1787553294	set include_usage by default for all model providers (#1818 )	2025-02-26 16:49:16 +08:00
澄潭	f6c48415d1	Add database configuration for plugins that use Redis. (#1814 )	2025-02-26 10:52:54 +08:00
MARATRIX Li	e27d3d0971	fix(typo): use the correct bing name for ai-search. (#1807 ) Signed-off-by: maratrixx <maratrix@163.com>	2025-02-25 13:37:32 +08:00
Kent Dong	49617c7a98	feat: Unify the SSE processing logic (#1800 )	2025-02-25 11:00:18 +08:00
澄潭	53a015d8fe	Update arxiv.md	2025-02-24 11:27:55 +08:00
澄潭	e711e9f997	Update full.md	2025-02-24 11:27:33 +08:00
澄潭	8530742472	Update README_EN.md	2025-02-24 11:16:09 +08:00
澄潭	c0c1f5113a	Update README.md	2025-02-24 11:15:55 +08:00
澄潭	2e6ddd7e35	Add ai search plugin (#1804 )	2025-02-24 11:14:47 +08:00
Kent Dong	2328e19c9d	fix: Fix a bug in openaiCustomUrl support (#1790 )	2025-02-22 12:12:49 +08:00
Kent Dong	fabc22f218	feat: Support transforming reasoning_content returned by Qwen to OpenAI contract (#1791 )	2025-02-21 17:32:02 +08:00
Yiiong	2986e1911d	feat: add ollama embedding to ai-cache (#1794 )	2025-02-21 15:21:49 +08:00
澄潭	a566f7257d	update helm docs (#1782 )	2025-02-19 17:48:20 +08:00
澄潭	3dbd1b2731	release 2.0.7 (#1781 )	2025-02-19 17:44:08 +08:00
澄潭	7f23980bf5	remove basic-auth useless annotation (#1779 )	2025-02-19 15:58:03 +08:00
澄潭	6fb0684c39	fix openai compatiable (#1778 )	2025-02-19 15:23:15 +08:00
澄潭	dfac9fa5e6	Update README.md	2025-02-18 14:17:21 +08:00
澄潭	bfd9e3026d	Update helm-docs.yaml	2025-02-18 10:00:05 +08:00
澄潭	49aad4152c	Supports completions API & support config openai baseUrl through `openaiCustomUrl` (#1765 )	2025-02-18 09:57:48 +08:00
澄潭	94aacf5153	Update helm-docs.yaml Remove the part that causes the action to fail	2025-02-17 18:59:54 +08:00
littlejian	efcfdbf36e	Add translate-readme action to translate English into Chinese (#1711 )	2025-02-17 17:34:30 +08:00
澄潭	2dbde1833f	ai proxy support passthrough path when api name is unknown (#1754 )	2025-02-13 21:22:43 +08:00
mirror	7272eff8b6	update ai-cache extension (#1746 )	2025-02-13 19:49:52 +08:00
pepesi	a84a382f1d	feature: allow ai-proxy to forward standard AI capabilities that are … (#1704 )	2025-02-12 15:23:44 +08:00
韩贤涛	477e44b9f1	e2e: Enhance the e2e testing of the ai-proxy plugin based on the LLM mock server (#1742 )	2025-02-11 20:16:03 +08:00
澄潭	512385d225	fix host rewrite in frontend-gray (#1747 )	2025-02-08 17:42:29 +08:00
007gzs	b997e6fd26	wasm32-wasi to wasm32-wasip1 (#1716 )	2025-02-05 15:35:48 +08:00
韩贤涛	fab3ebb35a	ut: add ext-auth unit tests (#1710 )	2025-02-05 13:39:10 +08:00
韩贤涛	1431ff9cfe	e2e: Enhance the e2e testing of the ai-proxy plugin based on the LLM mock server (#1713 )	2025-02-05 10:14:25 +08:00
kai2321	fac2c3e7a3	feat:完善对接dify时返回usage相关信息 (#1715 )	2025-02-03 08:35:00 +08:00
韩贤涛	574d1aa36a	fix: Path concatenation issue for authentication requests in Envoy authentication mode (#1709 )	2025-01-23 15:47:07 +08:00
澄潭	7840167c4a	optimize body bufferlimit set in ext-auth plugin (#1707 )	2025-01-23 11:52:30 +08:00
韩贤涛	9d8e78dae3	fix: ext-auth crash bugfix (#1705 )	2025-01-23 11:29:49 +08:00
Se7en	133a30b8d5	fix: stream response buffer issue (#1703 )	2025-01-22 11:28:37 +08:00
kai2321	ce94c6e62d	feat:接入dify (#1664 )	2025-01-21 16:04:15 +08:00
Xijun Dai	05f251e627	fix gateway env (#1689 )	2025-01-21 15:05:14 +08:00
韩贤涛	0259eaddbb	feat: Add ext-auth plugin support for authentication blacklists/whitelists (#1694 )	2025-01-21 14:28:49 +08:00
Se7en	cfa3baddf8	sync ai-token-ratelimit docs (#1688 )	2025-01-19 13:05:25 +08:00
Se7en	b1f625a652	feat: support baidu api key (#1687 )	2025-01-19 11:46:29 +08:00
澄潭	fd1eb54f25	Release 2.0.6 (#1686 )	2025-01-17 15:22:43 +08:00
澄潭	c7550e2d49	Update deploy-to-oss.yaml	2025-01-17 15:10:40 +08:00
Se7en	ba74f4bbb9	fix: baidu api issue (#1685 )	2025-01-16 21:42:43 +08:00
澄潭	9e418dafd9	release 2.0.6-rc.3 (#1680 )	2025-01-15 20:47:20 +08:00
澄潭	95523a1bc7	Fix istio lds cache (#1679 )	2025-01-15 20:44:13 +08:00
澄潭	dcd8466127	Update build-and-test-plugin.yaml	2025-01-15 20:19:58 +08:00
澄潭	cceae6ad2a	update cpp wasm plugins (#1675 )	2025-01-15 19:15:11 +08:00
zty98751	32f9a5ff32	fix istio commit	2025-01-15 15:29:44 +08:00
澄潭	6f95297b80	Release 2.0.6-rc.2 (#1671 )	2025-01-14 20:10:53 +08:00
Kent Dong	95426d5ccf	fix: Fix a typo in the README files of ai-statistics plugin (#1670 )	2025-01-14 13:39:55 +08:00
澄潭	a05b6b1e9d	add ai_log field (#1669 )	2025-01-14 10:03:24 +08:00
Jun	d0628344da	add higress architecture doc (#1662 )	2025-01-14 09:48:32 +08:00
韩贤涛	a1bf315b13	fix: resolve blocking issue with minimax responses in ai-proxy (#1663 )	2025-01-14 09:43:19 +08:00
mamba	b3d9123d59	[frontend-gray] 微前端灰度场景,支持 IncludePathPrefixes字段 (#1666 )	2025-01-13 16:24:51 +08:00
rinfx	817061c6cc	remove dependency for ai-statistic (#1660 )	2025-01-10 13:43:29 +08:00
rinfx	ea0d5e7564	Improve ai plugins (#1657 ) Co-authored-by: Kent Dong <ch3cho@qq.com>	2025-01-09 22:04:51 +08:00
澄潭	2a89c3bb70	Optimize wasmplugin proto (#1656 )	2025-01-09 13:19:46 +08:00
johnlanni	a570c72504	Update Chart.lock	2025-01-08 17:14:27 +08:00
澄潭	ab1316dfe1	rel: Release 2.0.6-rc.1 (#1653 )	2025-01-08 17:08:09 +08:00
澄潭	e97448b71b	Update metrics & enable lds cache (#1650 )	2025-01-08 16:49:23 +08:00
澄潭	6820a06a99	fix tls version annotation (#1652 )	2025-01-08 15:31:39 +08:00
澄潭	4733af849d	Update README.md	2025-01-08 11:30:29 +08:00
yunmaoQu	1c2330e33b	feat: add TLS version annotation support for per-rule configuration (#1592 ) Co-authored-by: 澄潭 <zty98751@alibaba-inc.com>	2025-01-06 21:29:09 +08:00
澄潭	61fef0ecf8	Release 2.0.5 (#1646 )	2025-01-06 19:42:18 +08:00
澄潭	d29b8d7ca8	fix ai proxy checkStream (#1645 )	2025-01-06 15:30:02 +08:00
澄潭	2501895b66	ai-cache update body buffer limit size (#1644 )	2025-01-06 14:53:29 +08:00
Kent Dong	187a7b5408	fix: Enlarge the default retry timeout in ai-proxy (#1640 )	2025-01-03 11:19:40 +08:00
Jingze	00be491d02	feat: support github provider for oidc wasm plugin (#1639 )	2025-01-02 10:01:54 +08:00
ayanami-desu	2d74c48e8a	Add cohere embedding for ai-cache (#1572 )	2024-12-27 17:48:44 +08:00
澄潭	6dc4d43df5	optimize ai cache (#1626 )	2024-12-27 10:10:57 +08:00
rinfx	2a4e55d46f	move oidcHandler from global to pluginconfig (#1601 )	2024-12-26 19:15:20 +08:00
Se7en	579c986915	feat: retry failed request (#1590 )	2024-12-26 18:30:50 +08:00
Kent Dong	380717ae3d	fix: Make opa listen to all IPs (#1621 )	2024-12-26 17:41:28 +08:00
Kent Dong	8f3723f554	feat: Support setting gateway.unprivilegedPortSupported manually (#1616 )	2024-12-23 19:45:47 +08:00
VinciWu557	909cc0f088	feat: AI 代理 Wasm 插件接入 Together AI (#1617 )	2024-12-23 15:39:56 +08:00
007gzs	4eaf204737	Enhance the capabilities of the AI Intent plugin (#1605 )	2024-12-20 10:25:17 +08:00
澄潭	748bcb083a	redis wrapper support lazy init and database options (#1602 )	2024-12-19 16:22:56 +08:00
澄潭	39c007d045	optimize ai proxy (#1603 )	2024-12-19 16:22:35 +08:00
rinfx	d74d327b68	bugfix: cannot parse content if one streaming body has multi chunks (#1606 )	2024-12-19 16:21:57 +08:00
澄潭	be27726721	Update CODEOWNERS	2024-12-19 14:36:11 +08:00
澄潭	34cc1c0632	Update README.md	2024-12-18 17:02:28 +08:00
澄潭	5694475872	Update README.md	2024-12-18 16:59:03 +08:00
rinfx	2f5709a93e	qwen bailian compatible bug fix (#1597 )	2024-12-17 16:57:31 +08:00
StarryNight	2a200cdd42	AI proxy return unified status in header phase (#1588 )	2024-12-16 18:41:38 +08:00
rinfx	ec39d56731	AI observability upgrade (#1587 ) Co-authored-by: Kent Dong <ch3cho@qq.com>	2024-12-16 10:27:49 +08:00
韩贤涛	8544fa604d	feat: support choosing chatCompletionV2 or chatCompletionPro API for minimax provider (#1593 )	2024-12-15 15:12:00 +08:00
mirror	0ba63e5dd4	fix: default port of static service in ai-cache plugin (#1591 )	2024-12-13 19:03:26 +08:00
mirror	441408c593	docs: fix typos in ai-quota document (#1589 )	2024-12-13 08:56:43 +08:00
duxin40	be57960c22	Support OpenAI embedding. (#1542 )	2024-12-11 11:42:51 +08:00
rinfx	f32020068a	bugfix and extend ai log (#1576 )	2024-12-09 20:39:13 +08:00
澄潭	1a8fce48f0	Update release-hgctl.yaml	2024-12-06 14:01:18 +08:00
澄潭	85c7b1f501	rel: Release 2.0.4 (#1571 )	2024-12-06 13:52:03 +08:00
pepesi	8f660211e3	feat: ai-proxy support custom error handler by cover util.ErrorHandler (#1537 )	2024-12-06 11:47:50 +08:00
rinfx	433227323d	extension mechanism for custom logs and span attributes (#1451 )	2024-12-05 18:39:00 +08:00
pepesi	b36e5ea26b	feat: allow cover api-version when use ai-proxy azure provider (#1535 )	2024-12-05 13:41:02 +08:00
rinfx	ce66ff68ce	solve aliyun lvwang content length limit problem (#1569 )	2024-12-05 13:39:20 +08:00
pepesi	d026f0fca5	feat: ai-proxy support dashscope-finance (#1554 )	2024-12-05 11:48:09 +08:00
rinfx	22790aa149	fix moonshot usage compatible problem (#1568 )	2024-12-05 11:35:25 +08:00
澄潭	7ce6d7aba1	fix xds cache (#1559 )	2024-12-04 00:55:29 +08:00
Se7en	e705a0344f	fix: qwen stream issue (#1564 )	2024-12-03 13:10:47 +08:00
澄潭	d6094974c2	update ai proxy go mod (#1556 )	2024-12-02 14:41:55 +08:00
mamba	6187be97e5	fix: 🐛 frontend-grayurl 解析不正确导致路由失败 (#1550 )	2024-11-29 13:09:05 +08:00
澄潭	bb64b43f23	set concurrency argument of proxy by cpu limit/request (#1552 )	2024-11-28 16:55:57 +08:00
澄潭	ca7458cf1c	Optimize the overall log output (#1549 )	2024-11-27 20:44:34 +08:00
Se7en	ee2dd76ae1	feat: migrate baidu provider to v2 api (#1527 )	2024-11-27 20:12:00 +08:00
pepesi	8154cf95f1	feat: support custom log (#1521 )	2024-11-27 20:11:29 +08:00
澄潭	a7593381e1	fix ai fallback (#1541 )	2024-11-25 16:48:59 +08:00
澄潭	e68a8ac25f	add model-mapper plugin & optimize model-router plugin (#1538 )	2024-11-22 22:24:42 +08:00
Kent Dong	96575b982e	fix: Refresh go.mod and go.sum file contents (#1525 )	2024-11-22 13:34:55 +08:00
EnableAsync	c2d405b2a7	feat: Enhance ai-cache Plugin with Vector Similarity-Based LLM Cache Recall and Multi-DB Support (#1248 )	2024-11-21 16:57:41 +08:00
Jingze	6efb3109f2	fix: update oidc plugin go.mod dependencies (#1522 )	2024-11-19 17:33:42 +08:00
Se7en	1b1c08afb7	fix: apitoken failover for coze (#1515 )	2024-11-18 15:36:26 +08:00
Se7en	d24123a55f	feat: implement apiToken failover mechanism (#1256 )	2024-11-16 19:03:09 +08:00
澄潭	f2a5df3949	use the body returned by the ext auth server when auth fails (#1510 )	2024-11-14 18:50:33 +08:00
澄潭	ebc5b2987e	fix compile of wasm cpp plugins (#1511 )	2024-11-14 18:49:21 +08:00
007gzs	ca97cbd75a	fix workflows build-and-push-wasm-plugin-image (#1508 )	2024-11-13 17:39:24 +08:00
hanans426	a787e237ce	增加快速部署到阿里云的部署方案 (#1506 )	2024-11-13 16:26:55 +08:00
纪卓志	6a1bf90d42	feat: supports custom prepare build script (#1490 )	2024-11-12 13:45:28 +08:00
007gzs	60e476da87	fix example sse build error (#1503 )	2024-11-11 17:47:26 +08:00
rinfx	2cb8558cda	Optimize AI security guard plugin (#1473 ) Co-authored-by: Kent Dong <ch3cho@qq.com>	2024-11-11 14:49:17 +08:00
littlejian	4d1a037942	feat: Automatically generating markdown documentation for helm charts with helm-docs (#1496 )	2024-11-11 11:34:38 +08:00
xingyunyang01	39b6eac9d0	AI Agent plugin adds JSON formatting output feature (#1374 )	2024-11-11 11:11:02 +08:00