Merge a452a45c50 into d627ecea2a

* chore: updates culenag version and syntax across all files

Signed-off-by: Amit Singh <singhamitch@outlook.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* debuggin: reverts tf provider changes

Signed-off-by: Amit Singh <singhamitch@outlook.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* Refactor: Simplify provider configuration by removing 'providerBasic' and directly defining access keys and region for providers

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* Refactor: Consolidate provider configuration by introducing 'providerBasic' for access keys and region

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* chore: reorganize import statements in deepcopy files for consistency

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* chore: reorder import statements for consistency across deepcopy files

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* Refactor: Safely handle pattern parameter selectors to avoid panics in GetParameters and getStatusMap

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* chore: add comment to clarify test context in definition_revision_test.go

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* chore: remove redundant comment from test context initialization in definition_revision_test.go

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* Refactor: Introduce GetSelectorLabel function to safely extract labels from CUE selectors

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* chore: add newline at end of file in utils.go

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* chore: increase timeout for multi-cluster e2e

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

---------

Signed-off-by: Amit Singh <singhamitch@outlook.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Co-authored-by: Amit Singh <singhamitch@outlook.com>
Co-authored-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

.github/CODEOWNERS

@@ -1,35 +1,35 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file
 
-*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq @anoop2811
-design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong @anoop2811
+*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet
+design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong @anoop2811 @briankane @jguionnet
 
 # Owner of Core Controllers
-pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq @anoop2811
+pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet
 
 # Owner of Standard Controllers
-pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive @anoop2811 @FogDong
+pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive @anoop2811 @FogDong @briankane @jguionnet
 
 # Owner of CUE
-pkg/cue                            @leejanee @FogDong @Somefive @anoop2811
-pkg/stdlib                         @leejanee @FogDong @Somefive @anoop2811
+pkg/cue                            @leejanee @FogDong @Somefive @anoop2811 @briankane @jguionnet
+pkg/stdlib                         @leejanee @FogDong @Somefive @anoop2811 @briankane @jguionnet
 
 # Owner of Workflow
-pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq @anoop2811
+pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet
 
 # Owner of vela templates
-vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq @anoop2811
+vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet
 
 # Owner of vela CLI
-references/cli/                     @Somefive @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq @anoop2811 @FogDong
+references/cli/                     @Somefive @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq @anoop2811 @FogDong @briankane @jguionnet
 
 # Owner of vela addon framework
-pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129 @anoop2811 @FogDong
+pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129 @anoop2811 @FogDong @briankane @jguionnet
 
 # Owner of resource keeper and tracker
-pkg/resourcekeeper                 @Somefive @FogDong @chivalryq @anoop2811
-pkg/resourcetracker                @Somefive @FogDong @chivalryq @anoop2811
+pkg/resourcekeeper                 @Somefive @FogDong @chivalryq @anoop2811 @briankane @jguionnet
+pkg/resourcetracker                @Somefive @FogDong @chivalryq @anoop2811 @briankane @jguionnet
 
-.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811
-makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811
-go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811
+.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet
+makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet
+go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet
 

.github/actions/deploy-current-branch/README.md

@@ -0,0 +1,35 @@
+# Deploy Current Branch Action
+
+This GitHub composite action builds a Docker image from the current branch commit and deploys it to a KubeVela cluster for development testing.
+
+## What it does
+
+- Generates a unique image tag from the latest commit hash
+- Builds and loads the Docker image into a KinD cluster
+- Applies KubeVela CRDs for upgrade safety
+- Upgrades the KubeVela Helm release to use the local development image
+- Verifies deployment status and the running image version
+
+## Usage
+
+```yaml
+- name: Deploy Current Branch
+  uses: ./path/to/this/action
+```
+
+## Requirements
+
+- Docker, Helm, kubectl, and KinD must be available in your runner environment
+- Kubernetes cluster access
+- `charts/vela-core/crds` directory with CRDs
+- Valid Helm chart at `charts/vela-core`
+
+## Steps performed
+
+1. **Generate commit hash for image tag**
+2. **Build & load Docker image into KinD**
+3. **Pre-apply chart CRDs**
+4. **Upgrade KubeVela using local image**
+5. **Verify deployment and image version**
+
+---

.github/actions/deploy-current-branch/action.yaml

@@ -0,0 +1,89 @@
+name: 'Deploy Current Branch'
+description: 'Builds Docker image from current branch commit and deploys it to KubeVela cluster for development testing'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Git Commit Hash Generation
+    # Generate unique image tag from current branch's latest commit
+    # ========================================================================
+    - name: Get commit hash
+      id: commit_hash
+      shell: bash
+      run: |
+        COMMIT_HASH="git-$(git rev-parse --short HEAD)"
+        echo "Using commit hash: $COMMIT_HASH"
+        echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
+
+    # ========================================================================
+    # Docker Image Build and Cluster Loading
+    # Build development image from current code and load into KinD cluster
+    # ========================================================================
+    - name: Build and load Docker image
+      shell: bash
+      run: |
+        echo "Building development image: vela-core-test:${{ env.COMMIT_HASH }}"
+
+        mkdir -p $HOME/tmp/
+
+        docker build --no-cache \
+          -t vela-core-test:${{ env.COMMIT_HASH }} \
+          -f Dockerfile .
+
+        echo "Loading image into KinD cluster..."
+        TMPDIR=$HOME/tmp/ kind load docker-image vela-core-test:${{ env.COMMIT_HASH }}
+
+    # ========================================================================
+    # Custom Resource Definitions Application
+    # Pre-apply CRDs to ensure upgrade compatibility and prevent conflicts
+    # ========================================================================
+    - name: Pre-apply CRDs from target chart (upgrade-safe)
+      shell: bash
+      run: |
+        CRD_DIR="charts/vela-core/crds"
+
+        echo "Applying CRDs idempotently..."
+        kubectl apply -f "${CRD_DIR}"
+
+    # ========================================================================
+    # KubeVela Helm Chart Upgrade
+    # Upgrade existing installation to use locally built development image
+    # ========================================================================
+    - name: Upgrade KubeVela to development image
+      shell: bash
+      run: |
+        echo "Upgrading KubeVela to development version..."
+        helm upgrade kubevela ./charts/vela-core \
+          --namespace vela-system \
+          --set image.repository=vela-core-test \
+          --set image.tag=${{ env.COMMIT_HASH }} \
+          --set image.pullPolicy=IfNotPresent \
+          --timeout 5m \
+          --wait \
+          --debug
+
+    # ========================================================================
+    # Deployment Status Verification
+    # Verify successful upgrade and confirm correct image deployment
+    # ========================================================================
+    - name: Verify deployment status
+      shell: bash
+      run: |
+        echo "=== DEPLOYMENT VERIFICATION ==="
+        echo "Verifying upgrade to local development image..."
+
+        echo "--- Pod Status ---"
+        kubectl get pods -n vela-system
+
+        echo "--- Deployment Rollout ---"
+        kubectl rollout status deployment/kubevela-vela-core \
+          -n vela-system \
+          --timeout=300s
+
+        echo "--- Deployed Image Version ---"
+        kubectl get deployment kubevela-vela-core \
+          -n vela-system \
+          -o yaml | grep "image:" | head -1
+
+        echo "Deployment verification completed successfully!"

.github/actions/deploy-latest-release/README.md

@@ -0,0 +1,32 @@
+# Install Latest KubeVela Release Action
+
+This GitHub composite action installs the latest stable KubeVela release from the official Helm repository and verifies its deployment status.
+
+## What it does
+
+- Discovers the latest stable KubeVela release tag from GitHub
+- Adds and updates the official KubeVela Helm chart repository
+- Installs KubeVela into the `vela-system` namespace (using Helm)
+- Verifies pod status and deployment rollout for successful installation
+
+## Usage
+
+```yaml
+- name: Install Latest KubeVela Release
+  uses: ./path/to/this/action
+```
+
+## Requirements
+
+- Helm, kubectl, jq, and curl must be available in your runner environment
+- Kubernetes cluster access
+
+## Steps performed
+
+1. **Release Tag Discovery:** Fetches latest stable tag (without `v` prefix)
+2. **Helm Repo Setup:** Adds/updates KubeVela Helm chart repo
+3. **Install KubeVela:** Installs latest release in the `vela-system` namespace
+4. **Status Verification:** Checks pod status and rollout for readiness
+
+---
+

.github/actions/deploy-latest-release/action.yaml

@@ -0,0 +1,68 @@
+name: 'Install Latest KubeVela Release'
+description: 'Installs the latest stable KubeVela release from official Helm repository with status verification'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Latest Release Tag Discovery
+    # Fetch current stable release version from GitHub API
+    # ========================================================================
+    - name: Get latest KubeVela release tag (no v prefix)
+      id: get_latest_tag
+      shell: bash
+      run: |
+        TAG=$(curl -s https://api.github.com/repos/kubevela/kubevela/releases/latest | \
+              jq -r ".tag_name" | \
+              awk '{sub(/^v/, ""); print}')
+        echo "LATEST_TAG=$TAG" >> $GITHUB_ENV
+        echo "Discovered latest release: $TAG"
+
+    # ========================================================================
+    # Helm Repository Configuration
+    # Add and update official KubeVela chart repository
+    # ========================================================================
+    - name: Add KubeVela Helm repo
+      shell: bash
+      run: |
+        echo "Adding KubeVela Helm repository..."
+        helm repo add kubevela https://kubevela.github.io/charts
+        helm repo update
+        echo "Helm repository configuration completed"
+
+    # ========================================================================
+    # KubeVela Stable Release Installation
+    # Deploy latest stable version to vela-system namespace
+    # ========================================================================
+    - name: Install KubeVela ${{ env.LATEST_TAG }}
+      shell: bash
+      run: |
+        echo "Installing KubeVela version: ${{ env.LATEST_TAG }}"
+        helm install \
+          --create-namespace \
+          -n vela-system \
+          kubevela kubevela/vela-core \
+          --version ${{ env.LATEST_TAG }} \
+          --timeout 10m \
+          --wait
+        echo "KubeVela installation completed"
+
+    # ========================================================================
+    # Installation Status Verification
+    # Verify successful deployment and readiness of KubeVela components
+    # ========================================================================
+    - name: Post-install status
+      shell: bash
+      run: |
+        echo "=== INSTALLATION VERIFICATION ==="
+        echo "Verifying KubeVela deployment status..."
+
+        echo "--- Pod Status ---"
+        kubectl get pods -n vela-system
+
+        echo "--- Deployment Rollout ---"
+        kubectl rollout status deployment/kubevela-vela-core \
+          -n vela-system \
+          --timeout=300s
+
+        echo "KubeVela installation verification completed successfully!"

.github/actions/e2e-test/README.md

@@ -0,0 +1,51 @@
+# Kubevela K8s Upgrade E2E Test Action
+
+A comprehensive GitHub composite action for running KubeVela Kubernetes upgrade end-to-end (E2E) tests with complete environment setup, multiple test suites, and failure diagnostics.
+
+
+> **Note**: This action requires the `GO_VERSION` environment variable to be set in your workflow.
+
+## Quick Start
+
+### Basic Usage
+
+```yaml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  e2e-tests:
+    runs-on: ubuntu-latest
+    env:
+      GO_VERSION: '1.23.8'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Run KubeVela E2E Tests
+        uses: ./.github/actions/upgrade-e2e-test
+```
+
+## Test Flow Diagram
+
+```
+┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
+│ Environment     │    │ E2E Environment  │    │ Test Execution  │
+│ Setup           │───▶│ Preparation      │───▶│ (3 Suites)      │
+│                 │    │                  │    │                 │
+│ • Install tools │    │ • Cleanup        │    │ • API tests     │
+│ • Setup Go      │    │ • Core setup     │    │ • Addon tests   │
+│ • Dependencies  │    │ • Helm tests     │    │ • General tests │
+│ • Build project │    │                  │    │                 │
+└─────────────────┘    └──────────────────┘    └─────────────────┘
+                                                        │
+                                                        ▼
+                                                ┌─────────────────┐
+                                                │ Diagnostics     │
+                                                │ (On Failure)    │
+                                                │                 │
+                                                │ • Cluster logs  │
+                                                │ • System events │
+                                                │ • Test artifacts│
+                                                └─────────────────┘
+```

.github/actions/e2e-test/action.yaml

@@ -0,0 +1,96 @@
+name: 'Kubevela K8s Upgrade e2e Test'
+description: 'Runs Kubevela K8s upgrade e2e tests, uploads coverage, and collects diagnostics on failure.'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+
+    - name: Build project
+      shell: bash
+      run: make
+
+    # ========================================================================
+    # E2E Test Environment Preparation
+    # ========================================================================
+    - name: Prepare e2e environment
+      shell: bash
+      run: |
+        echo "Preparing e2e test environment..."
+        make e2e-cleanup
+        make e2e-setup-core
+
+        echo "Running Helm tests..."
+        helm test -n vela-system kubevela --timeout 5m
+
+    # ========================================================================
+    # E2E Test Execution
+    # ========================================================================
+    - name: Run API e2e tests
+      shell: bash
+      run: |
+        echo "Running API e2e tests..."
+        make e2e-api-test
+
+    - name: Run addon e2e tests
+      shell: bash
+      run: |
+        echo "Running addon e2e tests..."
+        make e2e-addon-test
+
+    - name: Run general e2e tests
+      shell: bash
+      run: |
+        echo "Running general e2e tests..."
+        make e2e-test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: ./coverage.txt
+        flags: core-unittests
+        name: codecov-umbrella
+        fail_ci_if_error: false
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
+
+        echo "--- Helm Release Status ---"
+        helm list -A || true
+        helm status kubevela -n vela-system || true
+
+        echo "--- Test Artifacts ---"
+        find . -name "*.log" -type f -exec echo "=== {} ===" \; -exec cat {} \; || true

.github/actions/env-setup/README.md

@@ -0,0 +1,67 @@
+# Kubevela Test Environment Setup Action
+
+A GitHub Actions composite action that sets up a complete testing environment for Kubevela projects with Go, Kubernetes tools, and the Ginkgo testing framework.
+
+## Features
+
+- 🛠️ **System Dependencies**: Installs essential build tools (make, gcc, jq, curl, etc.)
+- ☸️ **Kubernetes Tools**: Sets up kubectl and Helm for cluster operations
+- 🐹 **Go Environment**: Configurable Go version with module caching
+- 📦 **Dependency Management**: Downloads and verifies Go module dependencies
+- 🧪 **Testing Framework**: Installs Ginkgo v2 for BDD-style testing
+
+## Usage
+
+```yaml
+- name: Setup Kubevela Test Environment
+  uses: ./path/to/this/action
+  with:
+    go-version: '1.23.8'      # Optional: Go version (default: 1.23.8)
+```
+
+### Example Workflow
+
+```yaml
+name: Kubevela Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Setup Test Environment
+        uses: ./path/to/this/action
+        with:
+          go-version: '1.21'
+          
+      - name: Run Tests
+        run: |
+          ginkgo -r ./tests/e2e/
+```
+
+## Inputs
+
+| Input | Description | Required | Default | Usage |
+|-------|-------------|----------|---------|-------|
+| `go-version` | Go version to install and use | No | `1.23.8` | Specify Go version for your project |
+
+## What This Action Installs
+
+### System Tools
+- **make**: Build automation tool
+- **gcc**: GNU Compiler Collection
+- **jq**: JSON processor for shell scripts
+- **ca-certificates**: SSL/TLS certificates
+- **curl**: HTTP client for downloads
+- **gnupg**: GNU Privacy Guard for security
+
+### Kubernetes Ecosystem
+- **kubectl**: Kubernetes command-line tool (latest stable)
+- **helm**: Kubernetes package manager (latest stable)
+
+### Go Development
+- **Go Runtime**: Specified version with module caching enabled
+- **Go Modules**: Downloaded and verified dependencies
+- **Ginkgo v2.14.0**: BDD testing framework for Go

.github/actions/env-setup/action.yaml

@@ -0,0 +1,72 @@
+name: 'Kubevela Test Environment Setup'
+description: 'Sets up complete testing environment for Kubevela with Go, Kubernetes tools, and Ginkgo framework for E2E testing.'
+
+inputs:
+  go-version:
+    description: 'Go version to use for testing'
+    required: false
+    default: '1.23.8'
+
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        # Update package manager and install essential tools
+        sudo apt-get update
+        sudo apt-get install -y \
+          make \
+          gcc \
+          jq \
+          ca-certificates \
+          curl \
+          gnupg
+
+    - name: Install kubectl and helm
+      shell: bash
+      run: |
+        # Detect architecture
+        ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+        
+        # Install kubectl
+        echo "Installing kubectl for architecture: $ARCH"
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl"
+        chmod +x kubectl
+        sudo mv kubectl /usr/local/bin/
+        
+        # Install helm using the official script (more reliable)
+        echo "Installing Helm using official script..."
+        curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+        chmod 700 get_helm.sh
+        ./get_helm.sh
+        rm get_helm.sh
+        
+        # Verify installations
+        echo "Verifying installations..."
+        kubectl version --client
+        helm version
+    
+
+    - name: Setup Go environment
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+      with:
+        go-version: ${{ inputs.go-version }}
+        cache: true
+
+    - name: Download Go dependencies
+      shell: bash
+      run: |
+        # Download and cache Go module dependencies
+        go mod download
+        go mod verify
+
+    - name: Install Ginkgo testing framework
+      shell: bash
+      run: |
+        echo "Installing Ginkgo testing framework..."
+        go install github.com/onsi/ginkgo/v2/ginkgo@v2.14.0

.github/actions/multicluster-test/README.md

@@ -0,0 +1,35 @@
+# Kubevela K8s Upgrade Multicluster E2E Test Action
+
+A comprehensive GitHub Actions composite action for running Kubevela Kubernetes upgrade multicluster end-to-end tests with automated coverage reporting and failure diagnostics.
+
+## Usage
+
+
+```yaml
+name: Kubevela Multicluster E2E Tests
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  multicluster-e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Multicluster E2E Tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: 'true'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+```
+
+## Inputs
+
+| Input | Description | Required | Default | Type |
+|-------|-------------|----------|---------|------|
+| `codecov-token` | Codecov token for uploading coverage reports | No | `''` | string |
+| `codecov-enable` | Enable codecov coverage upload | No | `'false'` | string |

.github/actions/multicluster-test/action.yaml

@@ -0,0 +1,76 @@
+name: 'Kubevela K8s Upgrade Multicluster E2E Test'
+description: 'Runs Kubevela Kubernetes upgrade multicluster end-to-end tests, uploads coverage, and collects diagnostics on failure.'
+author: 'viskumar_gwre'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+
+    # ========================================================================
+    # E2E Test Execution
+    # ========================================================================
+    - name: Prepare e2e test environment
+      shell: bash
+      run: |
+        # Build CLI tools and prepare test environment
+        echo "Building KubeVela CLI..."
+        make vela-cli
+
+        echo "Cleaning up previous test artifacts..."
+        make e2e-cleanup
+
+        echo "Setting up core authentication for e2e tests..."
+        make e2e-setup-core-auth
+
+    - name: Execute multicluster upgrade e2e tests
+      shell: bash
+      run: |
+        # Add built CLI to PATH and run multicluster tests
+        export PATH=$(pwd)/bin:$PATH
+
+        echo "Running e2e multicluster upgrade tests..."
+        make e2e-multicluster-test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
+        flags: e2e-multicluster-test
+        name: codecov-umbrella
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true

.github/actions/setup-kind-cluster/README.md

@@ -0,0 +1,78 @@
+# Setup Kind Cluster Action
+
+A GitHub Action that sets up a Kubernetes testing environment using Kind (Kubernetes in Docker) for E2E testing.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `k8s-version` | Kubernetes version for the kind cluster | No | `v1.31.9` |
+
+## Quick Start
+
+```yaml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      
+      - name: Setup Kind Cluster
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: 'v1.31.9'
+      
+      - name: Run tests
+        run: |
+          kubectl cluster-info
+          make test-e2e
+```
+
+## What it does
+
+1. **Installs Kind CLI** - Downloads Kind v0.29.0 using Go
+2. **Cleans up** - Removes any existing Kind clusters
+3. **Creates cluster** - Spins up Kubernetes v1.31.9 cluster
+4. **Sets up environment** - Configures KUBECONFIG for kubectl access
+5. **Loads images** - Builds and loads Docker images using `make image-load`
+
+## File Structure
+
+Save as `.github/actions/setup-kind-cluster/action.yaml`:
+
+```yaml
+name: 'SetUp kind cluster'
+description: 'Sets up complete testing environment for Kubevela with Go, Kubernetes tools, and Ginkgo framework for E2E testing.'
+
+inputs:
+  k8s-version:
+    description: 'Kubernetes version for the kind cluster'
+    required: false
+    default: 'v1.31.9'
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Kind cluster Setup
+    # ========================================================================
+    - name: Setup KinD
+      run: |
+        go install sigs.k8s.io/kind@v0.29.0
+        kind delete cluster || true
+        kind create cluster --image=kindest/node:${{ inputs.k8s-version }}
+      shell: bash
+
+    - name: Load image
+      run: |
+        mkdir -p $HOME/tmp/
+        TMPDIR=$HOME/tmp/ make image-load
+      shell: bash
+```

.github/actions/setup-kind-cluster/action.yaml

@@ -0,0 +1,36 @@
+name: 'SetUp kind cluster'
+description: 'Sets up a KinD (Kubernetes in Docker) cluster with configurable Kubernetes version and optional cluster naming for testing and development workflows.'
+inputs:
+  k8s-version:
+    description: 'Kubernetes version for the kind cluster'
+    required: false
+    default: 'v1.31.9'
+  name:
+    description: 'Name of the kind cluster'
+    required: false
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Kind cluster Setup
+    # ========================================================================
+    - name: Setup KinD
+      run: |
+        go install sigs.k8s.io/kind@v0.29.0
+        if [ -n "${{ inputs.name }}" ]; then
+          kind delete cluster --name="${{ inputs.name }}" || true
+          kind create cluster --name="${{ inputs.name }}" --image=kindest/node:${{ inputs.k8s-version }}
+          kind export kubeconfig --internal --name="${{ inputs.name }}" --kubeconfig /tmp/${{ inputs.name }}.kubeconfig
+        else
+          kind delete cluster || true
+          kind create cluster --image=kindest/node:${{ inputs.k8s-version }}
+        fi
+      shell: bash
+
+    - name: Load image
+      run: |
+        if [ -z "${{ inputs.name }}" ]; then
+          mkdir -p $HOME/tmp/
+          TMPDIR=$HOME/tmp/ make image-load
+        fi
+      shell: bash

.github/actions/unit-test/README.md

@@ -0,0 +1,34 @@
+# Kubevela K8s Upgrade Unit Test Action
+
+A comprehensive GitHub composite action for running KubeVela Kubernetes upgrade unit tests with coverage reporting and failure diagnostics.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `codecov-token` | Codecov token for uploading coverage reports | ❌ | `''` |
+| `codecov-enable` | Enable Codecov coverage upload (`'true'` or `'false'`) | ❌ | `'false'` |
+| `go-version` | Go version to use for testing | ❌ | `'1.23.8'` |
+
+## Quick Start
+
+### Basic Usage
+
+```yaml
+name: Unit Tests with Coverage
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Run KubeVela Unit Tests
+        uses: viskumar_gwre/kubevela-k8s-upgrade-unit-test-action@v1
+        with:
+          codecov-enable: 'true'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          go-version: '1.23.8'
+```

.github/actions/unit-test/action.yaml

@@ -0,0 +1,67 @@
+name: 'Kubevela K8s Upgrade Unit Test'
+description: 'Runs Kubevela K8s upgrade unit tests, uploads coverage, and collects diagnostics on failure.'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+
+    # ========================================================================
+    # Unit Test Execution
+    # ========================================================================
+    - name: Run unit tests
+      shell: bash
+      run: |
+        echo "Running unit tests..."
+        make test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: ./coverage.txt
+        flags: core-unittests
+        name: codecov-umbrella
+        fail_ci_if_error: false
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Go Environment ---"
+        go version || true
+        go env || true
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
+
+        echo "--- Test Artifacts ---"
+        find . -name "*.log" -o -name "*test*.xml" -o -name "coverage.*" | head -20 || true

.github/comment.userlist

@@ -11,4 +11,7 @@ wangyuan249
 chivalryq
 FogDong
 leejanee
-barnettZQG
+barnettZQG
+anoop2811 
+briankane 
+jguionnet

.github/workflows/definition-lint.yml

@@ -5,14 +5,20 @@ on:
     branches:
       - master
       - release-*
+    paths:
+      - 'vela-templates/definitions/**'
+      - 'vela-templates/gen_definitions.sh'
   workflow_dispatch: {}
   pull_request:
     branches:
       - master
       - release-*
+    paths:
+      - 'vela-templates/definitions/**'
+      - 'vela-templates/gen_definitions.sh'
 
 permissions:
-  contents: read
+  contents: write
 
 env:
   # Common versions
@@ -31,11 +37,41 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
           submodules: true
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: linter
+
+      - name: Build vela CLI
+        run: make vela-cli
+
+      - name: Update registry definitions
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
         run: |
-          go install sigs.k8s.io/kind@v0.29.0
-          kind create cluster --image=kindest/node:v1.31.9
+          cd vela-templates
+          chmod +x gen_definitions.sh
+          ./gen_definitions.sh
+        
+      - name: Check for registry changes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        id: verify-changed-files
+        run: |
+          if [ -n "$(git status --porcelain vela-templates/registry/auto-gen/)" ]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Commit registry changes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master' && steps.verify-changed-files.outputs.changed == 'true'
+        run: |
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git add vela-templates/registry/auto-gen/
+          git commit -m "Auto-update registry definitions from latest templates"
+          git push
 
       - name: Definition Doc generate check
         run: |

.github/workflows/e2e-multicluster-test.yml

@@ -44,7 +44,7 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
     strategy:
       matrix:
-        k8s-version: ["v1.31"]
+        k8s-version: ["v1.31.9"]
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
       cancel-in-progress: true
@@ -53,61 +53,31 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 
-      - name: Install tools
-        run: |
-          sudo apt-get update
-          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
-          sudo snap install kubectl --classic
-          sudo snap install helm --classic
-
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
+      - name: Setup worker cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
         with:
-          go-version: ${{ env.GO_VERSION }}
+          name: worker
+          k8s-version: ${{ matrix.k8s-version }}
 
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.29.0
-          kind delete cluster --name worker || true
-          kind create cluster --name worker --image=kindest/node:v1.31.9
-          kind export kubeconfig --internal --name worker --kubeconfig /tmp/worker.kubeconfig
-          kind delete cluster || true
-          kind create cluster --image=kindest/node:v1.31.9
-
-      - name: Load image
-        run: |
-          mkdir -p $HOME/tmp/ 
-          TMPDIR=$HOME/tmp/ make image-load
-
-      - name: Cleanup for e2e tests
-        run: |
-          make vela-cli
-          make e2e-cleanup
-          make e2e-setup-core-auth
-
-      - name: Run e2e multicluster tests
-        run: |
-          export PATH=$(pwd)/bin:$PATH
-          make e2e-multicluster-test
-
-      - name: Stop kubevela, get profile
-        run: |
-          make end-e2e-core-shards
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      - name: Setup master cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
-          flags: e2e-multicluster-test
-          name: codecov-umbrella
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Run upgrade multicluster tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
 
       - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
+        run: |
+          if [ -f /tmp/e2e-profile.out ]; then
+            rm /tmp/e2e-profile.out
+            echo "E2E profile cleaned"
+          else
+            echo "E2E profile not found, skipping cleanup"
+          fi
 
       - name: Cleanup image
         if: ${{ always() }}

.github/workflows/e2e-test.yml

@@ -53,68 +53,26 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 
-      - name: Install tools
-        run: |
-          sudo apt-get update
-          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
-          sudo snap install kubectl --classic
-          sudo snap install helm --classic
-
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
       - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.29.0
-          kind delete cluster || true
-          kind create cluster --image=kindest/node:v1.31.9
+        uses: ./.github/actions/setup-kind-cluster
 
-      - name: Get Ginkgo
-        run: |
-          go install github.com/onsi/ginkgo/v2/ginkgo@v2.14.0
-
-      - name: Load image
-        run: |
-          mkdir -p $HOME/tmp/
-          TMPDIR=$HOME/tmp/ make image-load
-
-      - name: Run Make
-        run: make
-
-      - name: Prepare for e2e tests
-        run: |
-          make e2e-cleanup
-          make e2e-setup-core
-          helm test -n vela-system kubevela --timeout 5m
-
-      - name: Run api e2e tests
-        run: make e2e-api-test
-
-      - name: Run addons e2e tests
-        run: make e2e-addon-test
-
-      - name: Run e2e tests
-        run: make e2e-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      # ========================================================================
+      # E2E Test Execution
+      # ========================================================================
+      - name: Run upgrade e2e tests
+        uses: ./.github/actions/e2e-test
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out
-          flags: e2etests
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
 
       - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
+        run: |
+          if [ -f /tmp/e2e-profile.out ]; then
+            rm /tmp/e2e-profile.out
+            echo "E2E profile cleaned"
+          else
+            echo "E2E profile not found, skipping cleanup"
+          fi
 
       - name: Cleanup image
         if: ${{ always() }}

.github/workflows/go.yml

@@ -97,28 +97,16 @@ jobs:
         with:
           submodules: true
 
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+        
       - name: Setup node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "14"
 
-      - name: Cache Go Dependencies
-        uses: actions/cache@v4
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.29.0
-          kind delete cluster --name kind || true
-          kind create cluster --name kind --image=kindest/node:v1.31.9 --kubeconfig ~/.kube/config
+      - name: Setup kinD
+        uses: ./.github/actions/setup-kind-cluster
 
       - name: Run cross-build
         run: make cross-build

.github/workflows/release.yml

@@ -3,7 +3,7 @@ name: Release
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
   workflow_dispatch: {}
 
 permissions:
@@ -26,6 +26,32 @@ jobs:
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
     steps:
+      - name: Check disk (before)
+        run: |
+          df -h
+          sudo du -sh /usr/local/lib/android /usr/share/dotnet /opt/ghc || true
+
+      - name: Free Disk Space (Ubuntu)
+        uses: insightsengineering/disk-space-reclaimer@v1
+        with:
+          # this might remove tools that are actually needed,
+          # if set to "true" but frees about 6 GB
+          tools-cache: false
+          # all of these default to true, but feel free to set to
+          # "false" if necessary for your workflow
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+          docker-images: true
+
+      # Extra prune in case your job builds/pulls images
+      - name: Deep Docker prune
+        run: |
+          docker system prune -af || true
+          docker builder prune -af || true
+
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
@@ -43,7 +69,7 @@ jobs:
       - name: Install Cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v2.5.0'
+          cosign-release: "v2.5.0"
 
       - name: Install syft
         uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
@@ -65,6 +91,9 @@ jobs:
           HASHES=$(find dist -type f -exec sha256sum {} \; | base64 -w0)
           echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"
 
+      - name: Check disk (after)
+        run: df -h
+
   upload-plugin-homebrew:
     name: upload-sha256sums
     needs: goreleaser
@@ -82,16 +111,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
       - name: Update kubectl plugin version in krew-index
         uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
-      - name: Update Homebrew formula
-        uses: dawidd6/action-homebrew-bump-formula@d3667e5ae14df19579e4414897498e3e88f2f458 # v3.10.0
-        with:
-          token: ${{ secrets.HOMEBREW_TOKEN }}
-          formula: kubevela
-          tag: ${{ github.ref }}
-          revision: ${{ github.sha }}
-          force: false
 
   provenance-vela-bins:
     name: generate provenance for binaries
@@ -103,5 +125,5 @@ jobs:
       actions: read
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # has to be sem var
     with:
-      base64-subjects: '${{ needs.goreleaser.outputs.hashes }}'
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       upload-assets: true

.github/workflows/sdk-test.yml

@@ -16,11 +16,6 @@ on:
 permissions:
   contents: read
 
-env:
-  # Common versions
-  GO_VERSION: '1.23.8'
-  GOLANGCI_VERSION: 'v1.60.1'
-
 jobs:
   sdk-tests:
     runs-on: ubuntu-22.04
@@ -28,10 +23,8 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
-        with:
-          go-version: ${{ env.GO_VERSION }}
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
 
       - name: Install Go tools
         run: |
@@ -39,9 +32,9 @@ jobs:
           make golangci
 
       - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.29.0
-          kind create cluster --image=kindest/node:v1.31.9
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: sdk-test
 
       - name: Build CLI
         run: make vela-cli

.github/workflows/sync-api.yml

@@ -10,21 +10,16 @@ on:
 permissions:
   contents: read
 
-env:
-  GO_VERSION: '1.23.8'
-
 jobs:
   sync-core-api:
     runs-on: ubuntu-22.04
     steps:
-      - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Check out code into the Go module directory
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
       - name: Get the version
         id: get_version
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

.github/workflows/sync-sdk.yaml

@@ -14,36 +14,33 @@ on:
 permissions:
   contents: read
 
-env:
-  GO_VERSION: '1.23.8'
-
 jobs:
   sync_sdk:
     runs-on: ubuntu-22.04
     steps:
-      - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
-        with:
-          go-version: ${{ env.GO_VERSION }}
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
-      - name: Get the version
-        id: get_version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
+      - name: Env setup
+        uses: ./.github/actions/env-setup
 
       - name: Install Go tools
         run: |
           make goimports
-          
+
       - name: Build CLI
         run: make vela-cli
 
+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: sync-sdk
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF}" >> $GITHUB_OUTPUT
+
       - name: Sync SDK to kubevela/kubevela-go-sdk
         run: bash ./hack/sdk/sync.sh
         env:

.github/workflows/unit-test.yml

@@ -14,10 +14,6 @@ on:
 permissions:
   contents: read
 
-env:
-  # Common versions
-  GO_VERSION: "1.23.8"
-
 jobs:
   detect-noop:
     permissions:
@@ -41,41 +37,19 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
 
     steps:
-      - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Check out code into the Go module directory
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
           submodules: true
 
-      - name: Cache Go Dependencies
-        uses: actions/cache@v4
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Setup KinD with Kubernetes
+        uses: ./.github/actions/setup-kind-cluster
+
+      - name: Run unit tests
+        uses: ./.github/actions/unit-test
         with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install ginkgo
-        run: |
-          sudo sed -i 's/azure\.//' /etc/apt/sources.list
-          sudo apt-get update
-          sudo apt-get install -y golang-ginkgo-dev
-
-      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.29.0
-          kind create cluster --image=kindest/node:v1.31.9
-
-      - name: Run Make test
-        run: make test
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./coverage.txt
-          flags: core-unittests
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/upgrade-e2e-multicluster-test.yml

@@ -0,0 +1,98 @@
+# =============================================================================
+# E2E Upgrade Multicluster Test Workflow
+# =============================================================================
+# This workflow performs end-to-end testing for KubeVela multicluster upgrades.
+# It tests the upgrade path from the latest released version to the current
+# development branch across multiple Kubernetes versions.
+#
+# Test Flow:
+# 1. Install latest KubeVela release
+# 2. Build and upgrade to current development version
+# 3. Run multicluster e2e tests to verify functionality
+# =============================================================================
+
+name: E2E Upgrade Multicluster Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Global Environment Variables
+# =============================================================================
+env:
+  GO_VERSION: '1.23.8'  # Go version for building and testing
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-multicluster-tests:
+    name: Upgrade Multicluster Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 60  # Prevent hanging jobs
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Environment Setup
+      # ========================================================================
+
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+
+      - name: Setup worker cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: worker
+
+      - name: Setup KinD master clusters for multicluster testing
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      - name: Run upgarde multicluster tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: false
+          codecov-token: ''

.github/workflows/upgrade-e2e-test.yml

@@ -0,0 +1,102 @@
+# =============================================================================
+# Upgrade E2E Test Workflow
+# =============================================================================
+# This workflow performs comprehensive end-to-end testing for KubeVela upgrades.
+# It validates the upgrade path from the latest stable release to the current
+# development version by running multiple test suites including API, addon,
+# and general e2e tests.
+#
+# Test Flow:
+# 1. Install latest KubeVela release
+# 2. Build and upgrade to current development version
+# 3. Run comprehensive e2e test suites (API, addon, general)
+# 4. Validate upgrade functionality and compatibility
+# =============================================================================
+
+name: Upgrade E2E Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Environment Variables
+# =============================================================================
+env:
+  GO_VERSION: '1.23.8'
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-tests:
+    name: Upgrade E2E Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 90  # Extended timeout for comprehensive e2e testing
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Repository Setup
+      # ========================================================================
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+      - name: Setup KinD with Kubernetes ${{ matrix.k8s-version }}
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Build vela CLI
+        run: make vela-cli
+
+      - name: Build kubectl-vela plugin
+        run: make kubectl-vela
+
+      - name: Install kustomize
+        run: make kustomize
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      # ========================================================================
+      # E2E Test Execution
+      # ========================================================================
+      - name: Run upgrade e2e tests
+        uses: ./.github/actions/e2e-test

.github/workflows/upgrade-unit-test.yml

@@ -0,0 +1,83 @@
+# =============================================================================
+# Upgrade Unit Test Workflow
+# =============================================================================
+# This workflow performs unit testing for KubeVela upgrades by:
+# 1. Installing the latest stable KubeVela release
+# 2. Building and upgrading to the current development version
+# 3. Running unit tests to validate the upgrade functionality
+# =============================================================================
+
+name: Upgrade Unit Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main and release branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-tests:
+    name: Upgrade Unit Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 45  # Prevent hanging jobs
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Environment Setup
+      # ========================================================================
+
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+
+      - name: Setup KinD with Kubernetes ${{ matrix.k8s-version }}
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      - name: Run unit tests
+        uses: ./.github/actions/unit-test
+        with:
+          codecov-enable: false
+          codecov-token: ''

.github/workflows/webhook-upgrade-validation.yml

@@ -0,0 +1,165 @@
+name: Webhook Upgrade Validation
+
+on:
+  push:
+    branches:
+      - master
+      - release-*
+    tags:
+      - v*
+  workflow_dispatch: {}
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.23.8'
+
+jobs:
+  webhook-upgrade-check:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Setup KinD
+        run: |
+          go install sigs.k8s.io/kind@v0.29.0
+          kind delete cluster || true
+          kind create cluster --image=kindest/node:v1.31.9
+
+      - name: Install KubeVela CLI
+        run: curl -fsSL https://kubevela.io/script/install.sh | bash
+
+      - name: Install KubeVela baseline
+        run: |
+          vela install --set featureGates.enableCueValidation=true
+          kubectl wait --namespace vela-system --for=condition=Available deployment/kubevela-vela-core --timeout=300s
+
+      - name: Prepare failing chart changes
+        run: |
+          cat <<'CHART' > charts/vela-core/templates/defwithtemplate/resource.yaml
+          # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+          # Definition source cue file: vela-templates/definitions/internal/resource.cue
+          apiVersion: core.oam.dev/v1beta1
+          kind: TraitDefinition
+          metadata:
+            annotations:
+              definition.oam.dev/description: Add resource requests and limits on K8s pod for your workload which follows the pod spec in path 'spec.template.'
+            name: resource
+            namespace: {{ include "systemDefinitionNamespace" . }}
+          spec:
+            appliesToWorkloads:
+              - deployments.apps
+              - statefulsets.apps
+              - daemonsets.apps
+              - jobs.batch
+              - cronjobs.batch
+            podDisruptive: true
+            schematic:
+              cue:
+                template: |2
+                  let resourceContent = {
+                    resources: {
+                      if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
+                        // +patchStrategy=retainKeys
+                        requests: {
+                          cpu:    parameter.cpu
+                          memory: parameter.memory
+                        }
+                        // +patchStrategy=retainKeys
+                        limits: {
+                          cpu:    parameter.cpu
+                          memory: parameter.memory
+                        }
+                      }
+                      if parameter.requests != _|_ {
+                        // +patchStrategy=retainKeys
+                        requests: {
+                          cpu:    parameter.requests.cpu
+                          memory: parameter.requests.memory
+                        }
+                      }
+                      if parameter.limits != _|_ {
+                        // +patchStrategy=retainKeys
+                        limits: {
+                          cpu:    parameter.limits.cpu
+                          memory: parameter.limits.memory
+                        }
+                      }
+                    }
+                  }
+                  if context.output.spec != _|_ if context.output.spec.template != _|_ {
+                    patch: spec: template: spec: {
+                      // +patchKey=name
+                      containers: [resourceContent]
+                    }
+                  }
+                  if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+                    patch: spec: jobTemplate: spec: template: spec: {
+                      // +patchKey=name
+                      containers: [resourceContent]
+                    }
+                  }
+                  parameter: {
+                    // +usage=Specify the amount of cpu for requests and limits
+                    cpu?: *1 | number | string
+                    // +usage=Specify the amount of memory for requests and limits
+                    memory?: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    // +usage=Specify the resources in requests
+                    requests?: {
+                      // +usage=Specify the amount of cpu for requests
+                      cpu: *1 | number | string
+                      // +usage=Specify the amount of memory for requests
+                      memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    }
+                    // +usage=Specify the resources in limits
+                    limits?: {
+                      // +usage=Specify the amount of cpu for limits
+                      cpu: *1 | number | string
+                      // +usage=Specify the amount of memory for limits
+                      memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    }
+                  }
+
+      - name: Load image
+        run: |
+          mkdir -p $HOME/tmp/
+          TMPDIR=$HOME/tmp/ make image-load
+
+      - name: Run Helm upgrade (expected to fail)
+        run: |
+          set +e
+          helm upgrade \
+            --set image.repository=vela-core-test \
+            --set image.tag=$(git rev-parse --short HEAD) \
+            --set featureGates.enableCueValidation=true \
+            --wait kubevela ./charts/vela-core --debug -n vela-system
+          status=$?
+          echo "Helm upgrade exit code: ${status}"
+          if [ $status -eq 0 ]; then
+            echo "Expected helm upgrade to fail" >&2
+            exit 1
+          fi
+          echo "Helm upgrade failed as expected"
+
+      - name: Dump webhook configurations
+        if: ${{ always() }}
+        run: |
+          kubectl get mutatingwebhookconfiguration kubevela-vela-core-admission -o yaml
+          kubectl get validatingwebhookconfiguration kubevela-vela-core-admission -o yaml
+
+      - name: Verify webhook validation remains active
+        run: ginkgo -v --focus-file requiredparam_validation_test.go ./test/e2e-test
+
+      - name: Cleanup kind cluster
+        if: ${{ always() }}
+        run: kind delete cluster --name kind

.gitignore

@@ -35,6 +35,14 @@ vendor/
 .vscode
 .history
 
+# Debug binaries generated by VS Code/Delve
+__debug_bin*
+*/__debug_bin*
+
+# Webhook certificates generated at runtime
+k8s-webhook-server/
+options.go.bak 
+
 pkg/test/vela
 config/crd/bases
 _tmp/

charts/vela-core/README.md

@@ -100,6 +100,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `featureGates.disableWorkflowContextConfigMapCache`          | disable the workflow context's configmap informer cache                                                                                                                                                                          | `true`  |
 | `featureGates.enableCueValidation`                           | enable the strict cue validation for cue required parameter fields                                                                                                                                                               | `false` |
 | `featureGates.enableApplicationStatusMetrics`                | enable application status metrics and structured logging                                                                                                                                                                         | `false` |
+| `featureGates.validateResourcesExist`                        | enable webhook validation to check if resource types referenced in definition templates exist in the cluster                                                                                                                     | `false` |
 
 ### MultiCluster parameters
 
@@ -147,6 +148,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `affinity`                                     | Affinity                                                                                                                                                           | `{}`                 |
 | `rbac.create`                                  | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
 | `logDebug`                                     | Enable debug logs for development purpose                                                                                                                          | `false`              |
+| `devLogs`                                      | Enable formatted logging support for development purpose                                                                                                           | `false`              |
 | `logFilePath`                                  | If non-empty, write log files in this path                                                                                                                         | `""`                 |
 | `logFileMaxSize`                               | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
 | `kubeClient.qps`                               | The qps for reconcile clients                                                                                                                                      | `400`                |

charts/vela-core/templates/admission-webhooks/job-patch/clusterrole.yaml

@@ -4,7 +4,7 @@ kind: ClusterRole
 metadata:
   name:  {{ template "kubevela.fullname" . }}-admission
   annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kubevela.name" . }}-admission

charts/vela-core/templates/admission-webhooks/job-patch/clusterrolebinding.yaml

@@ -4,7 +4,7 @@ kind: ClusterRoleBinding
 metadata:
   name:  {{ template "kubevela.fullname" . }}-admission
   annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kubevela.name" . }}-admission

charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ template "kubevela.fullname" . }}-admission-patch
   namespace: {{ .Release.Namespace }}
   annotations:
-    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook": post-install,post-upgrade,post-rollback
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kubevela.name" . }}-admission-patch

charts/vela-core/templates/admission-webhooks/job-patch/role.yaml

@@ -5,7 +5,7 @@ metadata:
   name:  {{ template "kubevela.fullname" . }}-admission
   namespace: {{ .Release.Namespace }}
   annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kubevela.name" . }}-admission

charts/vela-core/templates/admission-webhooks/job-patch/rolebinding.yaml

@@ -5,7 +5,7 @@ metadata:
   name:  {{ template "kubevela.fullname" . }}-admission
   namespace: {{ .Release.Namespace }}
   annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kubevela.name" . }}-admission

charts/vela-core/templates/admission-webhooks/job-patch/serviceaccount.yaml

@@ -5,7 +5,7 @@ metadata:
   name:  {{ template "kubevela.fullname" . }}-admission
   namespace: {{ .Release.Namespace }}
   annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kubevela.name" . }}-admission

charts/vela-core/templates/admission-webhooks/mutatingWebhookConfiguration.yaml

@@ -1,4 +1,14 @@
 {{- if .Values.admissionWebhooks.enabled -}}
+{{- /* Preserve existing caBundle on upgrade to avoid breaking admission if hooks fail. */}}
+{{- $mName := printf "%s-admission" (include "kubevela.fullname" .) -}}
+{{- $existing := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" "" $mName) -}}
+{{- $vals := dict "apps" "" "comps" "" -}}
+{{- if $existing -}}
+{{- range $existing.webhooks -}}
+{{- if eq .name "mutating.core.oam.dev.v1beta1.applications" -}}{{- $_ := set $vals "apps" .clientConfig.caBundle -}}{{- end -}}
+{{- if eq .name "mutating.core.oam-dev.v1beta1.componentdefinitions" -}}{{- $_ := set $vals "comps" .clientConfig.caBundle -}}{{- end -}}
+{{- end -}}
+{{- end -}}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -10,7 +20,7 @@ metadata:
   {{- end }}
 webhooks:
   - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "apps") }}
       service:
         name: {{ template "kubevela.name" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -36,7 +46,7 @@ webhooks:
         resources:
           - applications
   - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "comps") }}
       service:
         name: {{ template "kubevela.name" . }}-webhook
         namespace: {{ .Release.Namespace }}

charts/vela-core/templates/admission-webhooks/validatingWebhookConfiguration.yaml

@@ -1,4 +1,16 @@
 {{- if .Values.admissionWebhooks.enabled -}}
+{{- /* Preserve existing caBundle on upgrade to avoid breaking admission if hooks fail. */}}
+{{- $vName := printf "%s-admission" (include "kubevela.fullname" .) -}}
+{{- $existing := (lookup "admissionregistration.k8s.io/v1" "ValidatingWebhookConfiguration" "" $vName) -}}
+{{- $vals := dict "traits" "" "apps" "" "comps" "" "policies" "" -}}
+{{- if $existing -}}
+{{- range $existing.webhooks -}}
+{{- if eq .name "validating.core.oam.dev.v1beta1.traitdefinitions" -}}{{- $_ := set $vals "traits" .clientConfig.caBundle -}}{{- end -}}
+{{- if eq .name "validating.core.oam.dev.v1beta1.applications" -}}{{- $_ := set $vals "apps" .clientConfig.caBundle -}}{{- end -}}
+{{- if eq .name "validating.core.oam-dev.v1beta1.componentdefinitions" -}}{{- $_ := set $vals "comps" .clientConfig.caBundle -}}{{- end -}}
+{{- if eq .name "validating.core.oam-dev.v1beta1.policydefinitions" -}}{{- $_ := set $vals "policies" .clientConfig.caBundle -}}{{- end -}}
+{{- end -}}
+{{- end -}}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -10,7 +22,7 @@ metadata:
   {{- end }}
 webhooks:
   - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "traits") }}
       service:
         name: {{ template "kubevela.name" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -37,7 +49,7 @@ webhooks:
           - traitdefinitions
     timeoutSeconds: 5
   - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "apps") }}
       service:
         name: {{ template "kubevela.name" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -63,7 +75,7 @@ webhooks:
         resources:
           - applications
   - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "comps") }}
       service:
         name: {{ template "kubevela.name" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -89,7 +101,7 @@ webhooks:
         resources:
           - componentdefinitions
   - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "policies") }}
       service:
         name: {{ template "kubevela.name" . }}-webhook
         namespace: {{ .Release.Namespace }}
@@ -114,4 +126,30 @@ webhooks:
           - UPDATE
         resources:
           - policydefinitions
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validating-core-oam-dev-v1beta1-workflowstepdefinitions
+    {{- if .Values.admissionWebhooks.patch.enabled  }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: validating.core.oam-dev.v1beta1.workflowstepdefinitions
+    sideEffects: None
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - workflowstepdefinitions
 {{- end -}}

charts/vela-core/templates/defwithtemplate/apply-application-in-parallel.yaml

@@ -15,9 +15,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"
 
         output: op.#ApplyApplicationInParallel & {}
 

charts/vela-core/templates/defwithtemplate/apply-application.yaml

@@ -16,9 +16,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"
 
         // apply application
         output: op.#ApplyApplication & {}

charts/vela-core/templates/defwithtemplate/apply-deployment.yaml

@@ -13,12 +13,8 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"strconv"
-        	"strings"
-        	"vela/kube"
-        	"vela/builtin"
-        )
+        import "vela/kube"
+        import "vela/builtin"
 
         output: kube.#Apply & {
         	$params: {

charts/vela-core/templates/defwithtemplate/apply-object.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        )
+        import "vela/kube"
 
         apply: kube.#Apply & {
         	$params: parameter

charts/vela-core/templates/defwithtemplate/apply-remaining.yaml

@@ -16,9 +16,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"
 
         // apply remaining components and traits
         apply: op.#ApplyRemaining & {

charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml

@@ -13,10 +13,8 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        	"vela/builtin"
-        )
+        import "vela/kube"
+        import "vela/builtin"
 
         apply: kube.#Apply & {
         	$params: value: {

charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml

@@ -13,12 +13,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/config"
-        	"vela/kube"
-        	"vela/builtin"
-        	"strings"
-        )
+        import "vela/config"
+        import "vela/kube"
+        import "vela/builtin"
 
         cfg: config.#CreateConfig & {
         	$params: {
@@ -87,9 +84,9 @@ spec:
         	}
         }
         providerBasic: {
-        	accessKey: string
-        	secretKey: string
-        	region:    string
+        	accessKey!: string
+        	secretKey!: string
+        	region!:    string
         }
         #AlibabaProvider: {
         	providerBasic
@@ -141,5 +138,5 @@ spec:
         	type:       "ucloud"
         	name:       *"ucloud-provider" | string
         }
-        parameter: *#AlibabaProvider | #AWSProvider | #AzureProvider | #BaiduProvider | #ECProvider | #GCPProvider | #TencentProvider | #UCloudProvider
+        parameter: #AlibabaProvider | #AWSProvider | #AzureProvider | #BaiduProvider | #ECProvider | #GCPProvider | #TencentProvider | #UCloudProvider
 

charts/vela-core/templates/defwithtemplate/build-push-image.yaml

@@ -13,13 +13,10 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/builtin"
-        	"vela/kube"
-        	"vela/util"
-        	"encoding/json"
-        	"strings"
-        )
+        import "vela/builtin"
+        import "vela/kube"
+        import "vela/util"
+        import "strings"
 
         url: {
         	if parameter.context.git != _|_ {

charts/vela-core/templates/defwithtemplate/check-metrics.yaml

@@ -14,10 +14,8 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/metrics"
-        	"vela/builtin"
-        )
+        import "vela/metrics"
+        import "vela/builtin"
 
         check: metrics.#PromCheck & {
         	$params: {

charts/vela-core/templates/defwithtemplate/clean-jobs.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        )
+        import "vela/kube"
 
         parameter: {
         	labelselector?: {...}

charts/vela-core/templates/defwithtemplate/collect-service-endpoints.yaml

@@ -12,11 +12,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/builtin"
-        	"vela/query"
-        	"strconv"
-        )
+        import "vela/builtin"
+        import "vela/query"
+        import "strconv"
 
         collect: query.#CollectServiceEndpoints & {
         	$params: app: {

charts/vela-core/templates/defwithtemplate/command.yaml

@@ -16,6 +16,8 @@ spec:
   schematic:
     cue:
       template: |
+        import "list"
+
         #PatchParams: {
         	// +usage=Specify the name of the target container, if not set, use the component name
         	containerName: *"" | string
@@ -73,7 +75,7 @@ spec:
         		}
 
         		// +patchStrategy=replace
-        		args: [for a in _args if _delArgs[a] == _|_ {a}] + [for a in _addArgs if _delArgs[a] == _|_ && _argsMap[a] == _|_ {a}]
+        		args: list.Concat([[for a in _args if _delArgs[a] == _|_ {a}], [for a in _addArgs if _delArgs[a] == _|_ && _argsMap[a] == _|_ {a}]])
         	}
         }
         // +patchStrategy=open

charts/vela-core/templates/defwithtemplate/container-ports.yaml

@@ -17,10 +17,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"strconv"
-        	"strings"
-        )
+        import "strconv"
+        import "strings"
+        import "list"
 
         #PatchParams: {
         	// +usage=Specify the name of the target container, if not set, use the component name
@@ -67,7 +66,7 @@ spec:
         			_basePortsMap: {for _basePort in _basePorts {(strings.ToLower(_basePort.protocol) + strconv.FormatInt(_basePort.containerPort, 10)): _basePort}}
         			_portsMap: {for port in _params.ports {(strings.ToLower(port.protocol) + strconv.FormatInt(port.containerPort, 10)): port}}
         			// +patchStrategy=replace
-        			ports: [for portVar in _basePorts {
+        			ports: list.Concat([[for portVar in _basePorts {
         				containerPort: portVar.containerPort
         				protocol:      portVar.protocol
         				name:          portVar.name
@@ -80,7 +79,7 @@ spec:
         						hostIP: _portsMap[_uniqueKey].hostIP
         					}
         				}
-        			}] + [for port in _params.ports if _basePortsMap[strings.ToLower(port.protocol)+strconv.FormatInt(port.containerPort, 10)] == _|_ {
+        			}], [for port in _params.ports if _basePortsMap[strings.ToLower(port.protocol)+strconv.FormatInt(port.containerPort, 10)] == _|_ {
         				if port.containerPort != _|_ {
         					containerPort: port.containerPort
         				}
@@ -93,7 +92,7 @@ spec:
         				if port.hostIP != _|_ {
         					hostIP: port.hostIP
         				}
-        			}]
+        			}]])
         		}
         	}
         }

charts/vela-core/templates/defwithtemplate/create-config.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/config"
-        )
+        import "vela/config"
 
         deploy: config.#CreateConfig & {
         	$params: parameter

charts/vela-core/templates/defwithtemplate/cron-task.yaml

@@ -11,6 +11,8 @@ spec:
   schematic:
     cue:
       template: |
+        import "list"
+
         mountsArray: {
         	pvc: *[
         		for v in parameter.volumeMounts.pvc {
@@ -130,7 +132,7 @@ spec:
         		},
         	] | []
         }
-        volumesList: volumesArray.pvc + volumesArray.configMap + volumesArray.secret + volumesArray.emptyDir + volumesArray.hostPath
+        volumesList: list.Concat([volumesArray.pvc, volumesArray.configMap, volumesArray.secret, volumesArray.emptyDir, volumesArray.hostPath])
         deDupVolumesArray: [
         	for val in [
         		for i, vi in volumesList {

charts/vela-core/templates/defwithtemplate/daemon.yaml

@@ -11,9 +11,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"strconv"
-        )
+        import "strconv"
 
         mountsArray: [
         	if parameter.volumeMounts != _|_ && parameter.volumeMounts.pvc != _|_ for v in parameter.volumeMounts.pvc {

charts/vela-core/templates/defwithtemplate/delete-config.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/config"
-        )
+        import "vela/config"
 
         deploy: config.#DeleteConfig & {
         	$params: parameter

charts/vela-core/templates/defwithtemplate/depends-on-app.yaml

@@ -12,11 +12,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        	"vela/builtin"
-        	"encoding/yaml"
-        )
+        import "vela/kube"
+        import "vela/builtin"
+        import "encoding/yaml"
 
         dependsOn: kube.#Read & {
         	$params: value: {

charts/vela-core/templates/defwithtemplate/deploy-cloud-resource.yaml

@@ -14,9 +14,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"
 
         app: op.#DeployCloudResource & {
         	env:    parameter.env

charts/vela-core/templates/defwithtemplate/deploy.yaml

@@ -14,10 +14,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/multicluster"
-        	"vela/builtin"
-        )
+        import "vela/multicluster"
+        import "vela/builtin"
+
 
         if parameter.auto == false {
         	suspend: builtin.#Suspend & {$params: message: "Waiting approval to the deploy step \"\(context.stepName)\""}

charts/vela-core/templates/defwithtemplate/deploy2env.yaml

@@ -15,9 +15,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"
 
         app: op.#ApplyEnvBindApp & {
         	env:      parameter.env

charts/vela-core/templates/defwithtemplate/deploy2runtime.yaml

@@ -15,9 +15,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"
 
         app: op.#Steps & {
         	load: op.#Load

charts/vela-core/templates/defwithtemplate/env.yaml

@@ -16,6 +16,8 @@ spec:
   schematic:
     cue:
       template: |
+        import "list"
+
         #PatchParams: {
         	// +usage=Specify the name of the target container, if not set, use the component name
         	containerName: *"" | string
@@ -49,7 +51,7 @@ spec:
         		if _baseEnv != _|_ {
         			_baseEnvMap: {for envVar in _baseEnv {(envVar.name): envVar}}
         			// +patchStrategy=replace
-        			env: [for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
+        			env: list.Concat([[for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
         				name: envVar.name
         				if _params.env[envVar.name] != _|_ {
         					value: _params.env[envVar.name]
@@ -62,10 +64,10 @@ spec:
         						valueFrom: envVar.valueFrom
         					}
         				}
-        			}] + [for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
+        			}], [for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
         				name:  k
         				value: v
-        			}]
+        			}]])
         		}
         	}
         }

charts/vela-core/templates/defwithtemplate/export-data.yaml

@@ -14,10 +14,8 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        	"vela/kube"
-        )
+        import "vela/op"
+        import "vela/kube"
 
         object: {
         	apiVersion: "v1"

charts/vela-core/templates/defwithtemplate/export-service.yaml

@@ -14,10 +14,8 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        	"vela/kube"
-        )
+        import "vela/op"
+        import "vela/kube"
 
         meta: {
         	name:      *context.name | string

charts/vela-core/templates/defwithtemplate/export2config.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        )
+        import "vela/kube"
 
         apply: kube.#Apply & {
         	$params: {

charts/vela-core/templates/defwithtemplate/export2secret.yaml

@@ -12,11 +12,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        	"encoding/base64"
-        	"encoding/json"
-        )
+        import "vela/kube"
+        import "encoding/base64"
+        import "encoding/json"
 
         secret: {
         	data: *parameter.data | {}

charts/vela-core/templates/defwithtemplate/expose.yaml

@@ -15,10 +15,8 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"strconv"
-        	"strings"
-        )
+        import "strconv"
+        import "strings"
 
         outputs: service: {
         	apiVersion: "v1"
@@ -96,21 +94,17 @@ spec:
   stage: PostDispatch
   status:
     customStatus: |-
-      message: *"" | string
       service: context.outputs.service
+      message: *"" | string
       if service.spec.type == "ClusterIP" {
       	message: "ClusterIP: \(service.spec.clusterIP)"
       }
       if service.spec.type == "LoadBalancer" {
       	status: service.status
       	isHealth: *false | bool
+      	message: *"ExternalIP: Pending" | string
       	if status != _|_ if status.loadBalancer != _|_ if status.loadBalancer.ingress != _|_ if len(status.loadBalancer.ingress) > 0 if status.loadBalancer.ingress[0].ip != _|_ {
       		isHealth: true
-      	}
-      	if !isHealth {
-      		message: "ExternalIP: Pending"
-      	}
-      	if isHealth {
       		message: "ExternalIP: \(status.loadBalancer.ingress[0].ip)"
       	}
       }

charts/vela-core/templates/defwithtemplate/gateway.yaml

@@ -17,6 +17,7 @@ spec:
       template: |
         import "strconv"
 
+
         let nameSuffix = {
         	if parameter.name != _|_ {"-" + parameter.name}
         	if parameter.name == _|_ {""}
@@ -160,13 +161,17 @@ spec:
         if parameter.name == _|_ { "" }
       }
       let ingressMetaName = context.name + nameSuffix
-      let ig  = [for i in context.outputs if (i.kind == "Ingress") && (i.metadata.name == ingressMetaName) {i}][0]
+      let igList = [for i in context.outputs if (i.kind == "Ingress") && (i.metadata.name == ingressMetaName) {i}]
+      ig: *_|_ | _
+      if len(igList) > 0 {
+        ig: igList[0]
+      }
       igs: *{} | {}
-      if ig != _|_ if ig.status != _|_ if ig.status.loadbalancer != _|_ {
+      if ig != _|_ if ig.status != _|_ if ig.status.loadbalancer != _|_ if len(ig.status.loadbalancer.ingress) > 0 {
         igs: ig.status.loadbalancer.ingress[0]
       }
       igr: *{} | {}
-      if ig != _|_ if ig.spec != _|_  {
+      if ig != _|_ if ig.spec != _|_ if len(ig.spec.rules) > 0 {
         igr: ig.spec.rules[0]
       }
       if igs == _|_ {

charts/vela-core/templates/defwithtemplate/generate-jdbc-connection.yaml

@@ -12,11 +12,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        	"vela/util"
-        	"encoding/base64"
-        )
+        import "vela/kube"
+        import "vela/util"
+        import "encoding/base64"
 
         output: kube.#Read & {
         	$params: value: {

charts/vela-core/templates/defwithtemplate/ingress-1-20.yaml

@@ -69,11 +69,16 @@ spec:
         message: "No loadBalancer found, visiting by using 'vela port-forward " + context.appName + "'\n"
       }
       if len(igs) > 0 {
+        let rules = context.outputs.ingress.spec.rules
+        host: *"" | string
+        if rules != _|_ if len(rules) > 0 if rules[0].host != _|_ {
+      	  host: rules[0].host
+        }
         if igs[0].ip != _|_ {
-      	  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host + ", IP: " + igs[0].ip
+      	  message: "Visiting URL: " + host + ", IP: " + igs[0].ip
         }
         if igs[0].ip == _|_ {
-      	  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host
+      	  message: "Visiting URL: " + host
         }
       }
     healthPolicy: 'isHealth: len(context.outputs.service.spec.clusterIP) > 0'

charts/vela-core/templates/defwithtemplate/ingress.yaml

@@ -62,11 +62,16 @@ spec:
       	message: "No loadBalancer found, visiting by using 'vela port-forward " + context.appName + "'\n"
       }
       if len(igs) > 0 {
+      	let rules = context.outputs.ingress.spec.rules
+      	host: *"" | string
+      	if rules != _|_ if len(rules) > 0 if rules[0].host != _|_ {
+      		host: rules[0].host
+      	}
       	if igs[0].ip != _|_ {
-      		message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host + ", IP: " + igs[0].ip
+      		message: "Visiting URL: " + host + ", IP: " + igs[0].ip
       	}
       	if igs[0].ip == _|_ {
-      		message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host
+      		message: "Visiting URL: " + host
       	}
       }
     healthPolicy: 'isHealth: len(context.outputs.service.spec.clusterIP) > 0'

charts/vela-core/templates/defwithtemplate/init-container.yaml

@@ -17,6 +17,8 @@ spec:
   schematic:
     cue:
       template: |
+        import "list"
+
         patch: spec: template: spec: {
         	// +patchKey=name
         	containers: [{
@@ -43,10 +45,10 @@ spec:
         		}
 
         		// +patchKey=name
-        		volumeMounts: [{
+        		volumeMounts: list.Concat([[{
         			name:      parameter.mountName
         			mountPath: parameter.initMountPath
-        		}] + parameter.extraVolumeMounts
+        		}], parameter.extraVolumeMounts])
         	}]
         	// +patchKey=name
         	volumes: [{

charts/vela-core/templates/defwithtemplate/k8s-objects.yaml

@@ -11,7 +11,12 @@ spec:
   schematic:
     cue:
       template: |
-        output: parameter.objects[0]
+        output: {
+        	if len(parameter.objects) > 0 {
+        		parameter.objects[0]
+        	}
+        	...
+        }
 
         outputs: {
         	for i, v in parameter.objects {

charts/vela-core/templates/defwithtemplate/list-config.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/config"
-        )
+        import "vela/config"
 
         output: config.#ListConfig & {
         	$params: parameter

charts/vela-core/templates/defwithtemplate/nocalhost.yaml

@@ -19,9 +19,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"encoding/json"
-        )
+        import "encoding/json"
 
         outputs: nocalhostService: {
         	apiVersion: "v1"

charts/vela-core/templates/defwithtemplate/notification.yaml

@@ -12,14 +12,12 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/http"
-        	"vela/email"
-        	"vela/kube"
-        	"vela/util"
-        	"encoding/base64"
-        	"encoding/json"
-        )
+        import "vela/http"
+        import "vela/email"
+        import "vela/kube"
+        import "vela/util"
+        import "encoding/base64"
+        import "encoding/json"
 
         parameter: {
         	// +usage=Please fulfill its url and message if you want to send Lark messages

charts/vela-core/templates/defwithtemplate/print-message-in-status.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/builtin"
-        )
+        import "vela/builtin"
 
         parameter: message: string
 

charts/vela-core/templates/defwithtemplate/pure-ingress.yaml

@@ -49,11 +49,16 @@ spec:
       	message: "No loadBalancer found, visiting by using 'vela port-forward " + context.appName + " --route'\n"
       }
       if len(igs) > 0 {
+      	let rules = context.outputs.ingress.spec.rules
+      	host: *"" | string
+      	if rules != _|_ if len(rules) > 0 if rules[0].host != _|_ {
+      		host: rules[0].host
+      	}
       	if igs[0].ip != _|_ {
-      		message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host + ", IP: " + igs[0].ip
+      		message: "Visiting URL: " + host + ", IP: " + igs[0].ip
       	}
       	if igs[0].ip == _|_ {
-      		message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host
+      		message: "Visiting URL: " + host
       	}
       }
   workloadRefPath: ""

charts/vela-core/templates/defwithtemplate/read-config.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/config"
-        )
+        import "vela/config"
 
         output: config.#ReadConfig & {
         	$params: parameter

charts/vela-core/templates/defwithtemplate/read-object.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        )
+        import "vela/kube"
 
         output: kube.#Read & {
         	$params: {

charts/vela-core/templates/defwithtemplate/request.yaml

@@ -13,11 +13,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        	"vela/http"
-        	"encoding/json"
-        )
+        import "vela/op"
+        import "vela/http"
+        import "encoding/json"
 
         req: http.#HTTPDo & {
         	$params: {

charts/vela-core/templates/defwithtemplate/share-cloud-resource.yaml

@@ -14,9 +14,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"
 
         app: op.#ShareCloudResource & {
         	env:        parameter.env

charts/vela-core/templates/defwithtemplate/statefulset.yaml

@@ -11,10 +11,8 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"strconv"
-        	"strings"
-        )
+        import "strconv"
+        import "strings"
 
         mountsArray: [
         	if parameter.volumeMounts != _|_ if parameter.volumeMounts.pvc != _|_ for v in parameter.volumeMounts.pvc {

charts/vela-core/templates/defwithtemplate/suspend.yaml

@@ -12,9 +12,7 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/builtin"
-        )
+        import "vela/builtin"
 
         suspend: builtin.#Suspend & {
         	$params: parameter

charts/vela-core/templates/defwithtemplate/vela-cli.yaml

@@ -12,11 +12,9 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/kube"
-        	"vela/builtin"
-        	"vela/util"
-        )
+        import "vela/kube"
+        import "vela/builtin"
+        import "vela/util"
 
         mountsArray: [
         	if parameter.storage != _|_ && parameter.storage.secret != _|_ for v in parameter.storage.secret {
@@ -126,8 +124,6 @@ spec:
         }
 
         parameter: {
-        	// +usage=Specify the name of the addon.
-        	addonName: string
         	// +usage=Specify the vela command
         	command: [...string]
         	// +usage=Specify the image

charts/vela-core/templates/defwithtemplate/webhook.yaml

@@ -12,13 +12,11 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"vela/http"
-        	"vela/kube"
-        	"vela/util"
-        	"encoding/json"
-        	"encoding/base64"
-        )
+        import "vela/http"
+        import "vela/kube"
+        import "vela/util"
+        import "encoding/json"
+        import "encoding/base64"
 
         data: {
         	if parameter.data == _|_ {

charts/vela-core/templates/defwithtemplate/webservice.yaml

@@ -11,10 +11,8 @@ spec:
   schematic:
     cue:
       template: |
-        import (
-        	"strconv"
-        	"strings"
-        )
+        import "strconv"
+        import "strings"
 
         mountsArray: [
         	if parameter.volumeMounts != _|_ && parameter.volumeMounts.pvc != _|_ for v in parameter.volumeMounts.pvc {

charts/vela-core/templates/kubevela-controller.yaml

@@ -313,6 +313,7 @@ spec:
             - "--feature-gates=DisableWorkflowContextConfigMapCache={{- .Values.featureGates.disableWorkflowContextConfigMapCache | toString -}}"
             - "--feature-gates=EnableCueValidation={{- .Values.featureGates.enableCueValidation | toString -}}"
             - "--feature-gates=EnableApplicationStatusMetrics={{- .Values.featureGates.enableApplicationStatusMetrics | toString -}}"
+            - "--feature-gates=ValidateResourcesExist={{- .Values.featureGates.validateResourcesExist | toString -}}"
             - "--feature-gates=ValidateDefinitionPermissions={{ .Values.authorization.definitionValidationEnabled | toString -}}"
             {{ if .Values.authentication.enabled }}
             {{ if .Values.authentication.withUser }}
@@ -327,6 +328,7 @@ spec:
             - "--feature-gates=ValidateComponentWhenSharding={{- .Values.featureGates.validateComponentWhenSharding | toString -}}"
             - "--feature-gates=DisableWebhookAutoSchedule={{- .Values.featureGates.disableWebhookAutoSchedule | toString -}}"
             {{ end }}
+            - "--dev-logs={{ .Values.devLogs }}"
           image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
           imagePullPolicy: {{ quote .Values.image.pullPolicy }}
           resources:

charts/vela-core/values.yaml

@@ -125,6 +125,7 @@ optimize:
 ##@param featureGates.disableWorkflowContextConfigMapCache disable the workflow context's configmap informer cache
 ##@param featureGates.enableCueValidation enable the strict cue validation for cue required parameter fields
 ##@param featureGates.enableApplicationStatusMetrics enable application status metrics and structured logging
+##@param featureGates.validateResourcesExist enable webhook validation to check if resource types referenced in definition templates exist in the cluster
 ##@param
 featureGates:
   gzipResourceTracker: false
@@ -142,6 +143,7 @@ featureGates:
   disableWorkflowContextConfigMapCache: true
   enableCueValidation: false
   enableApplicationStatusMetrics: false
+  validateResourcesExist: false
 
 ## @section MultiCluster parameters
 
@@ -256,6 +258,9 @@ rbac:
 ## @param logDebug Enable debug logs for development purpose
 logDebug: false
 
+## @param devLogs Enable formatted logging support for development purpose
+devLogs: false
+
 ## @param logFilePath If non-empty, write log files in this path
 logFilePath: ""
 

cmd/core/app/color_writer.go

@@ -0,0 +1,580 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"bytes"
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"io"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"sync"
+	"unicode"
+)
+
+const (
+	ansiReset    = "\x1b[0m"
+	ansiDate     = "\x1b[36m"
+	ansiInfo     = "\x1b[32m"
+	ansiWarn     = "\x1b[33m"
+	ansiError    = "\x1b[31m"
+	ansiFatal    = "\x1b[35m"
+	ansiDebug    = "\x1b[34m"
+	ansiThread   = "\x1b[34m"
+	ansiLocation = "\x1b[93m"
+	ansiMessage  = "\x1b[97m"
+	ansiKey      = "\x1b[96m"
+	ansiValue    = "\x1b[37m"
+)
+
+var methodPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`(?i)\b(?:caller|func|function|method)\s*[:=]\s*"?([a-zA-Z0-9_./()*-]+)`),
+}
+
+var srcIdx = newSourceIndex()
+
+type colorWriter struct {
+	dst io.Writer
+	mu  sync.Mutex
+	buf bytes.Buffer
+}
+
+func newColorWriter(dst io.Writer) io.Writer {
+	return &colorWriter{dst: dst}
+}
+
+func (w *colorWriter) Write(p []byte) (int, error) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	written := 0
+	for len(p) > 0 {
+		idx := bytes.IndexByte(p, '\n')
+		if idx == -1 {
+			_, _ = w.buf.Write(p)
+			written += len(p)
+			break
+		}
+		_, _ = w.buf.Write(p[:idx])
+		if err := w.flushLineLocked(); err != nil {
+			written += idx
+			return written, err
+		}
+		if _, err := w.dst.Write([]byte{'\n'}); err != nil {
+			written += idx + 1
+			return written, err
+		}
+		p = p[idx+1:]
+		written += idx + 1
+	}
+	return written, nil
+}
+
+func (w *colorWriter) flushLineLocked() error {
+	if w.buf.Len() == 0 {
+		return nil
+	}
+	line := w.buf.String()
+	w.buf.Reset()
+	_, err := io.WriteString(w.dst, formatColoredLine(line))
+	return err
+}
+
+func formatColoredLine(line string) string {
+	if len(line) == 0 {
+		return line
+	}
+	severity := line[0]
+	rest := line[1:]
+	headerEnd := strings.IndexByte(rest, ']')
+	if headerEnd == -1 {
+		return line
+	}
+	header := rest[:headerEnd]
+	remainder := strings.TrimSpace(rest[headerEnd+1:])
+	fields := strings.Fields(header)
+	if len(fields) < 4 {
+		return line
+	}
+
+	date := fields[0]
+	ts := fields[1]
+	pid := strings.TrimSpace(fields[2])
+	rawLocation := strings.Join(fields[3:], " ")
+	level, levelColor := mapSeverity(severity)
+	location := buildLocation(rawLocation, remainder)
+
+	sb := strings.Builder{}
+	sb.Grow(len(line) + 32)
+
+	sb.WriteString(ansiDate)
+	sb.WriteString("[")
+	sb.WriteString(formatTimestamp(date, ts))
+	sb.WriteString("]")
+	sb.WriteString(ansiReset)
+	sb.WriteString(" ")
+
+	sb.WriteString(levelColor)
+	sb.WriteString("[")
+	sb.WriteString(fmt.Sprintf("%-5s", level))
+	sb.WriteString("]")
+	sb.WriteString(ansiReset)
+	sb.WriteString(" ")
+
+	sb.WriteString(ansiThread)
+	sb.WriteString("[")
+	sb.WriteString(pid)
+	sb.WriteString("]")
+	sb.WriteString(ansiReset)
+	sb.WriteString(" ")
+
+	sb.WriteString(ansiLocation)
+	sb.WriteString("[")
+	sb.WriteString(location)
+	sb.WriteString("]")
+	sb.WriteString(ansiReset)
+
+	if remainder != "" {
+		msg, fields := splitMessageAndFields(remainder)
+		if msg != "" {
+			sb.WriteString(" ")
+			sb.WriteString(ansiMessage)
+			sb.WriteString(msg)
+			sb.WriteString(ansiReset)
+		}
+		for _, field := range fields {
+			sb.WriteString(" ")
+			sb.WriteString(ansiKey)
+			sb.WriteString(field.key)
+			sb.WriteString(ansiReset)
+			sb.WriteString("=")
+			sb.WriteString(ansiValue)
+			sb.WriteString(field.renderValue())
+			sb.WriteString(ansiReset)
+		}
+	}
+
+	return sb.String()
+}
+
+func mapSeverity(s byte) (string, string) {
+	switch s {
+	case 'I':
+		return "INFO", ansiInfo
+	case 'W':
+		return "WARN", ansiWarn
+	case 'E':
+		return "ERROR", ansiError
+	case 'F':
+		return "FATAL", ansiFatal
+	case 'D':
+		return "DEBUG", ansiDebug
+	default:
+		return string(s), ansiDebug
+	}
+}
+
+func formatTimestamp(date, ts string) string {
+	if len(date) == 4 {
+		return fmt.Sprintf("%s-%s %s", date[:2], date[2:], trimMicros(ts))
+	}
+	return strings.TrimSpace(date + " " + trimMicros(ts))
+}
+
+func trimMicros(ts string) string {
+	if dot := strings.IndexByte(ts, '.'); dot != -1 && len(ts) > dot+4 {
+		return ts[:dot+4]
+	}
+	return ts
+}
+
+func buildLocation(rawLocation, remainder string) string {
+	file, line := splitFileAndLine(rawLocation)
+	method := lookupMethod(file, line)
+	if method == "" {
+		method = extractMethodName(remainder)
+	}
+	if file == "" {
+		return rawLocation
+	}
+	if method == "" {
+		if line != "" {
+			return fmt.Sprintf("%s:%s", file, line)
+		}
+		return file
+	}
+	if line == "" {
+		return fmt.Sprintf("%s:%s", file, method)
+	}
+	return fmt.Sprintf("%s:%s:%s", file, method, line)
+}
+
+func splitFileAndLine(raw string) (string, string) {
+	trimmed := strings.TrimSpace(raw)
+	if trimmed == "" {
+		return "", ""
+	}
+	lastColon := strings.LastIndex(trimmed, ":")
+	if lastColon == -1 {
+		return trimmed, ""
+	}
+	return strings.TrimSpace(trimmed[:lastColon]), strings.TrimSpace(trimmed[lastColon+1:])
+}
+
+type kvField struct {
+	key    string
+	value  string
+	quoted bool
+}
+
+func (f kvField) renderValue() string {
+	if f.quoted {
+		return fmt.Sprintf("\"%s\"", f.value)
+	}
+	return f.value
+}
+
+func splitMessageAndFields(s string) (string, []kvField) {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return "", nil
+	}
+	idx := findFirstKVIndex(s)
+	if idx == -1 {
+		return s, nil
+	}
+	msg := strings.TrimSpace(s[:idx])
+	fields := parseKeyValues(s[idx:])
+	return msg, fields
+}
+
+func findFirstKVIndex(s string) int {
+	inQuotes := false
+	for i := 0; i < len(s); i++ {
+		ch := s[i]
+		if ch == '"' {
+			if i == 0 || s[i-1] != '\\' {
+				inQuotes = !inQuotes
+			}
+			continue
+		}
+		if inQuotes {
+			continue
+		}
+		if ch == '=' {
+			keyEnd := i
+			keyStart := keyEnd - 1
+			for keyStart >= 0 && !unicode.IsSpace(rune(s[keyStart])) {
+				keyStart--
+			}
+			key := strings.TrimSpace(s[keyStart+1 : keyEnd])
+			if isValidKey(key) {
+				return keyStart + 1
+			}
+		}
+	}
+	return -1
+}
+
+func parseKeyValues(s string) []kvField {
+	fields := make([]kvField, 0)
+	i := 0
+	for i < len(s) {
+		for i < len(s) && unicode.IsSpace(rune(s[i])) {
+			i++
+		}
+		if i >= len(s) {
+			break
+		}
+		keyStart := i
+		for i < len(s) && s[i] != '=' && !unicode.IsSpace(rune(s[i])) {
+			i++
+		}
+		keyEnd := i
+		for keyEnd > keyStart && unicode.IsSpace(rune(s[keyEnd-1])) {
+			keyEnd--
+		}
+		if i >= len(s) || s[i] != '=' {
+			for i < len(s) && !unicode.IsSpace(rune(s[i])) {
+				i++
+			}
+			continue
+		}
+		key := s[keyStart:keyEnd]
+		if !isValidKey(key) {
+			i++
+			continue
+		}
+		i++
+		for i < len(s) && unicode.IsSpace(rune(s[i])) {
+			i++
+		}
+		if i >= len(s) {
+			fields = append(fields, kvField{key: key, value: "", quoted: false})
+			break
+		}
+		quoted := false
+		var value string
+		if s[i] == '"' {
+			quoted = true
+			i++
+			start := i
+			for i < len(s) {
+				if s[i] == '"' && (i == start || s[i-1] != '\\') {
+					break
+				}
+				i++
+			}
+			value = s[start:i]
+			if i < len(s) && s[i] == '"' {
+				i++
+			}
+		} else {
+			start := i
+			for i < len(s) && !unicode.IsSpace(rune(s[i])) {
+				i++
+			}
+			value = s[start:i]
+		}
+		fields = append(fields, kvField{key: key, value: value, quoted: quoted})
+	}
+	return fields
+}
+
+func isValidKey(key string) bool {
+	if key == "" {
+		return false
+	}
+	for _, r := range key {
+		if unicode.IsLetter(r) || unicode.IsDigit(r) || r == '_' || r == '-' || r == '.' {
+			continue
+		}
+		return false
+	}
+	return true
+}
+
+func extractMethodName(remainder string) string {
+	if remainder == "" {
+		return ""
+	}
+	for _, pattern := range methodPatterns {
+		if matches := pattern.FindStringSubmatch(remainder); len(matches) > 1 {
+			return simplifyMethodName(matches[1])
+		}
+	}
+	return ""
+}
+
+func simplifyMethodName(name string) string {
+	if name == "" {
+		return ""
+	}
+	name = strings.Trim(name, "\"' ")
+	if idx := strings.LastIndex(name, "/"); idx != -1 {
+		name = name[idx+1:]
+	}
+	return name
+}
+
+func lookupMethod(file, line string) string {
+	if file == "" || line == "" {
+		return ""
+	}
+	ln, err := strconv.Atoi(line)
+	if err != nil || ln <= 0 {
+		return ""
+	}
+	return srcIdx.functionAt(file, ln)
+}
+
+type funcInfo struct {
+	name      string
+	startLine int
+	endLine   int
+}
+
+type fileCache struct {
+	once  sync.Once
+	funcs []funcInfo
+}
+
+type sourceIndex struct {
+	mu    sync.Mutex
+	files map[string]*fileCache
+}
+
+func newSourceIndex() *sourceIndex {
+	return &sourceIndex{files: make(map[string]*fileCache)}
+}
+
+func (s *sourceIndex) functionAt(base string, line int) string {
+	s.mu.Lock()
+	cache, ok := s.files[base]
+	if !ok {
+		cache = &fileCache{}
+		s.files[base] = cache
+	}
+	s.mu.Unlock()
+
+	cache.once.Do(func() {
+		cache.funcs = loadFunctionsFor(base)
+	})
+	for _, fn := range cache.funcs {
+		if line >= fn.startLine && line <= fn.endLine {
+			return fn.name
+		}
+	}
+	return ""
+}
+
+func loadFunctionsFor(base string) []funcInfo {
+	paths := findSourceFiles(base)
+	if len(paths) == 0 {
+		return nil
+	}
+	infos := make([]funcInfo, 0, len(paths)*4)
+	for _, path := range paths {
+		fset := token.NewFileSet()
+		fileAst, err := parser.ParseFile(fset, path, nil, 0)
+		if err != nil {
+			continue
+		}
+		for _, decl := range fileAst.Decls {
+			fn, ok := decl.(*ast.FuncDecl)
+			if !ok || fn.Name == nil {
+				continue
+			}
+			start := fset.Position(fn.Pos()).Line
+			end := fset.Position(fn.End()).Line
+			name := fn.Name.Name
+			if recv := receiverType(fn); recv != "" {
+				name = fmt.Sprintf("%s.%s", recv, name)
+			}
+			infos = append(infos, funcInfo{name: name, startLine: start, endLine: end})
+		}
+	}
+	return infos
+}
+
+func receiverType(fn *ast.FuncDecl) string {
+	if fn.Recv == nil || len(fn.Recv.List) == 0 {
+		return ""
+	}
+	return typeString(fn.Recv.List[0].Type)
+}
+
+func typeString(expr ast.Expr) string {
+	switch v := expr.(type) {
+	case *ast.Ident:
+		return v.Name
+	case *ast.StarExpr:
+		return typeString(v.X)
+	case *ast.SelectorExpr:
+		return v.Sel.Name
+	case *ast.IndexExpr:
+		return typeString(v.X)
+	case *ast.IndexListExpr:
+		return typeString(v.X)
+	case *ast.ParenExpr:
+		return typeString(v.X)
+	default:
+		return ""
+	}
+}
+
+var (
+	searchRootsOnce sync.Once
+	cachedRoots     []string
+)
+
+func findSourceFiles(base string) []string {
+	matches := make([]string, 0)
+	seen := make(map[string]struct{})
+	for _, root := range sourceRoots() {
+		if root == "" {
+			continue
+		}
+		lookupFilesInRoot(root, base, seen, &matches)
+	}
+	return matches
+}
+
+func sourceRoots() []string {
+	searchRootsOnce.Do(func() {
+		roots := make([]string, 0, 4)
+		if env := os.Getenv("VELA_SOURCE_ROOT"); env != "" {
+			for _, item := range strings.Split(env, string(os.PathListSeparator)) {
+				if trimmed := strings.TrimSpace(item); trimmed != "" {
+					roots = append(roots, trimmed)
+				}
+			}
+		}
+		if cwd, err := os.Getwd(); err == nil {
+			roots = append(roots, cwd)
+		}
+		cachedRoots = dedupeStrings(roots)
+	})
+	return cachedRoots
+}
+
+func lookupFilesInRoot(root, base string, seen map[string]struct{}, matches *[]string) {
+	_ = filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			// Continue scanning on error.
+			//nolint:nilerr
+			return nil
+		}
+		if d.IsDir() {
+			name := d.Name()
+			if name == "vendor" || name == "node_modules" || strings.HasPrefix(name, ".") {
+				if root == path {
+					return nil
+				}
+				return filepath.SkipDir
+			}
+			return nil
+		}
+		if d.Name() == base {
+			if _, ok := seen[path]; !ok {
+				seen[path] = struct{}{}
+				*matches = append(*matches, path)
+			}
+		}
+		return nil
+	})
+}
+
+func dedupeStrings(in []string) []string {
+	seen := make(map[string]struct{}, len(in))
+	out := make([]string, 0, len(in))
+	for _, v := range in {
+		if _, ok := seen[v]; ok {
+			continue
+		}
+		seen[v] = struct{}{}
+		out = append(out, v)
+	}
+	return out
+}

cmd/core/app/config/admission.go

@@ -0,0 +1,38 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"github.com/spf13/pflag"
+
+	standardcontroller "github.com/oam-dev/kubevela/pkg/controller"
+)
+
+// AdmissionConfig contains admission control configuration.
+type AdmissionConfig struct {
+	// Fields will be populated based on what standardcontroller.AddAdmissionFlags sets
+}
+
+// NewAdmissionConfig creates a new AdmissionConfig with defaults.
+func NewAdmissionConfig() *AdmissionConfig {
+	return &AdmissionConfig{}
+}
+
+// AddFlags registers admission configuration flags.
+func (c *AdmissionConfig) AddFlags(fs *pflag.FlagSet) {
+	standardcontroller.AddAdmissionFlags(fs)
+}

cmd/core/app/config/application.go

@@ -0,0 +1,56 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"time"
+
+	"github.com/spf13/pflag"
+
+	commonconfig "github.com/oam-dev/kubevela/pkg/controller/common"
+)
+
+// ApplicationConfig contains application-specific configuration.
+type ApplicationConfig struct {
+	ReSyncPeriod time.Duration
+}
+
+// NewApplicationConfig creates a new ApplicationConfig with defaults.
+func NewApplicationConfig() *ApplicationConfig {
+	return &ApplicationConfig{
+		ReSyncPeriod: commonconfig.ApplicationReSyncPeriod,
+	}
+}
+
+// AddFlags registers application configuration flags.
+func (c *ApplicationConfig) AddFlags(fs *pflag.FlagSet) {
+	fs.DurationVar(&c.ReSyncPeriod,
+		"application-re-sync-period",
+		c.ReSyncPeriod,
+		"Re-sync period for application to re-sync, also known as the state-keep interval.")
+}
+
+// SyncToApplicationGlobals syncs the parsed configuration values to application package global variables.
+// This should be called after flag parsing to ensure the application controller uses the configured values.
+//
+// NOTE: This method exists for backward compatibility with legacy code that depends on global
+// variables in the commonconfig package. Ideally, configuration should be injected rather than using globals.
+//
+// The flow is: CLI flags -> ApplicationConfig struct fields -> commonconfig globals (via this method)
+func (c *ApplicationConfig) SyncToApplicationGlobals() {
+	commonconfig.ApplicationReSyncPeriod = c.ReSyncPeriod
+}

cmd/core/app/config/client.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	pkgclient "github.com/kubevela/pkg/controller/client"
+	"github.com/spf13/pflag"
+)
+
+// ClientConfig contains controller client configuration.
+// This wraps the external package's client configuration flags.
+type ClientConfig struct {
+	// Note: The actual configuration is managed by the pkgclient package
+	// This is a wrapper to maintain consistency with our config pattern
+}
+
+// NewClientConfig creates a new ClientConfig with defaults.
+func NewClientConfig() *ClientConfig {
+	return &ClientConfig{}
+}
+
+// AddFlags registers client configuration flags.
+// Delegates to the external package's flag registration.
+func (c *ClientConfig) AddFlags(fs *pflag.FlagSet) {
+	pkgclient.AddTimeoutControllerClientFlags(fs)
+}

cmd/core/app/config/controller.go

@@ -0,0 +1,67 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"github.com/spf13/pflag"
+
+	oamcontroller "github.com/oam-dev/kubevela/pkg/controller/core.oam.dev"
+)
+
+// ControllerConfig wraps the oamcontroller.Args configuration.
+// While this appears to duplicate the Args struct, it serves as the new home for
+// controller flag registration after the AddFlags method was moved here from
+// the oamcontroller package during refactoring.
+type ControllerConfig struct {
+	// Embed the existing Args struct to reuse its fields
+	oamcontroller.Args
+}
+
+// NewControllerConfig creates a new ControllerConfig with defaults.
+func NewControllerConfig() *ControllerConfig {
+	return &ControllerConfig{
+		Args: oamcontroller.Args{
+			RevisionLimit:                                50,
+			AppRevisionLimit:                             10,
+			DefRevisionLimit:                             20,
+			AutoGenWorkloadDefinition:                    true,
+			ConcurrentReconciles:                         4,
+			IgnoreAppWithoutControllerRequirement:        false,
+			IgnoreDefinitionWithoutControllerRequirement: false,
+		},
+	}
+}
+
+// AddFlags registers controller configuration flags.
+// This method was moved here from oamcontroller.Args during refactoring
+// to centralize configuration management.
+func (c *ControllerConfig) AddFlags(fs *pflag.FlagSet) {
+	fs.IntVar(&c.RevisionLimit, "revision-limit", c.RevisionLimit,
+		"RevisionLimit is the maximum number of revisions that will be maintained. The default value is 50.")
+	fs.IntVar(&c.AppRevisionLimit, "application-revision-limit", c.AppRevisionLimit,
+		"application-revision-limit is the maximum number of application useless revisions that will be maintained, if the useless revisions exceed this number, older ones will be GCed first.The default value is 10.")
+	fs.IntVar(&c.DefRevisionLimit, "definition-revision-limit", c.DefRevisionLimit,
+		"definition-revision-limit is the maximum number of component/trait definition useless revisions that will be maintained, if the useless revisions exceed this number, older ones will be GCed first.The default value is 20.")
+	fs.BoolVar(&c.AutoGenWorkloadDefinition, "autogen-workload-definition", c.AutoGenWorkloadDefinition,
+		"Automatic generated workloadDefinition which componentDefinition refers to.")
+	fs.IntVar(&c.ConcurrentReconciles, "concurrent-reconciles", c.ConcurrentReconciles,
+		"concurrent-reconciles is the concurrent reconcile number of the controller. The default value is 4")
+	fs.BoolVar(&c.IgnoreAppWithoutControllerRequirement, "ignore-app-without-controller-version", c.IgnoreAppWithoutControllerRequirement,
+		"If true, application controller will not process the app without 'app.oam.dev/controller-version-require' annotation")
+	fs.BoolVar(&c.IgnoreDefinitionWithoutControllerRequirement, "ignore-definition-without-controller-version", c.IgnoreDefinitionWithoutControllerRequirement,
+		"If true, trait/component/workflowstep definition controller will not process the definition without 'definition.oam.dev/controller-version-require' annotation")
+}

cmd/core/app/config/cue.go

@@ -0,0 +1,61 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"github.com/kubevela/pkg/cue/cuex"
+	"github.com/spf13/pflag"
+)
+
+// CUEConfig contains CUE language configuration.
+type CUEConfig struct {
+	EnableExternalPackage      bool
+	EnableExternalPackageWatch bool
+}
+
+// NewCUEConfig creates a new CUEConfig with defaults.
+func NewCUEConfig() *CUEConfig {
+	return &CUEConfig{
+		EnableExternalPackage:      cuex.EnableExternalPackageForDefaultCompiler,
+		EnableExternalPackageWatch: cuex.EnableExternalPackageWatchForDefaultCompiler,
+	}
+}
+
+// AddFlags registers CUE configuration flags.
+func (c *CUEConfig) AddFlags(fs *pflag.FlagSet) {
+	fs.BoolVar(&c.EnableExternalPackage,
+		"enable-external-package-for-default-compiler",
+		c.EnableExternalPackage,
+		"Enable loading third-party CUE packages into the default CUE compiler. When enabled, external CUE packages can be imported and used in CUE templates.")
+	fs.BoolVar(&c.EnableExternalPackageWatch,
+		"enable-external-package-watch-for-default-compiler",
+		c.EnableExternalPackageWatch,
+		"Enable watching for changes in external CUE packages and automatically reload them when modified. Requires enable-external-package-for-default-compiler to be enabled.")
+}
+
+// SyncToCUEGlobals syncs the parsed configuration values to CUE package global variables.
+// This should be called after flag parsing to ensure the CUE compiler uses the configured values.
+//
+// NOTE: This method exists for backward compatibility with legacy code that depends on global
+// variables in the cuex package. Ideally, the CUE compiler configuration should be injected
+// rather than relying on globals.
+//
+// The flow is: CLI flags -> CUEConfig struct fields -> cuex globals (via this method)
+func (c *CUEConfig) SyncToCUEGlobals() {
+	cuex.EnableExternalPackageForDefaultCompiler = c.EnableExternalPackage
+	cuex.EnableExternalPackageWatchForDefaultCompiler = c.EnableExternalPackageWatch
+}

cmd/core/app/config/feature.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"github.com/spf13/pflag"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+)
+
+// FeatureConfig contains feature gate configuration.
+// This wraps the Kubernetes feature gate system.
+type FeatureConfig struct {
+	// Note: The actual configuration is managed by the utilfeature package
+	// This is a wrapper to maintain consistency with our config pattern
+}
+
+// NewFeatureConfig creates a new FeatureConfig with defaults.
+func NewFeatureConfig() *FeatureConfig {
+	return &FeatureConfig{}
+}
+
+// AddFlags registers feature gate configuration flags.
+// Delegates to the Kubernetes feature gate system.
+func (c *FeatureConfig) AddFlags(fs *pflag.FlagSet) {
+	utilfeature.DefaultMutableFeatureGate.AddFlag(fs)
+}

cmd/core/app/config/klog.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	utillog "github.com/kubevela/pkg/util/log"
+	"github.com/spf13/pflag"
+)
+
+// KLogConfig contains klog configuration.
+// This wraps the Kubernetes logging configuration.
+type KLogConfig struct {
+	// Reference to observability config for log settings
+	observability *ObservabilityConfig
+}
+
+// NewKLogConfig creates a new KLogConfig.
+func NewKLogConfig(observability *ObservabilityConfig) *KLogConfig {
+	return &KLogConfig{
+		observability: observability,
+	}
+}
+
+// AddFlags registers klog configuration flags.
+func (c *KLogConfig) AddFlags(fs *pflag.FlagSet) {
+	// Add base klog flags
+	utillog.AddFlags(fs)
+}

cmd/core/app/config/kubernetes.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"time"
+
+	"github.com/spf13/pflag"
+)
+
+// KubernetesConfig contains Kubernetes API client configuration.
+type KubernetesConfig struct {
+	QPS                float64
+	Burst              int
+	InformerSyncPeriod time.Duration
+}
+
+// NewKubernetesConfig creates a new KubernetesConfig with defaults.
+func NewKubernetesConfig() *KubernetesConfig {
+	return &KubernetesConfig{
+		QPS:                50,
+		Burst:              100,
+		InformerSyncPeriod: 10 * time.Hour,
+	}
+}
+
+// AddFlags registers Kubernetes configuration flags.
+func (c *KubernetesConfig) AddFlags(fs *pflag.FlagSet) {
+	fs.Float64Var(&c.QPS, "kube-api-qps", c.QPS,
+		"the qps for reconcile clients. Low qps may lead to low throughput. High qps may give stress to api-server. Raise this value if concurrent-reconciles is set to be high.")
+	fs.IntVar(&c.Burst, "kube-api-burst", c.Burst,
+		"the burst for reconcile clients. Recommend setting it qps*2.")
+	fs.DurationVar(&c.InformerSyncPeriod, "informer-sync-period", c.InformerSyncPeriod,
+		"The re-sync period for informer in controller-runtime. This is a system-level configuration.")
+}

cmd/core/app/config/multicluster.go

@@ -0,0 +1,53 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"time"
+
+	pkgmulticluster "github.com/kubevela/pkg/multicluster"
+	"github.com/spf13/pflag"
+)
+
+// MultiClusterConfig contains multi-cluster configuration.
+type MultiClusterConfig struct {
+	EnableClusterGateway   bool
+	EnableClusterMetrics   bool
+	ClusterMetricsInterval time.Duration
+}
+
+// NewMultiClusterConfig creates a new MultiClusterConfig with defaults.
+func NewMultiClusterConfig() *MultiClusterConfig {
+	return &MultiClusterConfig{
+		EnableClusterGateway:   false,
+		EnableClusterMetrics:   false,
+		ClusterMetricsInterval: 15 * time.Second,
+	}
+}
+
+// AddFlags registers multi-cluster configuration flags.
+func (c *MultiClusterConfig) AddFlags(fs *pflag.FlagSet) {
+	fs.BoolVar(&c.EnableClusterGateway, "enable-cluster-gateway", c.EnableClusterGateway,
+		"Enable cluster-gateway to use multicluster, disabled by default.")
+	fs.BoolVar(&c.EnableClusterMetrics, "enable-cluster-metrics", c.EnableClusterMetrics,
+		"Enable cluster-metrics-management to collect metrics from clusters with cluster-gateway, disabled by default. When this param is enabled, enable-cluster-gateway should be enabled")
+	fs.DurationVar(&c.ClusterMetricsInterval, "cluster-metrics-interval", c.ClusterMetricsInterval,
+		"The interval that ClusterMetricsMgr will collect metrics from clusters, default value is 15 seconds.")
+
+	// Also register additional multicluster flags from external package
+	pkgmulticluster.AddFlags(fs)
+}