xds: update envoy and udpa to later versions to get agentless changes (#7122)

2020-06-12 09:44:40 -07:00 · 2020-06-12 09:44:40 -07:00 · 4077414e23
parent 7f3a602255
commit 4077414e23
105 changed files with 2284 additions and 1294 deletions
--- a/xds/third_party/envoy/import.sh
+++ b/xds/third_party/envoy/import.sh
@ -18,7 +18,7 @@
 set -e
 BRANCH=master
 # import VERSION from one of the google internal CLs
-VERSION=b16ce6d5ea0d2da73e764d145623e7367dc59ed3
+VERSION=440899714143b6a143917cbd8e3f0ccba0847cd4
 GIT_REPO="https://github.com/envoyproxy/envoy.git"
 GIT_BASE_DIR=envoy
 SOURCE_PROTO_BASE_DIR=envoy/api
@ -27,6 +27,9 @@ FILES=(
 envoy/annotations/deprecation.proto
 envoy/annotations/resource.proto
 envoy/api/v2/auth/cert.proto
 envoy/api/v2/auth/common.proto
 envoy/api/v2/auth/secret.proto
 envoy/api/v2/auth/tls.proto
 envoy/api/v2/cds.proto
 envoy/api/v2/cluster.proto
 envoy/api/v2/cluster/circuit_breaker.proto
@ -36,6 +39,7 @@ envoy/api/v2/core/address.proto
 envoy/api/v2/core/backoff.proto
 envoy/api/v2/core/base.proto
 envoy/api/v2/core/config_source.proto
 envoy/api/v2/core/event_service_config.proto
 envoy/api/v2/core/grpc_service.proto
 envoy/api/v2/core/health_check.proto
 envoy/api/v2/core/http_uri.proto
@ -67,10 +71,13 @@ envoy/config/core/v3/address.proto
 envoy/config/core/v3/backoff.proto
 envoy/config/core/v3/base.proto
 envoy/config/core/v3/config_source.proto
 envoy/config/core/v3/event_service_config.proto
 envoy/config/core/v3/extension.proto
 envoy/config/core/v3/grpc_service.proto
 envoy/config/core/v3/health_check.proto
 envoy/config/core/v3/http_uri.proto
 envoy/config/core/v3/protocol.proto
 envoy/config/core/v3/proxy_protocol.proto
 envoy/config/core/v3/socket_option.proto
 envoy/config/endpoint/v3/endpoint.proto
 envoy/config/endpoint/v3/endpoint_components.proto
@ -84,9 +91,19 @@ envoy/config/listener/v3/listener.proto
 envoy/config/listener/v3/listener_components.proto
 envoy/config/listener/v3/udp_listener_config.proto
 envoy/config/route/v3/route_components.proto
 envoy/config/trace/v2/http_tracer.proto
 envoy/config/trace/v2/trace.proto
 envoy/config/trace/v2/datadog.proto
 envoy/config/trace/v2/dynamic_ot.proto
 envoy/config/trace/v2/lightstep.proto
 envoy/config/trace/v2/opencensus.proto
 envoy/config/trace/v2/service.proto
 envoy/config/trace/v2/zipkin.proto
 envoy/config/rbac/v2/rbac.proto
 envoy/extensions/transport_sockets/tls/v3/cert.proto
 envoy/extensions/transport_sockets/tls/v3/common.proto
 envoy/extensions/transport_sockets/tls/v3/secret.proto
 envoy/extensions/transport_sockets/tls/v3/tls.proto
 envoy/service/discovery/v2/ads.proto
 envoy/service/discovery/v2/sds.proto
 envoy/service/load_stats/v2/lrs.proto
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto
@ -2,475 +2,15 @@ syntax = "proto3";
 package envoy.api.v2.auth;
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/config_source.proto";
 import "envoy/type/matcher/string.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/migrate.proto";
-import "validate/validate.proto";
+import "udpa/annotations/status.proto";
 import public "envoy/api/v2/auth/common.proto";
 import public "envoy/api/v2/auth/secret.proto";
 import public "envoy/api/v2/auth/tls.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.auth";
 option java_outer_classname = "CertProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package =
    "envoy.extensions.transport_sockets.tls.v3";
 // [#protodoc-title: Common TLS configuration]
 message TlsParameters {
  enum TlsProtocol {
    // Envoy will choose the optimal TLS version.
    TLS_AUTO = 0;
    // TLS 1.0
    TLSv1_0 = 1;
    // TLS 1.1
    TLSv1_1 = 2;
    // TLS 1.2
    TLSv1_2 = 3;
    // TLS 1.3
    TLSv1_3 = 4;
  }
  // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
  // servers.
  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
  // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
  // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
  TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
  // If specified, the TLS listener will only support the specified `cipher list
  // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
  // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
  // specified, the default list will be used.
  //
  // In non-FIPS builds, the default cipher list is:
  //
  // .. code-block:: none
  //
  //   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
  //   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
  //   ECDHE-ECDSA-AES128-SHA
  //   ECDHE-RSA-AES128-SHA
  //   AES128-GCM-SHA256
  //   AES128-SHA
  //   ECDHE-ECDSA-AES256-GCM-SHA384
  //   ECDHE-RSA-AES256-GCM-SHA384
  //   ECDHE-ECDSA-AES256-SHA
  //   ECDHE-RSA-AES256-SHA
  //   AES256-GCM-SHA384
  //   AES256-SHA
  //
  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
  //
  // .. code-block:: none
  //
  //   ECDHE-ECDSA-AES128-GCM-SHA256
  //   ECDHE-RSA-AES128-GCM-SHA256
  //   ECDHE-ECDSA-AES128-SHA
  //   ECDHE-RSA-AES128-SHA
  //   AES128-GCM-SHA256
  //   AES128-SHA
  //   ECDHE-ECDSA-AES256-GCM-SHA384
  //   ECDHE-RSA-AES256-GCM-SHA384
  //   ECDHE-ECDSA-AES256-SHA
  //   ECDHE-RSA-AES256-SHA
  //   AES256-GCM-SHA384
  //   AES256-SHA
  repeated string cipher_suites = 3;
  // If specified, the TLS connection will only support the specified ECDH
  // curves. If not specified, the default curves will be used.
  //
  // In non-FIPS builds, the default curves are:
  //
  // .. code-block:: none
  //
  //   X25519
  //   P-256
  //
  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
  //
  // .. code-block:: none
  //
  //   P-256
  repeated string ecdh_curves = 4;
 }
 // BoringSSL private key method configuration. The private key methods are used for external
 // (potentially asynchronous) signing and decryption operations. Some use cases for private key
 // methods would be TPM support and TLS acceleration.
 message PrivateKeyProvider {
  // Private key method provider name. The name must match a
  // supported private key method provider type.
  string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
  // Private key method provider specific configuration.
  oneof config_type {
    google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true];
    google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
  }
 }
 // [#next-free-field: 7]
 message TlsCertificate {
  // The TLS certificate chain.
  core.DataSource certificate_chain = 1;
  // The TLS private key.
  core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
  // BoringSSL private key method provider. This is an alternative to :ref:`private_key
  // <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
  // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
  // <envoy_api_field_auth.TlsCertificate.private_key>` and
  // :ref:`private_key_provider
  // <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an
  // error.
  PrivateKeyProvider private_key_provider = 6;
  // The password to decrypt the TLS private key. If this field is not set, it is assumed that the
  // TLS private key is not password encrypted.
  core.DataSource password = 3 [(udpa.annotations.sensitive) = true];
  // [#not-implemented-hide:]
  core.DataSource ocsp_staple = 4;
  // [#not-implemented-hide:]
  repeated core.DataSource signed_certificate_timestamp = 5;
 }
 message TlsSessionTicketKeys {
  // Keys for encrypting and decrypting TLS session tickets. The
  // first key in the array contains the key to encrypt all new sessions created by this context.
  // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
  // by, for example, putting the new key first, and the previous key second.
  //
  // If :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
  // is not specified, the TLS library will still support resuming sessions via tickets, but it will
  // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
  // or on different hosts.
  //
  // Each key must contain exactly 80 bytes of cryptographically-secure random data. For
  // example, the output of ``openssl rand 80``.
  //
  // .. attention::
  //
  //   Using this feature has serious security considerations and risks. Improper handling of keys
  //   may result in loss of secrecy in connections, even if ciphers supporting perfect forward
  //   secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
  //   discussion. To minimize the risk, you must:
  //
  //   * Keep the session ticket keys at least as secure as your TLS certificate private keys
  //   * Rotate session ticket keys at least daily, and preferably hourly
  //   * Always generate keys using a cryptographically-secure random data source
  repeated core.DataSource keys = 1
      [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 // [#next-free-field: 11]
 message CertificateValidationContext {
  // Peer certificate verification mode.
  enum TrustChainVerification {
    // Perform default certificate verification (e.g., against CA / verification lists)
    VERIFY_TRUST_CHAIN = 0;
    // Connections where the certificate fails verification will be permitted.
    // For HTTP connections, the result of certificate verification can be used in route matching. (
    // see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>` ).
    ACCEPT_UNTRUSTED = 1;
  }
  // TLS certificate data containing certificate authority certificates to use in verifying
  // a presented peer certificate (e.g. server certificate for clusters or client certificate
  // for listeners). If not specified and a peer certificate is presented it will not be
  // verified. By default, a client certificate is optional, unless one of the additional
  // options (:ref:`require_client_certificate
  // <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
  // :ref:`verify_certificate_spki
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
  // :ref:`verify_certificate_hash
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
  // :ref:`match_subject_alt_names
  // <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
  // specified.
  //
  // It can optionally contain certificate revocation lists, in which case Envoy will verify
  // that the presented peer certificate has not been revoked by one of the included CRLs.
  //
  // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
  // system CA locations.
  core.DataSource trusted_ca = 1;
  // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
  // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
  // matches one of the specified values.
  //
  // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
  // can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -noout -pubkey
  //     | openssl pkey -pubin -outform DER
  //     | openssl dgst -sha256 -binary
  //     | openssl enc -base64
  //   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
  //
  // This is the format used in HTTP Public Key Pinning.
  //
  // When both:
  // :ref:`verify_certificate_hash
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
  // :ref:`verify_certificate_spki
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
  // a hash matching value from either of the lists will result in the certificate being accepted.
  //
  // .. attention::
  //
  //   This option is preferred over :ref:`verify_certificate_hash
  //   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
  //   because SPKI is tied to a private key, so it doesn't change when the certificate
  //   is renewed using the same private key.
  repeated string verify_certificate_spki = 3
      [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
  // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
  // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
  //
  // A hex-encoded SHA-256 of the certificate can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  //   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
  //
  // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
  // can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  //   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
  //
  // Both of those formats are acceptable.
  //
  // When both:
  // :ref:`verify_certificate_hash
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
  // :ref:`verify_certificate_spki
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
  // a hash matching value from either of the lists will result in the certificate being accepted.
  repeated string verify_certificate_hash = 2
      [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
  // An optional list of Subject Alternative Names. If specified, Envoy will verify that the
  // Subject Alternative Name of the presented certificate matches one of the specified values.
  //
  // .. attention::
  //
  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
  //   therefore this option must be used together with :ref:`trusted_ca
  //   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
  repeated string verify_subject_alt_name = 4 [deprecated = true];
  // An optional list of Subject Alternative name matchers. Envoy will verify that the
  // Subject Alternative Name of the presented certificate matches one of the specified matches.
  //
  // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
  // configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
  // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
  // it should be configured as shown below.
  //
  // .. code-block:: yaml
  //
  //  match_subject_alt_names:
  //    exact: "api.example.com"
  //
  // .. attention::
  //
  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
  //   therefore this option must be used together with :ref:`trusted_ca
  //   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
  repeated type.matcher.StringMatcher match_subject_alt_names = 9;
  // [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
  google.protobuf.BoolValue require_ocsp_staple = 5;
  // [#not-implemented-hide:] Must present signed certificate time-stamp.
  google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
  // An optional `certificate revocation list
  // <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
  // (in PEM format). If specified, Envoy will verify that the presented peer
  // certificate has not been revoked by this CRL. If this DataSource contains
  // multiple CRLs, all of them will be used.
  core.DataSource crl = 7;
  // If specified, Envoy will not reject expired certificates.
  bool allow_expired_certificate = 8;
  // Certificate trust chain verification mode.
  TrustChainVerification trust_chain_verification = 10
      [(validate.rules).enum = {defined_only: true}];
 }
 // TLS context shared by both client and server TLS contexts.
 // [#next-free-field: 9]
 message CommonTlsContext {
  message CombinedCertificateValidationContext {
    // How to validate peer certificates.
    CertificateValidationContext default_validation_context = 1
        [(validate.rules).message = {required: true}];
    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 2
        [(validate.rules).message = {required: true}];
  }
  reserved 5;
  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;
  // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
  // same context to allow both RSA and ECDSA certificates.
  //
  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
  // used for clients that support ECDSA.
  repeated TlsCertificate tls_certificates = 2;
  // Configs for fetching TLS certificates via SDS API.
  repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
      [(validate.rules).repeated = {max_items: 1}];
  oneof validation_context_type {
    // How to validate peer certificates.
    CertificateValidationContext validation_context = 3;
    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 7;
    // Combined certificate validation context holds a default CertificateValidationContext
    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
    // and default CertificateValidationContext are merged into a new CertificateValidationContext
    // for validation. This merge is done by Message::MergeFrom(), so dynamic
    // CertificateValidationContext overwrites singular fields in default
    // CertificateValidationContext, and concatenates repeated fields to default
    // CertificateValidationContext, and logical OR is applied to boolean fields.
    CombinedCertificateValidationContext combined_validation_context = 8;
  }
  // Supplies the list of ALPN protocols that the listener should expose. In
  // practice this is likely to be set to one of two values (see the
  // :ref:`codec_type
  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.codec_type>`
  // parameter in the HTTP connection manager for more information):
  //
  // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
  // * "http/1.1" If the listener is only going to support HTTP/1.1.
  //
  // There is no default for this parameter. If empty, Envoy will not expose ALPN.
  repeated string alpn_protocols = 4;
 }
 message UpstreamTlsContext {
  // Common TLS context settings.
  //
  // .. attention::
  //
  //   Server certificate verification is not enabled by default. Configure
  //   :ref:`trusted_ca<envoy_api_field_auth.CertificateValidationContext.trusted_ca>` to enable
  //   verification.
  CommonTlsContext common_tls_context = 1;
  // SNI string to use when creating TLS backend connections.
  string sni = 2 [(validate.rules).string = {max_bytes: 255}];
  // If true, server-initiated TLS renegotiation will be allowed.
  //
  // .. attention::
  //
  //   TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
  bool allow_renegotiation = 3;
  // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
  // for TLSv1.2 and older) to store for the purpose of session resumption.
  //
  // Defaults to 1, setting this to 0 disables session resumption.
  google.protobuf.UInt32Value max_session_keys = 4;
 }
 // [#next-free-field: 7]
 message DownstreamTlsContext {
  // Common TLS context settings.
  CommonTlsContext common_tls_context = 1;
  // If specified, Envoy will reject connections without a valid client
  // certificate.
  google.protobuf.BoolValue require_client_certificate = 2;
  // If specified, Envoy will reject connections without a valid and matching SNI.
  // [#not-implemented-hide:]
  google.protobuf.BoolValue require_sni = 3;
  oneof session_ticket_keys_type {
    // TLS session ticket key settings.
    TlsSessionTicketKeys session_ticket_keys = 4;
    // Config for fetching TLS session ticket keys via SDS API.
    SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
  }
  // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
  // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
  // <https://tools.ietf.org/html/rfc5077#section-5.6>`
  // only seconds could be specified (fractional seconds are going to be ignored).
  google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
    lt {seconds: 4294967296}
    gte {}
  }];
 }
 message GenericSecret {
  // Secret of generic type and is available to filters.
  core.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
 }
 message SdsSecretConfig {
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  // When both name and config are specified, then secret can be fetched and/or reloaded via
  // SDS. When only name is specified, then secret will be loaded from static resources.
  string name = 1;
  core.ConfigSource sds_config = 2;
 }
 // [#next-free-field: 6]
 message Secret {
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  string name = 1;
  oneof type {
    TlsCertificate tls_certificate = 2;
    TlsSessionTicketKeys session_ticket_keys = 3;
    CertificateValidationContext validation_context = 4;
    GenericSecret generic_secret = 5;
  }
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/common.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/common.proto
@ -0,0 +1,327 @@
 syntax = "proto3";
 package envoy.api.v2.auth;
 import "envoy/api/v2/core/base.proto";
 import "envoy/type/matcher/string.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.auth";
 option java_outer_classname = "CommonProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package =
    "envoy.extensions.transport_sockets.tls.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Common TLS configuration]
 message TlsParameters {
  enum TlsProtocol {
    // Envoy will choose the optimal TLS version.
    TLS_AUTO = 0;
    // TLS 1.0
    TLSv1_0 = 1;
    // TLS 1.1
    TLSv1_1 = 2;
    // TLS 1.2
    TLSv1_2 = 3;
    // TLS 1.3
    TLSv1_3 = 4;
  }
  // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
  // servers.
  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
  // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
  // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
  TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
  // If specified, the TLS listener will only support the specified `cipher list
  // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
  // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
  // specified, the default list will be used.
  //
  // In non-FIPS builds, the default cipher list is:
  //
  // .. code-block:: none
  //
  //   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
  //   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
  //   ECDHE-ECDSA-AES128-SHA
  //   ECDHE-RSA-AES128-SHA
  //   AES128-GCM-SHA256
  //   AES128-SHA
  //   ECDHE-ECDSA-AES256-GCM-SHA384
  //   ECDHE-RSA-AES256-GCM-SHA384
  //   ECDHE-ECDSA-AES256-SHA
  //   ECDHE-RSA-AES256-SHA
  //   AES256-GCM-SHA384
  //   AES256-SHA
  //
  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
  //
  // .. code-block:: none
  //
  //   ECDHE-ECDSA-AES128-GCM-SHA256
  //   ECDHE-RSA-AES128-GCM-SHA256
  //   ECDHE-ECDSA-AES128-SHA
  //   ECDHE-RSA-AES128-SHA
  //   AES128-GCM-SHA256
  //   AES128-SHA
  //   ECDHE-ECDSA-AES256-GCM-SHA384
  //   ECDHE-RSA-AES256-GCM-SHA384
  //   ECDHE-ECDSA-AES256-SHA
  //   ECDHE-RSA-AES256-SHA
  //   AES256-GCM-SHA384
  //   AES256-SHA
  repeated string cipher_suites = 3;
  // If specified, the TLS connection will only support the specified ECDH
  // curves. If not specified, the default curves will be used.
  //
  // In non-FIPS builds, the default curves are:
  //
  // .. code-block:: none
  //
  //   X25519
  //   P-256
  //
  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
  //
  // .. code-block:: none
  //
  //   P-256
  repeated string ecdh_curves = 4;
 }
 // BoringSSL private key method configuration. The private key methods are used for external
 // (potentially asynchronous) signing and decryption operations. Some use cases for private key
 // methods would be TPM support and TLS acceleration.
 message PrivateKeyProvider {
  // Private key method provider name. The name must match a
  // supported private key method provider type.
  string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
  // Private key method provider specific configuration.
  oneof config_type {
    google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true];
    google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
  }
 }
 // [#next-free-field: 7]
 message TlsCertificate {
  // The TLS certificate chain.
  core.DataSource certificate_chain = 1;
  // The TLS private key.
  core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
  // BoringSSL private key method provider. This is an alternative to :ref:`private_key
  // <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
  // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
  // <envoy_api_field_auth.TlsCertificate.private_key>` and
  // :ref:`private_key_provider
  // <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an
  // error.
  PrivateKeyProvider private_key_provider = 6;
  // The password to decrypt the TLS private key. If this field is not set, it is assumed that the
  // TLS private key is not password encrypted.
  core.DataSource password = 3 [(udpa.annotations.sensitive) = true];
  // [#not-implemented-hide:]
  core.DataSource ocsp_staple = 4;
  // [#not-implemented-hide:]
  repeated core.DataSource signed_certificate_timestamp = 5;
 }
 message TlsSessionTicketKeys {
  // Keys for encrypting and decrypting TLS session tickets. The
  // first key in the array contains the key to encrypt all new sessions created by this context.
  // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
  // by, for example, putting the new key first, and the previous key second.
  //
  // If :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
  // is not specified, the TLS library will still support resuming sessions via tickets, but it will
  // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
  // or on different hosts.
  //
  // Each key must contain exactly 80 bytes of cryptographically-secure random data. For
  // example, the output of ``openssl rand 80``.
  //
  // .. attention::
  //
  //   Using this feature has serious security considerations and risks. Improper handling of keys
  //   may result in loss of secrecy in connections, even if ciphers supporting perfect forward
  //   secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
  //   discussion. To minimize the risk, you must:
  //
  //   * Keep the session ticket keys at least as secure as your TLS certificate private keys
  //   * Rotate session ticket keys at least daily, and preferably hourly
  //   * Always generate keys using a cryptographically-secure random data source
  repeated core.DataSource keys = 1
      [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 // [#next-free-field: 11]
 message CertificateValidationContext {
  // Peer certificate verification mode.
  enum TrustChainVerification {
    // Perform default certificate verification (e.g., against CA / verification lists)
    VERIFY_TRUST_CHAIN = 0;
    // Connections where the certificate fails verification will be permitted.
    // For HTTP connections, the result of certificate verification can be used in route matching. (
    // see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>` ).
    ACCEPT_UNTRUSTED = 1;
  }
  // TLS certificate data containing certificate authority certificates to use in verifying
  // a presented peer certificate (e.g. server certificate for clusters or client certificate
  // for listeners). If not specified and a peer certificate is presented it will not be
  // verified. By default, a client certificate is optional, unless one of the additional
  // options (:ref:`require_client_certificate
  // <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
  // :ref:`verify_certificate_spki
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
  // :ref:`verify_certificate_hash
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
  // :ref:`match_subject_alt_names
  // <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
  // specified.
  //
  // It can optionally contain certificate revocation lists, in which case Envoy will verify
  // that the presented peer certificate has not been revoked by one of the included CRLs.
  //
  // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
  // system CA locations.
  core.DataSource trusted_ca = 1;
  // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
  // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
  // matches one of the specified values.
  //
  // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
  // can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -noout -pubkey
  //     | openssl pkey -pubin -outform DER
  //     | openssl dgst -sha256 -binary
  //     | openssl enc -base64
  //   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
  //
  // This is the format used in HTTP Public Key Pinning.
  //
  // When both:
  // :ref:`verify_certificate_hash
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
  // :ref:`verify_certificate_spki
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
  // a hash matching value from either of the lists will result in the certificate being accepted.
  //
  // .. attention::
  //
  //   This option is preferred over :ref:`verify_certificate_hash
  //   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
  //   because SPKI is tied to a private key, so it doesn't change when the certificate
  //   is renewed using the same private key.
  repeated string verify_certificate_spki = 3
      [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
  // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
  // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
  //
  // A hex-encoded SHA-256 of the certificate can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  //   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
  //
  // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
  // can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  //   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
  //
  // Both of those formats are acceptable.
  //
  // When both:
  // :ref:`verify_certificate_hash
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
  // :ref:`verify_certificate_spki
  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
  // a hash matching value from either of the lists will result in the certificate being accepted.
  repeated string verify_certificate_hash = 2
      [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
  // An optional list of Subject Alternative Names. If specified, Envoy will verify that the
  // Subject Alternative Name of the presented certificate matches one of the specified values.
  //
  // .. attention::
  //
  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
  //   therefore this option must be used together with :ref:`trusted_ca
  //   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
  repeated string verify_subject_alt_name = 4 [deprecated = true];
  // An optional list of Subject Alternative name matchers. Envoy will verify that the
  // Subject Alternative Name of the presented certificate matches one of the specified matches.
  //
  // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
  // configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
  // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
  // it should be configured as shown below.
  //
  // .. code-block:: yaml
  //
  //  match_subject_alt_names:
  //    exact: "api.example.com"
  //
  // .. attention::
  //
  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
  //   therefore this option must be used together with :ref:`trusted_ca
  //   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
  repeated type.matcher.StringMatcher match_subject_alt_names = 9;
  // [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
  google.protobuf.BoolValue require_ocsp_staple = 5;
  // [#not-implemented-hide:] Must present signed certificate time-stamp.
  google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
  // An optional `certificate revocation list
  // <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
  // (in PEM format). If specified, Envoy will verify that the presented peer
  // certificate has not been revoked by this CRL. If this DataSource contains
  // multiple CRLs, all of them will be used.
  core.DataSource crl = 7;
  // If specified, Envoy will not reject expired certificates.
  bool allow_expired_certificate = 8;
  // Certificate trust chain verification mode.
  TrustChainVerification trust_chain_verification = 10
      [(validate.rules).enum = {defined_only: true}];
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/secret.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/secret.proto
@ -0,0 +1,50 @@
 syntax = "proto3";
 package envoy.api.v2.auth;
 import "envoy/api/v2/auth/common.proto";
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/config_source.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.auth";
 option java_outer_classname = "SecretProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package =
    "envoy.extensions.transport_sockets.tls.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Secrets configuration]
 message GenericSecret {
  // Secret of generic type and is available to filters.
  core.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
 }
 message SdsSecretConfig {
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  // When both name and config are specified, then secret can be fetched and/or reloaded via
  // SDS. When only name is specified, then secret will be loaded from static resources.
  string name = 1;
  core.ConfigSource sds_config = 2;
 }
 // [#next-free-field: 6]
 message Secret {
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  string name = 1;
  oneof type {
    TlsCertificate tls_certificate = 2;
    TlsSessionTicketKeys session_ticket_keys = 3;
    CertificateValidationContext validation_context = 4;
    GenericSecret generic_secret = 5;
  }
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/tls.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/tls.proto
@ -0,0 +1,152 @@
 syntax = "proto3";
 package envoy.api.v2.auth;
 import "envoy/api/v2/auth/common.proto";
 import "envoy/api/v2/auth/secret.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.auth";
 option java_outer_classname = "TlsProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package =
    "envoy.extensions.transport_sockets.tls.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: TLS transport socket]
 // [#extension: envoy.transport_sockets.tls]
 // The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.
 message UpstreamTlsContext {
  // Common TLS context settings.
  //
  // .. attention::
  //
  //   Server certificate verification is not enabled by default. Configure
  //   :ref:`trusted_ca<envoy_api_field_auth.CertificateValidationContext.trusted_ca>` to enable
  //   verification.
  CommonTlsContext common_tls_context = 1;
  // SNI string to use when creating TLS backend connections.
  string sni = 2 [(validate.rules).string = {max_bytes: 255}];
  // If true, server-initiated TLS renegotiation will be allowed.
  //
  // .. attention::
  //
  //   TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
  bool allow_renegotiation = 3;
  // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
  // for TLSv1.2 and older) to store for the purpose of session resumption.
  //
  // Defaults to 1, setting this to 0 disables session resumption.
  google.protobuf.UInt32Value max_session_keys = 4;
 }
 // [#next-free-field: 8]
 message DownstreamTlsContext {
  // Common TLS context settings.
  CommonTlsContext common_tls_context = 1;
  // If specified, Envoy will reject connections without a valid client
  // certificate.
  google.protobuf.BoolValue require_client_certificate = 2;
  // If specified, Envoy will reject connections without a valid and matching SNI.
  // [#not-implemented-hide:]
  google.protobuf.BoolValue require_sni = 3;
  oneof session_ticket_keys_type {
    // TLS session ticket key settings.
    TlsSessionTicketKeys session_ticket_keys = 4;
    // Config for fetching TLS session ticket keys via SDS API.
    SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
    // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
    // server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
    // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
    // the keys specified through either :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
    // or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
    // If this config is set to false and no keys are explicitly configured, the TLS server will issue
    // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
    // implication that sessions cannot be resumed across hot restarts or on different hosts.
    bool disable_stateless_session_resumption = 7;
  }
  // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
  // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
  // <https://tools.ietf.org/html/rfc5077#section-5.6>`
  // only seconds could be specified (fractional seconds are going to be ignored).
  google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
    lt {seconds: 4294967296}
    gte {}
  }];
 }
 // TLS context shared by both client and server TLS contexts.
 // [#next-free-field: 9]
 message CommonTlsContext {
  message CombinedCertificateValidationContext {
    // How to validate peer certificates.
    CertificateValidationContext default_validation_context = 1
        [(validate.rules).message = {required: true}];
    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 2
        [(validate.rules).message = {required: true}];
  }
  reserved 5;
  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;
  // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
  // same context to allow both RSA and ECDSA certificates.
  //
  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
  // used for clients that support ECDSA.
  repeated TlsCertificate tls_certificates = 2;
  // Configs for fetching TLS certificates via SDS API.
  repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
      [(validate.rules).repeated = {max_items: 1}];
  oneof validation_context_type {
    // How to validate peer certificates.
    CertificateValidationContext validation_context = 3;
    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 7;
    // Combined certificate validation context holds a default CertificateValidationContext
    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
    // and default CertificateValidationContext are merged into a new CertificateValidationContext
    // for validation. This merge is done by Message::MergeFrom(), so dynamic
    // CertificateValidationContext overwrites singular fields in default
    // CertificateValidationContext, and concatenates repeated fields to default
    // CertificateValidationContext, and logical OR is applied to boolean fields.
    CombinedCertificateValidationContext combined_validation_context = 8;
  }
  // Supplies the list of ALPN protocols that the listener should expose. In
  // practice this is likely to be set to one of two values (see the
  // :ref:`codec_type
  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.codec_type>`
  // parameter in the HTTP connection manager for more information):
  //
  // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
  // * "http/1.1" If the listener is only going to support HTTP/1.1.
  //
  // There is no default for this parameter. If empty, Envoy will not expose ALPN.
  repeated string alpn_protocols = 4;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto
@ -8,6 +8,7 @@ import "google/api/annotations.proto";
 import "envoy/annotations/resource.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import public "envoy/api/v2/cluster.proto";
@ -16,6 +17,7 @@ option java_outer_classname = "CdsProto";
 option java_multiple_files = true;
 option java_generic_services = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.service.cluster.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: CDS]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto
@ -2,7 +2,7 @@ syntax = "proto3";
 package envoy.api.v2;
-import "envoy/api/v2/auth/cert.proto";
+import "envoy/api/v2/auth/tls.proto";
 import "envoy/api/v2/cluster/circuit_breaker.proto";
 import "envoy/api/v2/cluster/filter.proto";
 import "envoy/api/v2/cluster/outlier_detection.proto";
@ -21,12 +21,14 @@ import "google/protobuf/wrappers.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2";
 option java_outer_classname = "ClusterProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Cluster configuration]
@ -354,7 +356,7 @@ message Cluster {
  }
  // Common configuration for all load balancer implementations.
-  // [#next-free-field: 7]
+  // [#next-free-field: 8]
  message CommonLbConfig {
    // Configuration for :ref:`zone aware routing
    // <arch_overview_load_balancing_zone_aware_routing>`.
@ -384,6 +386,13 @@ message Cluster {
    message LocalityWeightedLbConfig {
    }
    // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
    message ConsistentHashingLbConfig {
      // If set to `true`, the cluster will use hostname instead of the resolved
      // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address.
      bool use_hostname_for_hashing = 1;
    }
    // Configures the :ref:`healthy panic threshold <arch_overview_load_balancing_panic_threshold>`.
    // If not specified, the default is 50%.
    // To disable panic mode, set to 0%.
@ -438,6 +447,9 @@ message Cluster {
    // If set to `true`, the cluster manager will drain all existing
    // connections to upstream hosts whenever hosts are added or removed from the cluster.
    bool close_connections_on_host_set_change = 6;
    //Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
    ConsistentHashingLbConfig consistent_hashing_lb_config = 7;
  }
  message RefreshRate {
@ -459,7 +471,7 @@ message Cluster {
  reserved 12, 15;
  // Configuration to use different transport sockets for different endpoints.
-  // The entry of *envoy.transport_socket* in the
+  // The entry of *envoy.transport_socket_match* in the
  // :ref:`LbEndpoint.Metadata <envoy_api_field_endpoint.LbEndpoint.metadata>`
  // is used to match against the transport sockets as they appear in the list. The first
  // :ref:`match <envoy_api_msg_Cluster.TransportSocketMatch>` is used.
@ -479,14 +491,14 @@ message Cluster {
  //    transport_socket:
  //      name: envoy.transport_sockets.raw_buffer
  //
-  // Connections to the endpoints whose metadata value under *envoy.transport_socket*
+  // Connections to the endpoints whose metadata value under *envoy.transport_socket_match*
  // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
  //
  // If a :ref:`socket match <envoy_api_msg_Cluster.TransportSocketMatch>` with empty match
  // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
  // socket match in case above.
  //
-  // If an endpoint metadata's value under *envoy.transport_socket* does not match any
+  // If an endpoint metadata's value under *envoy.transport_socket_match* does not match any
  // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
  // *transport_socket* specified in this cluster.
  //
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto
@ -8,6 +8,7 @@ import "envoy/type/percent.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.cluster";
@ -16,6 +17,7 @@ option java_multiple_files = true;
 option csharp_namespace = "Envoy.Api.V2.ClusterNS";
 option ruby_package = "Envoy.Api.V2.ClusterNS";
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Circuit breakers]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto
@ -5,6 +5,7 @@ package envoy.api.v2.cluster;
 import "google/protobuf/any.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.cluster";
@ -13,6 +14,7 @@ option java_multiple_files = true;
 option csharp_namespace = "Envoy.Api.V2.ClusterNS";
 option ruby_package = "Envoy.Api.V2.ClusterNS";
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Upstream filters]
 // Upstream filters apply to the connections to the upstream cluster hosts.
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto
@ -6,6 +6,7 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.cluster";
@ -14,6 +15,7 @@ option java_multiple_files = true;
 option csharp_namespace = "Envoy.Api.V2.ClusterNS";
 option ruby_package = "Envoy.Api.V2.ClusterNS";
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Outlier detection]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto
@ -7,12 +7,14 @@ import "envoy/api/v2/core/socket_option.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "AddressProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Network addresses]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/backoff.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/backoff.proto
@ -5,12 +5,14 @@ package envoy.api.v2.core;
 import "google/protobuf/duration.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "BackoffProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Backoff Strategy]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto
@ -14,6 +14,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 import public "envoy/api/v2/core/socket_option.proto";
@ -22,6 +23,7 @@ option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "BaseProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Common types]
@ -230,6 +232,15 @@ message RuntimeUInt32 {
  string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}];
 }
 // Runtime derived double with a default when not specified.
 message RuntimeDouble {
  // Default value if runtime value is not available.
  double default_value = 1;
  // Runtime key to get value for comparison. This value is used if defined.
  string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
 }
 // Runtime derived bool with a default when not specified.
 message RuntimeFeatureFlag {
  // Default value if runtime value is not available.
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto
@ -9,12 +9,14 @@ import "google/protobuf/wrappers.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "ConfigSourceProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Configuration sources]
@ -55,10 +57,6 @@ message ApiConfigSource {
    // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response}
    // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state
    // with every update, the xDS server only sends what has changed since the last update.
    //
    // DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available.
    // Do not use for other xDSes.
    // [#comment:TODO(fredlas) update/remove this warning when appropriate.]
    DELTA_GRPC = 3;
  }
@ -133,6 +131,8 @@ message ConfigSource {
    option (validate.required) = true;
    // Path on the filesystem to source and watch for configuration updates.
    // When sourcing configuration for :ref:`secret <envoy_api_msg_auth.Secret>`,
    // the certificate and key files are also watched for updates.
    //
    // .. note::
    //
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/event_service_config.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/event_service_config.proto
@ -0,0 +1,26 @@
 syntax = "proto3";
 package envoy.api.v2.core;
 import "envoy/api/v2/core/grpc_service.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "EventServiceConfigProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#not-implemented-hide:]
 // Configuration of the event reporting service endpoint.
 message EventServiceConfig {
  oneof config_source_specifier {
    option (validate.required) = true;
    // Specifies the gRPC service that hosts the event reporting service.
    GrpcService grpc_service = 1;
  }
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto
@ -9,15 +9,16 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/struct.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "GrpcServiceProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: gRPC services]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto
@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.api.v2.core;
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/event_service_config.proto";
 import "envoy/type/http.proto";
 import "envoy/type/matcher/string.proto";
 import "envoy/type/range.proto";
@ -14,12 +15,14 @@ import "google/protobuf/wrappers.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "HealthCheckProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Health check]
 // * Health checking :ref:`architecture overview <arch_overview_health_checking>`.
@ -52,7 +55,7 @@ enum HealthStatus {
  DEGRADED = 5;
 }
-// [#next-free-field: 22]
+// [#next-free-field: 23]
 message HealthCheck {
  // Describes the encoding of the payload bytes in the payload.
  message Payload {
@ -71,7 +74,8 @@ message HealthCheck {
  message HttpHealthCheck {
    // The value of the host header in the HTTP health check request. If
    // left empty (default value), the name of the cluster this health check is associated
-    // with will be used.
+    // with will be used. The host header can be customized for a specific endpoint by setting the
    // :ref:`hostname <envoy_api_field_endpoint.Endpoint.HealthCheckConfig.hostname>` field.
    string host = 1;
    // Specifies the HTTP path that will be requested during health checking. For example
@ -158,7 +162,8 @@ message HealthCheck {
    // The value of the :authority header in the gRPC health check request. If
    // left empty (default value), the name of the cluster this health check is associated
-    // with will be used.
+    // with will be used. The authority header can be customized for a specific endpoint by setting
    // the :ref:`hostname <envoy_api_field_endpoint.Endpoint.HealthCheckConfig.hostname>` field.
    string authority = 2;
  }
@ -288,6 +293,11 @@ message HealthCheck {
  // If empty, no event log will be written.
  string event_log_path = 17;
  // [#not-implemented-hide:]
  // The gRPC service for the health check event service.
  // If empty, health check events won't be sent to a remote endpoint.
  EventServiceConfig event_service = 22;
  // If set to true, health check failure events will always be logged. If set to false, only the
  // initial health check failure event will be logged.
  // The default value is false.
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto
@ -5,12 +5,14 @@ package envoy.api.v2.core;
 import "google/protobuf/duration.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "HttpUriProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: HTTP Service URI ]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto
@ -6,12 +6,14 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "ProtocolProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Protocol options]
@ -32,9 +34,30 @@ message UpstreamHttpProtocolOptions {
  bool auto_san_validation = 2;
 }
 // [#next-free-field: 6]
 message HttpProtocolOptions {
  // Action to take when Envoy receives client request with header names containing underscore
  // characters.
  // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented
  // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore
  // characters.
  enum HeadersWithUnderscoresAction {
    // Allow headers with underscores. This is the default behavior.
    ALLOW = 0;
    // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests
    // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter
    // is incremented for each rejected request.
    REJECT_REQUEST = 1;
    // Drop the header with name containing underscores. The header is dropped before the filter chain is
    // invoked and as such filters will not see dropped headers. The
    // "httpN.dropped_headers_with_underscores" is incremented for each dropped header.
    DROP_HEADER = 2;
  }
  // The idle timeout for connections. The idle timeout is defined as the
-  // period in which there are no active requests. If not set, there is no idle timeout. When the
+  // period in which there are no active requests. When the
  // idle timeout is reached the connection will be closed. If the connection is an HTTP/2
  // downstream connection a drain sequence will occur prior to closing the connection, see
  // :ref:`drain_timeout
@ -62,9 +85,12 @@ message HttpProtocolOptions {
  // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be
  // reset independent of any other timeouts. If not specified, this value is not set.
  // The current implementation implements this timeout on downstream connections only.
  // [#comment:TODO(shikugawa): add this functionality to upstream.]
  google.protobuf.Duration max_stream_duration = 4;
  // Action to take when a client request with a header name containing underscore characters is received.
  // If this setting is not specified, the value defaults to ALLOW.
  // Note: upstream responses are not affected by this setting.
  HeadersWithUnderscoresAction headers_with_underscores_action = 5;
 }
 // [#next-free-field: 6]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/socket_option.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/socket_option.proto
@ -3,12 +3,14 @@ syntax = "proto3";
 package envoy.api.v2.core;
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.core";
 option java_outer_classname = "SocketOptionProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Socket Option ]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto
@ -8,11 +8,13 @@ import "google/protobuf/any.proto";
 import "google/rpc/status.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.api.v2";
 option java_outer_classname = "DiscoveryProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.service.discovery.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Common discovery API components]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto
@ -10,6 +10,7 @@ import "google/protobuf/wrappers.proto";
 import "envoy/annotations/resource.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 import public "envoy/api/v2/endpoint.proto";
@ -19,6 +20,7 @@ option java_outer_classname = "EdsProto";
 option java_multiple_files = true;
 option java_generic_services = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.service.endpoint.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: EDS]
 // Endpoint discovery :ref:`architecture overview <arch_overview_service_discovery_types_eds>`
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto
@ -10,12 +10,14 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2";
 option java_outer_classname = "EndpointProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Endpoint configuration]
 // Endpoint discovery :ref:`architecture overview <arch_overview_service_discovery_types_eds>`
@ -34,6 +36,7 @@ message ClusterLoadAssignment {
  // Load balancing policy settings.
  // [#next-free-field: 6]
  message Policy {
    // [#not-implemented-hide:]
    message DropOverload {
      // Identifier for the policy specifying the drop.
      string category = 1 [(validate.rules).string = {min_bytes: 1}];
@ -63,6 +66,7 @@ message ClusterLoadAssignment {
    //    "throttle"_drop = 60%
    //    "lb"_drop = 20%  // 50% of the remaining 'actual' load, which is 40%.
    //    actual_outgoing_load = 20% // remaining after applying all categories.
    // [#not-implemented-hide:]
    repeated DropOverload drop_overloads = 2;
    // Priority levels and localities are considered overprovisioned with this
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto
@ -2,6 +2,8 @@ syntax = "proto3";
 package envoy.api.v2.endpoint;
 import "udpa/annotations/status.proto";
 import public "envoy/api/v2/endpoint/endpoint_components.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto
@ -9,12 +9,14 @@ import "envoy/api/v2/core/health_check.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
 option java_outer_classname = "EndpointComponentsProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Endpoints]
@ -29,6 +31,13 @@ message Endpoint {
    // check port. Setting this with a non-zero value allows an upstream host
    // to have different health check address port.
    uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}];
    // By default, the host header for L7 health checks is controlled by cluster level configuration
    // (see: :ref:`host <envoy_api_field_core.HealthCheck.HttpHealthCheck.host>` and
    // :ref:`authority <envoy_api_field_core.HealthCheck.GrpcHealthCheck.authority>`). Setting this
    // to a non-empty value allows overriding the cluster level configuration for a specific
    // endpoint.
    string hostname = 2;
  }
  // The upstream host address.
@ -50,6 +59,12 @@ message Endpoint {
  //   This takes into effect only for upstream clusters with
  //   :ref:`active health checking <arch_overview_health_checking>` enabled.
  HealthCheckConfig health_check_config = 2;
  // The hostname associated with this endpoint. This hostname is not used for routing or address
  // resolution. If provided, it will be associated with the endpoint, and can be used for features
  // that require a hostname, like
  // :ref:`auto_host_rewrite <envoy_api_field_route.RouteAction.auto_host_rewrite>`.
  string hostname = 3;
 }
 // An Endpoint that Envoy can route traffic to.
@ -82,7 +97,8 @@ message LbEndpoint {
  // percentage of traffic for the endpoint. This percentage is then further
  // weighted by the endpoint's locality's load balancing weight from
  // LocalityLbEndpoints. If unspecified, each host is presumed to have equal
-  // weight in a locality.
+  // weight in a locality. The sum of the weights of all endpoints in the
  // endpoint's locality must not exceed uint32_t maximal value (4294967295).
  google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}];
 }
@ -101,7 +117,8 @@ message LocalityLbEndpoints {
  // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load
  // balancing weight for a locality is divided by the sum of the weights of all
  // localities  at the same priority level to produce the effective percentage
-  // of traffic for the locality.
+  // of traffic for the locality. The sum of the weights of all localities at
  // the same priority level must not exceed uint32_t maximal value (4294967295).
  //
  // Locality weights are only considered when :ref:`locality weighted load
  // balancing <arch_overview_load_balancing_locality_weighted_lb>` is
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto
@ -9,12 +9,14 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
 option java_outer_classname = "LoadReportProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // These are stats Envoy reports to GLB every so often. Report frequency is
 // defined by
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto
@ -10,6 +10,7 @@ import "google/protobuf/wrappers.proto";
 import "envoy/annotations/resource.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 import public "envoy/api/v2/listener.proto";
@ -19,6 +20,7 @@ option java_outer_classname = "LdsProto";
 option java_multiple_files = true;
 option java_generic_services = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.service.listener.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Listener]
 // Listener :ref:`configuration overview <config_listeners>`
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto
@ -7,6 +7,7 @@ import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/socket_option.proto";
 import "envoy/api/v2/listener/listener_components.proto";
 import "envoy/api/v2/listener/udp_listener_config.proto";
 import "envoy/config/filter/accesslog/v2/accesslog.proto";
 import "envoy/config/listener/v2/api_listener.proto";
 import "google/api/annotations.proto";
@ -14,17 +15,19 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2";
 option java_outer_classname = "ListenerProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Listener configuration]
 // Listener :ref:`configuration overview <config_listeners>`
-// [#next-free-field: 22]
+// [#next-free-field: 23]
 message Listener {
  enum DrainType {
    // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check
@ -237,4 +240,8 @@ message Listener {
  // This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket
  // <https://github.com/torvalds/linux/commit/40a1227ea845a37ab197dd1caffb60b047fa36b1>`_.
  bool reuse_port = 21;
  // Configuration for :ref:`access logs <arch_overview_access_logs>`
  // emitted by this listener.
  repeated config.filter.accesslog.v2.AccessLog access_log = 22;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto
@ -2,6 +2,8 @@ syntax = "proto3";
 package envoy.api.v2.listener;
 import "udpa/annotations/status.proto";
 import public "envoy/api/v2/listener/listener_components.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.listener";
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto
@ -2,7 +2,7 @@ syntax = "proto3";
 package envoy.api.v2.listener;
-import "envoy/api/v2/auth/cert.proto";
+import "envoy/api/v2/auth/tls.proto";
 import "envoy/api/v2/core/address.proto";
 import "envoy/api/v2/core/base.proto";
 import "envoy/type/range.proto";
@ -12,6 +12,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.listener";
@ -20,6 +21,7 @@ option java_multiple_files = true;
 option csharp_namespace = "Envoy.Api.V2.ListenerNS";
 option ruby_package = "Envoy.Api.V2.ListenerNS";
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Listener components]
 // Listener :ref:`configuration overview <config_listeners>`
@ -207,9 +209,32 @@ message FilterChain {
  string name = 7;
 }
 // [#not-implemented-hide:]
 // Listener filter chain match configuration. This is a recursive structure which allows complex
 // nested match configurations to be built using various logical operators.
 //
 // Examples:
 //
 // * Matches if the destination port is 3306.
 //
 // .. code-block:: yaml
 //
 //  destination_port_range:
 //   start: 3306
 //   end: 3307
 //
 // * Matches if the destination port is 3306 or 15000.
 //
 // .. code-block:: yaml
 //
 //  or_match:
 //    rules:
 //      - destination_port_range:
 //          start: 3306
 //          end: 3306
 //      - destination_port_range:
 //          start: 15000
 //          end: 15001
 //
 // [#next-free-field: 6]
 message ListenerFilterChainMatchPredicate {
  // A set of match configurations used for logical operations.
@ -255,17 +280,8 @@ message ListenerFilter {
    google.protobuf.Any typed_config = 3;
  }
-  // [#not-implemented-hide:]
+  // Optional match predicate used to disable the filter. The filter is enabled when this field is empty.
-  // Decide when to disable this listener filter on incoming traffic.
+  // See :ref:`ListenerFilterChainMatchPredicate <envoy_api_msg_listener.ListenerFilterChainMatchPredicate>`
-  // Example:
+  // for further examples.
  // 0. always enable filter
  //    don't set `filter_disabled`
  // 1. disable when the destination port is 3306
  //    rule.destination_port_range = Int32Range {start = 3306, end = 3307}
  // 2. disable when the destination port is 3306 or 15000
  //    rule.or_match = MatchSet.rules [
  //       rule.destination_port_range = Int32Range {start = 3306, end = 3307},
  //       rule.destination_port_range = Int32Range {start = 15000, end = 15001},
  //    ]
  ListenerFilterChainMatchPredicate filter_disabled = 4;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto
@ -6,6 +6,7 @@ import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.listener";
 option java_outer_classname = "UdpListenerConfigProto";
@ -13,6 +14,7 @@ option java_multiple_files = true;
 option csharp_namespace = "Envoy.Api.V2.ListenerNS";
 option ruby_package = "Envoy.Api.V2.ListenerNS";
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: UDP Listener Config]
 // Listener :ref:`configuration overview <config_listeners>`
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto
@ -9,6 +9,7 @@ import "google/protobuf/wrappers.proto";
 import "envoy/annotations/resource.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 import public "envoy/api/v2/route.proto";
@ -18,6 +19,7 @@ option java_outer_classname = "RdsProto";
 option java_multiple_files = true;
 option java_generic_services = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.service.route.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: RDS]
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto
@ -9,12 +9,14 @@ import "envoy/api/v2/route/route_components.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2";
 option java_outer_classname = "RouteProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: HTTP route configuration]
 // * Routing :ref:`architecture overview <arch_overview_http_routing>`
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto
@ -2,6 +2,8 @@ syntax = "proto3";
 package envoy.api.v2.route;
 import "udpa/annotations/status.proto";
 import public "envoy/api/v2/route/route_components.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.route";
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto
@ -16,12 +16,14 @@ import "google/protobuf/wrappers.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2.route";
 option java_outer_classname = "RouteComponentsProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: HTTP route components]
 // * Routing :ref:`architecture overview <arch_overview_http_routing>`
@ -1274,7 +1276,7 @@ message Tracing {
 // statistics are perfect in the sense that they are emitted on the downstream
 // side such that they include network level failures.
 //
-// Documentation for :ref:`virtual cluster statistics <config_http_filters_router_stats>`.
+// Documentation for :ref:`virtual cluster statistics <config_http_filters_router_vcluster_stats>`.
 //
 // .. note::
 //
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto
@ -3,12 +3,14 @@ syntax = "proto3";
 package envoy.api.v2;
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.api.v2";
 option java_outer_classname = "ScopedRouteProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: HTTP scoped routing configuration]
 // * Routing :ref:`architecture overview <arch_overview_http_routing>`
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto
@ -8,6 +8,7 @@ import "google/api/annotations.proto";
 import "envoy/annotations/resource.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import public "envoy/api/v2/scoped_route.proto";
@ -16,6 +17,7 @@ option java_outer_classname = "SrdsProto";
 option java_multiple_files = true;
 option java_generic_services = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.service.route.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: SRDS]
 // * Routing :ref:`architecture overview <arch_overview_http_routing>`
--- a/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto
@ -9,13 +9,14 @@ import "envoy/type/v3/percent.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.accesslog.v3";
 option java_outer_classname = "AccesslogProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Common access log types]
@ -239,6 +240,8 @@ message ResponseFlagFilter {
        in: "SI"
        in: "IH"
        in: "DPE"
        in: "UMSDR"
        in: "RFCF"
      }
    }
  }];
--- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/circuit_breaker.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/circuit_breaker.proto
@ -7,13 +7,14 @@ import "envoy/type/v3/percent.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.cluster.v3";
 option java_outer_classname = "CircuitBreakerProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Circuit breakers]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto
@ -18,14 +18,15 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/versioning.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.cluster.v3";
 option java_outer_classname = "ClusterProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Cluster configuration]
@ -373,7 +374,7 @@ message Cluster {
  }
  // Common configuration for all load balancer implementations.
-  // [#next-free-field: 7]
+  // [#next-free-field: 8]
  message CommonLbConfig {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.api.v2.Cluster.CommonLbConfig";
@ -411,6 +412,16 @@ message Cluster {
          "envoy.api.v2.Cluster.CommonLbConfig.LocalityWeightedLbConfig";
    }
    // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
    message ConsistentHashingLbConfig {
      option (udpa.annotations.versioning).previous_message_type =
          "envoy.api.v2.Cluster.CommonLbConfig.ConsistentHashingLbConfig";
      // If set to `true`, the cluster will use hostname instead of the resolved
      // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address.
      bool use_hostname_for_hashing = 1;
    }
    // Configures the :ref:`healthy panic threshold <arch_overview_load_balancing_panic_threshold>`.
    // If not specified, the default is 50%.
    // To disable panic mode, set to 0%.
@ -465,6 +476,9 @@ message Cluster {
    // If set to `true`, the cluster manager will drain all existing
    // connections to upstream hosts whenever hosts are added or removed from the cluster.
    bool close_connections_on_host_set_change = 6;
    //Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
    ConsistentHashingLbConfig consistent_hashing_lb_config = 7;
  }
  message RefreshRate {
@ -490,7 +504,7 @@ message Cluster {
  reserved "hosts", "tls_context", "extension_protocol_options";
  // Configuration to use different transport sockets for different endpoints.
-  // The entry of *envoy.transport_socket* in the
+  // The entry of *envoy.transport_socket_match* in the
  // :ref:`LbEndpoint.Metadata <envoy_api_field_config.endpoint.v3.LbEndpoint.metadata>`
  // is used to match against the transport sockets as they appear in the list. The first
  // :ref:`match <envoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` is used.
@ -510,14 +524,14 @@ message Cluster {
  //    transport_socket:
  //      name: envoy.transport_sockets.raw_buffer
  //
-  // Connections to the endpoints whose metadata value under *envoy.transport_socket*
+  // Connections to the endpoints whose metadata value under *envoy.transport_socket_match*
  // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
  //
  // If a :ref:`socket match <envoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` with empty match
  // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
  // socket match in case above.
  //
-  // If an endpoint metadata's value under *envoy.transport_socket* does not match any
+  // If an endpoint metadata's value under *envoy.transport_socket_match* does not match any
  // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
  // *transport_socket* specified in this cluster.
  //
@ -533,6 +547,10 @@ message Cluster {
  // *TransportSocketMatch* in this field. Other client Envoys receive CDS without
  // *transport_socket_match* set, and still send plain text traffic to the same cluster.
  //
  // This field can be used to specify custom transport socket configurations for health
  // checks by adding matching key/value pairs in a health check's
  // :ref:`transport socket match criteria <envoy_api_field_config.core.v3.HealthCheck.transport_socket_match_criteria>` field.
  //
  // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.]
  repeated TransportSocketMatch transport_socket_matches = 43;
--- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto
@ -4,13 +4,14 @@ package envoy.config.cluster.v3;
 import "google/protobuf/any.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.cluster.v3";
 option java_outer_classname = "FilterProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Upstream filters]
 // Upstream filters apply to the connections to the upstream cluster hosts.
--- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/outlier_detection.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/outlier_detection.proto
@ -5,13 +5,14 @@ package envoy.config.cluster.v3;
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.cluster.v3";
 option java_outer_classname = "OutlierDetectionProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Outlier detection]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto
@ -6,13 +6,14 @@ import "envoy/config/core/v3/socket_option.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "AddressProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Network addresses]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/backoff.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/backoff.proto
@ -4,13 +4,14 @@ package envoy.config.core.v3;
 import "google/protobuf/duration.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "BackoffProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Backoff Strategy]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto
@ -13,13 +13,14 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "BaseProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Common types]
@ -238,6 +239,17 @@ message RuntimeUInt32 {
  string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}];
 }
 // Runtime derived double with a default when not specified.
 message RuntimeDouble {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeDouble";
  // Default value if runtime value is not available.
  double default_value = 1;
  // Runtime key to get value for comparison. This value is used if defined.
  string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
 }
 // Runtime derived bool with a default when not specified.
 message RuntimeFeatureFlag {
  option (udpa.annotations.versioning).previous_message_type =
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto
@ -7,14 +7,15 @@ import "envoy/config/core/v3/grpc_service.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/versioning.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "ConfigSourceProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Configuration sources]
@ -57,10 +58,6 @@ message ApiConfigSource {
    // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response}
    // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state
    // with every update, the xDS server only sends what has changed since the last update.
    //
    // DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available.
    // Do not use for other xDSes.
    // [#comment:TODO(fredlas) update/remove this warning when appropriate.]
    DELTA_GRPC = 3;
  }
@ -143,6 +140,8 @@ message ConfigSource {
    option (validate.required) = true;
    // Path on the filesystem to source and watch for configuration updates.
    // When sourcing configuration for :ref:`secret <envoy_api_msg_extensions.transport_sockets.tls.v3.Secret>`,
    // the certificate and key files are also watched for updates.
    //
    // .. note::
    //
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/event_service_config.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/event_service_config.proto
@ -0,0 +1,28 @@
 syntax = "proto3";
 package envoy.config.core.v3;
 import "envoy/config/core/v3/grpc_service.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "EventServiceConfigProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#not-implemented-hide:]
 // Configuration of the event reporting service endpoint.
 message EventServiceConfig {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.core.EventServiceConfig";
  oneof config_source_specifier {
    option (validate.required) = true;
    // Specifies the gRPC service that hosts the event reporting service.
    GrpcService grpc_service = 1;
  }
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/extension.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/extension.proto
@ -0,0 +1,30 @@
 syntax = "proto3";
 package envoy.config.core.v3;
 import "google/protobuf/any.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "ExtensionProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Extension configuration]
 // Message type for extension configuration.
 // [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.].
 message TypedExtensionConfig {
  // The name of an extension. This is not used to select the extension, instead
  // it serves the role of an opaque identifier.
  string name = 1 [(validate.rules).string = {min_len: 1}];
  // The typed config for the extension. The type URL will be used to identify
  // the extension. In the case that the type URL is *udpa.type.v1.TypedStruct*,
  // the inner type URL of *TypedStruct* will be utilized. See the
  // :ref:`extension configuration overview
  // <config_overview_extension_configuration>` for further details.
  google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}];
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto
@ -8,15 +8,17 @@ import "google/protobuf/any.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "GrpcServiceProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: gRPC services]
@ -36,7 +38,7 @@ message GrpcService {
    string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
  }
-  // [#next-free-field: 7]
+  // [#next-free-field: 8]
  message GoogleGrpc {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.api.v2.core.GrpcService.GoogleGrpc";
@ -231,6 +233,10 @@ message GrpcService {
    // Additional configuration for site-specific customizations of the Google
    // gRPC library.
    google.protobuf.Struct config = 6;
    // How many bytes each stream can buffer internally.
    // If not set an implementation defined default is applied (1MiB).
    google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7;
  }
  reserved 4;
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto
@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.config.core.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/event_service_config.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "envoy/type/v3/http.proto";
 import "envoy/type/v3/range.proto";
@ -12,14 +13,15 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/versioning.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "HealthCheckProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Health check]
 // * Health checking :ref:`architecture overview <arch_overview_health_checking>`.
@ -52,7 +54,7 @@ enum HealthStatus {
  DEGRADED = 5;
 }
-// [#next-free-field: 22]
+// [#next-free-field: 24]
 message HealthCheck {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck";
@ -83,12 +85,15 @@ message HealthCheck {
    // The value of the host header in the HTTP health check request. If
    // left empty (default value), the name of the cluster this health check is associated
-    // with will be used.
+    // with will be used. The host header can be customized for a specific endpoint by setting the
-    string host = 1;
+    // :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
    string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
    // Specifies the HTTP path that will be requested during health checking. For example
    // */healthcheck*.
-    string path = 2 [(validate.rules).string = {min_bytes: 1}];
+    string path = 2 [
      (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
    ];
    // [#not-implemented-hide:] HTTP specific payload.
    Payload send = 3;
@ -105,7 +110,9 @@ message HealthCheck {
    // Specifies a list of HTTP headers that should be removed from each request that is sent to the
    // health checked cluster.
-    repeated string request_headers_to_remove = 8;
+    repeated string request_headers_to_remove = 8 [(validate.rules).repeated = {
      items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}
    }];
    // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default
    // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open
@ -164,8 +171,10 @@ message HealthCheck {
    // The value of the :authority header in the gRPC health check request. If
    // left empty (default value), the name of the cluster this health check is associated
-    // with will be used.
+    // with will be used. The authority header can be customized for a specific endpoint by setting
-    string authority = 2;
+    // the :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
    string authority = 2
        [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
  }
  // Custom health check.
@ -302,6 +311,11 @@ message HealthCheck {
  // If empty, no event log will be written.
  string event_log_path = 17;
  // [#not-implemented-hide:]
  // The gRPC service for the health check event service.
  // If empty, health check events won't be sent to a remote endpoint.
  EventServiceConfig event_service = 22;
  // If set to true, health check failure events will always be logged. If set to false, only the
  // initial health check failure event will be logged.
  // The default value is false.
@ -309,4 +323,36 @@ message HealthCheck {
  // This allows overriding the cluster TLS settings, just for health check connections.
  TlsOptions tls_options = 21;
  // Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's
  // :ref:`tranport socket matches <envoy_api_field_config.cluster.v3.Cluster.transport_socket_matches>`.
  // For example, the following match criteria
  //
  // .. code-block:: yaml
  //
  //  transport_socket_match_criteria:
  //    useMTLS: true
  //
  // Will match the following :ref:`cluster socket match <envoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>`
  //
  // .. code-block:: yaml
  //
  //  transport_socket_matches:
  //  - name: "useMTLS"
  //    match:
  //      useMTLS: true
  //    transport_socket:
  //      name: envoy.transport_sockets.tls
  //      config: { ... } # tls socket configuration
  //
  // If this field is set, then for health checks it will supersede an entry of *envoy.transport_socket* in the
  // :ref:`LbEndpoint.Metadata <envoy_api_field_config.endpoint.v3.LbEndpoint.metadata>`.
  // This allows using different transport socket capabilities for health checking versus proxying to the
  // endpoint.
  //
  // If the key/values pairs specified do not match any
  // :ref:`transport socket matches <envoy_api_field_config.cluster.v3.Cluster.transport_socket_matches>`,
  // the cluster's :ref:`transport socket <envoy_api_field_config.cluster.v3.Cluster.transport_socket>`
  // will be used for health check socket configuration.
  google.protobuf.Struct transport_socket_match_criteria = 23;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto
@ -4,13 +4,14 @@ package envoy.config.core.v3;
 import "google/protobuf/duration.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "HttpUriProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: HTTP Service URI ]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto
@ -5,13 +5,14 @@ package envoy.config.core.v3;
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "ProtocolProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Protocol options]
@ -37,12 +38,33 @@ message UpstreamHttpProtocolOptions {
  bool auto_san_validation = 2;
 }
 // [#next-free-field: 6]
 message HttpProtocolOptions {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.core.HttpProtocolOptions";
  // Action to take when Envoy receives client request with header names containing underscore
  // characters.
  // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented
  // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore
  // characters.
  enum HeadersWithUnderscoresAction {
    // Allow headers with underscores. This is the default behavior.
    ALLOW = 0;
    // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests
    // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter
    // is incremented for each rejected request.
    REJECT_REQUEST = 1;
    // Drop the header with name containing underscores. The header is dropped before the filter chain is
    // invoked and as such filters will not see dropped headers. The
    // "httpN.dropped_headers_with_underscores" is incremented for each dropped header.
    DROP_HEADER = 2;
  }
  // The idle timeout for connections. The idle timeout is defined as the
-  // period in which there are no active requests. If not set, there is no idle timeout. When the
+  // period in which there are no active requests. When the
  // idle timeout is reached the connection will be closed. If the connection is an HTTP/2
  // downstream connection a drain sequence will occur prior to closing the connection, see
  // :ref:`drain_timeout
@ -70,9 +92,12 @@ message HttpProtocolOptions {
  // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be
  // reset independent of any other timeouts. If not specified, this value is not set.
  // The current implementation implements this timeout on downstream connections only.
  // [#comment:TODO(shikugawa): add this functionality to upstream.]
  google.protobuf.Duration max_stream_duration = 4;
  // Action to take when a client request with a header name containing underscore characters is received.
  // If this setting is not specified, the value defaults to ALLOW.
  // Note: upstream responses are not affected by this setting.
  HeadersWithUnderscoresAction headers_with_underscores_action = 5;
 }
 // [#next-free-field: 6]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/proxy_protocol.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/proxy_protocol.proto
@ -0,0 +1,26 @@
 syntax = "proto3";
 package envoy.config.core.v3;
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "ProxyProtocolProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Proxy Protocol]
 message ProxyProtocolConfig {
  enum Version {
    // PROXY protocol version 1. Human readable format.
    V1 = 0;
    // PROXY protocol version 2. Binary format.
    V2 = 1;
  }
  // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details
  Version version = 1;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/socket_option.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/socket_option.proto
@ -2,13 +2,14 @@ syntax = "proto3";
 package envoy.config.core.v3;
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "SocketOptionProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Socket Option ]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto
@ -9,13 +9,14 @@ import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.endpoint.v3";
 option java_outer_classname = "EndpointProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Endpoint configuration]
 // Endpoint discovery :ref:`architecture overview <arch_overview_service_discovery_types_eds>`
@ -39,6 +40,7 @@ message ClusterLoadAssignment {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.api.v2.ClusterLoadAssignment.Policy";
    // [#not-implemented-hide:]
    message DropOverload {
      option (udpa.annotations.versioning).previous_message_type =
          "envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload";
@ -73,6 +75,7 @@ message ClusterLoadAssignment {
    //    "throttle"_drop = 60%
    //    "lb"_drop = 20%  // 50% of the remaining 'actual' load, which is 40%.
    //    actual_outgoing_load = 20% // remaining after applying all categories.
    // [#not-implemented-hide:]
    repeated DropOverload drop_overloads = 2;
    // Priority levels and localities are considered overprovisioned with this
--- a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint_components.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint_components.proto
@ -8,13 +8,14 @@ import "envoy/config/core/v3/health_check.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.endpoint.v3";
 option java_outer_classname = "EndpointComponentsProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Endpoints]
@ -34,6 +35,13 @@ message Endpoint {
    // check port. Setting this with a non-zero value allows an upstream host
    // to have different health check address port.
    uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}];
    // By default, the host header for L7 health checks is controlled by cluster level configuration
    // (see: :ref:`host <envoy_api_field_config.core.v3.HealthCheck.HttpHealthCheck.host>` and
    // :ref:`authority <envoy_api_field_config.core.v3.HealthCheck.GrpcHealthCheck.authority>`). Setting this
    // to a non-empty value allows overriding the cluster level configuration for a specific
    // endpoint.
    string hostname = 2;
  }
  // The upstream host address.
@ -55,6 +63,12 @@ message Endpoint {
  //   This takes into effect only for upstream clusters with
  //   :ref:`active health checking <arch_overview_health_checking>` enabled.
  HealthCheckConfig health_check_config = 2;
  // The hostname associated with this endpoint. This hostname is not used for routing or address
  // resolution. If provided, it will be associated with the endpoint, and can be used for features
  // that require a hostname, like
  // :ref:`auto_host_rewrite <envoy_api_field_config.route.v3.RouteAction.auto_host_rewrite>`.
  string hostname = 3;
 }
 // An Endpoint that Envoy can route traffic to.
@ -89,7 +103,8 @@ message LbEndpoint {
  // percentage of traffic for the endpoint. This percentage is then further
  // weighted by the endpoint's locality's load balancing weight from
  // LocalityLbEndpoints. If unspecified, each host is presumed to have equal
-  // weight in a locality.
+  // weight in a locality. The sum of the weights of all endpoints in the
  // endpoint's locality must not exceed uint32_t maximal value (4294967295).
  google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}];
 }
@ -111,7 +126,8 @@ message LocalityLbEndpoints {
  // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load
  // balancing weight for a locality is divided by the sum of the weights of all
  // localities  at the same priority level to produce the effective percentage
-  // of traffic for the locality.
+  // of traffic for the locality. The sum of the weights of all localities at
  // the same priority level must not exceed uint32_t maximal value (4294967295).
  //
  // Locality weights are only considered when :ref:`locality weighted load
  // balancing <arch_overview_load_balancing_locality_weighted_lb>` is
--- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto
@ -10,12 +10,14 @@ import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.filter.accesslog.v2";
 option java_outer_classname = "AccesslogProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.accesslog.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Common access log types]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/fault/v2/fault.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/fault/v2/fault.proto
@ -8,12 +8,14 @@ import "google/protobuf/duration.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.filter.fault.v2";
 option java_outer_classname = "FaultProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.filters.common.fault.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Common fault injection types]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/http/fault/v2/fault.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/http/fault/v2/fault.proto
@ -9,12 +9,14 @@ import "envoy/type/percent.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.filter.http.fault.v2";
 option java_outer_classname = "FaultProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.filters.http.fault.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
--- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@ -7,7 +7,7 @@ import "envoy/api/v2/core/protocol.proto";
 import "envoy/api/v2/route.proto";
 import "envoy/api/v2/scoped_route.proto";
 import "envoy/config/filter/accesslog/v2/accesslog.proto";
-import "envoy/config/trace/v2/trace.proto";
+import "envoy/config/trace/v2/http_tracer.proto";
 import "envoy/type/percent.proto";
 import "envoy/type/tracing/v2/custom_tag.proto";
@ -18,6 +18,7 @@ import "google/protobuf/wrappers.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2";
@ -25,12 +26,13 @@ option java_outer_classname = "HttpConnectionManagerProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package =
    "envoy.extensions.filters.network.http_connection_manager.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: HTTP connection manager]
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
 // [#extension: envoy.filters.network.http_connection_manager]
-// [#next-free-field: 36]
+// [#next-free-field: 37]
 message HttpConnectionManager {
  enum CodecType {
    // For every new connection, the connection manager will determine which
@ -159,9 +161,15 @@ message HttpConnectionManager {
    repeated type.tracing.v2.CustomTag custom_tags = 8;
    // Configuration for an external tracing provider.
-    // If not specified, Envoy will fall back to using tracing provider configuration
+    // If not specified, no tracing will be performed.
-    // from the bootstrap config.
+    //
-    // [#not-implemented-hide:]
+    // .. attention::
    //   Please be aware that *envoy.tracers.opencensus* provider can only be configured once
    //   in Envoy lifetime.
    //   Any attempts to reconfigure it or to use different configurations for different HCM filters
    //   will be rejected.
    //   Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes
    //   on OpenCensus side.
    trace.v2.Tracing.Http provider = 9;
  }
@ -224,7 +232,7 @@ message HttpConnectionManager {
    // Determines if upgrades are enabled or disabled by default. Defaults to true.
    // This can be overridden on a per-route basis with :ref:`cluster
    // <envoy_api_field_route.RouteAction.upgrade_configs>` as documented in the
-    // :ref:`upgrade documentation <arch_overview_websocket>`.
+    // :ref:`upgrade documentation <arch_overview_upgrades>`.
    google.protobuf.BoolValue enabled = 3;
  }
@ -254,8 +262,8 @@ message HttpConnectionManager {
  }
  // A list of individual HTTP filters that make up the filter chain for
-  // requests made to the connection manager. Order matters as the filters are
+  // requests made to the connection manager. :ref:`Order matters <arch_overview_http_filters_ordering>`
-  // processed sequentially as request events happen.
+  // as the filters are processed sequentially as request events happen.
  repeated HttpFilter http_filters = 5;
  // Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent`
@ -334,7 +342,7 @@ message HttpConnectionManager {
  // timeout, although per-route idle timeout overrides will continue to apply.
  google.protobuf.Duration stream_idle_timeout = 24;
-  // A timeout for idle requests managed by the connection manager.
+  // The amount of time that Envoy will wait for the entire request to be received.
  // The timer is activated when the request is initiated, and is disarmed when the last byte of the
  // request is sent upstream (i.e. all decoding filters have processed the request), OR when the
  // response is initiated. If not specified or set to 0, this timeout is disabled.
@ -491,6 +499,18 @@ message HttpConnectionManager {
  // with `prefix` match set to `/dir`. Defaults to `false`. Note that slash merging is not part of
  // `HTTP spec <https://tools.ietf.org/html/rfc3986>` and is provided for convenience.
  bool merge_slashes = 33;
  // The configuration of the request ID extension. This includes operations such as
  // generation, validation, and associated tracing operations.
  //
  // If not set, Envoy uses the default UUID-based behavior:
  //
  // 1. Request ID is propagated using *x-request-id* header.
  //
  // 2. Request ID is a universally unique identifier (UUID).
  //
  // 3. Tracing decision (sampled, forced, etc) is set in 14th byte of the UUID.
  RequestIDExtension request_id_extension = 36;
 }
 message Rds {
@ -640,3 +660,8 @@ message HttpFilter {
    google.protobuf.Any typed_config = 4;
  }
 }
 message RequestIDExtension {
  // Request ID extension specific configuration.
  google.protobuf.Any typed_config = 1;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto
@ -5,11 +5,13 @@ package envoy.config.listener.v2;
 import "google/protobuf/any.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.config.listener.v2";
 option java_outer_classname = "ApiListenerProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: API listener]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/api_listener.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/api_listener.proto
@ -4,11 +4,13 @@ package envoy.config.listener.v3;
 import "google/protobuf/any.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 option java_package = "io.envoyproxy.envoy.config.listener.v3";
 option java_outer_classname = "ApiListenerProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: API listener]
--- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto
@ -2,6 +2,7 @@ syntax = "proto3";
 package envoy.config.listener.v3;
 import "envoy/config/accesslog/v3/accesslog.proto";
 import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/socket_option.proto";
@ -13,18 +14,20 @@ import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.listener.v3";
 option java_outer_classname = "ListenerProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Listener configuration]
 // Listener :ref:`configuration overview <config_listeners>`
-// [#next-free-field: 22]
+// [#next-free-field: 23]
 message Listener {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener";
@ -106,7 +109,8 @@ message Listener {
  // Soft limit on size of the listener’s new connection read and write buffers.
  // If unspecified, an implementation defined default is applied (1MiB).
-  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
+  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
      [(udpa.annotations.security).configure_for_untrusted_downstream = true];
  // Listener metadata.
  core.v3.Metadata metadata = 6;
@ -232,4 +236,8 @@ message Listener {
  // This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket
  // <https://github.com/torvalds/linux/commit/40a1227ea845a37ab197dd1caffb60b047fa36b1>`_.
  bool reuse_port = 21;
  // Configuration for :ref:`access logs <arch_overview_access_logs>`
  // emitted by this listener.
  repeated accesslog.v3.AccessLog access_log = 22;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto
@ -10,13 +10,14 @@ import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.listener.v3";
 option java_outer_classname = "ListenerComponentsProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Listener components]
 // Listener :ref:`configuration overview <config_listeners>`
@ -207,9 +208,32 @@ message FilterChain {
  string name = 7;
 }
 // [#not-implemented-hide:]
 // Listener filter chain match configuration. This is a recursive structure which allows complex
 // nested match configurations to be built using various logical operators.
 //
 // Examples:
 //
 // * Matches if the destination port is 3306.
 //
 // .. code-block:: yaml
 //
 //  destination_port_range:
 //   start: 3306
 //   end: 3307
 //
 // * Matches if the destination port is 3306 or 15000.
 //
 // .. code-block:: yaml
 //
 //  or_match:
 //    rules:
 //      - destination_port_range:
 //          start: 3306
 //          end: 3306
 //      - destination_port_range:
 //          start: 15000
 //          end: 15001
 //
 // [#next-free-field: 6]
 message ListenerFilterChainMatchPredicate {
  option (udpa.annotations.versioning).previous_message_type =
@ -266,17 +290,8 @@ message ListenerFilter {
    google.protobuf.Any typed_config = 3;
  }
-  // [#not-implemented-hide:]
+  // Optional match predicate used to disable the filter. The filter is enabled when this field is empty.
-  // Decide when to disable this listener filter on incoming traffic.
+  // See :ref:`ListenerFilterChainMatchPredicate <envoy_api_msg_config.listener.v3.ListenerFilterChainMatchPredicate>`
-  // Example:
+  // for further examples.
  // 0. always enable filter
  //    don't set `filter_disabled`
  // 1. disable when the destination port is 3306
  //    rule.destination_port_range = Int32Range {start = 3306, end = 3307}
  // 2. disable when the destination port is 3306 or 15000
  //    rule.or_match = MatchSet.rules [
  //       rule.destination_port_range = Int32Range {start = 3306, end = 3307},
  //       rule.destination_port_range = Int32Range {start = 15000, end = 15001},
  //    ]
  ListenerFilterChainMatchPredicate filter_disabled = 4;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/udp_listener_config.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/udp_listener_config.proto
@ -5,11 +5,13 @@ package envoy.config.listener.v3;
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 option java_package = "io.envoyproxy.envoy.config.listener.v3";
 option java_outer_classname = "UdpListenerConfigProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: UDP Listener Config]
 // Listener :ref:`configuration overview <config_listeners>`
--- a/xds/third_party/envoy/src/main/proto/envoy/config/rbac/v2/rbac.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/rbac/v2/rbac.proto
@ -10,11 +10,13 @@ import "envoy/type/matcher/string.proto";
 import "google/api/expr/v1alpha1/syntax.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.rbac.v2";
 option java_outer_classname = "RbacProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Role Based Access Control (RBAC)]
@ -168,7 +170,7 @@ message Permission {
 }
 // Principal defines an identity or a group of identities for a downstream subject.
-// [#next-free-field: 10]
+// [#next-free-field: 12]
 message Principal {
  // Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context,
  // each are applied with the associated behavior.
@ -202,7 +204,21 @@ message Principal {
    Authenticated authenticated = 4;
    // A CIDR block that describes the downstream IP.
-    api.v2.core.CidrRange source_ip = 5;
+    // This address will honor proxy protocol, but will not honor XFF.
    api.v2.core.CidrRange source_ip = 5 [deprecated = true];
    // A CIDR block that describes the downstream remote/origin address.
    // Note: This is always the physical peer even if the
    // :ref:`remote_ip <envoy_api_field_config.rbac.v2.Principal.remote_ip>` is inferred
    // from for example the x-forwarder-for header, proxy protocol, etc.
    api.v2.core.CidrRange direct_remote_ip = 10;
    // A CIDR block that describes the downstream remote/origin address.
    // Note: This may not be the physical peer and could be different from the
    // :ref:`direct_remote_ip <envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>`.
    // E.g, if the remote ip is inferred from for example the x-forwarder-for header,
    // proxy protocol, etc.
    api.v2.core.CidrRange remote_ip = 11;
    // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
    // available for HTTP request.
--- a/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto
@ -3,6 +3,8 @@ syntax = "proto3";
 package envoy.config.route.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/proxy_protocol.proto";
 import "envoy/type/matcher/v3/regex.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "envoy/type/tracing/v3/custom_tag.proto";
@ -14,14 +16,15 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/versioning.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.route.v3";
 option java_outer_classname = "RouteComponentsProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: HTTP route components]
 // * Routing :ref:`architecture overview <arch_overview_http_routing>`
@ -107,7 +110,9 @@ message VirtualHost {
  // Specifies a list of HTTP headers that should be removed from each request
  // handled by this virtual host.
-  repeated string request_headers_to_remove = 13;
+  repeated string request_headers_to_remove = 13 [(validate.rules).repeated = {
    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
  }];
  // Specifies a list of HTTP headers that should be added to each response
  // handled by this virtual host. Headers specified at this level are applied
@ -251,7 +256,9 @@ message Route {
  // Specifies a list of HTTP headers that should be removed from each request
  // matching this route.
-  repeated string request_headers_to_remove = 12;
+  repeated string request_headers_to_remove = 12 [(validate.rules).repeated = {
    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
  }];
  // Specifies a set of headers that will be added to responses to requests
  // matching this route. Headers specified at this level are applied before
@ -365,7 +372,7 @@ message WeightedCluster {
  string runtime_key_prefix = 2;
 }
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message RouteMatch {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch";
@ -387,6 +394,10 @@ message RouteMatch {
    google.protobuf.BoolValue validated = 2;
  }
  // An extensible message for matching CONNECT requests.
  message ConnectMatcher {
  }
  reserved 5, 3;
  reserved "regex";
@ -415,6 +426,17 @@ message RouteMatch {
    // on :path, etc. The issue with that is it is unclear how to generically deal with query string
    // stripping. This needs more thought.]
    type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}];
    // If this is used as the matcher, the matcher will only match CONNECT requests.
    // Note that this will not match HTTP/2 upgrade-style CONNECT requests
    // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style
    // upgrades.
    // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2,
    // where CONNECT requests may have a path, the path matchers will work if
    // there is a path present.
    // Note that CONNECT support is currently considered alpha in Envoy.
    // [#comment:TODO(htuch): Replace the above comment with an alpha tag.
    ConnectMatcher connect_matcher = 12;
  }
  // Indicates that prefix/path matching should be case insensitive. The default
@ -515,7 +537,7 @@ message CorsPolicy {
  core.v3.RuntimeFractionalPercent shadow_enabled = 10;
 }
-// [#next-free-field: 34]
+// [#next-free-field: 35]
 message RouteAction {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction";
@ -528,7 +550,10 @@ message RouteAction {
  }
  // Configures :ref:`internal redirect <arch_overview_internal_redirects>` behavior.
  // [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.]
  enum InternalRedirectAction {
    option deprecated = true;
    PASS_THROUGH_INTERNAL_REDIRECT = 0;
    HANDLE_INTERNAL_REDIRECT = 1;
  }
@ -700,6 +725,13 @@ message RouteAction {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.api.v2.route.RouteAction.UpgradeConfig";
    // Configuration for sending data upstream as a raw data payload. This is used for
    // CONNECT requests, when forwarding CONNECT payload as raw TCP.
    message ConnectConfig {
      // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream.
      core.v3.ProxyProtocolConfig proxy_protocol_config = 1;
    }
    // The case-insensitive name of this upgrade, e.g. "websocket".
    // For each upgrade type present in upgrade_configs, requests with
    // Upgrade: [upgrade_type] will be proxied upstream.
@ -708,6 +740,12 @@ message RouteAction {
    // Determines if upgrades are available on this route. Defaults to true.
    google.protobuf.BoolValue enabled = 2;
    // Configuration for sending data upstream as a raw data payload. This is used for
    // CONNECT requests, when forwarding CONNECT payload as raw TCP.
    // Note that CONNECT support is currently considered alpha in Envoy.
    // [#comment:TODO(htuch): Replace the above comment with an alpha tag.
    ConnectConfig connect_config = 3;
  }
  reserved 12, 18, 19, 16, 22, 21, 10;
@ -952,7 +990,13 @@ message RouteAction {
  repeated UpgradeConfig upgrade_configs = 25;
-  InternalRedirectAction internal_redirect_action = 26;
+  // If present, Envoy will try to follow an upstream redirect response instead of proxying the
  // response back to the downstream. An upstream redirect response is defined
  // by :ref:`redirect_response_codes
  // <envoy_api_field_config.route.v3.InternalRedirectPolicy.redirect_response_codes>`.
  InternalRedirectPolicy internal_redirect_policy = 34;
  InternalRedirectAction internal_redirect_action = 26 [deprecated = true];
  // An internal redirect is handled, iff the number of previous internal redirects that a
  // downstream request has encountered is lower than this value, and
@ -968,7 +1012,7 @@ message RouteAction {
  // will pass the redirect back to downstream.
  //
  // If not specified, at most one redirect will be followed.
-  google.protobuf.UInt32Value max_internal_redirects = 31;
+  google.protobuf.UInt32Value max_internal_redirects = 31 [deprecated = true];
  // Indicates that the route has a hedge policy. Note that if this is set,
  // it'll take precedence over the virtual host level hedge policy entirely
@ -1265,7 +1309,7 @@ message Tracing {
 // statistics are perfect in the sense that they are emitted on the downstream
 // side such that they include network level failures.
 //
-// Documentation for :ref:`virtual cluster statistics <config_http_filters_router_stats>`.
+// Documentation for :ref:`virtual cluster statistics <config_http_filters_router_vcluster_stats>`.
 //
 // .. note::
 //
@ -1351,6 +1395,11 @@ message RateLimit {
      // The key to use in the descriptor entry.
      string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
      // If set to true, Envoy skips the descriptor while calling rate limiting service
      // when header is not present in the request. By default it skips calling the
      // rate limiting service if this header is not present in the request.
      bool skip_if_absent = 3;
    }
    // The following descriptor entry is appended to the descriptor and is populated using the
@ -1559,3 +1608,30 @@ message QueryParameterMatcher {
    bool present_match = 6;
  }
 }
 // HTTP Internal Redirect :ref:`architecture overview <arch_overview_internal_redirects>`.
 message InternalRedirectPolicy {
  // An internal redirect is not handled, unless the number of previous internal redirects that a
  // downstream request has encountered is lower than this value.
  // In the case where a downstream request is bounced among multiple routes by internal redirect,
  // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy
  // <envoy_api_field_config.route.v3.RouteAction.internal_redirect_policy>`
  // will pass the redirect back to downstream.
  //
  // If not specified, at most one redirect will be followed.
  google.protobuf.UInt32Value max_internal_redirects = 1;
  // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified,
  // only 302 will be treated as internal redirect.
  // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored.
  repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}];
  // Specifies a list of predicates that are queried when an upstream response is deemed
  // to trigger an internal redirect by all other criteria. Any predicate in the list can reject
  // the redirect, causing the response to be proxied to downstream.
  repeated core.v3.TypedExtensionConfig predicates = 3;
  // Allow internal redirect to follow a target URI with a different scheme than the value of
  // x-forwarded-proto. The default is false.
  bool allow_cross_scheme_redirect = 4;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/datadog.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/datadog.proto
@ -0,0 +1,23 @@
 syntax = "proto3";
 package envoy.config.trace.v2;
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.trace.v2";
 option java_outer_classname = "DatadogProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Datadog tracer]
 // Configuration for the Datadog tracer.
 // [#extension: envoy.tracers.datadog]
 message DatadogConfig {
  // The cluster to use for submitting traces to the Datadog agent.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
  // The name used for the service when traces are generated by envoy.
  string service_name = 2 [(validate.rules).string = {min_bytes: 1}];
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/dynamic_ot.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/dynamic_ot.proto
@ -0,0 +1,29 @@
 syntax = "proto3";
 package envoy.config.trace.v2;
 import "google/protobuf/struct.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.trace.v2";
 option java_outer_classname = "DynamicOtProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Dynamically loadable OpenTracing tracer]
 // DynamicOtConfig is used to dynamically load a tracer from a shared library
 // that implements the `OpenTracing dynamic loading API
 // <https://github.com/opentracing/opentracing-cpp>`_.
 // [#extension: envoy.tracers.dynamic_ot]
 message DynamicOtConfig {
  // Dynamic library implementing the `OpenTracing API
  // <https://github.com/opentracing/opentracing-cpp>`_.
  string library = 1 [(validate.rules).string = {min_bytes: 1}];
  // The configuration to use when creating a tracer from the given dynamic
  // library.
  google.protobuf.Struct config = 2;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/http_tracer.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/http_tracer.proto
@ -0,0 +1,65 @@
 syntax = "proto3";
 package envoy.config.trace.v2;
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.trace.v2";
 option java_outer_classname = "HttpTracerProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Tracing]
 // Tracing :ref:`architecture overview <arch_overview_tracing>`.
 // The tracing configuration specifies settings for an HTTP tracer provider used by Envoy.
 //
 // Envoy may support other tracers in the future, but right now the HTTP tracer is the only one
 // supported.
 //
 // .. attention::
 //
 //   Use of this message type has been deprecated in favor of direct use of
 //   :ref:`Tracing.Http <envoy_api_msg_config.trace.v2.Tracing.Http>`.
 message Tracing {
  // Configuration for an HTTP tracer provider used by Envoy.
  //
  // The configuration is defined by the
  // :ref:`HttpConnectionManager.Tracing <envoy_api_msg_config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing>`
  // :ref:`provider <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing.provider>`
  // field.
  message Http {
    // The name of the HTTP trace driver to instantiate. The name must match a
    // supported HTTP trace driver. Built-in trace drivers:
    //
    // - *envoy.tracers.lightstep*
    // - *envoy.tracers.zipkin*
    // - *envoy.tracers.dynamic_ot*
    // - *envoy.tracers.datadog*
    // - *envoy.tracers.opencensus*
    // - *envoy.tracers.xray*
    string name = 1 [(validate.rules).string = {min_bytes: 1}];
    // Trace driver specific configuration which depends on the driver being instantiated.
    // See the trace drivers for examples:
    //
    // - :ref:`LightstepConfig <envoy_api_msg_config.trace.v2.LightstepConfig>`
    // - :ref:`ZipkinConfig <envoy_api_msg_config.trace.v2.ZipkinConfig>`
    // - :ref:`DynamicOtConfig <envoy_api_msg_config.trace.v2.DynamicOtConfig>`
    // - :ref:`DatadogConfig <envoy_api_msg_config.trace.v2.DatadogConfig>`
    // - :ref:`OpenCensusConfig <envoy_api_msg_config.trace.v2.OpenCensusConfig>`
    // - :ref:`AWS X-Ray <envoy_api_msg_config.trace.v2alpha.XRayConfig>`
    oneof config_type {
      google.protobuf.Struct config = 2 [deprecated = true];
      google.protobuf.Any typed_config = 3;
    }
  }
  // Provides configuration for the HTTP tracer.
  Http http = 1;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/lightstep.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/lightstep.proto
@ -0,0 +1,43 @@
 syntax = "proto3";
 package envoy.config.trace.v2;
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.trace.v2";
 option java_outer_classname = "LightstepProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: LightStep tracer]
 // Configuration for the LightStep tracer.
 // [#extension: envoy.tracers.lightstep]
 message LightstepConfig {
  // Available propagation modes
  enum PropagationMode {
    // Propagate trace context in the single header x-ot-span-context.
    ENVOY = 0;
    // Propagate trace context using LightStep's native format.
    LIGHTSTEP = 1;
    // Propagate trace context using the b3 format.
    B3 = 2;
    // Propagation trace context using the w3 trace-context standard.
    TRACE_CONTEXT = 3;
  }
  // The cluster manager cluster that hosts the LightStep collectors.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
  // File containing the access token to the `LightStep
  // <https://lightstep.com/>`_ API.
  string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}];
  // Propagation modes to use by LightStep's tracer.
  repeated PropagationMode propagation_modes = 3
      [(validate.rules).repeated = {items {enum {defined_only: true}}}];
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/opencensus.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/opencensus.proto
@ -0,0 +1,93 @@
 syntax = "proto3";
 package envoy.config.trace.v2;
 import "envoy/api/v2/core/grpc_service.proto";
 import "opencensus/proto/trace/v1/trace_config.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.trace.v2";
 option java_outer_classname = "OpencensusProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: OpenCensus tracer]
 // Configuration for the OpenCensus tracer.
 // [#next-free-field: 15]
 // [#extension: envoy.tracers.opencensus]
 message OpenCensusConfig {
  enum TraceContext {
    // No-op default, no trace context is utilized.
    NONE = 0;
    // W3C Trace-Context format "traceparent:" header.
    TRACE_CONTEXT = 1;
    // Binary "grpc-trace-bin:" header.
    GRPC_TRACE_BIN = 2;
    // "X-Cloud-Trace-Context:" header.
    CLOUD_TRACE_CONTEXT = 3;
    // X-B3-* headers.
    B3 = 4;
  }
  reserved 7;
  // Configures tracing, e.g. the sampler, max number of annotations, etc.
  opencensus.proto.trace.v1.TraceConfig trace_config = 1;
  // Enables the stdout exporter if set to true. This is intended for debugging
  // purposes.
  bool stdout_exporter_enabled = 2;
  // Enables the Stackdriver exporter if set to true. The project_id must also
  // be set.
  bool stackdriver_exporter_enabled = 3;
  // The Cloud project_id to use for Stackdriver tracing.
  string stackdriver_project_id = 4;
  // (optional) By default, the Stackdriver exporter will connect to production
  // Stackdriver. If stackdriver_address is non-empty, it will instead connect
  // to this address, which is in the gRPC format:
  // https://github.com/grpc/grpc/blob/master/doc/naming.md
  string stackdriver_address = 10;
  // (optional) The gRPC server that hosts Stackdriver tracing service. Only
  // Google gRPC is supported. If :ref:`target_uri <envoy_v3_api_field_config.core.v3.GrpcService.GoogleGrpc.target_uri>`
  // is not provided, the default production Stackdriver address will be used.
  api.v2.core.GrpcService stackdriver_grpc_service = 13;
  // Enables the Zipkin exporter if set to true. The url and service name must
  // also be set.
  bool zipkin_exporter_enabled = 5;
  // The URL to Zipkin, e.g. "http://127.0.0.1:9411/api/v2/spans"
  string zipkin_url = 6;
  // Enables the OpenCensus Agent exporter if set to true. The ocagent_address or
  // ocagent_grpc_service must also be set.
  bool ocagent_exporter_enabled = 11;
  // The address of the OpenCensus Agent, if its exporter is enabled, in gRPC
  // format: https://github.com/grpc/grpc/blob/master/doc/naming.md
  // [#comment:TODO: deprecate this field]
  string ocagent_address = 12;
  // (optional) The gRPC server hosted by the OpenCensus Agent. Only Google gRPC is supported.
  // This is only used if the ocagent_address is left empty.
  api.v2.core.GrpcService ocagent_grpc_service = 14;
  // List of incoming trace context headers we will accept. First one found
  // wins.
  repeated TraceContext incoming_trace_context = 8;
  // List of outgoing trace context headers we will produce.
  repeated TraceContext outgoing_trace_context = 9;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/service.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/service.proto
@ -0,0 +1,21 @@
 syntax = "proto3";
 package envoy.config.trace.v2;
 import "envoy/api/v2/core/grpc_service.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.trace.v2";
 option java_outer_classname = "ServiceProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Trace Service]
 // Configuration structure.
 message TraceServiceConfig {
  // The upstream gRPC cluster that hosts the metrics service.
  api.v2.core.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/trace.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/trace.proto
@ -2,223 +2,16 @@ syntax = "proto3";
 package envoy.config.trace.v2;
-import "envoy/api/v2/core/grpc_service.proto";
+import "udpa/annotations/status.proto";
-import "google/protobuf/any.proto";
+import public "envoy/config/trace/v2/datadog.proto";
-import "google/protobuf/struct.proto";
+import public "envoy/config/trace/v2/dynamic_ot.proto";
-import "google/protobuf/wrappers.proto";
+import public "envoy/config/trace/v2/http_tracer.proto";
-
+import public "envoy/config/trace/v2/lightstep.proto";
-import "opencensus/proto/trace/v1/trace_config.proto";
+import public "envoy/config/trace/v2/opencensus.proto";
-
+import public "envoy/config/trace/v2/service.proto";
-import "envoy/annotations/deprecation.proto";
+import public "envoy/config/trace/v2/zipkin.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.trace.v2";
 option java_outer_classname = "TraceProto";
 option java_multiple_files = true;
 // [#protodoc-title: Tracing]
 // Tracing :ref:`architecture overview <arch_overview_tracing>`.
 // The tracing configuration specifies global
 // settings for the HTTP tracer used by Envoy. The configuration is defined by
 // the :ref:`Bootstrap <envoy_api_msg_config.bootstrap.v2.Bootstrap>` :ref:`tracing
 // <envoy_api_field_config.bootstrap.v2.Bootstrap.tracing>` field. Envoy may support other tracers
 // in the future, but right now the HTTP tracer is the only one supported.
 message Tracing {
  message Http {
    // The name of the HTTP trace driver to instantiate. The name must match a
    // supported HTTP trace driver. Built-in trace drivers:
    //
    // - *envoy.tracers.lightstep*
    // - *envoy.tracers.zipkin*
    // - *envoy.tracers.dynamic_ot*
    // - *envoy.tracers.datadog*
    // - *envoy.tracers.opencensus*
    // - *envoy.tracers.xray*
    string name = 1 [(validate.rules).string = {min_bytes: 1}];
    // Trace driver specific configuration which depends on the driver being instantiated.
    // See the trace drivers for examples:
    //
    // - :ref:`LightstepConfig <envoy_api_msg_config.trace.v2.LightstepConfig>`
    // - :ref:`ZipkinConfig <envoy_api_msg_config.trace.v2.ZipkinConfig>`
    // - :ref:`DynamicOtConfig <envoy_api_msg_config.trace.v2.DynamicOtConfig>`
    // - :ref:`DatadogConfig <envoy_api_msg_config.trace.v2.DatadogConfig>`
    // - :ref:`OpenCensusConfig <envoy_api_msg_config.trace.v2.OpenCensusConfig>`
    // - :ref:`AWS X-Ray <envoy_api_msg_config.trace.v2alpha.XRayConfig>`
    oneof config_type {
      google.protobuf.Struct config = 2 [deprecated = true];
      google.protobuf.Any typed_config = 3;
    }
  }
  // Provides configuration for the HTTP tracer.
  Http http = 1;
 }
 // Configuration for the LightStep tracer.
 // [#extension: envoy.tracers.lightstep]
 message LightstepConfig {
  // The cluster manager cluster that hosts the LightStep collectors.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
  // File containing the access token to the `LightStep
  // <https://lightstep.com/>`_ API.
  string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}];
 }
 // Configuration for the Zipkin tracer.
 // [#extension: envoy.tracers.zipkin]
 // [#next-free-field: 6]
 message ZipkinConfig {
  // Available Zipkin collector endpoint versions.
  enum CollectorEndpointVersion {
    // Zipkin API v1, JSON over HTTP.
    // [#comment: The default implementation of Zipkin client before this field is added was only v1
    // and the way user configure this was by not explicitly specifying the version. Consequently,
    // before this is added, the corresponding Zipkin collector expected to receive v1 payload.
    // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when
    // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field,
    // since in Zipkin realm this v1 version is considered to be not preferable anymore.]
    HTTP_JSON_V1 = 0 [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true];
    // Zipkin API v2, JSON over HTTP.
    HTTP_JSON = 1;
    // Zipkin API v2, protobuf over HTTP.
    HTTP_PROTO = 2;
    // [#not-implemented-hide:]
    GRPC = 3;
  }
  // The cluster manager cluster that hosts the Zipkin collectors. Note that the
  // Zipkin cluster must be defined in the :ref:`Bootstrap static cluster
  // resources <envoy_api_field_config.bootstrap.v2.Bootstrap.StaticResources.clusters>`.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
  // The API endpoint of the Zipkin service where the spans will be sent. When
  // using a standard Zipkin installation, the API endpoint is typically
  // /api/v1/spans, which is the default value.
  string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
  // Determines whether a 128bit trace id will be used when creating a new
  // trace instance. The default value is false, which will result in a 64 bit trace id being used.
  bool trace_id_128bit = 3;
  // Determines whether client and server spans will share the same span context.
  // The default value is true.
  google.protobuf.BoolValue shared_span_context = 4;
  // Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be
  // used.
  CollectorEndpointVersion collector_endpoint_version = 5;
 }
 // DynamicOtConfig is used to dynamically load a tracer from a shared library
 // that implements the `OpenTracing dynamic loading API
 // <https://github.com/opentracing/opentracing-cpp>`_.
 // [#extension: envoy.tracers.dynamic_ot]
 message DynamicOtConfig {
  // Dynamic library implementing the `OpenTracing API
  // <https://github.com/opentracing/opentracing-cpp>`_.
  string library = 1 [(validate.rules).string = {min_bytes: 1}];
  // The configuration to use when creating a tracer from the given dynamic
  // library.
  google.protobuf.Struct config = 2;
 }
 // Configuration for the Datadog tracer.
 // [#extension: envoy.tracers.datadog]
 message DatadogConfig {
  // The cluster to use for submitting traces to the Datadog agent.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
  // The name used for the service when traces are generated by envoy.
  string service_name = 2 [(validate.rules).string = {min_bytes: 1}];
 }
 // Configuration for the OpenCensus tracer.
 // [#next-free-field: 15]
 // [#extension: envoy.tracers.opencensus]
 message OpenCensusConfig {
  enum TraceContext {
    // No-op default, no trace context is utilized.
    NONE = 0;
    // W3C Trace-Context format "traceparent:" header.
    TRACE_CONTEXT = 1;
    // Binary "grpc-trace-bin:" header.
    GRPC_TRACE_BIN = 2;
    // "X-Cloud-Trace-Context:" header.
    CLOUD_TRACE_CONTEXT = 3;
    // X-B3-* headers.
    B3 = 4;
  }
  reserved 7;
  // Configures tracing, e.g. the sampler, max number of annotations, etc.
  opencensus.proto.trace.v1.TraceConfig trace_config = 1;
  // Enables the stdout exporter if set to true. This is intended for debugging
  // purposes.
  bool stdout_exporter_enabled = 2;
  // Enables the Stackdriver exporter if set to true. The project_id must also
  // be set.
  bool stackdriver_exporter_enabled = 3;
  // The Cloud project_id to use for Stackdriver tracing.
  string stackdriver_project_id = 4;
  // (optional) By default, the Stackdriver exporter will connect to production
  // Stackdriver. If stackdriver_address is non-empty, it will instead connect
  // to this address, which is in the gRPC format:
  // https://github.com/grpc/grpc/blob/master/doc/naming.md
  string stackdriver_address = 10;
  // (optional) The gRPC server that hosts Stackdriver tracing service. Only
  // Google gRPC is supported. If :ref:`target_uri <envoy_v3_api_field_config.core.v3.GrpcService.GoogleGrpc.target_uri>`
  // is not provided, the default production Stackdriver address will be used.
  api.v2.core.GrpcService stackdriver_grpc_service = 13;
  // Enables the Zipkin exporter if set to true. The url and service name must
  // also be set.
  bool zipkin_exporter_enabled = 5;
  // The URL to Zipkin, e.g. "http://127.0.0.1:9411/api/v2/spans"
  string zipkin_url = 6;
  // Enables the OpenCensus Agent exporter if set to true. The ocagent_address or
  // ocagent_grpc_service must also be set.
  bool ocagent_exporter_enabled = 11;
  // The address of the OpenCensus Agent, if its exporter is enabled, in gRPC
  // format: https://github.com/grpc/grpc/blob/master/doc/naming.md
  // [#comment:TODO: deprecate this field]
  string ocagent_address = 12;
  // (optional) The gRPC server hosted by the OpenCensus Agent. Only Google gRPC is supported.
  // This is only used if the ocagent_address is left empty.
  api.v2.core.GrpcService ocagent_grpc_service = 14;
  // List of incoming trace context headers we will accept. First one found
  // wins.
  repeated TraceContext incoming_trace_context = 8;
  // List of outgoing trace context headers we will produce.
  repeated TraceContext outgoing_trace_context = 9;
 }
 // Configuration structure.
 message TraceServiceConfig {
  // The upstream gRPC cluster that hosts the metrics service.
  api.v2.core.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/zipkin.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/zipkin.proto
@ -0,0 +1,64 @@
 syntax = "proto3";
 package envoy.config.trace.v2;
 import "google/protobuf/wrappers.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.config.trace.v2";
 option java_outer_classname = "ZipkinProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Zipkin tracer]
 // Configuration for the Zipkin tracer.
 // [#extension: envoy.tracers.zipkin]
 // [#next-free-field: 6]
 message ZipkinConfig {
  // Available Zipkin collector endpoint versions.
  enum CollectorEndpointVersion {
    // Zipkin API v1, JSON over HTTP.
    // [#comment: The default implementation of Zipkin client before this field is added was only v1
    // and the way user configure this was by not explicitly specifying the version. Consequently,
    // before this is added, the corresponding Zipkin collector expected to receive v1 payload.
    // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when
    // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field,
    // since in Zipkin realm this v1 version is considered to be not preferable anymore.]
    HTTP_JSON_V1 = 0 [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true];
    // Zipkin API v2, JSON over HTTP.
    HTTP_JSON = 1;
    // Zipkin API v2, protobuf over HTTP.
    HTTP_PROTO = 2;
    // [#not-implemented-hide:]
    GRPC = 3;
  }
  // The cluster manager cluster that hosts the Zipkin collectors. Note that the
  // Zipkin cluster must be defined in the :ref:`Bootstrap static cluster
  // resources <envoy_api_field_config.bootstrap.v2.Bootstrap.StaticResources.clusters>`.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
  // The API endpoint of the Zipkin service where the spans will be sent. When
  // using a standard Zipkin installation, the API endpoint is typically
  // /api/v1/spans, which is the default value.
  string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
  // Determines whether a 128bit trace id will be used when creating a new
  // trace instance. The default value is false, which will result in a 64 bit trace id being used.
  bool trace_id_128bit = 3;
  // Determines whether client and server spans will share the same span context.
  // The default value is true.
  google.protobuf.BoolValue shared_span_context = 4;
  // Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be
  // used.
  CollectorEndpointVersion collector_endpoint_version = 5;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/cert.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/cert.proto
@ -2,499 +2,12 @@ syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
-import "envoy/config/core/v3/base.proto";
+import "udpa/annotations/status.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/type/matcher/v3/string.proto";
-import "google/protobuf/any.proto";
+import public "envoy/extensions/transport_sockets/tls/v3/common.proto";
-import "google/protobuf/duration.proto";
+import public "envoy/extensions/transport_sockets/tls/v3/secret.proto";
-import "google/protobuf/struct.proto";
+import public "envoy/extensions/transport_sockets/tls/v3/tls.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
 option java_outer_classname = "CertProto";
 option java_multiple_files = true;
 // [#protodoc-title: Common TLS configuration]
 message TlsParameters {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters";
  enum TlsProtocol {
    // Envoy will choose the optimal TLS version.
    TLS_AUTO = 0;
    // TLS 1.0
    TLSv1_0 = 1;
    // TLS 1.1
    TLSv1_1 = 2;
    // TLS 1.2
    TLSv1_2 = 3;
    // TLS 1.3
    TLSv1_3 = 4;
  }
  // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
  // servers.
  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
  // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
  // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
  TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
  // If specified, the TLS listener will only support the specified `cipher list
  // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
  // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
  // specified, the default list will be used.
  //
  // In non-FIPS builds, the default cipher list is:
  //
  // .. code-block:: none
  //
  //   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
  //   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
  //   ECDHE-ECDSA-AES128-SHA
  //   ECDHE-RSA-AES128-SHA
  //   AES128-GCM-SHA256
  //   AES128-SHA
  //   ECDHE-ECDSA-AES256-GCM-SHA384
  //   ECDHE-RSA-AES256-GCM-SHA384
  //   ECDHE-ECDSA-AES256-SHA
  //   ECDHE-RSA-AES256-SHA
  //   AES256-GCM-SHA384
  //   AES256-SHA
  //
  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
  //
  // .. code-block:: none
  //
  //   ECDHE-ECDSA-AES128-GCM-SHA256
  //   ECDHE-RSA-AES128-GCM-SHA256
  //   ECDHE-ECDSA-AES128-SHA
  //   ECDHE-RSA-AES128-SHA
  //   AES128-GCM-SHA256
  //   AES128-SHA
  //   ECDHE-ECDSA-AES256-GCM-SHA384
  //   ECDHE-RSA-AES256-GCM-SHA384
  //   ECDHE-ECDSA-AES256-SHA
  //   ECDHE-RSA-AES256-SHA
  //   AES256-GCM-SHA384
  //   AES256-SHA
  repeated string cipher_suites = 3;
  // If specified, the TLS connection will only support the specified ECDH
  // curves. If not specified, the default curves will be used.
  //
  // In non-FIPS builds, the default curves are:
  //
  // .. code-block:: none
  //
  //   X25519
  //   P-256
  //
  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
  //
  // .. code-block:: none
  //
  //   P-256
  repeated string ecdh_curves = 4;
 }
 // BoringSSL private key method configuration. The private key methods are used for external
 // (potentially asynchronous) signing and decryption operations. Some use cases for private key
 // methods would be TPM support and TLS acceleration.
 message PrivateKeyProvider {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.PrivateKeyProvider";
  reserved 2;
  reserved "config";
  // Private key method provider name. The name must match a
  // supported private key method provider type.
  string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
  // Private key method provider specific configuration.
  oneof config_type {
    google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
  }
 }
 // [#next-free-field: 7]
 message TlsCertificate {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate";
  // The TLS certificate chain.
  config.core.v3.DataSource certificate_chain = 1;
  // The TLS private key.
  config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
  // BoringSSL private key method provider. This is an alternative to :ref:`private_key
  // <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
  // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
  // <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
  // :ref:`private_key_provider
  // <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
  // error.
  PrivateKeyProvider private_key_provider = 6;
  // The password to decrypt the TLS private key. If this field is not set, it is assumed that the
  // TLS private key is not password encrypted.
  config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true];
  // [#not-implemented-hide:]
  config.core.v3.DataSource ocsp_staple = 4;
  // [#not-implemented-hide:]
  repeated config.core.v3.DataSource signed_certificate_timestamp = 5;
 }
 message TlsSessionTicketKeys {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.TlsSessionTicketKeys";
  // Keys for encrypting and decrypting TLS session tickets. The
  // first key in the array contains the key to encrypt all new sessions created by this context.
  // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
  // by, for example, putting the new key first, and the previous key second.
  //
  // If :ref:`session_ticket_keys <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
  // is not specified, the TLS library will still support resuming sessions via tickets, but it will
  // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
  // or on different hosts.
  //
  // Each key must contain exactly 80 bytes of cryptographically-secure random data. For
  // example, the output of ``openssl rand 80``.
  //
  // .. attention::
  //
  //   Using this feature has serious security considerations and risks. Improper handling of keys
  //   may result in loss of secrecy in connections, even if ciphers supporting perfect forward
  //   secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
  //   discussion. To minimize the risk, you must:
  //
  //   * Keep the session ticket keys at least as secure as your TLS certificate private keys
  //   * Rotate session ticket keys at least daily, and preferably hourly
  //   * Always generate keys using a cryptographically-secure random data source
  repeated config.core.v3.DataSource keys = 1
      [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 // [#next-free-field: 11]
 message CertificateValidationContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.CertificateValidationContext";
  // Peer certificate verification mode.
  enum TrustChainVerification {
    // Perform default certificate verification (e.g., against CA / verification lists)
    VERIFY_TRUST_CHAIN = 0;
    // Connections where the certificate fails verification will be permitted.
    // For HTTP connections, the result of certificate verification can be used in route matching. (
    // see :ref:`validated <envoy_api_field_config.route.v3.RouteMatch.TlsContextMatchOptions.validated>` ).
    ACCEPT_UNTRUSTED = 1;
  }
  reserved 4;
  reserved "verify_subject_alt_name";
  // TLS certificate data containing certificate authority certificates to use in verifying
  // a presented peer certificate (e.g. server certificate for clusters or client certificate
  // for listeners). If not specified and a peer certificate is presented it will not be
  // verified. By default, a client certificate is optional, unless one of the additional
  // options (:ref:`require_client_certificate
  // <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
  // :ref:`verify_certificate_spki
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
  // :ref:`verify_certificate_hash
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
  // :ref:`match_subject_alt_names
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>`) is also
  // specified.
  //
  // It can optionally contain certificate revocation lists, in which case Envoy will verify
  // that the presented peer certificate has not been revoked by one of the included CRLs.
  //
  // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
  // system CA locations.
  config.core.v3.DataSource trusted_ca = 1;
  // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
  // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
  // matches one of the specified values.
  //
  // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
  // can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -noout -pubkey
  //     | openssl pkey -pubin -outform DER
  //     | openssl dgst -sha256 -binary
  //     | openssl enc -base64
  //   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
  //
  // This is the format used in HTTP Public Key Pinning.
  //
  // When both:
  // :ref:`verify_certificate_hash
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
  // :ref:`verify_certificate_spki
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
  // a hash matching value from either of the lists will result in the certificate being accepted.
  //
  // .. attention::
  //
  //   This option is preferred over :ref:`verify_certificate_hash
  //   <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
  //   because SPKI is tied to a private key, so it doesn't change when the certificate
  //   is renewed using the same private key.
  repeated string verify_certificate_spki = 3
      [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
  // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
  // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
  //
  // A hex-encoded SHA-256 of the certificate can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  //   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
  //
  // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
  // can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  //   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
  //
  // Both of those formats are acceptable.
  //
  // When both:
  // :ref:`verify_certificate_hash
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
  // :ref:`verify_certificate_spki
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
  // a hash matching value from either of the lists will result in the certificate being accepted.
  repeated string verify_certificate_hash = 2
      [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
  // An optional list of Subject Alternative name matchers. Envoy will verify that the
  // Subject Alternative Name of the presented certificate matches one of the specified matches.
  //
  // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
  // configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v3.StringMatcher>`.
  // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
  // it should be configured as shown below.
  //
  // .. code-block:: yaml
  //
  //  match_subject_alt_names:
  //    exact: "api.example.com"
  //
  // .. attention::
  //
  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
  //   therefore this option must be used together with :ref:`trusted_ca
  //   <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
  repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9;
  // [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
  google.protobuf.BoolValue require_ocsp_staple = 5;
  // [#not-implemented-hide:] Must present signed certificate time-stamp.
  google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
  // An optional `certificate revocation list
  // <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
  // (in PEM format). If specified, Envoy will verify that the presented peer
  // certificate has not been revoked by this CRL. If this DataSource contains
  // multiple CRLs, all of them will be used.
  config.core.v3.DataSource crl = 7;
  // If specified, Envoy will not reject expired certificates.
  bool allow_expired_certificate = 8;
  // Certificate trust chain verification mode.
  TrustChainVerification trust_chain_verification = 10
      [(validate.rules).enum = {defined_only: true}];
 }
 // TLS context shared by both client and server TLS contexts.
 // [#next-free-field: 9]
 message CommonTlsContext {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
  message CombinedCertificateValidationContext {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext";
    // How to validate peer certificates.
    CertificateValidationContext default_validation_context = 1
        [(validate.rules).message = {required: true}];
    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 2
        [(validate.rules).message = {required: true}];
  }
  reserved 5;
  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;
  // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
  // same context to allow both RSA and ECDSA certificates.
  //
  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
  // used for clients that support ECDSA.
  repeated TlsCertificate tls_certificates = 2;
  // Configs for fetching TLS certificates via SDS API.
  repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
      [(validate.rules).repeated = {max_items: 1}];
  oneof validation_context_type {
    // How to validate peer certificates.
    CertificateValidationContext validation_context = 3;
    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 7;
    // Combined certificate validation context holds a default CertificateValidationContext
    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
    // and default CertificateValidationContext are merged into a new CertificateValidationContext
    // for validation. This merge is done by Message::MergeFrom(), so dynamic
    // CertificateValidationContext overwrites singular fields in default
    // CertificateValidationContext, and concatenates repeated fields to default
    // CertificateValidationContext, and logical OR is applied to boolean fields.
    CombinedCertificateValidationContext combined_validation_context = 8;
  }
  // Supplies the list of ALPN protocols that the listener should expose. In
  // practice this is likely to be set to one of two values (see the
  // :ref:`codec_type
  // <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type>`
  // parameter in the HTTP connection manager for more information):
  //
  // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
  // * "http/1.1" If the listener is only going to support HTTP/1.1.
  //
  // There is no default for this parameter. If empty, Envoy will not expose ALPN.
  repeated string alpn_protocols = 4;
 }
 message UpstreamTlsContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.UpstreamTlsContext";
  // Common TLS context settings.
  //
  // .. attention::
  //
  //   Server certificate verification is not enabled by default. Configure
  //   :ref:`trusted_ca<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
  //   verification.
  CommonTlsContext common_tls_context = 1;
  // SNI string to use when creating TLS backend connections.
  string sni = 2 [(validate.rules).string = {max_bytes: 255}];
  // If true, server-initiated TLS renegotiation will be allowed.
  //
  // .. attention::
  //
  //   TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
  bool allow_renegotiation = 3;
  // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
  // for TLSv1.2 and older) to store for the purpose of session resumption.
  //
  // Defaults to 1, setting this to 0 disables session resumption.
  google.protobuf.UInt32Value max_session_keys = 4;
 }
 // [#next-free-field: 7]
 message DownstreamTlsContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.DownstreamTlsContext";
  // Common TLS context settings.
  CommonTlsContext common_tls_context = 1;
  // If specified, Envoy will reject connections without a valid client
  // certificate.
  google.protobuf.BoolValue require_client_certificate = 2;
  // If specified, Envoy will reject connections without a valid and matching SNI.
  // [#not-implemented-hide:]
  google.protobuf.BoolValue require_sni = 3;
  oneof session_ticket_keys_type {
    // TLS session ticket key settings.
    TlsSessionTicketKeys session_ticket_keys = 4;
    // Config for fetching TLS session ticket keys via SDS API.
    SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
  }
  // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
  // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
  // <https://tools.ietf.org/html/rfc5077#section-5.6>`
  // only seconds could be specified (fractional seconds are going to be ignored).
  google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
    lt {seconds: 4294967296}
    gte {}
  }];
 }
 message GenericSecret {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret";
  // Secret of generic type and is available to filters.
  config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
 }
 message SdsSecretConfig {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig";
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  // When both name and config are specified, then secret can be fetched and/or reloaded via
  // SDS. When only name is specified, then secret will be loaded from static resources.
  string name = 1;
  config.core.v3.ConfigSource sds_config = 2;
 }
 // [#next-free-field: 6]
 message Secret {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret";
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  string name = 1;
  oneof type {
    TlsCertificate tls_certificate = 2;
    TlsSessionTicketKeys session_ticket_keys = 3;
    CertificateValidationContext validation_context = 4;
    GenericSecret generic_secret = 5;
  }
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto
@ -0,0 +1,334 @@
 syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
 option java_outer_classname = "CommonProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Common TLS configuration]
 message TlsParameters {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters";
  enum TlsProtocol {
    // Envoy will choose the optimal TLS version.
    TLS_AUTO = 0;
    // TLS 1.0
    TLSv1_0 = 1;
    // TLS 1.1
    TLSv1_1 = 2;
    // TLS 1.2
    TLSv1_2 = 3;
    // TLS 1.3
    TLSv1_3 = 4;
  }
  // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
  // servers.
  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
  // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
  // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
  TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
  // If specified, the TLS listener will only support the specified `cipher list
  // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
  // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
  // specified, the default list will be used.
  //
  // In non-FIPS builds, the default cipher list is:
  //
  // .. code-block:: none
  //
  //   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
  //   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
  //   ECDHE-ECDSA-AES128-SHA
  //   ECDHE-RSA-AES128-SHA
  //   AES128-GCM-SHA256
  //   AES128-SHA
  //   ECDHE-ECDSA-AES256-GCM-SHA384
  //   ECDHE-RSA-AES256-GCM-SHA384
  //   ECDHE-ECDSA-AES256-SHA
  //   ECDHE-RSA-AES256-SHA
  //   AES256-GCM-SHA384
  //   AES256-SHA
  //
  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
  //
  // .. code-block:: none
  //
  //   ECDHE-ECDSA-AES128-GCM-SHA256
  //   ECDHE-RSA-AES128-GCM-SHA256
  //   ECDHE-ECDSA-AES128-SHA
  //   ECDHE-RSA-AES128-SHA
  //   AES128-GCM-SHA256
  //   AES128-SHA
  //   ECDHE-ECDSA-AES256-GCM-SHA384
  //   ECDHE-RSA-AES256-GCM-SHA384
  //   ECDHE-ECDSA-AES256-SHA
  //   ECDHE-RSA-AES256-SHA
  //   AES256-GCM-SHA384
  //   AES256-SHA
  repeated string cipher_suites = 3;
  // If specified, the TLS connection will only support the specified ECDH
  // curves. If not specified, the default curves will be used.
  //
  // In non-FIPS builds, the default curves are:
  //
  // .. code-block:: none
  //
  //   X25519
  //   P-256
  //
  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
  //
  // .. code-block:: none
  //
  //   P-256
  repeated string ecdh_curves = 4;
 }
 // BoringSSL private key method configuration. The private key methods are used for external
 // (potentially asynchronous) signing and decryption operations. Some use cases for private key
 // methods would be TPM support and TLS acceleration.
 message PrivateKeyProvider {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.PrivateKeyProvider";
  reserved 2;
  reserved "config";
  // Private key method provider name. The name must match a
  // supported private key method provider type.
  string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
  // Private key method provider specific configuration.
  oneof config_type {
    google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
  }
 }
 // [#next-free-field: 7]
 message TlsCertificate {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate";
  // The TLS certificate chain.
  config.core.v3.DataSource certificate_chain = 1;
  // The TLS private key.
  config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
  // BoringSSL private key method provider. This is an alternative to :ref:`private_key
  // <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
  // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
  // <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
  // :ref:`private_key_provider
  // <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
  // error.
  PrivateKeyProvider private_key_provider = 6;
  // The password to decrypt the TLS private key. If this field is not set, it is assumed that the
  // TLS private key is not password encrypted.
  config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true];
  // [#not-implemented-hide:]
  config.core.v3.DataSource ocsp_staple = 4;
  // [#not-implemented-hide:]
  repeated config.core.v3.DataSource signed_certificate_timestamp = 5;
 }
 message TlsSessionTicketKeys {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.TlsSessionTicketKeys";
  // Keys for encrypting and decrypting TLS session tickets. The
  // first key in the array contains the key to encrypt all new sessions created by this context.
  // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
  // by, for example, putting the new key first, and the previous key second.
  //
  // If :ref:`session_ticket_keys <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
  // is not specified, the TLS library will still support resuming sessions via tickets, but it will
  // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
  // or on different hosts.
  //
  // Each key must contain exactly 80 bytes of cryptographically-secure random data. For
  // example, the output of ``openssl rand 80``.
  //
  // .. attention::
  //
  //   Using this feature has serious security considerations and risks. Improper handling of keys
  //   may result in loss of secrecy in connections, even if ciphers supporting perfect forward
  //   secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
  //   discussion. To minimize the risk, you must:
  //
  //   * Keep the session ticket keys at least as secure as your TLS certificate private keys
  //   * Rotate session ticket keys at least daily, and preferably hourly
  //   * Always generate keys using a cryptographically-secure random data source
  repeated config.core.v3.DataSource keys = 1
      [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 // [#next-free-field: 11]
 message CertificateValidationContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.CertificateValidationContext";
  // Peer certificate verification mode.
  enum TrustChainVerification {
    // Perform default certificate verification (e.g., against CA / verification lists)
    VERIFY_TRUST_CHAIN = 0;
    // Connections where the certificate fails verification will be permitted.
    // For HTTP connections, the result of certificate verification can be used in route matching. (
    // see :ref:`validated <envoy_api_field_config.route.v3.RouteMatch.TlsContextMatchOptions.validated>` ).
    ACCEPT_UNTRUSTED = 1;
  }
  reserved 4;
  reserved "verify_subject_alt_name";
  // TLS certificate data containing certificate authority certificates to use in verifying
  // a presented peer certificate (e.g. server certificate for clusters or client certificate
  // for listeners). If not specified and a peer certificate is presented it will not be
  // verified. By default, a client certificate is optional, unless one of the additional
  // options (:ref:`require_client_certificate
  // <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
  // :ref:`verify_certificate_spki
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
  // :ref:`verify_certificate_hash
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
  // :ref:`match_subject_alt_names
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>`) is also
  // specified.
  //
  // It can optionally contain certificate revocation lists, in which case Envoy will verify
  // that the presented peer certificate has not been revoked by one of the included CRLs.
  //
  // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
  // system CA locations.
  config.core.v3.DataSource trusted_ca = 1;
  // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
  // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
  // matches one of the specified values.
  //
  // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
  // can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -noout -pubkey
  //     | openssl pkey -pubin -outform DER
  //     | openssl dgst -sha256 -binary
  //     | openssl enc -base64
  //   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
  //
  // This is the format used in HTTP Public Key Pinning.
  //
  // When both:
  // :ref:`verify_certificate_hash
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
  // :ref:`verify_certificate_spki
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
  // a hash matching value from either of the lists will result in the certificate being accepted.
  //
  // .. attention::
  //
  //   This option is preferred over :ref:`verify_certificate_hash
  //   <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
  //   because SPKI is tied to a private key, so it doesn't change when the certificate
  //   is renewed using the same private key.
  repeated string verify_certificate_spki = 3
      [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
  // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
  // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
  //
  // A hex-encoded SHA-256 of the certificate can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  //   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
  //
  // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
  // can be generated with the following command:
  //
  // .. code-block:: bash
  //
  //   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  //   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
  //
  // Both of those formats are acceptable.
  //
  // When both:
  // :ref:`verify_certificate_hash
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
  // :ref:`verify_certificate_spki
  // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
  // a hash matching value from either of the lists will result in the certificate being accepted.
  repeated string verify_certificate_hash = 2
      [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
  // An optional list of Subject Alternative name matchers. Envoy will verify that the
  // Subject Alternative Name of the presented certificate matches one of the specified matches.
  //
  // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
  // configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v3.StringMatcher>`.
  // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
  // it should be configured as shown below.
  //
  // .. code-block:: yaml
  //
  //  match_subject_alt_names:
  //    exact: "api.example.com"
  //
  // .. attention::
  //
  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
  //   therefore this option must be used together with :ref:`trusted_ca
  //   <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
  repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9;
  // [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
  google.protobuf.BoolValue require_ocsp_staple = 5;
  // [#not-implemented-hide:] Must present signed certificate time-stamp.
  google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
  // An optional `certificate revocation list
  // <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
  // (in PEM format). If specified, Envoy will verify that the presented peer
  // certificate has not been revoked by this CRL. If this DataSource contains
  // multiple CRLs, all of them will be used.
  config.core.v3.DataSource crl = 7;
  // If specified, Envoy will not reject expired certificates.
  bool allow_expired_certificate = 8;
  // Certificate trust chain verification mode.
  TrustChainVerification trust_chain_verification = 10
      [(validate.rules).enum = {defined_only: true}];
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto
@ -0,0 +1,54 @@
 syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/extensions/transport_sockets/tls/v3/common.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
 option java_outer_classname = "SecretProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Secrets configuration]
 message GenericSecret {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret";
  // Secret of generic type and is available to filters.
  config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
 }
 message SdsSecretConfig {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig";
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  // When both name and config are specified, then secret can be fetched and/or reloaded via
  // SDS. When only name is specified, then secret will be loaded from static resources.
  string name = 1;
  config.core.v3.ConfigSource sds_config = 2;
 }
 // [#next-free-field: 6]
 message Secret {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret";
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  string name = 1;
  oneof type {
    TlsCertificate tls_certificate = 2;
    TlsSessionTicketKeys session_ticket_keys = 3;
    CertificateValidationContext validation_context = 4;
    GenericSecret generic_secret = 5;
  }
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto
@ -0,0 +1,204 @@
 syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
 import "envoy/config/core/v3/extension.proto";
 import "envoy/extensions/transport_sockets/tls/v3/common.proto";
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
 option java_outer_classname = "TlsProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: TLS transport socket]
 // [#extension: envoy.transport_sockets.tls]
 // The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.
 message UpstreamTlsContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.UpstreamTlsContext";
  // Common TLS context settings.
  //
  // .. attention::
  //
  //   Server certificate verification is not enabled by default. Configure
  //   :ref:`trusted_ca<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
  //   verification.
  CommonTlsContext common_tls_context = 1;
  // SNI string to use when creating TLS backend connections.
  string sni = 2 [(validate.rules).string = {max_bytes: 255}];
  // If true, server-initiated TLS renegotiation will be allowed.
  //
  // .. attention::
  //
  //   TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
  bool allow_renegotiation = 3;
  // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
  // for TLSv1.2 and older) to store for the purpose of session resumption.
  //
  // Defaults to 1, setting this to 0 disables session resumption.
  google.protobuf.UInt32Value max_session_keys = 4;
 }
 // [#next-free-field: 8]
 message DownstreamTlsContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.DownstreamTlsContext";
  // Common TLS context settings.
  CommonTlsContext common_tls_context = 1;
  // If specified, Envoy will reject connections without a valid client
  // certificate.
  google.protobuf.BoolValue require_client_certificate = 2;
  // If specified, Envoy will reject connections without a valid and matching SNI.
  // [#not-implemented-hide:]
  google.protobuf.BoolValue require_sni = 3;
  oneof session_ticket_keys_type {
    // TLS session ticket key settings.
    TlsSessionTicketKeys session_ticket_keys = 4;
    // Config for fetching TLS session ticket keys via SDS API.
    SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
    // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
    // server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
    // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
    // the keys specified through either :ref:`session_ticket_keys <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
    // or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
    // If this config is set to false and no keys are explicitly configured, the TLS server will issue
    // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
    // implication that sessions cannot be resumed across hot restarts or on different hosts.
    bool disable_stateless_session_resumption = 7;
  }
  // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
  // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
  // <https://tools.ietf.org/html/rfc5077#section-5.6>`
  // only seconds could be specified (fractional seconds are going to be ignored).
  google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
    lt {seconds: 4294967296}
    gte {}
  }];
 }
 // TLS context shared by both client and server TLS contexts.
 // [#next-free-field: 11]
 message CommonTlsContext {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
  // Config for Certificate provider to get certificates. This provider should allow certificates to be
  // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
  message CertificateProvider {
    // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
    // a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
    string name = 1 [(validate.rules).string = {min_bytes: 1}];
    // Provider specific config.
    // Note: an implementation is expected to dedup multiple instances of the same config
    // to maintain a single certificate-provider instance. The sharing can happen, for
    // example, among multiple clusters or between the tls_certificate and validation_context
    // certificate providers of a cluster.
    // This config could be supplied inline or (in future) a named xDS resource.
    oneof config {
      option (validate.required) = true;
      config.core.v3.TypedExtensionConfig typed_config = 2;
    }
  }
  message CombinedCertificateValidationContext {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext";
    // How to validate peer certificates.
    CertificateValidationContext default_validation_context = 1
        [(validate.rules).message = {required: true}];
    // Config for fetching validation context via SDS API. Note SDS API allows certificates to be
    // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
    // Only to be used when validation_context_certificate_provider is not used.
    SdsSecretConfig validation_context_sds_secret_config = 2 [
      (validate.rules).message = {required: true},
      (udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"
    ];
    // Certificate provider for fetching validation context - only to be used when
    // validation_context_sds_secret_config is not used.
    // [#not-implemented-hide:]
    CertificateProvider validation_context_certificate_provider = 3
        [(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"];
  }
  reserved 5;
  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;
  // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
  // same context to allow both RSA and ECDSA certificates.
  //
  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
  // used for clients that support ECDSA.
  repeated TlsCertificate tls_certificates = 2;
  // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
  // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
  repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
      [(validate.rules).repeated = {max_items: 1}];
  // Certificate provider for fetching TLS certificates.
  // [#not-implemented-hide:]
  CertificateProvider tls_certificate_certificate_provider = 9;
  oneof validation_context_type {
    // How to validate peer certificates.
    CertificateValidationContext validation_context = 3;
    // Config for fetching validation context via SDS API. Note SDS API allows certificates to be
    // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
    SdsSecretConfig validation_context_sds_secret_config = 7;
    // Combined certificate validation context holds a default CertificateValidationContext
    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
    // and default CertificateValidationContext are merged into a new CertificateValidationContext
    // for validation. This merge is done by Message::MergeFrom(), so dynamic
    // CertificateValidationContext overwrites singular fields in default
    // CertificateValidationContext, and concatenates repeated fields to default
    // CertificateValidationContext, and logical OR is applied to boolean fields.
    CombinedCertificateValidationContext combined_validation_context = 8;
    // Certificate provider for fetching validation context.
    // [#not-implemented-hide:]
    CertificateProvider validation_context_certificate_provider = 10;
  }
  // Supplies the list of ALPN protocols that the listener should expose. In
  // practice this is likely to be set to one of two values (see the
  // :ref:`codec_type
  // <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type>`
  // parameter in the HTTP connection manager for more information):
  //
  // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
  // * "http/1.1" If the listener is only going to support HTTP/1.1.
  //
  // There is no default for this parameter. If empty, Envoy will not expose ALPN.
  repeated string alpn_protocols = 4;
 }
--- a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto
@ -4,10 +4,13 @@ package envoy.service.discovery.v2;
 import "envoy/api/v2/discovery.proto";
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.service.discovery.v2";
 option java_outer_classname = "AdsProto";
 option java_multiple_files = true;
 option java_generic_services = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Aggregated Discovery Service (ADS)]
--- a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto
@ -8,12 +8,14 @@ import "google/api/annotations.proto";
 import "envoy/annotations/resource.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.service.discovery.v2";
 option java_outer_classname = "SdsProto";
 option java_multiple_files = true;
 option java_generic_services = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.service.secret.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Secret Discovery Service (SDS)]
--- a/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto
@ -7,12 +7,14 @@ import "envoy/api/v2/endpoint/load_report.proto";
 import "google/protobuf/duration.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.service.load_stats.v2";
 option java_outer_classname = "LrsProto";
 option java_multiple_files = true;
 option java_generic_services = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Load reporting service]
@ -64,7 +66,13 @@ message LoadStatsRequest {
 // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
 message LoadStatsResponse {
  // Clusters to report stats for.
-  repeated string clusters = 1 [(validate.rules).repeated = {min_items: 1}];
+  // Not populated if *send_all_clusters* is true.
  repeated string clusters = 1;
  // If true, the client should send all clusters it knows about.
  // Only clients that advertise the "envoy.lrs.supports_send_all_clusters" capability in their
  // :ref:`client_features<envoy_api_field_core.Node.client_features>` field will honor this field.
  bool send_all_clusters = 4;
  // The minimum interval of time to collect stats over. This is only a minimum for two reasons:
  // 1. There may be some delay from when the timer fires until stats sampling occurs.
--- a/xds/third_party/envoy/src/main/proto/envoy/type/http.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/http.proto
@ -2,9 +2,12 @@ syntax = "proto3";
 package envoy.type;
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.type";
 option java_outer_classname = "HttpProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: HTTP]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto
@ -4,11 +4,13 @@ package envoy.type.matcher;
 import "envoy/type/matcher/value.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.matcher";
 option java_outer_classname = "MetadataProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Metadata matcher]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/number.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/number.proto
@ -4,11 +4,13 @@ package envoy.type.matcher;
 import "envoy/type/range.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.matcher";
 option java_outer_classname = "NumberProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Number matcher]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/path.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/path.proto
@ -4,11 +4,13 @@ package envoy.type.matcher;
 import "envoy/type/matcher/string.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.matcher";
 option java_outer_classname = "PathProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Path matcher]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto
@ -4,11 +4,13 @@ package envoy.type.matcher;
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.matcher";
 option java_outer_classname = "RegexProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Regex matcher]
@ -22,7 +24,10 @@ message RegexMatcher {
    // compiled regex is to evaluate. A regex that has a program size greater than the configured
    // value will fail to compile. In this case, the configured max program size can be increased
    // or the regex can be simplified. If not specified, the default is 100.
-    google.protobuf.UInt32Value max_program_size = 1;
+    //
    // This field is deprecated; regexp validation should be performed on the management server
    // instead of being done by each individual client.
    google.protobuf.UInt32Value max_program_size = 1 [deprecated = true];
  }
  oneof engine_type {
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto
@ -5,11 +5,13 @@ package envoy.type.matcher;
 import "envoy/type/matcher/regex.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.matcher";
 option java_outer_classname = "StringProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: String matcher]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto
@ -4,13 +4,14 @@ package envoy.type.matcher.v3;
 import "google/protobuf/wrappers.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.matcher.v3";
 option java_outer_classname = "RegexProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Regex matcher]
@ -29,7 +30,10 @@ message RegexMatcher {
    // compiled regex is to evaluate. A regex that has a program size greater than the configured
    // value will fail to compile. In this case, the configured max program size can be increased
    // or the regex can be simplified. If not specified, the default is 100.
-    google.protobuf.UInt32Value max_program_size = 1;
+    //
    // This field is deprecated; regexp validation should be performed on the management server
    // instead of being done by each individual client.
    google.protobuf.UInt32Value max_program_size = 1 [deprecated = true];
  }
  oneof engine_type {
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto
@ -4,14 +4,15 @@ package envoy.type.matcher.v3;
 import "envoy/type/matcher/v3/regex.proto";
 import "udpa/annotations/versioning.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.matcher.v3";
 option java_outer_classname = "StringProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: String matcher]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/value.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/value.proto
@ -5,11 +5,13 @@ package envoy.type.matcher;
 import "envoy/type/matcher/number.proto";
 import "envoy/type/matcher/string.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.matcher";
 option java_outer_classname = "ValueProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Value matcher]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto
@ -3,12 +3,14 @@ syntax = "proto3";
 package envoy.type.metadata.v2;
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.metadata.v2";
 option java_outer_classname = "MetadataProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_migrate).move_to_package = "envoy.type.metadata.v3";
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Metadata]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto
@ -2,13 +2,14 @@ syntax = "proto3";
 package envoy.type.metadata.v3;
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.metadata.v3";
 option java_outer_classname = "MetadataProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Metadata]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto
@ -2,11 +2,13 @@ syntax = "proto3";
 package envoy.type;
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type";
 option java_outer_classname = "PercentProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Percent]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/range.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/range.proto
@ -2,9 +2,12 @@ syntax = "proto3";
 package envoy.type;
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.type";
 option java_outer_classname = "RangeProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Range]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto
@ -2,9 +2,12 @@ syntax = "proto3";
 package envoy.type;
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.type";
 option java_outer_classname = "SemanticVersionProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Semantic Version]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto
@ -4,11 +4,13 @@ package envoy.type.tracing.v2;
 import "envoy/type/metadata/v2/metadata.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.tracing.v2";
 option java_outer_classname = "CustomTagProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Custom Tag]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto
@ -4,13 +4,14 @@ package envoy.type.tracing.v3;
 import "envoy/type/metadata/v3/metadata.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.tracing.v3";
 option java_outer_classname = "CustomTagProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Custom Tag]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/v3/http.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/v3/http.proto
@ -2,9 +2,12 @@ syntax = "proto3";
 package envoy.type.v3;
 import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.type.v3";
 option java_outer_classname = "HttpProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: HTTP]
--- a/xds/third_party/envoy/src/main/proto/envoy/type/v3/percent.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/v3/percent.proto
@ -2,13 +2,14 @@ syntax = "proto3";
 package envoy.type.v3;
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.type.v3";
 option java_outer_classname = "PercentProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Percent]
--- a/Show More
+++ b/Show More