xds: import latest envoy and udpa protos to get new fields (#7747)

sanjaypujare 2020-12-22 12:22:40 -08:00 committed by GitHub
parent 5212e3c6df
commit e530e10648
GPG Key ID: 4AEE18F83AFDEB23
46 changed files with 482 additions and 224 deletions


@ -18,7 +18,7 @@
set -e set -e
BRANCH=master BRANCH=master
# import VERSION from one of the google internal CLs # import VERSION from one of the google internal CLs
VERSION=1c27396b1f7e756ba79eed72b47f485d44da1d41 VERSION=af17f954653afcab6a189673e3500b2e988f1aef
GIT_REPO="https://github.com/envoyproxy/envoy.git" GIT_REPO="https://github.com/envoyproxy/envoy.git"
GIT_BASE_DIR=envoy GIT_BASE_DIR=envoy
SOURCE_PROTO_BASE_DIR=envoy/api SOURCE_PROTO_BASE_DIR=envoy/api


@ -352,6 +352,10 @@ message Cluster {
// This header isn't sanitized by default, so enabling this feature allows HTTP clients to // This header isn't sanitized by default, so enabling this feature allows HTTP clients to
// route traffic to arbitrary hosts and/or ports, which may have serious security // route traffic to arbitrary hosts and/or ports, which may have serious security
// consequences. // consequences.
//
// .. note::
//
// If the header appears multiple times only the first value is used.
bool use_http_header = 1; bool use_http_header = 1;
} }
@ -677,10 +681,16 @@ message Cluster {
// :ref:`STRICT_DNS<envoy_api_enum_value_Cluster.DiscoveryType.STRICT_DNS>` // :ref:`STRICT_DNS<envoy_api_enum_value_Cluster.DiscoveryType.STRICT_DNS>`
// and :ref:`LOGICAL_DNS<envoy_api_enum_value_Cluster.DiscoveryType.LOGICAL_DNS>` // and :ref:`LOGICAL_DNS<envoy_api_enum_value_Cluster.DiscoveryType.LOGICAL_DNS>`
// this setting is ignored. // this setting is ignored.
// Setting this value causes failure if the
// ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
// server startup. Apple's API only allows overriding DNS resolvers via system settings.
repeated core.Address dns_resolvers = 18; repeated core.Address dns_resolvers = 18;
// [#next-major-version: Reconcile DNS options in a single message.] // [#next-major-version: Reconcile DNS options in a single message.]
// Always use TCP queries instead of UDP queries for DNS lookups. // Always use TCP queries instead of UDP queries for DNS lookups.
// Setting this value causes failure if the
// ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
// server startup. Apple' API only uses UDP for DNS resolution.
bool use_tcp_for_dns_lookups = 45; bool use_tcp_for_dns_lookups = 45;
// If specified, outlier detection will be enabled for this upstream cluster. // If specified, outlier detection will be enabled for this upstream cluster.
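Review bot: The note added to `use_http_header` says only the first value is used when the header repeats, but the existing warning that the header "isn't sanitized by default" does not say what that implies for whatever component does the sanitizing. A front proxy that appends its own value rather than removing existing ones would leave the client-supplied first value in effect. I would extend the comment with `// Sanitizing proxies must remove every client-supplied instance of this header; appending a trusted value is not sufficient.` The same note is added to `cluster_header` and `auto_host_rewrite_header` in `RouteAction` and to the v3 copy of this field, and the same addition applies there. The enclosing message starts outside the hunk, and because these protos are imported, the wording change belongs upstream.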


@ -756,6 +756,10 @@ message RouteAction {
// //
// Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 // Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
// *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead. // *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
//
// .. note::
//
// If the header appears multiple times only the first value is used.
string cluster_header = 2 string cluster_header = 2
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
@ -866,6 +870,10 @@ message RouteAction {
// //
// Pay attention to the potential security implications of using this option. Provided header // Pay attention to the potential security implications of using this option. Provided header
// must come from trusted source. // must come from trusted source.
//
// .. note::
//
// If the header appears multiple times only the first value is used.
string auto_host_rewrite_header = 29 [ string auto_host_rewrite_header = 29 [
(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false},
(udpa.annotations.field_migrate).rename = "host_rewrite_header" (udpa.annotations.field_migrate).rename = "host_rewrite_header"


@ -164,7 +164,7 @@ message RuntimeFilter {
// Runtime key to get an optional overridden numerator for use in the // Runtime key to get an optional overridden numerator for use in the
// *percent_sampled* field. If found in runtime, this value will replace the // *percent_sampled* field. If found in runtime, this value will replace the
// default numerator. // default numerator.
string runtime_key = 1 [(validate.rules).string = {min_bytes: 1}]; string runtime_key = 1 [(validate.rules).string = {min_len: 1}];
// The default sampling percentage. If not specified, defaults to 0% with // The default sampling percentage. If not specified, defaults to 0% with
// denominator of 100. // denominator of 100.


@ -19,8 +19,8 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto"; import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto"; import "google/protobuf/wrappers.proto";
import "udpa/core/v1/collection_entry.proto"; import "xds/core/v3/collection_entry.proto";
import "udpa/core/v1/resource_locator.proto"; import "xds/core/v3/resource_locator.proto";
import "envoy/annotations/deprecation.proto"; import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto"; import "udpa/annotations/migrate.proto";
@ -39,7 +39,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// Cluster list collections. Entries are *Cluster* resources or references. // Cluster list collections. Entries are *Cluster* resources or references.
// [#not-implemented-hide:] // [#not-implemented-hide:]
message ClusterCollection { message ClusterCollection {
udpa.core.v1.CollectionEntry entries = 1; xds.core.v3.CollectionEntry entries = 1;
} }
// Configuration for a single upstream cluster. // Configuration for a single upstream cluster.
@ -170,7 +170,7 @@ message Cluster {
"envoy.api.v2.Cluster.CustomClusterType"; "envoy.api.v2.Cluster.CustomClusterType";
// The type of the cluster to instantiate. The name must match a supported cluster type. // The type of the cluster to instantiate. The name must match a supported cluster type.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// Cluster specific configuration which depends on the cluster being instantiated. // Cluster specific configuration which depends on the cluster being instantiated.
// See the supported cluster for further documentation. // See the supported cluster for further documentation.
@ -192,7 +192,7 @@ message Cluster {
// Resource locator for EDS. This is mutually exclusive to *service_name*. // Resource locator for EDS. This is mutually exclusive to *service_name*.
// [#not-implemented-hide:] // [#not-implemented-hide:]
udpa.core.v1.ResourceLocator eds_resource_locator = 3 xds.core.v3.ResourceLocator eds_resource_locator = 3
[(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];
} }
@ -436,6 +436,10 @@ message Cluster {
// This header isn't sanitized by default, so enabling this feature allows HTTP clients to // This header isn't sanitized by default, so enabling this feature allows HTTP clients to
// route traffic to arbitrary hosts and/or ports, which may have serious security // route traffic to arbitrary hosts and/or ports, which may have serious security
// consequences. // consequences.
//
// .. note::
//
// If the header appears multiple times only the first value is used.
bool use_http_header = 1; bool use_http_header = 1;
} }
@ -700,7 +704,7 @@ message Cluster {
// :ref:`statistics <config_cluster_manager_cluster_stats>` if :ref:`alt_stat_name // :ref:`statistics <config_cluster_manager_cluster_stats>` if :ref:`alt_stat_name
// <envoy_api_field_config.cluster.v3.Cluster.alt_stat_name>` is not provided. // <envoy_api_field_config.cluster.v3.Cluster.alt_stat_name>` is not provided.
// Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics. // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// An optional alternative to the cluster name to be used while emitting stats. // An optional alternative to the cluster name to be used while emitting stats.
// Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be
@ -829,10 +833,16 @@ message Cluster {
// :ref:`STRICT_DNS<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>` // :ref:`STRICT_DNS<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
// and :ref:`LOGICAL_DNS<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>` // and :ref:`LOGICAL_DNS<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
// this setting is ignored. // this setting is ignored.
// Setting this value causes failure if the
// ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
// server startup. Apple's API only allows overriding DNS resolvers via system settings.
repeated core.v3.Address dns_resolvers = 18; repeated core.v3.Address dns_resolvers = 18;
// [#next-major-version: Reconcile DNS options in a single message.] // [#next-major-version: Reconcile DNS options in a single message.]
// Always use TCP queries instead of UDP queries for DNS lookups. // Always use TCP queries instead of UDP queries for DNS lookups.
// Setting this value causes failure if the
// ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
// server startup. Apple' API only uses UDP for DNS resolution.
bool use_tcp_for_dns_lookups = 45; bool use_tcp_for_dns_lookups = 45;
// If specified, outlier detection will be enabled for this upstream cluster. // If specified, outlier detection will be enabled for this upstream cluster.
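Review bot: The new comment on `use_tcp_for_dns_lookups` contains a typo, `Apple' API only uses UDP for DNS resolution.`, which should read `Apple's API only uses UDP for DNS resolution.`; the v2 copy of the field has the same typo. Both new comments, here and on `dns_resolvers`, say that setting the value "causes failure" without saying what fails. If the intent is that configuration is rejected at server startup, stating that outright would tell operators whether to expect a refused config or a runtime resolution error. The file is imported, so the correction belongs upstream.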


@ -21,7 +21,7 @@ message Filter {
// The name of the filter to instantiate. The name must match a // The name of the filter to instantiate. The name must match a
// :ref:`supported filter <config_network_filters>`. // :ref:`supported filter <config_network_filters>`.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// Filter specific configuration which depends on the filter being // Filter specific configuration which depends on the filter being
// instantiated. See the supported filters for further documentation. // instantiated. See the supported filters for further documentation.


@ -24,7 +24,7 @@ message Pipe {
// abstract namespace. The starting '@' is replaced by a null byte by Envoy. // abstract namespace. The starting '@' is replaced by a null byte by Envoy.
// Paths starting with '@' will result in an error in environments other than // Paths starting with '@' will result in an error in environments other than
// Linux. // Linux.
string path = 1 [(validate.rules).string = {min_bytes: 1}]; string path = 1 [(validate.rules).string = {min_len: 1}];
// The mode for the Pipe. Not applicable for abstract sockets. // The mode for the Pipe. Not applicable for abstract sockets.
uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}]; uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}];
@ -32,6 +32,7 @@ message Pipe {
// [#not-implemented-hide:] The address represents an envoy internal listener. // [#not-implemented-hide:] The address represents an envoy internal listener.
// TODO(lambdai): Make this address available for listener and endpoint. // TODO(lambdai): Make this address available for listener and endpoint.
// TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.
message EnvoyInternalAddress { message EnvoyInternalAddress {
oneof address_name_specifier { oneof address_name_specifier {
option (validate.required) = true; option (validate.required) = true;
@ -63,7 +64,7 @@ message SocketAddress {
// address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS // address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS
// (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized // (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized
// via :ref:`resolver_name <envoy_api_field_config.core.v3.SocketAddress.resolver_name>`. // via :ref:`resolver_name <envoy_api_field_config.core.v3.SocketAddress.resolver_name>`.
string address = 2 [(validate.rules).string = {min_bytes: 1}]; string address = 2 [(validate.rules).string = {min_len: 1}];
oneof port_specifier { oneof port_specifier {
option (validate.required) = true; option (validate.required) = true;
@ -152,7 +153,7 @@ message CidrRange {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange";
// IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
string address_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; string address_prefix = 1 [(validate.rules).string = {min_len: 1}];
// Length of prefix, e.g. 0, 32. // Length of prefix, e.g. 0, 32.
google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];


@ -237,7 +237,16 @@ message RuntimeUInt32 {
uint32 default_value = 2; uint32 default_value = 2;
// Runtime key to get value for comparison. This value is used if defined. // Runtime key to get value for comparison. This value is used if defined.
string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}]; string runtime_key = 3 [(validate.rules).string = {min_len: 1}];
}
// Runtime derived percentage with a default when not specified.
message RuntimePercent {
// Default value if runtime value is not available.
type.v3.Percent default_value = 1;
// Runtime key to get value for comparison. This value is used if defined.
string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
} }
// Runtime derived double with a default when not specified. // Runtime derived double with a default when not specified.
@ -248,7 +257,7 @@ message RuntimeDouble {
double default_value = 1; double default_value = 1;
// Runtime key to get value for comparison. This value is used if defined. // Runtime key to get value for comparison. This value is used if defined.
string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}]; string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
} }
// Runtime derived bool with a default when not specified. // Runtime derived bool with a default when not specified.
@ -262,7 +271,7 @@ message RuntimeFeatureFlag {
// Runtime key to get value for comparison. This value is used if defined. The boolean value must // Runtime key to get value for comparison. This value is used if defined. The boolean value must
// be represented via its // be represented via its
// `canonical JSON encoding <https://developers.google.com/protocol-buffers/docs/proto3#json>`_. // `canonical JSON encoding <https://developers.google.com/protocol-buffers/docs/proto3#json>`_.
string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}]; string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
} }
// Header name/value pair. // Header name/value pair.
@ -272,7 +281,7 @@ message HeaderValue {
// Header name. // Header name.
string key = 1 string key = 1
[(validate.rules).string = [(validate.rules).string =
{min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Header value. // Header value.
// //
@ -304,6 +313,13 @@ message HeaderMap {
repeated HeaderValue headers = 1; repeated HeaderValue headers = 1;
} }
// A directory that is watched for changes, e.g. by inotify on Linux. Move/rename
// events inside this directory trigger the watch.
message WatchedDirectory {
// Directory path to watch.
string path = 1 [(validate.rules).string = {min_len: 1}];
}
// Data source consisting of either a file or an inline value. // Data source consisting of either a file or an inline value.
message DataSource { message DataSource {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.DataSource"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.DataSource";
@ -312,13 +328,13 @@ message DataSource {
option (validate.required) = true; option (validate.required) = true;
// Local filesystem data source. // Local filesystem data source.
string filename = 1 [(validate.rules).string = {min_bytes: 1}]; string filename = 1 [(validate.rules).string = {min_len: 1}];
// Bytes inlined in the configuration. // Bytes inlined in the configuration.
bytes inline_bytes = 2 [(validate.rules).bytes = {min_len: 1}]; bytes inline_bytes = 2 [(validate.rules).bytes = {min_len: 1}];
// String inlined in the configuration. // String inlined in the configuration.
string inline_string = 3 [(validate.rules).string = {min_bytes: 1}]; string inline_string = 3 [(validate.rules).string = {min_len: 1}];
} }
} }
@ -345,7 +361,7 @@ message RemoteDataSource {
HttpUri http_uri = 1 [(validate.rules).message = {required: true}]; HttpUri http_uri = 1 [(validate.rules).message = {required: true}];
// SHA256 string for verifying data. // SHA256 string for verifying data.
string sha256 = 2 [(validate.rules).string = {min_bytes: 1}]; string sha256 = 2 [(validate.rules).string = {min_len: 1}];
// Retry policy for fetching remote data. // Retry policy for fetching remote data.
RetryPolicy retry_policy = 3; RetryPolicy retry_policy = 3;
@ -379,7 +395,7 @@ message TransportSocket {
// The name of the transport socket to instantiate. The name must match a supported transport // The name of the transport socket to instantiate. The name must match a supported transport
// socket implementation. // socket implementation.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// Implementation specific configuration which depends on the implementation being instantiated. // Implementation specific configuration which depends on the implementation being instantiated.
// See the supported transport socket implementations for further documentation. // See the supported transport socket implementations for further documentation.
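Review bot: The rule on `RemoteDataSource.sha256` still only requires a non-empty string after the switch to `min_len: 1`, so a truncated or non-hex digest passes validation for a field documented as being "for verifying data". Assuming the digest is hex-encoded, a rule such as `[(validate.rules).string = {len: 64 pattern: "^[0-9a-fA-F]{64}$"}]` would reject malformed values at config load instead of leaving it to the fetch path, whose handling is not visible here. Because this file is imported, the rule change belongs upstream. Locally, code that consumes the field should check length and hex form before comparing, and treat a malformed digest as a verification failure.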


@ -7,7 +7,7 @@ import "envoy/config/core/v3/grpc_service.proto";
import "google/protobuf/duration.proto"; import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto"; import "google/protobuf/wrappers.proto";
import "udpa/core/v1/authority.proto"; import "xds/core/v3/authority.proto";
import "envoy/annotations/deprecation.proto"; import "envoy/annotations/deprecation.proto";
import "udpa/annotations/status.proto"; import "udpa/annotations/status.proto";
@ -153,11 +153,11 @@ message ConfigSource {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource";
// Authorities that this config source may be used for. An authority specified // Authorities that this config source may be used for. An authority specified
// in a *udpa.core.v1.ResourceLocator* is resolved to a *ConfigSource* prior // in a *xds.core.v3.ResourceLocator* is resolved to a *ConfigSource* prior
// to configuration fetch. This field provides the association between // to configuration fetch. This field provides the association between
// authority name and configuration source. // authority name and configuration source.
// [#not-implemented-hide:] // [#not-implemented-hide:]
repeated udpa.core.v1.Authority authorities = 7; repeated xds.core.v3.Authority authorities = 7;
oneof config_source_specifier { oneof config_source_specifier {
option (validate.required) = true; option (validate.required) = true;


@ -35,13 +35,13 @@ message GrpcService {
// The name of the upstream gRPC cluster. SSL credentials will be supplied // The name of the upstream gRPC cluster. SSL credentials will be supplied
// in the :ref:`Cluster <envoy_api_msg_config.cluster.v3.Cluster>` :ref:`transport_socket // in the :ref:`Cluster <envoy_api_msg_config.cluster.v3.Cluster>` :ref:`transport_socket
// <envoy_api_field_config.cluster.v3.Cluster.transport_socket>`. // <envoy_api_field_config.cluster.v3.Cluster.transport_socket>`.
string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}]; string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
// The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`. // The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`.
// Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster. // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster.
string authority = 2 string authority = 2
[(validate.rules).string = [(validate.rules).string =
{min_bytes: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}];
} }
// [#next-free-field: 9] // [#next-free-field: 9]
@ -160,10 +160,10 @@ message GrpcService {
// The path of subject token, a security token that represents the // The path of subject token, a security token that represents the
// identity of the party on behalf of whom the request is being made. // identity of the party on behalf of whom the request is being made.
string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}]; string subject_token_path = 6 [(validate.rules).string = {min_len: 1}];
// Type of the subject token. // Type of the subject token.
string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}]; string subject_token_type = 7 [(validate.rules).string = {min_len: 1}];
// The path of actor token, a security token that represents the identity // The path of actor token, a security token that represents the identity
// of the acting party. The acting party is authorized to use the // of the acting party. The acting party is authorized to use the
@ -230,7 +230,7 @@ message GrpcService {
// The target URI when using the `Google C++ gRPC client // The target URI when using the `Google C++ gRPC client
// <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in // <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in
// :ref:`channel_credentials <envoy_api_field_config.core.v3.GrpcService.GoogleGrpc.channel_credentials>`. // :ref:`channel_credentials <envoy_api_field_config.core.v3.GrpcService.GoogleGrpc.channel_credentials>`.
string target_uri = 1 [(validate.rules).string = {min_bytes: 1}]; string target_uri = 1 [(validate.rules).string = {min_len: 1}];
ChannelCredentials channel_credentials = 2; ChannelCredentials channel_credentials = 2;
@ -247,7 +247,7 @@ message GrpcService {
// //
// streams_total, Counter, Total number of streams opened // streams_total, Counter, Total number of streams opened
// streams_closed_<gRPC status code>, Counter, Total streams closed with <gRPC status code> // streams_closed_<gRPC status code>, Counter, Total streams closed with <gRPC status code>
string stat_prefix = 4 [(validate.rules).string = {min_bytes: 1}]; string stat_prefix = 4 [(validate.rules).string = {min_len: 1}];
// The name of the Google gRPC credentials factory to use. This must have been registered with // The name of the Google gRPC credentials factory to use. This must have been registered with
// Envoy. If this is empty, a default credentials factory will be used that sets up channel // Envoy. If this is empty, a default credentials factory will be used that sets up channel
@ -286,8 +286,10 @@ message GrpcService {
// request. // request.
google.protobuf.Duration timeout = 3; google.protobuf.Duration timeout = 3;
// Additional metadata to include in streams initiated to the GrpcService. // Additional metadata to include in streams initiated to the GrpcService. This can be used for
// This can be used for scenarios in which additional ad hoc authorization // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to
// headers (e.g. ``x-foo-bar: baz-key``) are to be injected. // be injected. For more information, including details on header value syntax, see the
// documentation on :ref:`custom request headers
// <config_http_conn_man_headers_custom_request_headers>`.
repeated HeaderValue initial_metadata = 5; repeated HeaderValue initial_metadata = 5;
} }
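Review bot: The reworded comment on `initial_metadata` still presents the field as the place to inject authorization headers, without saying that each `HeaderValue` is a literal in the configuration. Anyone who can read that configuration can read the credential, and it is presumably sent on every stream opened to the service. I would add a line such as `// Values are stored in configuration as written; avoid placing long-lived secrets here.` The enclosing `GrpcService` message starts outside the hunk, and since the file is imported, the comment change belongs upstream.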


@ -54,7 +54,7 @@ enum HealthStatus {
DEGRADED = 5; DEGRADED = 5;
} }
// [#next-free-field: 24] // [#next-free-field: 25]
message HealthCheck { message HealthCheck {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck";
@ -67,7 +67,7 @@ message HealthCheck {
option (validate.required) = true; option (validate.required) = true;
// Hex encoded payload. E.g., "000000FF". // Hex encoded payload. E.g., "000000FF".
string text = 1 [(validate.rules).string = {min_bytes: 1}]; string text = 1 [(validate.rules).string = {min_len: 1}];
// [#not-implemented-hide:] Binary payload. // [#not-implemented-hide:] Binary payload.
bytes binary = 2; bytes binary = 2;
@ -91,9 +91,8 @@ message HealthCheck {
// Specifies the HTTP path that will be requested during health checking. For example // Specifies the HTTP path that will be requested during health checking. For example
// */healthcheck*. // */healthcheck*.
string path = 2 [ string path = 2
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false} [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
];
// [#not-implemented-hide:] HTTP specific payload. // [#not-implemented-hide:] HTTP specific payload.
Payload send = 3; Payload send = 3;
@ -187,7 +186,7 @@ message HealthCheck {
reserved "config"; reserved "config";
// The registered name of the custom health checker. // The registered name of the custom health checker.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// A custom health checker specific configuration which depends on the custom health checker // A custom health checker specific configuration which depends on the custom health checker
// being instantiated. See :api:`envoy/config/health_checker` for reference. // being instantiated. See :api:`envoy/config/health_checker` for reference.
@ -285,6 +284,21 @@ message HealthCheck {
// The default value for "no traffic interval" is 60 seconds. // The default value for "no traffic interval" is 60 seconds.
google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}]; google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}];
// The "no traffic healthy interval" is a special health check interval that
// is used for hosts that are currently passing active health checking
// (including new hosts) when the cluster has received no traffic.
//
// This is useful for when we want to send frequent health checks with
// `no_traffic_interval` but then revert to lower frequency `no_traffic_healthy_interval` once
// a host in the cluster is marked as healthy.
//
// Once a cluster has been used for traffic routing, Envoy will shift back to using the
// standard health check interval that is defined.
//
// If no_traffic_healthy_interval is not set, it will default to the
// no traffic interval and send that interval regardless of health state.
google.protobuf.Duration no_traffic_healthy_interval = 24 [(validate.rules).duration = {gt {}}];
// The "unhealthy interval" is a health check interval that is used for hosts that are marked as // The "unhealthy interval" is a health check interval that is used for hosts that are marked as
// unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the // unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the
// standard health check interval that is defined. // standard health check interval that is defined.


@ -27,7 +27,7 @@ message HttpUri {
// //
// uri: https://www.googleapis.com/oauth2/v1/certs // uri: https://www.googleapis.com/oauth2/v1/certs
// //
string uri = 1 [(validate.rules).string = {min_bytes: 1}]; string uri = 1 [(validate.rules).string = {min_len: 1}];
// Specify how `uri` is to be fetched. Today, this requires an explicit // Specify how `uri` is to be fetched. Today, this requires an explicit
// cluster, but in the future we may support dynamic cluster creation or // cluster, but in the future we may support dynamic cluster creation or
@ -45,7 +45,7 @@ message HttpUri {
// //
// cluster: jwks_cluster // cluster: jwks_cluster
// //
string cluster = 2 [(validate.rules).string = {min_bytes: 1}]; string cluster = 2 [(validate.rules).string = {min_len: 1}];
} }
// Sets the maximum duration in milliseconds that a response can take to arrive upon request. // Sets the maximum duration in milliseconds that a response can take to arrive upon request.


@ -2,6 +2,8 @@ syntax = "proto3";
package envoy.config.core.v3; package envoy.config.core.v3;
import "envoy/type/v3/percent.proto";
import "google/protobuf/duration.proto"; import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto"; import "google/protobuf/wrappers.proto";
@ -177,7 +179,27 @@ message Http1ProtocolOptions {
google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7;
} }
// [#next-free-field: 15] message KeepaliveSettings {
// Send HTTP/2 PING frames at this period, in order to test that the connection is still alive.
google.protobuf.Duration interval = 1 [(validate.rules).duration = {
required: true
gte {nanos: 1000000}
}];
// How long to wait for a response to a keepalive PING. If a response is not received within this
// time period, the connection will be aborted.
google.protobuf.Duration timeout = 2 [(validate.rules).duration = {
required: true
gte {nanos: 1000000}
}];
// A random jitter amount as a percentage of interval that will be added to each interval.
// A value of zero means there will be no jitter.
// The default value is 15%.
type.v3.Percent interval_jitter = 3;
}
// [#next-free-field: 16]
message Http2ProtocolOptions { message Http2ProtocolOptions {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.core.Http2ProtocolOptions"; "envoy.api.v2.core.Http2ProtocolOptions";
@ -248,7 +270,8 @@ message Http2ProtocolOptions {
// be written into the socket). Exceeding this limit triggers flood mitigation and connection is // be written into the socket). Exceeding this limit triggers flood mitigation and connection is
// terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due
// to flood mitigation. The default limit is 10000. // to flood mitigation. The default limit is 10000.
// [#comment:TODO: implement same limits for upstream outbound frames as well.] // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
// `envoy.reloadable_features.upstream_http2_flood_checks` flag.
google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}];
// Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM, // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM,
@ -256,7 +279,8 @@ message Http2ProtocolOptions {
// this limit triggers flood mitigation and connection is terminated. The // this limit triggers flood mitigation and connection is terminated. The
// ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood
// mitigation. The default limit is 1000. // mitigation. The default limit is 1000.
// [#comment:TODO: implement same limits for upstream outbound frames as well.] // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
// `envoy.reloadable_features.upstream_http2_flood_checks` flag.
google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}];
// Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an
@ -265,7 +289,8 @@ message Http2ProtocolOptions {
// stat tracks the number of connections terminated due to flood mitigation. // stat tracks the number of connections terminated due to flood mitigation.
// Setting this to 0 will terminate connection upon receiving first frame with an empty payload // Setting this to 0 will terminate connection upon receiving first frame with an empty payload
// and no end stream flag. The default limit is 1. // and no end stream flag. The default limit is 1.
// [#comment:TODO: implement same limits for upstream inbound frames as well.] // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
// `envoy.reloadable_features.upstream_http2_flood_checks` flag.
google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9;
// Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number
@ -276,7 +301,8 @@ message Http2ProtocolOptions {
// //
// the connection is terminated. The ``http2.inbound_priority_frames_flood`` stat tracks // the connection is terminated. The ``http2.inbound_priority_frames_flood`` stat tracks
// the number of connections terminated due to flood mitigation. The default limit is 100. // the number of connections terminated due to flood mitigation. The default limit is 100.
// [#comment:TODO: implement same limits for upstream inbound frames as well.] // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
// `envoy.reloadable_features.upstream_http2_flood_checks` flag.
google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10;
// Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number
@ -290,7 +316,8 @@ message Http2ProtocolOptions {
// the number of connections terminated due to flood mitigation. The default limit is 10. // the number of connections terminated due to flood mitigation. The default limit is 10.
// Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control, // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control,
// but more complex implementations that try to estimate available bandwidth require at least 2. // but more complex implementations that try to estimate available bandwidth require at least 2.
// [#comment:TODO: implement same limits for upstream inbound frames as well.] // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
// `envoy.reloadable_features.upstream_http2_flood_checks` flag.
google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11
[(validate.rules).uint32 = {gte: 1}]; [(validate.rules).uint32 = {gte: 1}];
@ -345,6 +372,10 @@ message Http2ProtocolOptions {
// <https://www.iana.org/assignments/http2-parameters/http2-parameters.xhtml#settings>`_ for // <https://www.iana.org/assignments/http2-parameters/http2-parameters.xhtml#settings>`_ for
// standardized identifiers. // standardized identifiers.
repeated SettingsParameter custom_settings_parameters = 13; repeated SettingsParameter custom_settings_parameters = 13;
// Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer
// does not respond within the configured timeout, the connection will be aborted.
KeepaliveSettings connection_keepalive = 15;
} }
// [#not-implemented-hide:] // [#not-implemented-hide:]
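Review bot: The new NOTE on `max_outbound_frames` names the `envoy.reloadable_features.upstream_http2_flood_checks` flag but not its default, so a reader cannot tell whether these limits protect upstream connections out of the box. The same NOTE is repeated on `max_outbound_control_frames`, `max_consecutive_inbound_frames_with_empty_payload`, `max_inbound_priority_frames_per_stream` and `max_inbound_window_update_frames_per_data_frame_sent`. The visible text for `max_outbound_control_frames` still describes the limit in terms of downstream frames, which adds to the ambiguity. I would extend the note to something like `// NOTE: these limits apply to upstream connections only while the envoy.reloadable_features.upstream_http2_flood_checks runtime flag is enabled (default: <state the default here>).` Http2ProtocolOptions continues outside these hunks.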


@ -36,7 +36,7 @@ message SubstitutionFormatString {
// //
// upstream connect error:503:path=/foo // upstream connect error:503:path=/foo
// //
string text_format = 1 [(validate.rules).string = {min_bytes: 1}]; string text_format = 1 [(validate.rules).string = {min_len: 1}];
// Specify a format with command operators to form a JSON string. // Specify a format with command operators to form a JSON string.
// Its details is described in :ref:`format dictionary<config_access_log_format_dictionaries>`. // Its details is described in :ref:`format dictionary<config_access_log_format_dictionaries>`.


@ -46,7 +46,7 @@ message ClusterLoadAssignment {
"envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload"; "envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload";
// Identifier for the policy specifying the drop. // Identifier for the policy specifying the drop.
string category = 1 [(validate.rules).string = {min_bytes: 1}]; string category = 1 [(validate.rules).string = {min_len: 1}];
// Percentage of traffic that should be dropped for the category. // Percentage of traffic that should be dropped for the category.
type.v3.FractionalPercent drop_percentage = 2; type.v3.FractionalPercent drop_percentage = 2;
@ -105,7 +105,7 @@ message ClusterLoadAssignment {
// <envoy_api_field_config.cluster.v3.Cluster.EdsClusterConfig.service_name>` value if specified // <envoy_api_field_config.cluster.v3.Cluster.EdsClusterConfig.service_name>` value if specified
// in the cluster :ref:`EdsClusterConfig // in the cluster :ref:`EdsClusterConfig
// <envoy_api_msg_config.cluster.v3.Cluster.EdsClusterConfig>`. // <envoy_api_msg_config.cluster.v3.Cluster.EdsClusterConfig>`.
string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}]; string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
// List of endpoints to load balance to. // List of endpoints to load balance to.
repeated LocalityLbEndpoints endpoints = 2; repeated LocalityLbEndpoints endpoints = 2;


@ -129,14 +129,14 @@ message ClusterStats {
"envoy.api.v2.endpoint.ClusterStats.DroppedRequests"; "envoy.api.v2.endpoint.ClusterStats.DroppedRequests";
// Identifier for the policy specifying the drop. // Identifier for the policy specifying the drop.
string category = 1 [(validate.rules).string = {min_bytes: 1}]; string category = 1 [(validate.rules).string = {min_len: 1}];
// Total number of deliberately dropped requests for the category. // Total number of deliberately dropped requests for the category.
uint64 dropped_count = 2; uint64 dropped_count = 2;
} }
// The name of the cluster. // The name of the cluster.
string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}]; string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
// The eds_cluster_config service_name of the cluster. // The eds_cluster_config service_name of the cluster.
// It's possible that two clusters send the same service_name to EDS, // It's possible that two clusters send the same service_name to EDS,


@ -586,6 +586,10 @@ message ScopedRoutes {
} }
// The name of the header field to extract the value from. // The name of the header field to extract the value from.
//
// .. note::
//
// If the header appears multiple times only the first value is used.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_bytes: 1}];
// The element separator (e.g., ';' separates 'a;b;c;d'). // The element separator (e.g., ';' separates 'a;b;c;d').


@ -15,7 +15,7 @@ import "google/api/annotations.proto";
import "google/protobuf/duration.proto"; import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto"; import "google/protobuf/wrappers.proto";
import "udpa/core/v1/collection_entry.proto"; import "xds/core/v3/collection_entry.proto";
import "udpa/annotations/security.proto"; import "udpa/annotations/security.proto";
import "udpa/annotations/status.proto"; import "udpa/annotations/status.proto";
@ -33,10 +33,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// Listener list collections. Entries are *Listener* resources or references. // Listener list collections. Entries are *Listener* resources or references.
// [#not-implemented-hide:] // [#not-implemented-hide:]
message ListenerCollection { message ListenerCollection {
repeated udpa.core.v1.CollectionEntry entries = 1; repeated xds.core.v3.CollectionEntry entries = 1;
} }
// [#next-free-field: 25] // [#next-free-field: 26]
message Listener { message Listener {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener";
@ -116,6 +116,10 @@ message Listener {
// :ref:`FAQ entry <faq_how_to_setup_sni>`. // :ref:`FAQ entry <faq_how_to_setup_sni>`.
repeated FilterChain filter_chains = 3; repeated FilterChain filter_chains = 3;
// The default filter chain if none of the filter chain matches. If no default filter chain is supplied,
// the connection will be closed. The filter chain match is ignored in this field.
FilterChain default_filter_chain = 25;
// Soft limit on size of the listeners new connection read and write buffers. // Soft limit on size of the listeners new connection read and write buffers.
// If unspecified, an implementation defined default is applied (1MiB). // If unspecified, an implementation defined default is applied (1MiB).
google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5 google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
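Review bot: The comment on `default_filter_chain` says its filter chain match is ignored but does not spell out the consequence. Any restriction an operator places in that chain's match block is not enforced, and connections that would otherwise be closed for matching no chain are served by it instead. I would add a line such as `// Match criteria set on this chain are not evaluated; it receives every connection that no entry in filter_chains matches.` so the move away from close-by-default is explicit. The Listener message continues outside the hunk.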


@ -32,7 +32,7 @@ message Filter {
// The name of the filter to instantiate. The name must match a // The name of the filter to instantiate. The name must match a
// :ref:`supported filter <config_network_filters>`. // :ref:`supported filter <config_network_filters>`.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// Filter specific configuration which depends on the filter being // Filter specific configuration which depends on the filter being
// instantiated. See the supported filters for further documentation. // instantiated. See the supported filters for further documentation.
@ -65,6 +65,18 @@ message Filter {
// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter // ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter
// chain without ``server_names`` requirements). // chain without ``server_names`` requirements).
// //
// A different way to reason about the filter chain matches:
// Suppose there exists N filter chains. Prune the filter chain set using the above 8 steps.
// In each step, filter chains which most specifically matches the attributes continue to the next step.
// The listener guarantees at most 1 filter chain is left after all of the steps.
//
// Example:
//
// For destination port, filter chains specifying the destination port of incoming traffic are the
// most specific match. If none of the filter chains specifies the exact destination port, the filter
// chains which do not specify ports are the most specific match. Filter chains specifying the
// wrong port can never be the most specific match.
//
// [#comment: Implemented rules are kept in the preference order, with deprecated fields // [#comment: Implemented rules are kept in the preference order, with deprecated fields
// listed at the end, because that's how we want to list them in the docs. // listed at the end, because that's how we want to list them in the docs.
// //
@ -168,7 +180,7 @@ message FilterChainMatch {
// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and // A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
// various other parameters. // various other parameters.
// [#next-free-field: 9] // [#next-free-field: 10]
message FilterChain { message FilterChain {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain";
@ -218,6 +230,11 @@ message FilterChain {
// will be set up with plaintext. // will be set up with plaintext.
core.v3.TransportSocket transport_socket = 6; core.v3.TransportSocket transport_socket = 6;
// If present and nonzero, the amount of time to allow incoming connections to complete any
// transport socket negotiations. If this expires before the transport reports connection
// establishment, the connection is summarily closed.
google.protobuf.Duration transport_socket_connect_timeout = 9;
// [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
// name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
// chain is to be dynamically updated or removed via FCDS a unique name must be provided. // chain is to be dynamically updated or removed via FCDS a unique name must be provided.
@ -303,7 +320,7 @@ message ListenerFilter {
// The name of the filter to instantiate. The name must match a // The name of the filter to instantiate. The name must match a
// :ref:`supported filter <config_listener_filters>`. // :ref:`supported filter <config_listener_filters>`.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// Filter specific configuration which depends on the filter being instantiated. // Filter specific configuration which depends on the filter being instantiated.
// See the supported filters for further documentation. // See the supported filters for further documentation.
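Review bot: The comment on `transport_socket_connect_timeout` in FilterChain only describes the "present and nonzero" case, and the field carries no `validate.rules` constraint. As written, leaving it unset or zero appears to mean there is no limit on transport socket negotiation, so a peer that never completes the handshake would keep the connection open. That reading is inferred from the wording and should be confirmed. I would state it in the comment, e.g. `// If unset or zero, no timeout is applied to transport socket negotiation.` FilterChain continues outside the hunk.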


@ -60,7 +60,7 @@ message VirtualHost {
// The logical name of the virtual host. This is used when emitting certain // The logical name of the virtual host. This is used when emitting certain
// statistics but is not relevant for routing. // statistics but is not relevant for routing.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// A list of domains (host/authority header) that will be matched to this // A list of domains (host/authority header) that will be matched to this
// virtual host. Wildcard hosts are supported in the suffix or prefix form. // virtual host. Wildcard hosts are supported in the suffix or prefix form.
@ -113,7 +113,7 @@ message VirtualHost {
// Specifies a list of HTTP headers that should be removed from each request // Specifies a list of HTTP headers that should be removed from each request
// handled by this virtual host. // handled by this virtual host.
repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { repeated string request_headers_to_remove = 13 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}]; }];
// Specifies a list of HTTP headers that should be added to each response // Specifies a list of HTTP headers that should be added to each response
@ -128,7 +128,7 @@ message VirtualHost {
// Specifies a list of HTTP headers that should be removed from each response // Specifies a list of HTTP headers that should be removed from each response
// handled by this virtual host. // handled by this virtual host.
repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { repeated string response_headers_to_remove = 11 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}]; }];
// Indicates that the virtual host has a CORS policy. // Indicates that the virtual host has a CORS policy.
@ -263,7 +263,7 @@ message Route {
// Specifies a list of HTTP headers that should be removed from each request // Specifies a list of HTTP headers that should be removed from each request
// matching this route. // matching this route.
repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { repeated string request_headers_to_remove = 12 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}]; }];
// Specifies a set of headers that will be added to responses to requests // Specifies a set of headers that will be added to responses to requests
@ -278,7 +278,7 @@ message Route {
// Specifies a list of HTTP headers that should be removed from each response // Specifies a list of HTTP headers that should be removed from each response
// to requests matching this route. // to requests matching this route.
repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { repeated string response_headers_to_remove = 11 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}]; }];
// Presence of the object defines whether the connection manager's tracing configuration // Presence of the object defines whether the connection manager's tracing configuration
@ -311,7 +311,7 @@ message WeightedCluster {
// Name of the upstream cluster. The cluster must exist in the // Name of the upstream cluster. The cluster must exist in the
// :ref:`cluster manager configuration <config_cluster_manager>`. // :ref:`cluster manager configuration <config_cluster_manager>`.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// An integer between 0 and :ref:`total_weight // An integer between 0 and :ref:`total_weight
// <envoy_api_field_config.route.v3.WeightedCluster.total_weight>`. When a request matches the route, // <envoy_api_field_config.route.v3.WeightedCluster.total_weight>`. When a request matches the route,
@ -591,7 +591,7 @@ message RouteAction {
// Specifies the cluster that requests will be mirrored to. The cluster must // Specifies the cluster that requests will be mirrored to. The cluster must
// exist in the cluster manager configuration. // exist in the cluster manager configuration.
string cluster = 1 [(validate.rules).string = {min_bytes: 1}]; string cluster = 1 [(validate.rules).string = {min_len: 1}];
// If not specified, all requests to the target cluster will be mirrored. // If not specified, all requests to the target cluster will be mirrored.
// //
@ -620,9 +620,8 @@ message RouteAction {
// The name of the request header that will be used to obtain the hash // The name of the request header that will be used to obtain the hash
// key. If the request header is not present, no hash will be produced. // key. If the request header is not present, no hash will be produced.
string header_name = 1 [ string header_name = 1
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false} [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
];
// If specified, the request header value will be rewritten and used // If specified, the request header value will be rewritten and used
// to produce the hash key. // to produce the hash key.
@ -650,7 +649,7 @@ message RouteAction {
// The name of the cookie that will be used to obtain the hash key. If the // The name of the cookie that will be used to obtain the hash key. If the
// cookie is not present and ttl below is not set, no hash will be // cookie is not present and ttl below is not set, no hash will be
// produced. // produced.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// If specified, a cookie with the TTL will be generated if the cookie is // If specified, a cookie with the TTL will be generated if the cookie is
// not present. If the TTL is present and zero, the generated cookie will // not present. If the TTL is present and zero, the generated cookie will
@ -677,7 +676,7 @@ message RouteAction {
// The name of the URL query parameter that will be used to obtain the hash // The name of the URL query parameter that will be used to obtain the hash
// key. If the parameter is not present, no hash will be produced. Query // key. If the parameter is not present, no hash will be produced. Query
// parameter names are case-sensitive. // parameter names are case-sensitive.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
} }
message FilterState { message FilterState {
@ -687,7 +686,7 @@ message RouteAction {
// The name of the Object in the per-request filterState, which is an // The name of the Object in the per-request filterState, which is an
// Envoy::Http::Hashable object. If there is no data associated with the key, // Envoy::Http::Hashable object. If there is no data associated with the key,
// or the stored object is not Envoy::Http::Hashable, no hash will be produced. // or the stored object is not Envoy::Http::Hashable, no hash will be produced.
string key = 1 [(validate.rules).string = {min_bytes: 1}]; string key = 1 [(validate.rules).string = {min_len: 1}];
} }
oneof policy_specifier { oneof policy_specifier {
@ -752,7 +751,7 @@ message RouteAction {
// For each upgrade type present in upgrade_configs, requests with // For each upgrade type present in upgrade_configs, requests with
// Upgrade: [upgrade_type] will be proxied upstream. // Upgrade: [upgrade_type] will be proxied upstream.
string upgrade_type = 1 string upgrade_type = 1
[(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
// Determines if upgrades are available on this route. Defaults to true. // Determines if upgrades are available on this route. Defaults to true.
google.protobuf.BoolValue enabled = 2; google.protobuf.BoolValue enabled = 2;
@ -764,14 +763,15 @@ message RouteAction {
ConnectConfig connect_config = 3; ConnectConfig connect_config = 3;
} }
// [#not-implemented-hide:]
message MaxStreamDuration { message MaxStreamDuration {
// Specifies the maximum duration allowed for streams on the route. If not specified, the value // Specifies the maximum duration allowed for streams on the route. If not specified, the value
// from the :ref:`max_stream_duration // from the :ref:`max_stream_duration
// <envoy_api_field_config.core.v3.HttpProtocolOptions.max_stream_duration>` field in // <envoy_api_field_config.core.v3.HttpProtocolOptions.max_stream_duration>` field in
// :ref:`HttpConnectionManager.common_http_protocol_options // :ref:`HttpConnectionManager.common_http_protocol_options
// <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options>` // <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options>`
// is used. // is used. If this field is set explicitly to zero, any
// HttpConnectionManager max_stream_duration timeout will be disabled for
// this route.
google.protobuf.Duration max_stream_duration = 1; google.protobuf.Duration max_stream_duration = 1;
// If present, and the request contains a `grpc-timeout header // If present, and the request contains a `grpc-timeout header
@ -798,7 +798,7 @@ message RouteAction {
// Indicates the upstream cluster to which the request should be routed // Indicates the upstream cluster to which the request should be routed
// to. // to.
string cluster = 1 [(validate.rules).string = {min_bytes: 1}]; string cluster = 1 [(validate.rules).string = {min_len: 1}];
// Envoy will determine the cluster to route to by reading the value of the // Envoy will determine the cluster to route to by reading the value of the
// HTTP header named by cluster_header from the request headers. If the // HTTP header named by cluster_header from the request headers. If the
@ -809,8 +809,12 @@ message RouteAction {
// //
// Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 // Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
// *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead. // *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
//
// .. note::
//
// If the header appears multiple times only the first value is used.
string cluster_header = 2 string cluster_header = 2
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Multiple upstream clusters can be specified for a given route. The // Multiple upstream clusters can be specified for a given route. The
// request is routed to one of the upstream clusters based on weights // request is routed to one of the upstream clusters based on weights
@ -917,6 +921,10 @@ message RouteAction {
// //
// Pay attention to the potential security implications of using this option. Provided header // Pay attention to the potential security implications of using this option. Provided header
// must come from trusted source. // must come from trusted source.
//
// .. note::
//
// If the header appears multiple times only the first value is used.
string host_rewrite_header = 29 string host_rewrite_header = 29
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
@ -969,6 +977,10 @@ message RouteAction {
// fires, the stream is terminated with a 408 Request Timeout error code if no // fires, the stream is terminated with a 408 Request Timeout error code if no
// upstream response header has been received, otherwise a stream reset // upstream response header has been received, otherwise a stream reset
// occurs. // occurs.
//
// If the :ref:`overload action <config_overload_manager_overload_actions>` "envoy.overload_actions.reduce_timeouts"
// is configured, this timeout is scaled according to the value for
// :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE <envoy_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_CONNECTION_IDLE>`.
google.protobuf.Duration idle_timeout = 24; google.protobuf.Duration idle_timeout = 24;
// Indicates that the route has a retry policy. Note that if this is set, // Indicates that the route has a retry policy. Note that if this is set,
@ -1018,6 +1030,7 @@ message RouteAction {
// Indicates that the route has a CORS policy. // Indicates that the route has a CORS policy.
CorsPolicy cors = 17; CorsPolicy cors = 17;
// Deprecated by :ref:`grpc_timeout_header_max <envoy_api_field_config.route.v3.RouteAction.MaxStreamDuration.grpc_timeout_header_max>`
// If present, and the request is a gRPC request, use the // If present, and the request is a gRPC request, use the
// `grpc-timeout header <https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md>`_, // `grpc-timeout header <https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md>`_,
// or its default value (infinity) instead of // or its default value (infinity) instead of
@ -1037,8 +1050,9 @@ message RouteAction {
// :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`,
// :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the
// :ref:`retry overview <arch_overview_http_routing_retry>`. // :ref:`retry overview <arch_overview_http_routing_retry>`.
google.protobuf.Duration max_grpc_timeout = 23; google.protobuf.Duration max_grpc_timeout = 23 [deprecated = true];
// Deprecated by :ref:`grpc_timeout_header_offset <envoy_api_field_config.route.v3.RouteAction.MaxStreamDuration.grpc_timeout_header_offset>`.
// If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by subtracting // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by subtracting
// the provided duration from the header. This is useful in allowing Envoy to set its global // the provided duration from the header. This is useful in allowing Envoy to set its global
// timeout to be less than that of the deadline imposed by the calling client, which makes it more // timeout to be less than that of the deadline imposed by the calling client, which makes it more
@ -1046,7 +1060,7 @@ message RouteAction {
// The offset will only be applied if the provided grpc_timeout is greater than the offset. This // The offset will only be applied if the provided grpc_timeout is greater than the offset. This
// ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning
// infinity). // infinity).
google.protobuf.Duration grpc_timeout_offset = 28; google.protobuf.Duration grpc_timeout_offset = 28 [deprecated = true];
repeated UpgradeConfig upgrade_configs = 25; repeated UpgradeConfig upgrade_configs = 25;
@ -1080,7 +1094,6 @@ message RouteAction {
HedgePolicy hedge_policy = 27; HedgePolicy hedge_policy = 27;
// Specifies the maximum stream duration for this route. // Specifies the maximum stream duration for this route.
// [#not-implemented-hide:]
MaxStreamDuration max_stream_duration = 36; MaxStreamDuration max_stream_duration = 36;
} }
@ -1102,7 +1115,7 @@ message RetryPolicy {
reserved "config"; reserved "config";
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
oneof config_type { oneof config_type {
google.protobuf.Any typed_config = 3; google.protobuf.Any typed_config = 3;
@ -1117,7 +1130,7 @@ message RetryPolicy {
reserved "config"; reserved "config";
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
oneof config_type { oneof config_type {
google.protobuf.Any typed_config = 3; google.protobuf.Any typed_config = 3;
@ -1145,9 +1158,15 @@ message RetryPolicy {
} }
message ResetHeader { message ResetHeader {
// The name of the reset header.
//
// .. note::
//
// If the header appears multiple times only the first value is used.
string name = 1 string name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// The format of the reset header.
ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}]; ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}];
} }
@ -1413,7 +1432,7 @@ message Decorator {
// For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden
// by the :ref:`x-envoy-decorator-operation // by the :ref:`x-envoy-decorator-operation
// <config_http_filters_router_x-envoy-decorator-operation>` header. // <config_http_filters_router_x-envoy-decorator-operation>` header.
string operation = 1 [(validate.rules).string = {min_bytes: 1}]; string operation = 1 [(validate.rules).string = {min_len: 1}];
// Whether the decorated details should be propagated to the other party. The default is true. // Whether the decorated details should be propagated to the other party. The default is true.
google.protobuf.BoolValue propagate = 2; google.protobuf.BoolValue propagate = 2;
@ -1488,14 +1507,14 @@ message VirtualCluster {
// Specifies the name of the virtual cluster. The virtual cluster name as well // Specifies the name of the virtual cluster. The virtual cluster name as well
// as the virtual host name are used when emitting statistics. The statistics are emitted by the // as the virtual host name are used when emitting statistics. The statistics are emitted by the
// router filter and are documented :ref:`here <config_http_filters_router_stats>`. // router filter and are documented :ref:`here <config_http_filters_router_stats>`.
string name = 2 [(validate.rules).string = {min_bytes: 1}]; string name = 2 [(validate.rules).string = {min_len: 1}];
} }
// Global rate limiting :ref:`architecture overview <arch_overview_global_rate_limit>`. // Global rate limiting :ref:`architecture overview <arch_overview_global_rate_limit>`.
message RateLimit { message RateLimit {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit";
// [#next-free-field: 8] // [#next-free-field: 9]
message Action { message Action {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.route.RateLimit.Action"; "envoy.api.v2.route.RateLimit.Action";
@ -1546,12 +1565,11 @@ message RateLimit {
// The header name to be queried from the request headers. The headers // The header name to be queried from the request headers. The headers
// value is used to populate the value of the descriptor entry for the // value is used to populate the value of the descriptor entry for the
// descriptor_key. // descriptor_key.
string header_name = 1 [ string header_name = 1
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false} [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
];
// The key to use in the descriptor entry. // The key to use in the descriptor entry.
string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}]; string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];
// If set to true, Envoy skips the descriptor while calling rate limiting service // If set to true, Envoy skips the descriptor while calling rate limiting service
// when header is not present in the request. By default it skips calling the // when header is not present in the request. By default it skips calling the
@ -1580,7 +1598,7 @@ message RateLimit {
"envoy.api.v2.route.RateLimit.Action.GenericKey"; "envoy.api.v2.route.RateLimit.Action.GenericKey";
// The value to use in the descriptor entry. // The value to use in the descriptor entry.
string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}]; string descriptor_value = 1 [(validate.rules).string = {min_len: 1}];
// An optional key to use in the descriptor entry. If not set it defaults // An optional key to use in the descriptor entry. If not set it defaults
// to 'generic_key' as the descriptor key. // to 'generic_key' as the descriptor key.
@ -1597,7 +1615,7 @@ message RateLimit {
"envoy.api.v2.route.RateLimit.Action.HeaderValueMatch"; "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch";
// The value to use in the descriptor entry. // The value to use in the descriptor entry.
string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}]; string descriptor_value = 1 [(validate.rules).string = {min_len: 1}];
// If set to true, the action will append a descriptor entry when the // If set to true, the action will append a descriptor entry when the
// request matches the headers. If set to false, the action will append a // request matches the headers. If set to false, the action will append a
@ -1613,14 +1631,18 @@ message RateLimit {
repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}];
} }
// The following descriptor entry is appended when the dynamic metadata contains a key value: // The following descriptor entry is appended when the
// :ref:`dynamic metadata <well_known_dynamic_metadata>` contains a key value:
// //
// .. code-block:: cpp // .. code-block:: cpp
// //
// ("<descriptor_key>", "<value_queried_from_metadata>") // ("<descriptor_key>", "<value_queried_from_dynamic_metadata>")
//
// .. attention::
// This action has been deprecated in favor of the :ref:`metadata <envoy_api_msg_config.route.v3.RateLimit.Action.MetaData>` action
message DynamicMetaData { message DynamicMetaData {
// The key to use in the descriptor entry. // The key to use in the descriptor entry.
string descriptor_key = 1 [(validate.rules).string = {min_bytes: 1}]; string descriptor_key = 1 [(validate.rules).string = {min_len: 1}];
// Metadata struct that defines the key and path to retrieve the string value. A match will // Metadata struct that defines the key and path to retrieve the string value. A match will
// only happen if the value in the dynamic metadata is of type string. // only happen if the value in the dynamic metadata is of type string.
@ -1631,6 +1653,35 @@ message RateLimit {
string default_value = 3; string default_value = 3;
} }
// The following descriptor entry is appended when the metadata contains a key value:
//
// .. code-block:: cpp
//
// ("<descriptor_key>", "<value_queried_from_metadata>")
message MetaData {
enum Source {
// Query :ref:`dynamic metadata <well_known_dynamic_metadata>`
DYNAMIC = 0;
// Query :ref:`route entry metadata <envoy_api_field_config.route.v3.Route.metadata>`
ROUTE_ENTRY = 1;
}
// The key to use in the descriptor entry.
string descriptor_key = 1 [(validate.rules).string = {min_len: 1}];
// Metadata struct that defines the key and path to retrieve the string value. A match will
// only happen if the value in the metadata is of type string.
type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}];
// An optional value to use if *metadata_key* is empty. If not set and
// no value is present under the metadata_key then no descriptor is generated.
string default_value = 3;
// Source of metadata
Source source = 4 [(validate.rules).enum = {defined_only: true}];
}
oneof action_specifier { oneof action_specifier {
option (validate.required) = true; option (validate.required) = true;
@ -1653,7 +1704,14 @@ message RateLimit {
HeaderValueMatch header_value_match = 6; HeaderValueMatch header_value_match = 6;
// Rate limit on dynamic metadata. // Rate limit on dynamic metadata.
DynamicMetaData dynamic_metadata = 7; //
// .. attention::
// This field has been deprecated in favor of the :ref:`metadata <envoy_api_field_config.route.v3.RateLimit.Action.metadata>` field
DynamicMetaData dynamic_metadata = 7
[deprecated = true, (envoy.annotations.disallowed_by_default) = true];
// Rate limit on metadata.
MetaData metadata = 8;
} }
} }
@ -1736,7 +1794,7 @@ message HeaderMatcher {
// Specifies the name of the header in the request. // Specifies the name of the header in the request.
string name = 1 string name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Specifies how the header match will be performed to route the request. // Specifies how the header match will be performed to route the request.
oneof header_match_specifier { oneof header_match_specifier {
@ -1771,7 +1829,7 @@ message HeaderMatcher {
// Examples: // Examples:
// //
// * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*. // * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*.
string prefix_match = 9 [(validate.rules).string = {min_bytes: 1}]; string prefix_match = 9 [(validate.rules).string = {min_len: 1}];
// If specified, header match will be performed based on the suffix of the header value. // If specified, header match will be performed based on the suffix of the header value.
// Note: empty suffix is not allowed, please use present_match instead. // Note: empty suffix is not allowed, please use present_match instead.
@ -1779,7 +1837,7 @@ message HeaderMatcher {
// Examples: // Examples:
// //
// * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*. // * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*.
string suffix_match = 10 [(validate.rules).string = {min_bytes: 1}]; string suffix_match = 10 [(validate.rules).string = {min_len: 1}];
// If specified, header match will be performed based on whether the header value contains // If specified, header match will be performed based on whether the header value contains
// the given value or not. // the given value or not.
@ -1788,7 +1846,7 @@ message HeaderMatcher {
// Examples: // Examples:
// //
// * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*. // * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*.
string contains_match = 12 [(validate.rules).string = {min_bytes: 1}]; string contains_match = 12 [(validate.rules).string = {min_len: 1}];
} }
// If specified, the match result will be inverted before checking. Defaults to false. // If specified, the match result will be inverted before checking. Defaults to false.
@ -1813,7 +1871,7 @@ message QueryParameterMatcher {
// Specifies the name of a key that must be present in the requested // Specifies the name of a key that must be present in the requested
// *path*'s query string. // *path*'s query string.
string name = 1 [(validate.rules).string = {min_bytes: 1 max_bytes: 1024}]; string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}];
oneof query_parameter_match_specifier { oneof query_parameter_match_specifier {
// Specifies whether a query parameter value should match against a string. // Specifies whether a query parameter value should match against a string.


@ -108,12 +108,12 @@ message ScopedRouteConfiguration {
bool on_demand = 4; bool on_demand = 4;
// The name assigned to the routing scope. // The name assigned to the routing scope.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// The resource name to use for a :ref:`envoy_api_msg_service.discovery.v3.DiscoveryRequest` to an // The resource name to use for a :ref:`envoy_api_msg_service.discovery.v3.DiscoveryRequest` to an
// RDS server to fetch the :ref:`envoy_api_msg_config.route.v3.RouteConfiguration` associated // RDS server to fetch the :ref:`envoy_api_msg_config.route.v3.RouteConfiguration` associated
// with this scope. // with this scope.
string route_configuration_name = 2 [(validate.rules).string = {min_bytes: 1}]; string route_configuration_name = 2 [(validate.rules).string = {min_len: 1}];
// The key to match against. // The key to match against.
Key key = 3 [(validate.rules).message = {required: true}]; Key key = 3 [(validate.rules).message = {required: true}];


@ -22,8 +22,8 @@ message DatadogConfig {
"envoy.config.trace.v2.DatadogConfig"; "envoy.config.trace.v2.DatadogConfig";
// The cluster to use for submitting traces to the Datadog agent. // The cluster to use for submitting traces to the Datadog agent.
string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
// The name used for the service when traces are generated by envoy. // The name used for the service when traces are generated by envoy.
string service_name = 2 [(validate.rules).string = {min_bytes: 1}]; string service_name = 2 [(validate.rules).string = {min_len: 1}];
} }


@ -28,7 +28,7 @@ message DynamicOtConfig {
// Dynamic library implementing the `OpenTracing API // Dynamic library implementing the `OpenTracing API
// <https://github.com/opentracing/opentracing-cpp>`_. // <https://github.com/opentracing/opentracing-cpp>`_.
string library = 1 [(validate.rules).string = {min_bytes: 1}]; string library = 1 [(validate.rules).string = {min_len: 1}];
// The configuration to use when creating a tracer from the given dynamic // The configuration to use when creating a tracer from the given dynamic
// library. // library.


@ -52,7 +52,7 @@ message Tracing {
// - *envoy.tracers.datadog* // - *envoy.tracers.datadog*
// - *envoy.tracers.opencensus* // - *envoy.tracers.opencensus*
// - *envoy.tracers.xray* // - *envoy.tracers.xray*
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// Trace driver specific configuration which depends on the driver being instantiated. // Trace driver specific configuration which depends on the driver being instantiated.
// See the trace drivers for examples: // See the trace drivers for examples:


@ -38,11 +38,11 @@ message LightstepConfig {
} }
// The cluster manager cluster that hosts the LightStep collectors. // The cluster manager cluster that hosts the LightStep collectors.
string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
// File containing the access token to the `LightStep // File containing the access token to the `LightStep
// <https://lightstep.com/>`_ API. // <https://lightstep.com/>`_ API.
string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}]; string access_token_file = 2 [(validate.rules).string = {min_len: 1}];
// Propagation modes to use by LightStep's tracer. // Propagation modes to use by LightStep's tracer.
repeated PropagationMode propagation_modes = 3 repeated PropagationMode propagation_modes = 3


@ -46,15 +46,13 @@ message ZipkinConfig {
GRPC = 3; GRPC = 3;
} }
// The cluster manager cluster that hosts the Zipkin collectors. Note that the // The cluster manager cluster that hosts the Zipkin collectors.
// Zipkin cluster must be defined in the :ref:`Bootstrap static cluster string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
// resources <envoy_api_field_config.bootstrap.v3.Bootstrap.StaticResources.clusters>`.
string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
// The API endpoint of the Zipkin service where the spans will be sent. When // The API endpoint of the Zipkin service where the spans will be sent. When
// using a standard Zipkin installation, the API endpoint is typically // using a standard Zipkin installation, the API endpoint is typically
// /api/v1/spans, which is the default value. // /api/v1/spans, which is the default value.
string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}]; string collector_endpoint = 2 [(validate.rules).string = {min_len: 1}];
// Determines whether a 128bit trace id will be used when creating a new // Determines whether a 128bit trace id will be used when creating a new
// trace instance. The default value is false, which will result in a 64 bit trace id being used. // trace instance. The default value is false, which will result in a 64 bit trace id being used.


@ -19,7 +19,7 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto"; import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto"; import "google/protobuf/wrappers.proto";
import "udpa/core/v1/resource_locator.proto"; import "xds/core/v3/resource_locator.proto";
import "envoy/annotations/deprecation.proto"; import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto"; import "udpa/annotations/migrate.proto";
@ -37,7 +37,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// HTTP connection manager :ref:`configuration overview <config_http_conn_man>`. // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
// [#extension: envoy.filters.network.http_connection_manager] // [#extension: envoy.filters.network.http_connection_manager]
// [#next-free-field: 41] // [#next-free-field: 42]
message HttpConnectionManager { message HttpConnectionManager {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"; "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@ -252,7 +252,7 @@ message HttpConnectionManager {
// The human readable prefix to use when emitting statistics for the // The human readable prefix to use when emitting statistics for the
// connection manager. See the :ref:`statistics documentation <config_http_conn_man_stats>` for // connection manager. See the :ref:`statistics documentation <config_http_conn_man_stats>` for
// more information. // more information.
string stat_prefix = 2 [(validate.rules).string = {min_bytes: 1}]; string stat_prefix = 2 [(validate.rules).string = {min_len: 1}];
oneof route_specifier { oneof route_specifier {
option (validate.required) = true; option (validate.required) = true;
@ -360,6 +360,14 @@ message HttpConnectionManager {
google.protobuf.Duration request_timeout = 28 google.protobuf.Duration request_timeout = 28
[(udpa.annotations.security).configure_for_untrusted_downstream = true]; [(udpa.annotations.security).configure_for_untrusted_downstream = true];
// The amount of time that Envoy will wait for the request headers to be received. The timer is
// activated when the first byte of the headers is received, and is disarmed when the last byte of
// the headers has been received. If not specified or set to 0, this timeout is disabled.
google.protobuf.Duration request_headers_timeout = 41 [
(validate.rules).duration = {gte {}},
(udpa.annotations.security).configure_for_untrusted_downstream = true
];
// The time that Envoy will wait between sending an HTTP/2 shutdown // The time that Envoy will wait between sending an HTTP/2 shutdown
// notification (GOAWAY frame with max stream ID) and a final GOAWAY frame. // notification (GOAWAY frame with max stream ID) and a final GOAWAY frame.
// This is used so that Envoy provides a grace period for new streams that // This is used so that Envoy provides a grace period for new streams that
@ -648,7 +656,7 @@ message Rds {
// Resource locator for RDS. This is mutually exclusive to *route_config_name*. // Resource locator for RDS. This is mutually exclusive to *route_config_name*.
// [#not-implemented-hide:] // [#not-implemented-hide:]
udpa.core.v1.ResourceLocator rds_resource_locator = 3 xds.core.v3.ResourceLocator rds_resource_locator = 3
[(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];
} }
@ -718,14 +726,18 @@ message ScopedRoutes {
// If an element contains no separator, the whole element is parsed as key and the // If an element contains no separator, the whole element is parsed as key and the
// fragment value is an empty string. // fragment value is an empty string.
// If there are multiple values for a matched key, the first value is returned. // If there are multiple values for a matched key, the first value is returned.
string separator = 1 [(validate.rules).string = {min_bytes: 1}]; string separator = 1 [(validate.rules).string = {min_len: 1}];
// The key to match on. // The key to match on.
string key = 2 [(validate.rules).string = {min_bytes: 1}]; string key = 2 [(validate.rules).string = {min_len: 1}];
} }
// The name of the header field to extract the value from. // The name of the header field to extract the value from.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; //
// .. note::
//
// If the header appears multiple times only the first value is used.
string name = 1 [(validate.rules).string = {min_len: 1}];
// The element separator (e.g., ';' separates 'a;b;c;d'). // The element separator (e.g., ';' separates 'a;b;c;d').
// Default: empty string. This causes the entirety of the header field to be extracted. // Default: empty string. This causes the entirety of the header field to be extracted.
@ -759,7 +771,7 @@ message ScopedRoutes {
} }
// The name assigned to the scoped routing configuration. // The name assigned to the scoped routing configuration.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// The algorithm to use for constructing a scope key for each request. // The algorithm to use for constructing a scope key for each request.
ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}]; ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}];
@ -809,7 +821,7 @@ message HttpFilter {
// The name of the filter configuration. The name is used as a fallback to // The name of the filter configuration. The name is used as a fallback to
// select an extension if the type of the configuration proto is not // select an extension if the type of the configuration proto is not
// sufficient. It also serves as a resource name in ExtensionConfigDS. // sufficient. It also serves as a resource name in ExtensionConfigDS.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
oneof config_type { oneof config_type {
// Filter specific configuration which depends on the filter being instantiated. See the supported // Filter specific configuration which depends on the filter being instantiated. See the supported


@ -120,7 +120,7 @@ message PrivateKeyProvider {
// Private key method provider name. The name must match a // Private key method provider name. The name must match a
// supported private key method provider type. // supported private key method provider type.
string provider_name = 1 [(validate.rules).string = {min_bytes: 1}]; string provider_name = 1 [(validate.rules).string = {min_len: 1}];
// Private key method provider specific configuration. // Private key method provider specific configuration.
oneof config_type { oneof config_type {
@ -128,16 +128,37 @@ message PrivateKeyProvider {
} }
} }
// [#next-free-field: 7] // [#next-free-field: 8]
message TlsCertificate { message TlsCertificate {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate";
// The TLS certificate chain. // The TLS certificate chain.
//
// If *certificate_chain* is a filesystem path, a watch will be added to the
// parent directory for any file moves to support rotation. This currently
// only applies to dynamic secrets, when the *TlsCertificate* is delivered via
// SDS.
config.core.v3.DataSource certificate_chain = 1; config.core.v3.DataSource certificate_chain = 1;
// The TLS private key. // The TLS private key.
//
// If *private_key* is a filesystem path, a watch will be added to the parent
// directory for any file moves to support rotation. This currently only
// applies to dynamic secrets, when the *TlsCertificate* is delivered via SDS.
config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
// If specified, updates of file-based *certificate_chain* and *private_key*
// sources will be triggered by this watch. The certificate/key pair will be
// read together and validated for atomic read consistency (i.e. no
// intervening modification occurred between cert/key read, verified by file
// hash comparisons). This allows explicit control over the path watched, by
// default the parent directories of the filesystem paths in
// *certificate_chain* and *private_key* are watched if this field is not
// specified. This only applies when a *TlsCertificate* is delivered by SDS
// with references to filesystem paths. See the :ref:`SDS key rotation
// <sds_key_rotation>` documentation for further details.
config.core.v3.WatchedDirectory watched_directory = 7;
// BoringSSL private key method provider. This is an alternative to :ref:`private_key // BoringSSL private key method provider. This is an alternative to :ref:`private_key
// <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be // <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
// marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
@ -191,7 +212,7 @@ message TlsSessionTicketKeys {
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
} }
// [#next-free-field: 11] // [#next-free-field: 12]
message CertificateValidationContext { message CertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CertificateValidationContext"; "envoy.api.v2.auth.CertificateValidationContext";
@ -233,8 +254,22 @@ message CertificateValidationContext {
// //
// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
// system CA locations. // system CA locations.
//
// If *trusted_ca* is a filesystem path, a watch will be added to the parent
// directory for any file moves to support rotation. This currently only
// applies to dynamic secrets, when the *CertificateValidationContext* is
// delivered via SDS.
config.core.v3.DataSource trusted_ca = 1; config.core.v3.DataSource trusted_ca = 1;
// If specified, updates of a file-based *trusted_ca* source will be triggered
// by this watch. This allows explicit control over the path watched, by
// default the parent directory of the filesystem path in *trusted_ca* is
// watched if this field is not specified. This only applies when a
// *CertificateValidationContext* is delivered by SDS with references to
// filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
// documentation for further details.
config.core.v3.WatchedDirectory watched_directory = 11;
// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
// matches one of the specified values. // matches one of the specified values.
@ -266,7 +301,7 @@ message CertificateValidationContext {
// because SPKI is tied to a private key, so it doesn't change when the certificate // because SPKI is tied to a private key, so it doesn't change when the certificate
// is renewed using the same private key. // is renewed using the same private key.
repeated string verify_certificate_spki = 3 repeated string verify_certificate_spki = 3
[(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}]; [(validate.rules).repeated = {items {string {min_len: 44 max_bytes: 44}}}];
// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
// the SHA-256 of the DER-encoded presented certificate matches one of the specified values. // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
@ -295,10 +330,10 @@ message CertificateValidationContext {
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted. // a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 repeated string verify_certificate_hash = 2
[(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}]; [(validate.rules).repeated = {items {string {min_len: 64 max_bytes: 95}}}];
// An optional list of Subject Alternative name matchers. Envoy will verify that the // An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified matches. // Subject Alternative Name of the presented certificate matches one of the specified matchers.
// //
// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
// configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v3.StringMatcher>`. // configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v3.StringMatcher>`.


@ -6,12 +6,13 @@ import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/config_source.proto"; import "envoy/config/core/v3/config_source.proto";
import "envoy/extensions/transport_sockets/tls/v3/common.proto"; import "envoy/extensions/transport_sockets/tls/v3/common.proto";
import "udpa/core/v1/resource_locator.proto"; import "xds/core/v3/resource_locator.proto";
import "udpa/annotations/migrate.proto"; import "udpa/annotations/migrate.proto";
import "udpa/annotations/sensitive.proto"; import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto"; import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto"; import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "SecretProto"; option java_outer_classname = "SecretProto";
@ -33,11 +34,14 @@ message SdsSecretConfig {
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
// When both name and config are specified, then secret can be fetched and/or reloaded via // When both name and config are specified, then secret can be fetched and/or reloaded via
// SDS. When only name is specified, then secret will be loaded from static resources. // SDS. When only name is specified, then secret will be loaded from static resources.
string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; string name = 1 [
(validate.rules).string = {min_len: 1},
(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"
];
// Resource locator for SDS. This is mutually exclusive to *name*. // Resource locator for SDS. This is mutually exclusive to *name*.
// [#not-implemented-hide:] // [#not-implemented-hide:]
udpa.core.v1.ResourceLocator sds_resource_locator = 3 xds.core.v3.ResourceLocator sds_resource_locator = 3
[(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];
config.core.v3.ConfigSource sds_config = 2; config.core.v3.ConfigSource sds_config = 2;
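Review bot: The new `min_len: 1` rule on `name` conflicts with the comment just below it, which says `sds_resource_locator` is mutually exclusive to `name`. A config that sets only the locator leaves `name` empty and would presumably now fail validation. The locator is still marked `[#not-implemented-hide:]`, so nothing should hit this today, but the constraint is worth recording next to the field, for example `// min_len holds only until name_specifier becomes a oneof; a locator-only config is rejected until then.` The SdsSecretConfig message continues outside this hunk.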


@ -135,7 +135,7 @@ message CommonTlsContext {
message CertificateProvider { message CertificateProvider {
// opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
// a root-certificate (validation context) or "TLS" to specify a new tls-certificate. // a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// Provider specific config. // Provider specific config.
// Note: an implementation is expected to dedup multiple instances of the same config // Note: an implementation is expected to dedup multiple instances of the same config


@ -5,10 +5,11 @@ package envoy.service.discovery.v3;
import "envoy/config/core/v3/base.proto"; import "envoy/config/core/v3/base.proto";
import "google/protobuf/any.proto"; import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/rpc/status.proto"; import "google/rpc/status.proto";
import "udpa/core/v1/resource_locator.proto"; import "xds/core/v3/resource_locator.proto";
import "udpa/core/v1/resource_name.proto"; import "xds/core/v3/resource_name.proto";
import "udpa/annotations/migrate.proto"; import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto"; import "udpa/annotations/status.proto";
@ -153,8 +154,8 @@ message DeltaDiscoveryRequest {
// Type of the resource that is being requested, e.g. // Type of the resource that is being requested, e.g.
// "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This does not need to be set if // "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This does not need to be set if
// resources are only referenced via *udpa_resource_subscribe* and // resources are only referenced via *xds_resource_subscribe* and
// *udpa_resources_unsubscribe*. // *xds_resources_unsubscribe*.
string type_url = 2; string type_url = 2;
// DeltaDiscoveryRequests allow the client to add or remove individual // DeltaDiscoveryRequests allow the client to add or remove individual
@ -181,20 +182,20 @@ message DeltaDiscoveryRequest {
repeated string resource_names_subscribe = 3; repeated string resource_names_subscribe = 3;
// As with *resource_names_subscribe* but used when subscribing to resources indicated // As with *resource_names_subscribe* but used when subscribing to resources indicated
// by a *udpa.core.v1.ResourceLocator*. The directives in the resource locator // by a *xds.core.v3.ResourceLocator*. The directives in the resource locator
// are ignored and the context parameters are matched with // are ignored and the context parameters are matched with
// *context_param_specifier* specific semantics. // *context_param_specifier* specific semantics.
// [#not-implemented-hide:] // [#not-implemented-hide:]
repeated udpa.core.v1.ResourceLocator udpa_resources_subscribe = 8; repeated xds.core.v3.ResourceLocator xds_resources_subscribe = 8;
// A list of Resource names to remove from the list of tracked resources. // A list of Resource names to remove from the list of tracked resources.
repeated string resource_names_unsubscribe = 4; repeated string resource_names_unsubscribe = 4;
// As with *resource_names_unsubscribe* but used when unsubscribing to resources indicated by a // As with *resource_names_unsubscribe* but used when unsubscribing to resources indicated by a
// *udpa.core.v1.ResourceLocator*. This must match a previously subscribed // *xds.core.v3.ResourceLocator*. This must match a previously subscribed
// resource locator provided in *udpa_resources_subscribe*. // resource locator provided in *xds_resources_subscribe*.
// [#not-implemented-hide:] // [#not-implemented-hide:]
repeated udpa.core.v1.ResourceLocator udpa_resources_unsubscribe = 9; repeated xds.core.v3.ResourceLocator xds_resources_unsubscribe = 9;
// Informs the server of the versions of the resources the xDS client knows of, to enable the // Informs the server of the versions of the resources the xDS client knows of, to enable the
// client to continue the same logical xDS session even in the face of gRPC stream reconnection. // client to continue the same logical xDS session even in the face of gRPC stream reconnection.
@ -243,24 +244,33 @@ message DeltaDiscoveryResponse {
repeated string removed_resources = 6; repeated string removed_resources = 6;
// As with *removed_resources* but used when a removed resource was named in // As with *removed_resources* but used when a removed resource was named in
// its *Resource*s with a *udpa.core.v1.ResourceName*. // its *Resource*s with a *xds.core.v3.ResourceName*.
// [#not-implemented-hide:] // [#not-implemented-hide:]
repeated udpa.core.v1.ResourceName udpa_removed_resources = 7; repeated xds.core.v3.ResourceName udpa_removed_resources = 7;
// The nonce provides a way for DeltaDiscoveryRequests to uniquely // The nonce provides a way for DeltaDiscoveryRequests to uniquely
// reference a DeltaDiscoveryResponse when (N)ACKing. The nonce is required. // reference a DeltaDiscoveryResponse when (N)ACKing. The nonce is required.
string nonce = 5; string nonce = 5;
} }
// [#next-free-field: 6] // [#next-free-field: 8]
message Resource { message Resource {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Resource"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Resource";
// Cache control properties for the resource.
// [#not-implemented-hide:]
message CacheControl {
// If true, xDS proxies may not cache this resource.
// Note that this does not apply to clients other than xDS proxies, which must cache resources
// for their own use, regardless of the value of this field.
bool do_not_cache = 1;
}
// The resource's name, to distinguish it from others of the same type of resource. // The resource's name, to distinguish it from others of the same type of resource.
string name = 3 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; string name = 3 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];
// Used instead of *name* when a resource with a *udpa.core.v1.ResourceName* is delivered. // Used instead of *name* when a resource with a *xds.core.v3.ResourceName* is delivered.
udpa.core.v1.ResourceName udpa_resource_name = 5 xds.core.v3.ResourceName xds_resource_name = 5
[(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];
// The aliases are a list of other names that this resource can go by. // The aliases are a list of other names that this resource can go by.
@ -272,4 +282,23 @@ message Resource {
// The resource being tracked. // The resource being tracked.
google.protobuf.Any resource = 2; google.protobuf.Any resource = 2;
// Time-to-live value for the resource. For each resource, a timer is started. The timer is
// reset each time the resource is received with a new TTL. If the resource is received with
// no TTL set, the timer is removed for the resource. Upon expiration of the timer, the
// configuration for the resource will be removed.
//
// The TTL can be refreshed or changed by sending a response that doesn't change the resource
// version. In this case the resource field does not need to be populated, which allows for
// light-weight "heartbeat" updates to keep a resource with a TTL alive.
//
// The TTL feature is meant to support configurations that should be removed in the event of
// a management server failure. For example, the feature may be used for fault injection
// testing where the fault injection should be terminated in the event that Envoy loses contact
// with the management server.
google.protobuf.Duration ttl = 6;
// Cache control properties for the resource.
// [#not-implemented-hide:]
CacheControl cache_control = 7;
} }
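Review bot: The `ttl` comment allows a refresh response whose `resource` field is left unpopulated, but it does not say how a receiver tells such a heartbeat from a real update, and the comment on `resource` itself is unchanged. A client that unpacks the `Any` unconditionally could treat the heartbeat as an empty or invalid resource and reject or drop configuration that is still valid. I would add to the `ttl` comment something like `// A response with an unset resource and an unchanged version is a heartbeat: keep the current resource and only reset the timer.` Whether the xDS client in this repository reads `ttl` at all is not visible on this page; a client that ignores it will keep configuration the management server expects to expire.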


@ -83,12 +83,12 @@ message MetadataMatcher {
option (validate.required) = true; option (validate.required) = true;
// If specified, use the key to retrieve the value in a Struct. // If specified, use the key to retrieve the value in a Struct.
string key = 1 [(validate.rules).string = {min_bytes: 1}]; string key = 1 [(validate.rules).string = {min_len: 1}];
} }
} }
// The filter name to retrieve the Struct from the Metadata. // The filter name to retrieve the Struct from the Metadata.
string filter = 1 [(validate.rules).string = {min_bytes: 1}]; string filter = 1 [(validate.rules).string = {min_len: 1}];
// The path to retrieve the Value from the Struct. // The path to retrieve the Value from the Struct.
repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];


@ -48,7 +48,7 @@ message RegexMatcher {
} }
// The regex match string. The string must be supported by the configured engine. // The regex match string. The string must be supported by the configured engine.
string regex = 2 [(validate.rules).string = {min_bytes: 1}]; string regex = 2 [(validate.rules).string = {min_len: 1}];
} }
// Describes how to match a string and then produce a new string using a regular // Describes how to match a string and then produce a new string using a regular


@ -34,7 +34,7 @@ message StringMatcher {
// Examples: // Examples:
// //
// * *abc* matches the value *abc.xyz* // * *abc* matches the value *abc.xyz*
string prefix = 2 [(validate.rules).string = {min_bytes: 1}]; string prefix = 2 [(validate.rules).string = {min_len: 1}];
// The input string must have the suffix specified here. // The input string must have the suffix specified here.
// Note: empty prefix is not allowed, please use regex instead. // Note: empty prefix is not allowed, please use regex instead.
@ -42,7 +42,7 @@ message StringMatcher {
// Examples: // Examples:
// //
// * *abc* matches the value *xyz.abc* // * *abc* matches the value *xyz.abc*
string suffix = 3 [(validate.rules).string = {min_bytes: 1}]; string suffix = 3 [(validate.rules).string = {min_len: 1}];
// The input string must match the regular expression specified here. // The input string must match the regular expression specified here.
// The regex grammar is defined `here // The regex grammar is defined `here


@ -89,12 +89,12 @@ message MetadataMatcher {
option (validate.required) = true; option (validate.required) = true;
// If specified, use the key to retrieve the value in a Struct. // If specified, use the key to retrieve the value in a Struct.
string key = 1 [(validate.rules).string = {min_bytes: 1}]; string key = 1 [(validate.rules).string = {min_len: 1}];
} }
} }
// The filter name to retrieve the Struct from the Metadata. // The filter name to retrieve the Struct from the Metadata.
string filter = 1 [(validate.rules).string = {min_bytes: 1}]; string filter = 1 [(validate.rules).string = {min_len: 1}];
// The path to retrieve the Value from the Struct. // The path to retrieve the Value from the Struct.
repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];


@ -54,7 +54,7 @@ message RegexMatcher {
} }
// The regex match string. The string must be supported by the configured engine. // The regex match string. The string must be supported by the configured engine.
string regex = 2 [(validate.rules).string = {min_bytes: 1}]; string regex = 2 [(validate.rules).string = {min_len: 1}];
} }
// Describes how to match a string and then produce a new string using a regular // Describes how to match a string and then produce a new string using a regular


@ -41,7 +41,7 @@ message StringMatcher {
// Examples: // Examples:
// //
// * *abc* matches the value *abc.xyz* // * *abc* matches the value *abc.xyz*
string prefix = 2 [(validate.rules).string = {min_bytes: 1}]; string prefix = 2 [(validate.rules).string = {min_len: 1}];
// The input string must have the suffix specified here. // The input string must have the suffix specified here.
// Note: empty prefix is not allowed, please use regex instead. // Note: empty prefix is not allowed, please use regex instead.
@ -49,7 +49,7 @@ message StringMatcher {
// Examples: // Examples:
// //
// * *abc* matches the value *xyz.abc* // * *abc* matches the value *xyz.abc*
string suffix = 3 [(validate.rules).string = {min_bytes: 1}]; string suffix = 3 [(validate.rules).string = {min_len: 1}];
// The input string must match the regular expression specified here. // The input string must match the regular expression specified here.
RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}];
@ -60,7 +60,7 @@ message StringMatcher {
// Examples: // Examples:
// //
// * *abc* matches the value *xyz.abc.def* // * *abc* matches the value *xyz.abc.def*
string contains = 7 [(validate.rules).string = {min_bytes: 1}]; string contains = 7 [(validate.rules).string = {min_len: 1}];
} }
// If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no


@ -49,13 +49,13 @@ message MetadataKey {
option (validate.required) = true; option (validate.required) = true;
// If specified, use the key to retrieve the value in a Struct. // If specified, use the key to retrieve the value in a Struct.
string key = 1 [(validate.rules).string = {min_bytes: 1}]; string key = 1 [(validate.rules).string = {min_len: 1}];
} }
} }
// The key name of Metadata to retrieve the Struct from the metadata. // The key name of Metadata to retrieve the Struct from the metadata.
// Typically, it represents a builtin subsystem or custom extension. // Typically, it represents a builtin subsystem or custom extension.
string key = 1 [(validate.rules).string = {min_bytes: 1}]; string key = 1 [(validate.rules).string = {min_len: 1}];
// The path to retrieve the Value from the Struct. It can be a prefix or a full path, // The path to retrieve the Value from the Struct. It can be a prefix or a full path,
// e.g. ``[prop, xyz]`` for a struct or ``[prop, foo]`` for a string in the example, // e.g. ``[prop, xyz]`` for a struct or ``[prop, foo]`` for a string in the example,


@ -26,7 +26,7 @@ message CustomTag {
"envoy.type.tracing.v2.CustomTag.Literal"; "envoy.type.tracing.v2.CustomTag.Literal";
// Static literal value to populate the tag value. // Static literal value to populate the tag value.
string value = 1 [(validate.rules).string = {min_bytes: 1}]; string value = 1 [(validate.rules).string = {min_len: 1}];
} }
// Environment type custom tag with environment name and default value. // Environment type custom tag with environment name and default value.
@ -35,7 +35,7 @@ message CustomTag {
"envoy.type.tracing.v2.CustomTag.Environment"; "envoy.type.tracing.v2.CustomTag.Environment";
// Environment variable name to obtain the value to populate the tag value. // Environment variable name to obtain the value to populate the tag value.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];
// When the environment variable is not found, // When the environment variable is not found,
// the tag value will be populated with this default value if specified, // the tag value will be populated with this default value if specified,
@ -50,7 +50,7 @@ message CustomTag {
// Header name to obtain the value to populate the tag value. // Header name to obtain the value to populate the tag value.
string name = 1 string name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// When the header does not exist, // When the header does not exist,
// the tag value will be populated with this default value if specified, // the tag value will be populated with this default value if specified,
@ -80,7 +80,7 @@ message CustomTag {
} }
// Used to populate the tag name. // Used to populate the tag name.
string tag = 1 [(validate.rules).string = {min_bytes: 1}]; string tag = 1 [(validate.rules).string = {min_len: 1}];
// Used to specify what kind of custom tag. // Used to specify what kind of custom tag.
oneof type { oneof type {


@ -18,7 +18,7 @@
set -e set -e
BRANCH=master BRANCH=master
# import VERSION from one of the google internal CLs # import VERSION from one of the google internal CLs
VERSION=efcf912fb35470672231c7b7bef620f3d17f655a VERSION=5459f2c994033b0afed7e4a70ac7e90c90c1ffee
GIT_REPO="https://github.com/cncf/udpa.git" GIT_REPO="https://github.com/cncf/udpa.git"
GIT_BASE_DIR=udpa GIT_BASE_DIR=udpa
SOURCE_PROTO_BASE_DIR=udpa SOURCE_PROTO_BASE_DIR=udpa
@ -29,13 +29,13 @@ udpa/annotations/security.proto
udpa/annotations/sensitive.proto udpa/annotations/sensitive.proto
udpa/annotations/status.proto udpa/annotations/status.proto
udpa/annotations/versioning.proto udpa/annotations/versioning.proto
udpa/core/v1/authority.proto
udpa/core/v1/collection_entry.proto
udpa/core/v1/context_params.proto
udpa/core/v1/resource_locator.proto
udpa/core/v1/resource_name.proto
udpa/data/orca/v1/orca_load_report.proto udpa/data/orca/v1/orca_load_report.proto
udpa/service/orca/v1/orca.proto udpa/service/orca/v1/orca.proto
xds/core/v3/authority.proto
xds/core/v3/collection_entry.proto
xds/core/v3/context_params.proto
xds/core/v3/resource_locator.proto
xds/core/v3/resource_name.proto
) )
pushd `git rev-parse --show-toplevel`/xds/third_party/udpa pushd `git rev-parse --show-toplevel`/xds/third_party/udpa


@ -1,16 +0,0 @@
syntax = "proto3";
package udpa.core.v1;
import "udpa/annotations/status.proto";
option java_outer_classname = "ContextParamsProto";
option java_multiple_files = true;
option java_package = "com.github.udpa.udpa.core.v1";
option (udpa.annotations.file_status).work_in_progress = true;
// Additional parameters that can be used to select resource variants.
message ContextParams {
map<string, string> params = 1;
}


@ -1,6 +1,6 @@
syntax = "proto3"; syntax = "proto3";
package udpa.core.v1; package xds.core.v3;
import "udpa/annotations/status.proto"; import "udpa/annotations/status.proto";
@ -8,11 +8,11 @@ import "validate/validate.proto";
option java_outer_classname = "AuthorityProto"; option java_outer_classname = "AuthorityProto";
option java_multiple_files = true; option java_multiple_files = true;
option java_package = "com.github.udpa.udpa.core.v1"; option java_package = "com.github.udpa.xds.core.v3";
option (udpa.annotations.file_status).work_in_progress = true; option (udpa.annotations.file_status).work_in_progress = true;
// UDPA authority information. // xDS authority information.
message Authority { message Authority {
string name = 1 [(validate.rules).string = {min_len: 1}]; string name = 1 [(validate.rules).string = {min_len: 1}];


@ -1,21 +1,21 @@
syntax = "proto3"; syntax = "proto3";
package udpa.core.v1; package xds.core.v3;
import "google/protobuf/any.proto"; import "google/protobuf/any.proto";
import "udpa/annotations/status.proto"; import "udpa/annotations/status.proto";
import "udpa/core/v1/resource_locator.proto"; import "xds/core/v3/resource_locator.proto";
import "validate/validate.proto"; import "validate/validate.proto";
option java_outer_classname = "CollectionEntryProto"; option java_outer_classname = "CollectionEntryProto";
option java_multiple_files = true; option java_multiple_files = true;
option java_package = "com.github.udpa.udpa.core.v1"; option java_package = "com.github.udpa.xds.core.v3";
option (udpa.annotations.file_status).work_in_progress = true; option (udpa.annotations.file_status).work_in_progress = true;
// UDPA collection resource wrapper. This encapsulates a UDPA resource when // xDS collection resource wrapper. This encapsulates a xDS resource when
// appearing inside a list collection resource. List collection resources are // appearing inside a list collection resource. List collection resources are
// regular Resource messages of type: // regular Resource messages of type:
// //
@ -32,7 +32,7 @@ message CollectionEntry {
// reference via the #entry directive in ResourceLocator. // reference via the #entry directive in ResourceLocator.
string name = 1 [(validate.rules).string.pattern = "^[0-9a-zA-Z_\\-\\.~:]+$"]; string name = 1 [(validate.rules).string.pattern = "^[0-9a-zA-Z_\\-\\.~:]+$"];
// The resource's logical version. It is illegal to have the same named UDPA // The resource's logical version. It is illegal to have the same named xDS
// resource name at a given version with different resource payloads. // resource name at a given version with different resource payloads.
string version = 2; string version = 2;


@ -0,0 +1,21 @@
syntax = "proto3";
package xds.core.v3;
import "udpa/annotations/status.proto";
option java_outer_classname = "ContextParamsProto";
option java_multiple_files = true;
option java_package = "com.github.udpa.xds.core.v3";
option (udpa.annotations.file_status).work_in_progress = true;
// Additional parameters that can be used to select resource variants. These include any
// global context parameters, per-resource type client feature capabilities and per-resource
// type functional attributes. All per-resource type attributes will be `xds.resource.`
// prefixed and some of these are documented below:
// `xds.resource.listening_address`: The value is "IP:port" (e.g. "10.1.1.3:8080") which is
// the listening address of a Listener. Used in a Listener resource query.
message ContextParams {
map<string, string> params = 1;
}
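Review bot: `params` has no field comment, and the new message comment reserves the `xds.resource.` key prefix without saying who is allowed to set such keys. These parameters select which resource variant is served, so the field should state the rule, for example `// Keys prefixed "xds.resource." are reserved for per-resource type attributes.` If the intent is that these keys come from the client implementation and never from user-supplied parameters, the comment should say so. The "IP:port" example also leaves open how an IPv6 listening address is written; if a bracketed form is intended, it should be stated.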


@ -1,38 +1,38 @@
syntax = "proto3"; syntax = "proto3";
package udpa.core.v1; package xds.core.v3;
import "udpa/annotations/status.proto"; import "udpa/annotations/status.proto";
import "udpa/core/v1/context_params.proto"; import "xds/core/v3/context_params.proto";
import "validate/validate.proto"; import "validate/validate.proto";
option java_outer_classname = "ResourceLocatorProto"; option java_outer_classname = "ResourceLocatorProto";
option java_multiple_files = true; option java_multiple_files = true;
option java_package = "com.github.udpa.udpa.core.v1"; option java_package = "com.github.udpa.xds.core.v3";
option (udpa.annotations.file_status).work_in_progress = true; option (udpa.annotations.file_status).work_in_progress = true;
// UDPA resource locators identify a UDPA resource name and instruct the // xDS resource locators identify a xDS resource name and instruct the
// data-plane load balancer on how the resource may be located. // data-plane load balancer on how the resource may be located.
// //
// Resource locators have a canonical udpa:// URI representation: // Resource locators have a canonical xdstp:// URI representation:
// //
// udpa://{authority}/{type_url}/{id/*}?{context_params}{#directive,*} // xdstp://{authority}/{type_url}/{id}?{context_params}{#directive,*}
// //
// where context_params take the form of URI query parameters. // where context_params take the form of URI query parameters.
// //
// Resource locators have a similar canonical http:// URI representation: // Resource locators have a similar canonical http:// URI representation:
// //
// http://{authority}/{type_url}/{id/*}?{context_params}{#directive,*} // http://{authority}/{type_url}/{id}?{context_params}{#directive,*}
// //
// Resource locators also have a simplified file:// URI representation: // Resource locators also have a simplified file:// URI representation:
// //
// file:///{id/*}{#directive,*} // file:///{id}{#directive,*}
// //
message ResourceLocator { message ResourceLocator {
enum Scheme { enum Scheme {
UDPA = 0; XDSTP = 0;
HTTP = 1; HTTP = 1;
FILE = 2; FILE = 2;
} }
@ -40,13 +40,13 @@ message ResourceLocator {
// URI scheme. // URI scheme.
Scheme scheme = 1 [(validate.rules).enum = {defined_only: true}]; Scheme scheme = 1 [(validate.rules).enum = {defined_only: true}];
// Opaque identifiers for the resource. These are effectively concatenated // Opaque identifier for the resource. Any '/' will not be escaped during URI
// with / to form the non-query param path as resource ID. This may end // encoding and will form part of the URI path. This may end
// with * for glob collection references. // with * for glob collection references.
repeated string id = 2 [(validate.rules).repeated = {min_items: 1}]; string id = 2;
// Logical authority for resource (not necessarily transport network address). // Logical authority for resource (not necessarily transport network address).
// Authorities are opaque in the UDPA API, data-plane load balancers will map // Authorities are opaque in the xDS API, data-plane load balancers will map
// them to concrete network transports such as an xDS management server, e.g. // them to concrete network transports such as an xDS management server, e.g.
// via envoy.config.core.v3.ConfigSource. // via envoy.config.core.v3.ConfigSource.
string authority = 3; string authority = 3;
@ -65,7 +65,7 @@ message ResourceLocator {
// .. space reserved for future potential matchers, e.g. CEL expressions. // .. space reserved for future potential matchers, e.g. CEL expressions.
} }
// Directives provide information to data-plane load balancers on how UDPA // Directives provide information to data-plane load balancers on how xDS
// resource names are to be interpreted and potentially further resolved. For // resource names are to be interpreted and potentially further resolved. For
// example, they may provide alternative resource locators for when primary // example, they may provide alternative resource locators for when primary
// resolution fails. Directives are not part of resource names and do not // resolution fails. Directives are not part of resource names and do not
@ -75,7 +75,7 @@ message ResourceLocator {
// //
// <directive name>=<string representation of directive value> // <directive name>=<string representation of directive value>
// //
// For example, we can have alt=udpa://foo/bar or entry=some%20thing. Each // For example, we can have alt=xdstp://foo/bar or entry=some%20thing. Each
// directive value type may have its own string encoding, in the case of // directive value type may have its own string encoding, in the case of
// ResourceLocator there is a recursive URI encoding. // ResourceLocator there is a recursive URI encoding.
// //
@ -83,7 +83,7 @@ message ResourceLocator {
// Multiple directives are comma-separated, so the reserved characters that // Multiple directives are comma-separated, so the reserved characters that
// require percent encoding in a directive value are [',', '#', '[', ']', // require percent encoding in a directive value are [',', '#', '[', ']',
// '%']. These are the RFC3986 fragment reserved characters with the addition // '%']. These are the RFC3986 fragment reserved characters with the addition
// of the UDPA scheme specific ','. See // of the xDS scheme specific ','. See
// https://tools.ietf.org/html/rfc3986#page-49 for further details on URI ABNF // https://tools.ietf.org/html/rfc3986#page-49 for further details on URI ABNF
// and reserved characters. // and reserved characters.
message Directive { message Directive {
@ -93,7 +93,7 @@ message ResourceLocator {
// An alternative resource locator for fallback if the resource is // An alternative resource locator for fallback if the resource is
// unavailable. For example, take the resource locator: // unavailable. For example, take the resource locator:
// //
// udpa://foo/some-type/some-route-table#alt=udpa://bar/some-type/another-route-table // xdstp://foo/some-type/some-route-table#alt=xdstp://bar/some-type/another-route-table
// //
// If the data-plane load balancer is unable to reach `foo` to fetch the // If the data-plane load balancer is unable to reach `foo` to fetch the
// resource, it will fallback to `bar`. Alternative resources do not need // resource, it will fallback to `bar`. Alternative resources do not need
@ -103,13 +103,13 @@ message ResourceLocator {
// List collections support inlining of resources via the entry field in // List collections support inlining of resources via the entry field in
// Resource. These inlined Resource objects may have an optional name // Resource. These inlined Resource objects may have an optional name
// field specified. When specified, the entry directive allows // field specified. When specified, the entry directive allows
// UdpaResourceLocator to directly reference these inlined resources, e.g. // ResourceLocator to directly reference these inlined resources, e.g.
// udpa://.../foo#entry=bar. // xdstp://.../foo#entry=bar.
string entry = 2 [(validate.rules).string = {min_len: 1, pattern: "^[0-9a-zA-Z_\\-\\./~:]+$"}]; string entry = 2 [(validate.rules).string = {min_len: 1, pattern: "^[0-9a-zA-Z_\\-\\./~:]+$"}];
} }
} }
// A list of directives that appear in the UDPA resource locator #fragment. // A list of directives that appear in the xDS resource locator #fragment.
// //
// When encoding to URI form, directives are percent encoded with comma // When encoding to URI form, directives are percent encoded with comma
// separation. // separation.
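Review bot: Changing `id` from `repeated string` with `min_items: 1` to a plain `string id = 2;` drops the only validation rule on the field, so a locator with an empty id now passes validation. The same change is made to `id = 1` in the resource name file later in this commit. The new comment says '/' is not escaped and becomes part of the URI path, and the `file:///{id}` form uses the id as the whole path, so consumers should handle `id` as untrusted path input rather than as an opaque token. If an empty id is not meant to be legal, keep a floor with `string id = 2 [(validate.rules).string = {min_len: 1}];`. The repeated-to-singular change also alters the generated accessors, so code that builds or reads these messages needs updating alongside this import.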


@ -1,34 +1,34 @@
syntax = "proto3"; syntax = "proto3";
package udpa.core.v1; package xds.core.v3;
import "udpa/annotations/status.proto"; import "udpa/annotations/status.proto";
import "udpa/core/v1/context_params.proto"; import "xds/core/v3/context_params.proto";
import "validate/validate.proto"; import "validate/validate.proto";
option java_outer_classname = "ResourceNameProto"; option java_outer_classname = "ResourceNameProto";
option java_multiple_files = true; option java_multiple_files = true;
option java_package = "com.github.udpa.udpa.core.v1"; option java_package = "com.github.udpa.xds.core.v3";
option (udpa.annotations.file_status).work_in_progress = true; option (udpa.annotations.file_status).work_in_progress = true;
// UDPA resource name. This has a canonical udpa:// URI representation: // xDS resource name. This has a canonical xdstp:// URI representation:
// //
// udpa://{authority}/{type_url}/{id/*}?{context_params} // xdstp://{authority}/{type_url}/{id}?{context_params}
// //
// where context_params take the form of URI query parameters. // where context_params take the form of URI query parameters.
// //
// A UDPA resource name fully identifies a network resource for transport // A xDS resource name fully identifies a network resource for transport
// purposes. UDPA resource names in this form appear only in discovery // purposes. xDS resource names in this form appear only in discovery
// request/response messages used with the xDS transport. // request/response messages used with the xDS transport.
message ResourceName { message ResourceName {
// Opaque identifiers for the resource. These are effectively concatenated // Opaque identifier for the resource. Any '/' will not be escaped during URI
// with / to form the non-query param path as resource ID. // encoding and will form part of the URI path.
repeated string id = 1 [(validate.rules).repeated = {min_items: 1}]; string id = 1;
// Logical authority for resource (not necessarily transport network address). // Logical authority for resource (not necessarily transport network address).
// Authorities are opaque in the UDPA API, data-plane load balancers will map // Authorities are opaque in the xDS API, data-plane load balancers will map
// them to concrete network transports such as an xDS management server. // them to concrete network transports such as an xDS management server.
string authority = 2; string authority = 2;