grpc 1.32.0 → 1.33.0.pre1

data/src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h

@@ -0,0 +1,102 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_EXT_XDS_GOOGLE_MESH_CA_CERTIFICATE_PROVIDER_FACTORY_H
+#define GRPC_CORE_EXT_XDS_GOOGLE_MESH_CA_CERTIFICATE_PROVIDER_FACTORY_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/ext/xds/certificate_provider_factory.h"
+#include "src/core/lib/backoff/backoff.h"
+#include "src/core/lib/gprpp/ref_counted.h"
+
+namespace grpc_core {
+
+class GoogleMeshCaCertificateProviderFactory
+    : public CertificateProviderFactory {
+ public:
+  class Config : public CertificateProviderFactory::Config {
+   public:
+    struct StsConfig {
+      std::string token_exchange_service_uri;
+      std::string resource;
+      std::string audience;
+      std::string scope;
+      std::string requested_token_type;
+      std::string subject_token_path;
+      std::string subject_token_type;
+      std::string actor_token_path;
+      std::string actor_token_type;
+    };
+
+    const char* name() const override;
+
+    const std::string& endpoint() const { return endpoint_; }
+
+    const StsConfig& sts_config() const { return sts_config_; }
+
+    grpc_millis timeout() const { return timeout_; }
+
+    grpc_millis certificate_lifetime() const { return certificate_lifetime_; }
+
+    grpc_millis renewal_grace_period() const { return renewal_grace_period_; }
+
+    uint32_t key_size() const { return key_size_; }
+
+    const std::string& location() const { return location_; }
+
+    static std::unique_ptr<Config> Parse(const Json& config_json,
+                                         grpc_error** error);
+
+   private:
+    // Helpers for parsing the config
+    std::vector<grpc_error*> ParseJsonObjectStsService(
+        const Json::Object& sts_service);
+    std::vector<grpc_error*> ParseJsonObjectCallCredentials(
+        const Json::Object& call_credentials);
+    std::vector<grpc_error*> ParseJsonObjectGoogleGrpc(
+        const Json::Object& google_grpc);
+    std::vector<grpc_error*> ParseJsonObjectGrpcServices(
+        const Json::Object& grpc_service);
+    std::vector<grpc_error*> ParseJsonObjectServer(const Json::Object& server);
+
+    std::string endpoint_;
+    StsConfig sts_config_;
+    grpc_millis timeout_;
+    grpc_millis certificate_lifetime_;
+    grpc_millis renewal_grace_period_;
+    uint32_t key_size_;
+    std::string location_;
+  };
+
+  const char* name() const override;
+
+  std::unique_ptr<CertificateProviderFactory::Config>
+  CreateCertificateProviderConfig(const Json& config_json,
+                                  grpc_error** error) override;
+
+  RefCountedPtr<grpc_tls_certificate_provider> CreateCertificateProvider(
+      std::unique_ptr<CertificateProviderFactory::Config> config) override {
+    // TODO(yashykt) : To be implemented
+    return nullptr;
+  }
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_EXT_XDS_GOOGLE_MESH_CA_CERTIFICATE_PROVIDER_FACTORY_H

data/src/core/ext/xds/xds_api.cc

@@ -42,6 +42,7 @@
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/sockaddr_utils.h"
 
+#include "envoy/config/cluster/v3/circuit_breaker.upb.h"
 #include "envoy/config/cluster/v3/cluster.upb.h"
 #include "envoy/config/core/v3/address.upb.h"
 #include "envoy/config/core/v3/base.upb.h"
@@ -55,6 +56,8 @@
 #include "envoy/config/route/v3/route.upb.h"
 #include "envoy/config/route/v3/route_components.upb.h"
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h"
+#include "envoy/extensions/transport_sockets/tls/v3/common.upb.h"
+#include "envoy/extensions/transport_sockets/tls/v3/tls.upb.h"
 #include "envoy/service/cluster/v3/cds.upb.h"
 #include "envoy/service/discovery/v3/discovery.upb.h"
 #include "envoy/service/endpoint/v3/eds.upb.h"
@@ -62,6 +65,7 @@
 #include "envoy/service/load_stats/v3/lrs.upb.h"
 #include "envoy/service/route/v3/rds.upb.h"
 #include "envoy/type/matcher/v3/regex.upb.h"
+#include "envoy/type/matcher/v3/string.upb.h"
 #include "envoy/type/v3/percent.upb.h"
 #include "envoy/type/v3/range.upb.h"
 #include "google/protobuf/any.upb.h"
@@ -228,8 +232,8 @@ std::string XdsApi::Route::Matchers::HeaderMatcher::ToString() const {
 std::string XdsApi::Route::Matchers::ToString() const {
   std::vector<std::string> contents;
   contents.push_back(path_matcher.ToString());
-  for (const auto& header_it : header_matchers) {
-    contents.push_back(header_it.ToString());
+  for (const HeaderMatcher& header_matcher : header_matchers) {
+    contents.push_back(header_matcher.ToString());
   }
   if (fraction_per_million.has_value()) {
     contents.push_back(absl::StrFormat("Fraction Per Million %d",
@@ -248,8 +252,8 @@ std::string XdsApi::Route::ToString() const {
   if (!cluster_name.empty()) {
     contents.push_back(absl::StrFormat("Cluster name: %s", cluster_name));
   }
-  for (const auto& weighted_it : weighted_clusters) {
-    contents.push_back(weighted_it.ToString());
+  for (const ClusterWeight& cluster_weight : weighted_clusters) {
+    contents.push_back(cluster_weight.ToString());
   }
   return absl::StrJoin(contents, "\n");
 }
@@ -333,8 +337,8 @@ MatchType DomainPatternMatchType(const std::string& domain_pattern) {
 
 }  // namespace
 
-const XdsApi::RdsUpdate::VirtualHost*
-XdsApi::RdsUpdate::FindVirtualHostForDomain(const std::string& domain) const {
+XdsApi::RdsUpdate::VirtualHost* XdsApi::RdsUpdate::FindVirtualHostForDomain(
+    const std::string& domain) {
   // Find the best matched virtual host.
   // The search order for 4 groups of domain patterns:
   //   1. Exact match.
@@ -344,12 +348,12 @@ XdsApi::RdsUpdate::FindVirtualHostForDomain(const std::string& domain) const {
   // Within each group, longest match wins.
   // If the same best matched domain pattern appears in multiple virtual hosts,
   // the first matched virtual host wins.
-  const VirtualHost* target_vhost = nullptr;
+  VirtualHost* target_vhost = nullptr;
   MatchType best_match_type = INVALID_MATCH;
   size_t longest_match = 0;
   // Check each domain pattern in each virtual host to determine the best
   // matched virtual host.
-  for (const VirtualHost& vhost : virtual_hosts) {
+  for (VirtualHost& vhost : virtual_hosts) {
     for (const std::string& domain_pattern : vhost.domains) {
       // Check the match type first. Skip the pattern if it's not better than
       // current match.
@@ -375,49 +379,80 @@ XdsApi::RdsUpdate::FindVirtualHostForDomain(const std::string& domain) const {
 }
 
 //
-// XdsApi::PriorityListUpdate
+// XdsApi::StringMatcher
 //
 
-bool XdsApi::PriorityListUpdate::operator==(
-    const XdsApi::PriorityListUpdate& other) const {
-  if (priorities_.size() != other.priorities_.size()) return false;
-  for (size_t i = 0; i < priorities_.size(); ++i) {
-    if (priorities_[i].localities != other.priorities_[i].localities) {
-      return false;
-    }
+XdsApi::StringMatcher::StringMatcher(const StringMatcher& other)
+    : type(other.type) {
+  switch (type) {
+    case StringMatcherType::SAFE_REGEX:
+      regex_match = absl::make_unique<RE2>(other.regex_match->pattern());
+      break;
+    default:
+      string_matcher = other.string_matcher;
   }
-  return true;
 }
 
-void XdsApi::PriorityListUpdate::Add(
-    XdsApi::PriorityListUpdate::LocalityMap::Locality locality) {
-  // Pad the missing priorities in case the localities are not ordered by
-  // priority.
-  if (!Contains(locality.priority)) priorities_.resize(locality.priority + 1);
-  LocalityMap& locality_map = priorities_[locality.priority];
-  locality_map.localities.emplace(locality.name, std::move(locality));
-}
-
-const XdsApi::PriorityListUpdate::LocalityMap* XdsApi::PriorityListUpdate::Find(
-    uint32_t priority) const {
-  if (!Contains(priority)) return nullptr;
-  return &priorities_[priority];
+XdsApi::StringMatcher& XdsApi::StringMatcher::operator=(
+    const StringMatcher& other) {
+  type = other.type;
+  switch (type) {
+    case StringMatcherType::SAFE_REGEX:
+      regex_match = absl::make_unique<RE2>(other.regex_match->pattern());
+      break;
+    default:
+      string_matcher = other.string_matcher;
+  }
+  return *this;
 }
 
-bool XdsApi::PriorityListUpdate::Contains(
-    const RefCountedPtr<XdsLocalityName>& name) {
-  for (size_t i = 0; i < priorities_.size(); ++i) {
-    const LocalityMap& locality_map = priorities_[i];
-    if (locality_map.Contains(name)) return true;
+bool XdsApi::StringMatcher::operator==(const StringMatcher& other) const {
+  if (type != other.type) return false;
+  switch (type) {
+    case StringMatcherType::SAFE_REGEX:
+      return regex_match->pattern() != other.regex_match->pattern();
+    default:
+      return string_matcher != other.string_matcher;
   }
-  return false;
 }
 
 //
-// XdsApi::DropConfig
+// XdsApi::EdsUpdate
 //
 
-bool XdsApi::DropConfig::ShouldDrop(const std::string** category_name) const {
+std::string XdsApi::EdsUpdate::Priority::Locality::ToString() const {
+  std::vector<std::string> endpoint_strings;
+  for (const ServerAddress& endpoint : endpoints) {
+    endpoint_strings.emplace_back(endpoint.ToString());
+  }
+  return absl::StrCat("{name=", name->AsHumanReadableString(),
+                      ", lb_weight=", lb_weight, ", endpoints=[",
+                      absl::StrJoin(endpoint_strings, ", "), "]}");
+}
+
+bool XdsApi::EdsUpdate::Priority::operator==(const Priority& other) const {
+  if (localities.size() != other.localities.size()) return false;
+  auto it1 = localities.begin();
+  auto it2 = other.localities.begin();
+  while (it1 != localities.end()) {
+    if (*it1->first != *it2->first) return false;
+    if (it1->second != it2->second) return false;
+    ++it1;
+    ++it2;
+  }
+  return true;
+}
+
+std::string XdsApi::EdsUpdate::Priority::ToString() const {
+  std::vector<std::string> locality_strings;
+  for (const auto& p : localities) {
+    locality_strings.emplace_back(p.second.ToString());
+  }
+  return absl::StrCat("[", absl::StrJoin(locality_strings, ", "), "]");
+}
+
+bool XdsApi::EdsUpdate::DropConfig::ShouldDrop(
+    const std::string** category_name) const {
   for (size_t i = 0; i < drop_category_list_.size(); ++i) {
     const auto& drop_category = drop_category_list_[i];
     // Generate a random number in [0, 1000000).
@@ -430,6 +465,27 @@ bool XdsApi::DropConfig::ShouldDrop(const std::string** category_name) const {
   return false;
 }
 
+std::string XdsApi::EdsUpdate::DropConfig::ToString() const {
+  std::vector<std::string> category_strings;
+  for (const DropCategory& category : drop_category_list_) {
+    category_strings.emplace_back(
+        absl::StrCat(category.name, "=", category.parts_per_million));
+  }
+  return absl::StrCat("{[", absl::StrJoin(category_strings, ", "),
+                      "], drop_all=", drop_all_, "}");
+}
+
+std::string XdsApi::EdsUpdate::ToString() const {
+  std::vector<std::string> priority_strings;
+  for (size_t i = 0; i < priorities.size(); ++i) {
+    const Priority& priority = priorities[i];
+    priority_strings.emplace_back(
+        absl::StrCat("priority ", i, ": ", priority.ToString()));
+  }
+  return absl::StrCat("priorities=[", absl::StrJoin(priority_strings, ", "),
+                      "], drop_config=", drop_config->ToString());
+}
+
 //
 // XdsApi
 //
@@ -579,7 +635,6 @@ void PopulateBuildVersion(upb_arena* arena, envoy_config_core_v3_Node* node_msg,
 void PopulateNode(upb_arena* arena, const XdsBootstrap* bootstrap,
                   const std::string& build_version,
                   const std::string& user_agent_name,
-                  const std::string& server_name,
                   envoy_config_core_v3_Node* node_msg) {
   const XdsBootstrap::Node* node = bootstrap->node();
   if (node != nullptr) {
@@ -596,16 +651,6 @@ void PopulateNode(upb_arena* arena, const XdsBootstrap* bootstrap,
           envoy_config_core_v3_Node_mutable_metadata(node_msg, arena);
       PopulateMetadata(arena, metadata, node->metadata.object_value());
     }
-    if (!server_name.empty()) {
-      google_protobuf_Struct* metadata =
-          envoy_config_core_v3_Node_mutable_metadata(node_msg, arena);
-      google_protobuf_Value* value = google_protobuf_Value_new(arena);
-      google_protobuf_Value_set_string_value(value,
-                                             StdStringToUpbString(server_name));
-      google_protobuf_Struct_fields_set(
-          metadata, upb_strview_makez("PROXYLESS_CLIENT_HOSTNAME"), value,
-          arena);
-    }
     if (!node->locality_region.empty() || !node->locality_zone.empty() ||
         !node->locality_subzone.empty()) {
       envoy_config_core_v3_Locality* locality =
@@ -886,7 +931,7 @@ grpc_slice XdsApi::CreateAdsRequest(
     envoy_config_core_v3_Node* node_msg =
         envoy_service_discovery_v3_DiscoveryRequest_mutable_node(request,
                                                                  arena.ptr());
-    PopulateNode(arena.ptr(), bootstrap_, build_version_, user_agent_name_, "",
+    PopulateNode(arena.ptr(), bootstrap_, build_version_, user_agent_name_,
                  node_msg);
   }
   // Add resource_names.
@@ -1552,7 +1597,9 @@ grpc_error* RouteConfigParse(
       std::string domain_pattern = UpbStringToStdString(domains[j]);
       const MatchType match_type = DomainPatternMatchType(domain_pattern);
       if (match_type == INVALID_MATCH) {
-        return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid domain pattern.");
+        return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrCat("Invalid domain pattern \"", domain_pattern, "\".")
+                .c_str());
       }
       vhost.domains.emplace_back(std::move(domain_pattern));
     }
@@ -1608,8 +1655,8 @@ grpc_error* RouteConfigParse(
 grpc_error* LdsResponseParse(
     XdsClient* client, TraceFlag* tracer,
     const envoy_service_discovery_v3_DiscoveryResponse* response,
-    const std::string& expected_server_name,
-    absl::optional<XdsApi::LdsUpdate>* lds_update, upb_arena* arena) {
+    const std::set<absl::string_view>& expected_listener_names,
+    XdsApi::LdsUpdateMap* lds_update_map, upb_arena* arena) {
   // Get the resources from the response.
   size_t size;
   const google_protobuf_Any* const* resources =
@@ -1631,9 +1678,19 @@ grpc_error* LdsResponseParse(
       return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Can't decode listener.");
     }
     // Check listener name. Ignore unexpected listeners.
-    absl::string_view name =
-        UpbStringToAbsl(envoy_config_listener_v3_Listener_name(listener));
-    if (name != expected_server_name) continue;
+    std::string listener_name =
+        UpbStringToStdString(envoy_config_listener_v3_Listener_name(listener));
+    if (expected_listener_names.find(listener_name) ==
+        expected_listener_names.end()) {
+      continue;
+    }
+    // Fail if listener name is duplicated.
+    if (lds_update_map->find(listener_name) != lds_update_map->end()) {
+      return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("duplicate listener name \"", listener_name, "\"")
+              .c_str());
+    }
+    XdsApi::LdsUpdate& lds_update = (*lds_update_map)[listener_name];
     // Get api_listener and decode it to http_connection_manager.
     const envoy_config_listener_v3_ApiListener* api_listener =
         envoy_config_listener_v3_Listener_api_listener(listener);
@@ -1661,9 +1718,8 @@ grpc_error* LdsResponseParse(
       grpc_error* error =
           RouteConfigParse(client, tracer, route_config, &rds_update);
       if (error != GRPC_ERROR_NONE) return error;
-      lds_update->emplace();
-      (*lds_update)->rds_update = std::move(rds_update);
-      return GRPC_ERROR_NONE;
+      lds_update.rds_update = std::move(rds_update);
+      continue;
     }
     // Validate that RDS must be used to get the route_config dynamically.
     if (!envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_rds(
@@ -1687,11 +1743,9 @@ grpc_error* LdsResponseParse(
           "HttpConnectionManager ConfigSource for RDS does not specify ADS.");
     }
     // Get the route_config_name.
-    lds_update->emplace();
-    (*lds_update)->route_config_name = UpbStringToStdString(
+    lds_update.route_config_name = UpbStringToStdString(
         envoy_extensions_filters_network_http_connection_manager_v3_Rds_route_config_name(
             rds));
-    return GRPC_ERROR_NONE;
   }
   return GRPC_ERROR_NONE;
 }
@@ -1700,7 +1754,7 @@ grpc_error* RdsResponseParse(
     XdsClient* client, TraceFlag* tracer,
     const envoy_service_discovery_v3_DiscoveryResponse* response,
     const std::set<absl::string_view>& expected_route_configuration_names,
-    absl::optional<XdsApi::RdsUpdate>* rds_update, upb_arena* arena) {
+    XdsApi::RdsUpdateMap* rds_update_map, upb_arena* arena) {
   // Get the resources from the response.
   size_t size;
   const google_protobuf_Any* const* resources =
@@ -1722,19 +1776,111 @@ grpc_error* RdsResponseParse(
       return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Can't decode route_config.");
     }
     // Check route_config_name. Ignore unexpected route_config.
-    absl::string_view route_config_name = UpbStringToAbsl(
+    std::string route_config_name = UpbStringToStdString(
         envoy_config_route_v3_RouteConfiguration_name(route_config));
     if (expected_route_configuration_names.find(route_config_name) ==
         expected_route_configuration_names.end()) {
       continue;
     }
+    // Fail if route config name is duplicated.
+    if (rds_update_map->find(route_config_name) != rds_update_map->end()) {
+      return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("duplicate route config name \"", route_config_name,
+                       "\"")
+              .c_str());
+    }
     // Parse the route_config.
-    XdsApi::RdsUpdate local_rds_update;
+    XdsApi::RdsUpdate& rds_update =
+        (*rds_update_map)[std::move(route_config_name)];
     grpc_error* error =
-        RouteConfigParse(client, tracer, route_config, &local_rds_update);
+        RouteConfigParse(client, tracer, route_config, &rds_update);
     if (error != GRPC_ERROR_NONE) return error;
-    rds_update->emplace(std::move(local_rds_update));
-    return GRPC_ERROR_NONE;
+  }
+  return GRPC_ERROR_NONE;
+}
+
+grpc_error* CommonTlsContextParse(
+    const envoy_extensions_transport_sockets_tls_v3_CommonTlsContext*
+        common_tls_context_proto,
+    XdsApi::CommonTlsContext* common_tls_context) GRPC_MUST_USE_RESULT;
+grpc_error* CommonTlsContextParse(
+    const envoy_extensions_transport_sockets_tls_v3_CommonTlsContext*
+        common_tls_context_proto,
+    XdsApi::CommonTlsContext* common_tls_context) {
+  auto* combined_validation_context =
+      envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_combined_validation_context(
+          common_tls_context_proto);
+  if (combined_validation_context != nullptr) {
+    auto* default_validation_context =
+        envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CombinedCertificateValidationContext_default_validation_context(
+            combined_validation_context);
+    if (default_validation_context != nullptr) {
+      size_t len = 0;
+      auto* subject_alt_names_matchers =
+          envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_match_subject_alt_names(
+              default_validation_context, &len);
+      for (size_t i = 0; i < len; ++i) {
+        XdsApi::StringMatcher matcher;
+        if (envoy_type_matcher_v3_StringMatcher_has_exact(
+                subject_alt_names_matchers[i])) {
+          matcher.type = XdsApi::StringMatcher::StringMatcherType::EXACT;
+          matcher.string_matcher =
+              UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_exact(
+                  subject_alt_names_matchers[i]));
+        } else if (envoy_type_matcher_v3_StringMatcher_has_prefix(
+                       subject_alt_names_matchers[i])) {
+          matcher.type = XdsApi::StringMatcher::StringMatcherType::PREFIX;
+          matcher.string_matcher =
+              UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_prefix(
+                  subject_alt_names_matchers[i]));
+        } else if (envoy_type_matcher_v3_StringMatcher_has_suffix(
+                       subject_alt_names_matchers[i])) {
+          matcher.type = XdsApi::StringMatcher::StringMatcherType::SUFFIX;
+          matcher.string_matcher =
+              UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_suffix(
+                  subject_alt_names_matchers[i]));
+        } else if (envoy_type_matcher_v3_StringMatcher_has_safe_regex(
+                       subject_alt_names_matchers[i])) {
+          matcher.type = XdsApi::StringMatcher::StringMatcherType::SAFE_REGEX;
+          auto* regex_matcher = envoy_type_matcher_v3_StringMatcher_safe_regex(
+              subject_alt_names_matchers[i]);
+          std::unique_ptr<RE2> regex =
+              absl::make_unique<RE2>(UpbStringToStdString(
+                  envoy_type_matcher_v3_RegexMatcher_regex(regex_matcher)));
+          if (!regex->ok()) {
+            return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                "Invalid regex string specified in string matcher.");
+          }
+          matcher.regex_match = std::move(regex);
+        } else {
+          return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+              "Invalid StringMatcher specified");
+        }
+        matcher.ignore_case = envoy_type_matcher_v3_StringMatcher_ignore_case(
+            subject_alt_names_matchers[i]);
+        common_tls_context->combined_validation_context
+            .default_validation_context.match_subject_alt_names.emplace_back(
+                matcher);
+      }
+    }
+    auto* validation_context_certificate_provider_instance =
+        envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CombinedCertificateValidationContext_validation_context_certificate_provider_instance(
+            combined_validation_context);
+    if (validation_context_certificate_provider_instance != nullptr) {
+      common_tls_context->combined_validation_context
+          .validation_context_certificate_provider_instance = UpbStringToStdString(
+          envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance_instance_name(
+              validation_context_certificate_provider_instance));
+    }
+  }
+  auto* tls_certificate_certificate_provider_instance =
+      envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_tls_certificate_certificate_provider_instance(
+          common_tls_context_proto);
+  if (tls_certificate_certificate_provider_instance != nullptr) {
+    common_tls_context
+        ->tls_certificate_certificate_provider_instance = UpbStringToStdString(
+        envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance_instance_name(
+            tls_certificate_certificate_provider_instance));
   }
   return GRPC_ERROR_NONE;
 }
@@ -1750,7 +1896,6 @@ grpc_error* CdsResponseParse(
       envoy_service_discovery_v3_DiscoveryResponse_resources(response, &size);
   // Parse all the resources in the CDS response.
   for (size_t i = 0; i < size; ++i) {
-    XdsApi::CdsUpdate cds_update;
     // Check the type_url of the resource.
     absl::string_view type_url =
         UpbStringToAbsl(google_protobuf_Any_type_url(resources[i]));
@@ -1779,6 +1924,7 @@ grpc_error* CdsResponseParse(
           absl::StrCat("duplicate resource name \"", cluster_name, "\"")
               .c_str());
     }
+    XdsApi::CdsUpdate& cds_update = (*cds_update_map)[std::move(cluster_name)];
     // Check the cluster_discovery_type.
     if (!envoy_config_cluster_v3_Cluster_has_type(cluster)) {
       return GRPC_ERROR_CREATE_FROM_STATIC_STRING("DiscoveryType not found.");
@@ -1810,6 +1956,37 @@ grpc_error* CdsResponseParse(
       return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
           "LB policy is not ROUND_ROBIN.");
     }
+    // Record Upstream tls context
+    auto* transport_socket =
+        envoy_config_cluster_v3_Cluster_transport_socket(cluster);
+    if (transport_socket != nullptr) {
+      absl::string_view name = UpbStringToAbsl(
+          envoy_config_core_v3_TransportSocket_name(transport_socket));
+      if (name == "tls") {
+        auto* typed_config =
+            envoy_config_core_v3_TransportSocket_typed_config(transport_socket);
+        if (typed_config != nullptr) {
+          const upb_strview encoded_upstream_tls_context =
+              google_protobuf_Any_value(typed_config);
+          auto* upstream_tls_context =
+              envoy_extensions_transport_sockets_tls_v3_UpstreamTlsContext_parse(
+                  encoded_upstream_tls_context.data,
+                  encoded_upstream_tls_context.size, arena);
+          if (upstream_tls_context == nullptr) {
+            return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                "Can't decode upstream tls context.");
+          }
+          auto* common_tls_context =
+              envoy_extensions_transport_sockets_tls_v3_UpstreamTlsContext_common_tls_context(
+                  upstream_tls_context);
+          if (common_tls_context != nullptr) {
+            grpc_error* error = CommonTlsContextParse(
+                common_tls_context, &cds_update.common_tls_context);
+            if (error != GRPC_ERROR_NONE) return error;
+          }
+        }
+      }
+    }
     // Record LRS server name (if any).
     const envoy_config_core_v3_ConfigSource* lrs_server =
         envoy_config_cluster_v3_Cluster_lrs_server(cluster);
@@ -1820,7 +1997,32 @@ grpc_error* CdsResponseParse(
       }
       cds_update.lrs_load_reporting_server_name.emplace("");
     }
-    cds_update_map->emplace(std::move(cluster_name), std::move(cds_update));
+    // The Cluster resource encodes the circuit breaking parameters in a list of
+    // Thresholds messages, where each message specifies the parameters for a
+    // particular RoutingPriority. we will look only at the first entry in the
+    // list for priority DEFAULT and default to 1024 if not found.
+    if (envoy_config_cluster_v3_Cluster_has_circuit_breakers(cluster)) {
+      const envoy_config_cluster_v3_CircuitBreakers* circuit_breakers =
+          envoy_config_cluster_v3_Cluster_circuit_breakers(cluster);
+      size_t num_thresholds;
+      const envoy_config_cluster_v3_CircuitBreakers_Thresholds* const*
+          thresholds = envoy_config_cluster_v3_CircuitBreakers_thresholds(
+              circuit_breakers, &num_thresholds);
+      for (size_t i = 0; i < num_thresholds; ++i) {
+        const auto* threshold = thresholds[i];
+        if (envoy_config_cluster_v3_CircuitBreakers_Thresholds_priority(
+                threshold) == envoy_config_core_v3_DEFAULT) {
+          const google_protobuf_UInt32Value* max_requests =
+              envoy_config_cluster_v3_CircuitBreakers_Thresholds_max_requests(
+                  threshold);
+          if (max_requests != nullptr) {
+            cds_update.max_concurrent_requests =
+                google_protobuf_UInt32Value_value(max_requests);
+          }
+          break;
+        }
+      }
+    }
   }
   return GRPC_ERROR_NONE;
 }
@@ -1858,7 +2060,7 @@ grpc_error* ServerAddressParseAndAppend(
 
 grpc_error* LocalityParse(
     const envoy_config_endpoint_v3_LocalityLbEndpoints* locality_lb_endpoints,
-    XdsApi::PriorityListUpdate::LocalityMap::Locality* output_locality) {
+    XdsApi::EdsUpdate::Priority::Locality* output_locality, size_t* priority) {
   // Parse LB weight.
   const google_protobuf_UInt32Value* lb_weight =
       envoy_config_endpoint_v3_LocalityLbEndpoints_load_balancing_weight(
@@ -1888,20 +2090,19 @@ grpc_error* LocalityParse(
           locality_lb_endpoints, &size);
   for (size_t i = 0; i < size; ++i) {
     grpc_error* error = ServerAddressParseAndAppend(
-        lb_endpoints[i], &output_locality->serverlist);
+        lb_endpoints[i], &output_locality->endpoints);
     if (error != GRPC_ERROR_NONE) return error;
   }
   // Parse the priority.
-  output_locality->priority =
-      envoy_config_endpoint_v3_LocalityLbEndpoints_priority(
-          locality_lb_endpoints);
+  *priority = envoy_config_endpoint_v3_LocalityLbEndpoints_priority(
+      locality_lb_endpoints);
   return GRPC_ERROR_NONE;
 }
 
 grpc_error* DropParseAndAppend(
     const envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload*
         drop_overload,
-    XdsApi::DropConfig* drop_config) {
+    XdsApi::EdsUpdate::DropConfig* drop_config) {
   // Get the category.
   std::string category = UpbStringToStdString(
       envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload_category(
@@ -1947,7 +2148,6 @@ grpc_error* EdsResponseParse(
   const google_protobuf_Any* const* resources =
       envoy_service_discovery_v3_DiscoveryResponse_resources(response, &size);
   for (size_t i = 0; i < size; ++i) {
-    XdsApi::EdsUpdate eds_update;
     // Check the type_url of the resource.
     absl::string_view type_url =
         UpbStringToAbsl(google_protobuf_Any_type_url(resources[i]));
@@ -1980,29 +2180,36 @@ grpc_error* EdsResponseParse(
           absl::StrCat("duplicate resource name \"", eds_service_name, "\"")
               .c_str());
     }
+    XdsApi::EdsUpdate& eds_update =
+        (*eds_update_map)[std::move(eds_service_name)];
     // Get the endpoints.
     size_t locality_size;
     const envoy_config_endpoint_v3_LocalityLbEndpoints* const* endpoints =
         envoy_config_endpoint_v3_ClusterLoadAssignment_endpoints(
             cluster_load_assignment, &locality_size);
     for (size_t j = 0; j < locality_size; ++j) {
-      XdsApi::PriorityListUpdate::LocalityMap::Locality locality;
-      grpc_error* error = LocalityParse(endpoints[j], &locality);
+      size_t priority;
+      XdsApi::EdsUpdate::Priority::Locality locality;
+      grpc_error* error = LocalityParse(endpoints[j], &locality, &priority);
       if (error != GRPC_ERROR_NONE) return error;
       // Filter out locality with weight 0.
       if (locality.lb_weight == 0) continue;
-      eds_update.priority_list_update.Add(locality);
+      // Make sure prorities is big enough. Note that they might not
+      // arrive in priority order.
+      while (eds_update.priorities.size() < priority + 1) {
+        eds_update.priorities.emplace_back();
+      }
+      eds_update.priorities[priority].localities.emplace(locality.name.get(),
+                                                         std::move(locality));
     }
-    for (uint32_t priority = 0;
-         priority < eds_update.priority_list_update.size(); ++priority) {
-      auto* locality_map = eds_update.priority_list_update.Find(priority);
-      if (locality_map == nullptr || locality_map->size() == 0) {
+    for (const auto& priority : eds_update.priorities) {
+      if (priority.localities.empty()) {
         return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
             "EDS update includes sparse priority list");
       }
     }
     // Get the drop config.
-    eds_update.drop_config = MakeRefCounted<XdsApi::DropConfig>();
+    eds_update.drop_config = MakeRefCounted<XdsApi::EdsUpdate::DropConfig>();
     const envoy_config_endpoint_v3_ClusterLoadAssignment_Policy* policy =
         envoy_config_endpoint_v3_ClusterLoadAssignment_policy(
             cluster_load_assignment);
@@ -2018,7 +2225,6 @@ grpc_error* EdsResponseParse(
         if (error != GRPC_ERROR_NONE) return error;
       }
     }
-    eds_update_map->emplace(std::move(eds_service_name), std::move(eds_update));
   }
   return GRPC_ERROR_NONE;
 }
@@ -2039,7 +2245,8 @@ std::string TypeUrlInternalToExternal(absl::string_view type_url) {
 }  // namespace
 
 XdsApi::AdsParseResult XdsApi::ParseAdsResponse(
-    const grpc_slice& encoded_response, const std::string& expected_server_name,
+    const grpc_slice& encoded_response,
+    const std::set<absl::string_view>& expected_listener_names,
     const std::set<absl::string_view>& expected_route_configuration_names,
     const std::set<absl::string_view>& expected_cluster_names,
     const std::set<absl::string_view>& expected_eds_service_names) {
@@ -2067,12 +2274,12 @@ XdsApi::AdsParseResult XdsApi::ParseAdsResponse(
   // Parse the response according to the resource type.
   if (IsLds(result.type_url)) {
     result.parse_error =
-        LdsResponseParse(client_, tracer_, response, expected_server_name,
-                         &result.lds_update, arena.ptr());
+        LdsResponseParse(client_, tracer_, response, expected_listener_names,
+                         &result.lds_update_map, arena.ptr());
   } else if (IsRds(result.type_url)) {
     result.parse_error = RdsResponseParse(client_, tracer_, response,
                                           expected_route_configuration_names,
-                                          &result.rds_update, arena.ptr());
+                                          &result.rds_update_map, arena.ptr());
   } else if (IsCds(result.type_url)) {
     result.parse_error =
         CdsResponseParse(client_, tracer_, response, expected_cluster_names,
@@ -2216,7 +2423,7 @@ grpc_slice SerializeLrsRequest(
 
 }  // namespace
 
-grpc_slice XdsApi::CreateLrsInitialRequest(const std::string& server_name) {
+grpc_slice XdsApi::CreateLrsInitialRequest() {
   upb::Arena arena;
   // Create a request.
   envoy_service_load_stats_v3_LoadStatsRequest* request =
@@ -2226,7 +2433,7 @@ grpc_slice XdsApi::CreateLrsInitialRequest(const std::string& server_name) {
       envoy_service_load_stats_v3_LoadStatsRequest_mutable_node(request,
                                                                 arena.ptr());
   PopulateNode(arena.ptr(), bootstrap_, build_version_, user_agent_name_,
-               server_name, node_msg);
+               node_msg);
   envoy_config_core_v3_Node_add_client_features(
       node_msg, upb_strview_makez("envoy.lrs.supports_send_all_clusters"),
       arena.ptr());
@@ -2317,7 +2524,7 @@ grpc_slice XdsApi::CreateLrsRequest(
     }
     // Add dropped requests.
     uint64_t total_dropped_requests = 0;
-    for (const auto& p : load_report.dropped_requests) {
+    for (const auto& p : load_report.dropped_requests.categorized_drops) {
       const std::string& category = p.first;
       const uint64_t count = p.second;
       envoy_config_endpoint_v3_ClusterStats_DroppedRequests* dropped_requests =
@@ -2329,6 +2536,7 @@ grpc_slice XdsApi::CreateLrsRequest(
           dropped_requests, count);
       total_dropped_requests += count;
     }
+    total_dropped_requests += load_report.dropped_requests.uncategorized_drops;
     // Set total dropped requests.
     envoy_config_endpoint_v3_ClusterStats_set_total_dropped_requests(
         cluster_stats, total_dropped_requests);