grpc 1.32.0 → 1.36.0

data/src/core/ext/xds/certificate_provider_store.cc

@@ -0,0 +1,87 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/ext/xds/certificate_provider_store.h"
+
+#include "src/core/ext/xds/certificate_provider_registry.h"
+
+namespace grpc_core {
+
+// If a certificate provider is created, the CertificateProviderStore
+// maintains a raw pointer to the created CertificateProviderWrapper so that
+// future calls to `CreateOrGetCertificateProvider()` with the same key result
+// in returning a ref to this created certificate provider. This entry is
+// deleted when the refcount to this provider reaches zero.
+RefCountedPtr<grpc_tls_certificate_provider>
+CertificateProviderStore::CreateOrGetCertificateProvider(
+    absl::string_view key) {
+  RefCountedPtr<CertificateProviderWrapper> result;
+  MutexLock lock(&mu_);
+  auto it = certificate_providers_map_.find(key);
+  if (it == certificate_providers_map_.end()) {
+    result = CreateCertificateProviderLocked(key);
+    if (result != nullptr) {
+      certificate_providers_map_.insert({result->key(), result.get()});
+    }
+  } else {
+    result = it->second->RefIfNonZero();
+    if (result == nullptr) {
+      result = CreateCertificateProviderLocked(key);
+      it->second = result.get();
+    }
+  }
+  return result;
+}
+
+RefCountedPtr<CertificateProviderStore::CertificateProviderWrapper>
+CertificateProviderStore::CreateCertificateProviderLocked(
+    absl::string_view key) {
+  auto plugin_config_it = plugin_config_map_.find(std::string(key));
+  if (plugin_config_it == plugin_config_map_.end()) {
+    return nullptr;
+  }
+  CertificateProviderFactory* factory =
+      CertificateProviderRegistry::LookupCertificateProviderFactory(
+          plugin_config_it->second.plugin_name);
+  if (factory == nullptr) {
+    // This should never happen since an entry is only inserted in the
+    // plugin_config_map_ if the corresponding factory was found when parsing
+    // the xDS bootstrap file.
+    gpr_log(GPR_ERROR, "Certificate provider factory %s not found",
+            plugin_config_it->second.plugin_name.c_str());
+    return nullptr;
+  }
+  return MakeRefCounted<CertificateProviderWrapper>(
+      factory->CreateCertificateProvider(plugin_config_it->second.config),
+      Ref(), plugin_config_it->first);
+}
+
+void CertificateProviderStore::ReleaseCertificateProvider(
+    absl::string_view key, CertificateProviderWrapper* wrapper) {
+  MutexLock lock(&mu_);
+  auto it = certificate_providers_map_.find(key);
+  if (it != certificate_providers_map_.end()) {
+    if (it->second == wrapper) {
+      certificate_providers_map_.erase(it);
+    }
+  }
+}
+
+}  // namespace grpc_core

data/src/core/ext/xds/certificate_provider_store.h

@@ -0,0 +1,112 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_STORE_H
+#define GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_STORE_H
+
+#include <grpc/support/port_platform.h>
+
+#include <map>
+
+#include "absl/strings/string_view.h"
+
+#include "src/core/ext/xds/certificate_provider_factory.h"
+#include "src/core/lib/gprpp/orphanable.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/sync.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
+
+namespace grpc_core {
+
+// Map for xDS based grpc_tls_certificate_provider instances.
+class CertificateProviderStore
+    : public InternallyRefCounted<CertificateProviderStore> {
+ public:
+  struct PluginDefinition {
+    std::string plugin_name;
+    RefCountedPtr<CertificateProviderFactory::Config> config;
+  };
+
+  // Maps plugin instance (opaque) name to plugin defition.
+  typedef std::map<std::string, PluginDefinition> PluginDefinitionMap;
+
+  explicit CertificateProviderStore(PluginDefinitionMap plugin_config_map)
+      : plugin_config_map_(std::move(plugin_config_map)) {}
+
+  // If a certificate provider corresponding to the instance name \a key is
+  // found, a ref to the grpc_tls_certificate_provider is returned. If no
+  // provider is found for the key, a new provider is created from the plugin
+  // definition map.
+  // Returns nullptr on failure to get or create a new certificate provider.
+  RefCountedPtr<grpc_tls_certificate_provider> CreateOrGetCertificateProvider(
+      absl::string_view key);
+
+  void Orphan() override { Unref(); }
+
+ private:
+  // A thin wrapper around `grpc_tls_certificate_provider` which allows removing
+  // the entry from the CertificateProviderStore when the refcount reaches zero.
+  class CertificateProviderWrapper : public grpc_tls_certificate_provider {
+   public:
+    CertificateProviderWrapper(
+        RefCountedPtr<grpc_tls_certificate_provider> certificate_provider,
+        RefCountedPtr<CertificateProviderStore> store, absl::string_view key)
+        : certificate_provider_(std::move(certificate_provider)),
+          store_(std::move(store)),
+          key_(key) {}
+
+    ~CertificateProviderWrapper() override {
+      store_->ReleaseCertificateProvider(key_, this);
+    }
+
+    grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
+        const override {
+      return certificate_provider_->distributor();
+    }
+
+    grpc_pollset_set* interested_parties() const override {
+      return certificate_provider_->interested_parties();
+    }
+
+    absl::string_view key() const { return key_; }
+
+   private:
+    RefCountedPtr<grpc_tls_certificate_provider> certificate_provider_;
+    RefCountedPtr<CertificateProviderStore> store_;
+    absl::string_view key_;
+  };
+
+  RefCountedPtr<CertificateProviderWrapper> CreateCertificateProviderLocked(
+      absl::string_view key);
+
+  // Releases a previously created certificate provider from the certificate
+  // provider map if the value matches \a wrapper.
+  void ReleaseCertificateProvider(absl::string_view key,
+                                  CertificateProviderWrapper* wrapper);
+
+  Mutex mu_;
+  // Map of plugin configurations
+  PluginDefinitionMap plugin_config_map_;
+  // Underlying map for the providers.
+  std::map<absl::string_view, CertificateProviderWrapper*>
+      certificate_providers_map_;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_STORE_H

data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc

@@ -0,0 +1,144 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/ext/xds/file_watcher_certificate_provider_factory.h"
+
+#include "absl/strings/str_format.h"
+#include "absl/strings/str_join.h"
+
+#include "src/core/ext/xds/certificate_provider_registry.h"
+#include "src/core/lib/json/json_util.h"
+
+namespace grpc_core {
+
+namespace {
+
+const char* kFileWatcherPlugin = "file_watcher";
+
+}  // namespace
+
+//
+// FileWatcherCertificateProviderFactory::Config
+//
+
+const char* FileWatcherCertificateProviderFactory::Config::name() const {
+  return kFileWatcherPlugin;
+}
+
+std::string FileWatcherCertificateProviderFactory::Config::ToString() const {
+  std::vector<std::string> parts;
+  parts.push_back("{");
+  if (!identity_cert_file_.empty()) {
+    parts.push_back(
+        absl::StrFormat("certificate_file=\"%s\", ", identity_cert_file_));
+  }
+  if (!identity_cert_file_.empty()) {
+    parts.push_back(
+        absl::StrFormat("private_key_file=\"%s\", ", private_key_file_));
+  }
+  if (!identity_cert_file_.empty()) {
+    parts.push_back(
+        absl::StrFormat("ca_certificate_file=\"%s\", ", root_cert_file_));
+  }
+  parts.push_back(
+      absl::StrFormat("refresh_interval=%ldms}", refresh_interval_ms_));
+  return absl::StrJoin(parts, "");
+}
+
+RefCountedPtr<FileWatcherCertificateProviderFactory::Config>
+FileWatcherCertificateProviderFactory::Config::Parse(const Json& config_json,
+                                                     grpc_error** error) {
+  auto config = MakeRefCounted<FileWatcherCertificateProviderFactory::Config>();
+  if (config_json.type() != Json::Type::OBJECT) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "error:config type should be OBJECT.");
+    return nullptr;
+  }
+  std::vector<grpc_error*> error_list;
+  ParseJsonObjectField(config_json.object_value(), "certificate_file",
+                       &config->identity_cert_file_, &error_list, false);
+  ParseJsonObjectField(config_json.object_value(), "private_key_file",
+                       &config->private_key_file_, &error_list, false);
+  if (config->identity_cert_file_.empty() !=
+      config->private_key_file_.empty()) {
+    error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "fields \"certificate_file\" and \"private_key_file\" must be both set "
+        "or both unset."));
+  }
+  ParseJsonObjectField(config_json.object_value(), "ca_certificate_file",
+                       &config->root_cert_file_, &error_list, false);
+  if (config->identity_cert_file_.empty() && config->root_cert_file_.empty()) {
+    error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "At least one of \"certificate_file\" and \"ca_certificate_file\" must "
+        "be specified."));
+  }
+  if (!ParseJsonObjectFieldAsDuration(
+          config_json.object_value(), "refresh_interval",
+          &config->refresh_interval_ms_, &error_list, false)) {
+    config->refresh_interval_ms_ = 10 * 60 * 1000;  // 10 minutes default
+  }
+  if (!error_list.empty()) {
+    *error = GRPC_ERROR_CREATE_FROM_VECTOR(
+        "Error parsing file watcher certificate provider config", &error_list);
+    return nullptr;
+  }
+  return config;
+}
+
+//
+// FileWatcherCertificateProviderFactory
+//
+
+const char* FileWatcherCertificateProviderFactory::name() const {
+  return kFileWatcherPlugin;
+}
+
+RefCountedPtr<CertificateProviderFactory::Config>
+FileWatcherCertificateProviderFactory::CreateCertificateProviderConfig(
+    const Json& config_json, grpc_error** error) {
+  return FileWatcherCertificateProviderFactory::Config::Parse(config_json,
+                                                              error);
+}
+
+RefCountedPtr<grpc_tls_certificate_provider>
+FileWatcherCertificateProviderFactory::CreateCertificateProvider(
+    RefCountedPtr<CertificateProviderFactory::Config> config) {
+  if (config->name() != name()) {
+    gpr_log(GPR_ERROR, "Wrong config type Actual:%s vs Expected:%s",
+            config->name(), name());
+    return nullptr;
+  }
+  auto* file_watcher_config =
+      static_cast<FileWatcherCertificateProviderFactory::Config*>(config.get());
+  return MakeRefCounted<FileWatcherCertificateProvider>(
+      file_watcher_config->private_key_file(),
+      file_watcher_config->identity_cert_file(),
+      file_watcher_config->root_cert_file(),
+      file_watcher_config->refresh_interval_ms() / GPR_MS_PER_SEC);
+}
+
+void FileWatcherCertificateProviderInit() {
+  CertificateProviderRegistry::RegisterCertificateProviderFactory(
+      absl::make_unique<FileWatcherCertificateProviderFactory>());
+}
+
+void FileWatcherCertificateProviderShutdown() {}
+
+}  // namespace grpc_core

data/src/core/ext/xds/file_watcher_certificate_provider_factory.h

@@ -0,0 +1,69 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_EXT_XDS_FILE_WATCHER_CERTIFICATE_PROVIDER_FACTORY_H
+#define GRPC_CORE_EXT_XDS_FILE_WATCHER_CERTIFICATE_PROVIDER_FACTORY_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/ext/xds/certificate_provider_factory.h"
+
+namespace grpc_core {
+
+class FileWatcherCertificateProviderFactory
+    : public CertificateProviderFactory {
+ public:
+  class Config : public CertificateProviderFactory::Config {
+   public:
+    static RefCountedPtr<Config> Parse(const Json& config_json,
+                                       grpc_error** error);
+
+    const char* name() const override;
+
+    std::string ToString() const override;
+
+    const std::string& identity_cert_file() const {
+      return identity_cert_file_;
+    }
+
+    const std::string& private_key_file() const { return private_key_file_; }
+
+    const std::string& root_cert_file() const { return root_cert_file_; }
+
+    grpc_millis refresh_interval_ms() const { return refresh_interval_ms_; }
+
+   private:
+    std::string identity_cert_file_;
+    std::string private_key_file_;
+    std::string root_cert_file_;
+    grpc_millis refresh_interval_ms_;
+  };
+
+  const char* name() const override;
+
+  RefCountedPtr<CertificateProviderFactory::Config>
+  CreateCertificateProviderConfig(const Json& config_json,
+                                  grpc_error** error) override;
+
+  RefCountedPtr<grpc_tls_certificate_provider> CreateCertificateProvider(
+      RefCountedPtr<CertificateProviderFactory::Config> config) override;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_EXT_XDS_FILE_WATCHER_CERTIFICATE_PROVIDER_FACTORY_H

data/src/core/ext/xds/xds_api.cc

@@ -39,29 +39,46 @@
 #include "src/core/lib/gpr/env.h"
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gpr/useful.h"
+#include "src/core/lib/gprpp/host_port.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/sockaddr_utils.h"
+#include "src/core/lib/slice/slice_utils.h"
 
+#include "envoy/config/cluster/v3/circuit_breaker.upb.h"
 #include "envoy/config/cluster/v3/cluster.upb.h"
+#include "envoy/config/cluster/v3/cluster.upbdefs.h"
 #include "envoy/config/core/v3/address.upb.h"
 #include "envoy/config/core/v3/base.upb.h"
 #include "envoy/config/core/v3/config_source.upb.h"
 #include "envoy/config/core/v3/health_check.upb.h"
+#include "envoy/config/core/v3/protocol.upb.h"
 #include "envoy/config/endpoint/v3/endpoint.upb.h"
+#include "envoy/config/endpoint/v3/endpoint.upbdefs.h"
 #include "envoy/config/endpoint/v3/endpoint_components.upb.h"
 #include "envoy/config/endpoint/v3/load_report.upb.h"
 #include "envoy/config/listener/v3/api_listener.upb.h"
 #include "envoy/config/listener/v3/listener.upb.h"
+#include "envoy/config/listener/v3/listener_components.upb.h"
 #include "envoy/config/route/v3/route.upb.h"
+#include "envoy/config/route/v3/route.upbdefs.h"
 #include "envoy/config/route/v3/route_components.upb.h"
+#include "envoy/extensions/clusters/aggregate/v3/cluster.upb.h"
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h"
+#include "envoy/extensions/transport_sockets/tls/v3/common.upb.h"
+#include "envoy/extensions/transport_sockets/tls/v3/tls.upb.h"
 #include "envoy/service/cluster/v3/cds.upb.h"
+#include "envoy/service/cluster/v3/cds.upbdefs.h"
 #include "envoy/service/discovery/v3/discovery.upb.h"
+#include "envoy/service/discovery/v3/discovery.upbdefs.h"
 #include "envoy/service/endpoint/v3/eds.upb.h"
+#include "envoy/service/endpoint/v3/eds.upbdefs.h"
 #include "envoy/service/listener/v3/lds.upb.h"
 #include "envoy/service/load_stats/v3/lrs.upb.h"
+#include "envoy/service/load_stats/v3/lrs.upbdefs.h"
 #include "envoy/service/route/v3/rds.upb.h"
+#include "envoy/service/route/v3/rds.upbdefs.h"
 #include "envoy/type/matcher/v3/regex.upb.h"
+#include "envoy/type/matcher/v3/string.upb.h"
 #include "envoy/type/v3/percent.upb.h"
 #include "envoy/type/v3/range.upb.h"
 #include "google/protobuf/any.upb.h"
@@ -69,156 +86,55 @@
 #include "google/protobuf/struct.upb.h"
 #include "google/protobuf/wrappers.upb.h"
 #include "google/rpc/status.upb.h"
+#include "upb/text_encode.h"
 #include "upb/upb.h"
 
 namespace grpc_core {
 
-//
-// XdsApi::Route::Matchers::PathMatcher
-//
-
-XdsApi::Route::Matchers::PathMatcher::PathMatcher(const PathMatcher& other)
-    : type(other.type) {
-  if (type == PathMatcherType::REGEX) {
-    regex_matcher = absl::make_unique<RE2>(other.regex_matcher->pattern());
-  } else {
-    string_matcher = other.string_matcher;
-  }
-}
-
-XdsApi::Route::Matchers::PathMatcher& XdsApi::Route::Matchers::PathMatcher::
-operator=(const PathMatcher& other) {
-  type = other.type;
-  if (type == PathMatcherType::REGEX) {
-    regex_matcher = absl::make_unique<RE2>(other.regex_matcher->pattern());
-  } else {
-    string_matcher = other.string_matcher;
-  }
-  return *this;
-}
-
-bool XdsApi::Route::Matchers::PathMatcher::operator==(
-    const PathMatcher& other) const {
-  if (type != other.type) return false;
-  if (type == PathMatcherType::REGEX) {
-    // Should never be null.
-    if (regex_matcher == nullptr || other.regex_matcher == nullptr) {
-      return false;
-    }
-    return regex_matcher->pattern() == other.regex_matcher->pattern();
-  }
-  return string_matcher == other.string_matcher;
-}
-
-std::string XdsApi::Route::Matchers::PathMatcher::ToString() const {
-  std::string path_type_string;
-  switch (type) {
-    case PathMatcherType::PATH:
-      path_type_string = "path match";
-      break;
-    case PathMatcherType::PREFIX:
-      path_type_string = "prefix match";
-      break;
-    case PathMatcherType::REGEX:
-      path_type_string = "regex match";
-      break;
-    default:
-      break;
-  }
-  return absl::StrFormat("Path %s:%s", path_type_string,
-                         type == PathMatcherType::REGEX
-                             ? regex_matcher->pattern()
-                             : string_matcher);
-}
-
-//
-// XdsApi::Route::Matchers::HeaderMatcher
-//
-
-XdsApi::Route::Matchers::HeaderMatcher::HeaderMatcher(
-    const HeaderMatcher& other)
-    : name(other.name), type(other.type), invert_match(other.invert_match) {
-  switch (type) {
-    case HeaderMatcherType::REGEX:
-      regex_match = absl::make_unique<RE2>(other.regex_match->pattern());
-      break;
-    case HeaderMatcherType::RANGE:
-      range_start = other.range_start;
-      range_end = other.range_end;
-      break;
-    case HeaderMatcherType::PRESENT:
-      present_match = other.present_match;
-      break;
-    default:
-      string_matcher = other.string_matcher;
-  }
-}
-
-XdsApi::Route::Matchers::HeaderMatcher& XdsApi::Route::Matchers::HeaderMatcher::
-operator=(const HeaderMatcher& other) {
-  name = other.name;
-  type = other.type;
-  invert_match = other.invert_match;
-  switch (type) {
-    case HeaderMatcherType::REGEX:
-      regex_match = absl::make_unique<RE2>(other.regex_match->pattern());
-      break;
-    case HeaderMatcherType::RANGE:
-      range_start = other.range_start;
-      range_end = other.range_end;
-      break;
-    case HeaderMatcherType::PRESENT:
-      present_match = other.present_match;
-      break;
-    default:
-      string_matcher = other.string_matcher;
-  }
-  return *this;
-}
-
-bool XdsApi::Route::Matchers::HeaderMatcher::operator==(
-    const HeaderMatcher& other) const {
-  if (name != other.name) return false;
-  if (type != other.type) return false;
-  if (invert_match != other.invert_match) return false;
-  switch (type) {
-    case HeaderMatcherType::REGEX:
-      return regex_match->pattern() != other.regex_match->pattern();
-    case HeaderMatcherType::RANGE:
-      return range_start != other.range_start && range_end != other.range_end;
-    case HeaderMatcherType::PRESENT:
-      return present_match != other.present_match;
-    default:
-      return string_matcher != other.string_matcher;
-  }
-}
-
-std::string XdsApi::Route::Matchers::HeaderMatcher::ToString() const {
-  switch (type) {
-    case HeaderMatcherType::EXACT:
-      return absl::StrFormat("Header exact match:%s %s:%s",
-                             invert_match ? " not" : "", name, string_matcher);
-    case HeaderMatcherType::REGEX:
-      return absl::StrFormat("Header regex match:%s %s:%s",
-                             invert_match ? " not" : "", name,
-                             regex_match->pattern());
-    case HeaderMatcherType::RANGE:
-      return absl::StrFormat("Header range match:%s %s:[%d, %d)",
-                             invert_match ? " not" : "", name, range_start,
-                             range_end);
-    case HeaderMatcherType::PRESENT:
-      return absl::StrFormat("Header present match:%s %s:%s",
-                             invert_match ? " not" : "", name,
-                             present_match ? "true" : "false");
-    case HeaderMatcherType::PREFIX:
-      return absl::StrFormat("Header prefix match:%s %s:%s",
-                             invert_match ? " not" : "", name, string_matcher);
-    case HeaderMatcherType::SUFFIX:
-      return absl::StrFormat("Header suffix match:%s %s:%s",
-                             invert_match ? " not" : "", name, string_matcher);
-    default:
-      return "";
-  }
+// TODO(donnadionne): Check to see if timeout is enabled, this will be
+// removed once timeout feature is fully integration-tested and enabled by
+// default.
+bool XdsTimeoutEnabled() {
+  char* value = gpr_getenv("GRPC_XDS_EXPERIMENTAL_ENABLE_TIMEOUT");
+  bool parsed_value;
+  bool parse_succeeded = gpr_parse_bool_value(value, &parsed_value);
+  gpr_free(value);
+  return parse_succeeded && parsed_value;
+}
+
+// TODO(donnadionne): Check to see if cluster types aggregate_cluster and
+// logical_dns are enabled, this will be
+// removed once the cluster types are fully integration-tested and enabled by
+// default.
+bool XdsAggregateAndLogicalDnsClusterEnabled() {
+  char* value = gpr_getenv(
+      "GRPC_XDS_EXPERIMENTAL_ENABLE_AGGREGATE_AND_LOGICAL_DNS_CLUSTER");
+  bool parsed_value;
+  bool parse_succeeded = gpr_parse_bool_value(value, &parsed_value);
+  gpr_free(value);
+  return parse_succeeded && parsed_value;
+}
+
+// TODO(donnadionne): Check to see if ring hash policy is enabled, this will be
+// removed once ring hash policy is fully integration-tested and enabled by
+// default.
+bool XdsRingHashEnabled() {
+  char* value = gpr_getenv("GRPC_XDS_EXPERIMENTAL_ENABLE_RING_HASH");
+  bool parsed_value;
+  bool parse_succeeded = gpr_parse_bool_value(value, &parsed_value);
+  gpr_free(value);
+  return parse_succeeded && parsed_value;
+}
+
+// TODO(yashykt): Check to see if xDS security is enabled. This will be
+// removed once this feature is fully integration-tested and enabled by
+// default.
+bool XdsSecurityEnabled() {
+  char* value = gpr_getenv("GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT");
+  bool parsed_value;
+  bool parse_succeeded = gpr_parse_bool_value(value, &parsed_value);
+  gpr_free(value);
+  return parse_succeeded && parsed_value;
 }
 
 //
@@ -227,9 +143,10 @@ std::string XdsApi::Route::Matchers::HeaderMatcher::ToString() const {
 
 std::string XdsApi::Route::Matchers::ToString() const {
   std::vector<std::string> contents;
-  contents.push_back(path_matcher.ToString());
-  for (const auto& header_it : header_matchers) {
-    contents.push_back(header_it.ToString());
+  contents.push_back(
+      absl::StrFormat("PathMatcher{%s}", path_matcher.ToString()));
+  for (const HeaderMatcher& header_matcher : header_matchers) {
+    contents.push_back(header_matcher.ToString());
   }
   if (fraction_per_million.has_value()) {
     contents.push_back(absl::StrFormat("Fraction Per Million %d",
@@ -248,8 +165,11 @@ std::string XdsApi::Route::ToString() const {
   if (!cluster_name.empty()) {
     contents.push_back(absl::StrFormat("Cluster name: %s", cluster_name));
   }
-  for (const auto& weighted_it : weighted_clusters) {
-    contents.push_back(weighted_it.ToString());
+  for (const ClusterWeight& cluster_weight : weighted_clusters) {
+    contents.push_back(cluster_weight.ToString());
+  }
+  if (max_stream_duration.has_value()) {
+    contents.push_back(max_stream_duration->ToString());
   }
   return absl::StrJoin(contents, "\n");
 }
@@ -290,9 +210,11 @@ enum MatchType {
 };
 
 // Returns true if match succeeds.
-bool DomainMatch(MatchType match_type, std::string domain_pattern,
-                 std::string expected_host_name) {
+bool DomainMatch(MatchType match_type, const std::string& domain_pattern_in,
+                 const std::string& expected_host_name_in) {
   // Normalize the args to lower-case. Domain matching is case-insensitive.
+  std::string domain_pattern = domain_pattern_in;
+  std::string expected_host_name = expected_host_name_in;
   std::transform(domain_pattern.begin(), domain_pattern.end(),
                  domain_pattern.begin(),
                  [](unsigned char c) { return std::tolower(c); });
@@ -333,8 +255,8 @@ MatchType DomainPatternMatchType(const std::string& domain_pattern) {
 
 }  // namespace
 
-const XdsApi::RdsUpdate::VirtualHost*
-XdsApi::RdsUpdate::FindVirtualHostForDomain(const std::string& domain) const {
+XdsApi::RdsUpdate::VirtualHost* XdsApi::RdsUpdate::FindVirtualHostForDomain(
+    const std::string& domain) {
   // Find the best matched virtual host.
   // The search order for 4 groups of domain patterns:
   //   1. Exact match.
@@ -344,12 +266,12 @@ XdsApi::RdsUpdate::FindVirtualHostForDomain(const std::string& domain) const {
   // Within each group, longest match wins.
   // If the same best matched domain pattern appears in multiple virtual hosts,
   // the first matched virtual host wins.
-  const VirtualHost* target_vhost = nullptr;
+  VirtualHost* target_vhost = nullptr;
   MatchType best_match_type = INVALID_MATCH;
   size_t longest_match = 0;
   // Check each domain pattern in each virtual host to determine the best
   // matched virtual host.
-  for (const VirtualHost& vhost : virtual_hosts) {
+  for (VirtualHost& vhost : virtual_hosts) {
     for (const std::string& domain_pattern : vhost.domains) {
       // Check the match type first. Skip the pattern if it's not better than
       // current match.
@@ -375,49 +297,192 @@ XdsApi::RdsUpdate::FindVirtualHostForDomain(const std::string& domain) const {
 }
 
 //
-// XdsApi::PriorityListUpdate
+// XdsApi::CommonTlsContext::CertificateValidationContext
 //
 
-bool XdsApi::PriorityListUpdate::operator==(
-    const XdsApi::PriorityListUpdate& other) const {
-  if (priorities_.size() != other.priorities_.size()) return false;
-  for (size_t i = 0; i < priorities_.size(); ++i) {
-    if (priorities_[i].localities != other.priorities_[i].localities) {
-      return false;
-    }
+std::string XdsApi::CommonTlsContext::CertificateValidationContext::ToString()
+    const {
+  std::vector<std::string> contents;
+  for (const auto& match : match_subject_alt_names) {
+    contents.push_back(match.ToString());
   }
-  return true;
+  return absl::StrFormat("{match_subject_alt_names=[%s]}",
+                         absl::StrJoin(contents, ", "));
 }
 
-void XdsApi::PriorityListUpdate::Add(
-    XdsApi::PriorityListUpdate::LocalityMap::Locality locality) {
-  // Pad the missing priorities in case the localities are not ordered by
-  // priority.
-  if (!Contains(locality.priority)) priorities_.resize(locality.priority + 1);
-  LocalityMap& locality_map = priorities_[locality.priority];
-  locality_map.localities.emplace(locality.name, std::move(locality));
+bool XdsApi::CommonTlsContext::CertificateValidationContext::Empty() const {
+  return match_subject_alt_names.empty();
 }
 
-const XdsApi::PriorityListUpdate::LocalityMap* XdsApi::PriorityListUpdate::Find(
-    uint32_t priority) const {
-  if (!Contains(priority)) return nullptr;
-  return &priorities_[priority];
+//
+// XdsApi::CommonTlsContext::CertificateValidationContext
+//
+
+std::string XdsApi::CommonTlsContext::CertificateProviderInstance::ToString()
+    const {
+  absl::InlinedVector<std::string, 2> contents;
+  if (!instance_name.empty()) {
+    contents.push_back(absl::StrFormat("instance_name=%s", instance_name));
+  }
+  if (!certificate_name.empty()) {
+    contents.push_back(
+        absl::StrFormat("certificate_name=%s", certificate_name));
+  }
+  return absl::StrCat("{", absl::StrJoin(contents, ", "), "}");
 }
 
-bool XdsApi::PriorityListUpdate::Contains(
-    const RefCountedPtr<XdsLocalityName>& name) {
-  for (size_t i = 0; i < priorities_.size(); ++i) {
-    const LocalityMap& locality_map = priorities_[i];
-    if (locality_map.Contains(name)) return true;
+bool XdsApi::CommonTlsContext::CertificateProviderInstance::Empty() const {
+  return instance_name.empty() && certificate_name.empty();
+}
+
+//
+// XdsApi::CommonTlsContext::CombinedCertificateValidationContext
+//
+
+std::string
+XdsApi::CommonTlsContext::CombinedCertificateValidationContext::ToString()
+    const {
+  absl::InlinedVector<std::string, 2> contents;
+  if (!default_validation_context.Empty()) {
+    contents.push_back(absl::StrFormat("default_validation_context=%s",
+                                       default_validation_context.ToString()));
   }
-  return false;
+  if (!validation_context_certificate_provider_instance.Empty()) {
+    contents.push_back(absl::StrFormat(
+        "validation_context_certificate_provider_instance=%s",
+        validation_context_certificate_provider_instance.ToString()));
+  }
+  return absl::StrCat("{", absl::StrJoin(contents, ", "), "}");
+}
+
+bool XdsApi::CommonTlsContext::CombinedCertificateValidationContext::Empty()
+    const {
+  return default_validation_context.Empty() &&
+         validation_context_certificate_provider_instance.Empty();
+}
+
+//
+// XdsApi::CommonTlsContext
+//
+
+std::string XdsApi::CommonTlsContext::ToString() const {
+  absl::InlinedVector<std::string, 2> contents;
+  if (!tls_certificate_certificate_provider_instance.Empty()) {
+    contents.push_back(absl::StrFormat(
+        "tls_certificate_certificate_provider_instance=%s",
+        tls_certificate_certificate_provider_instance.ToString()));
+  }
+  if (!combined_validation_context.Empty()) {
+    contents.push_back(absl::StrFormat("combined_validation_context=%s",
+                                       combined_validation_context.ToString()));
+  }
+  return absl::StrCat("{", absl::StrJoin(contents, ", "), "}");
+}
+
+bool XdsApi::CommonTlsContext::Empty() const {
+  return tls_certificate_certificate_provider_instance.Empty() &&
+         combined_validation_context.Empty();
 }
 
 //
-// XdsApi::DropConfig
+// XdsApi::DownstreamTlsContext
 //
 
-bool XdsApi::DropConfig::ShouldDrop(const std::string** category_name) const {
+std::string XdsApi::DownstreamTlsContext::ToString() const {
+  return absl::StrFormat("common_tls_context=%s, require_client_certificate=%s",
+                         common_tls_context.ToString(),
+                         require_client_certificate ? "true" : "false");
+}
+
+bool XdsApi::DownstreamTlsContext::Empty() const {
+  return common_tls_context.Empty();
+}
+
+//
+// XdsApi::LdsUpdate
+//
+
+std::string XdsApi::LdsUpdate::ToString() const {
+  absl::InlinedVector<std::string, 3> contents;
+  if (type == ListenerType::kTcpListener) {
+    if (!downstream_tls_context.Empty()) {
+      contents.push_back(absl::StrFormat("downstream_tls_context=%s",
+                                         downstream_tls_context.ToString()));
+    }
+  } else if (type == ListenerType::kHttpApiListener) {
+    contents.push_back(absl::StrFormat(
+        "route_config_name=%s",
+        !route_config_name.empty() ? route_config_name.c_str() : "<inlined>"));
+    contents.push_back(absl::StrFormat("http_max_stream_duration=%s",
+                                       http_max_stream_duration.ToString()));
+    if (rds_update.has_value()) {
+      contents.push_back(
+          absl::StrFormat("rds_update=%s", rds_update->ToString()));
+    }
+  }
+  return absl::StrCat("{", absl::StrJoin(contents, ", "), "}");
+}
+
+//
+// XdsApi::CdsUpdate
+//
+
+std::string XdsApi::CdsUpdate::ToString() const {
+  absl::InlinedVector<std::string, 4> contents;
+  if (!eds_service_name.empty()) {
+    contents.push_back(
+        absl::StrFormat("eds_service_name=%s", eds_service_name));
+  }
+  if (!common_tls_context.Empty()) {
+    contents.push_back(absl::StrFormat("common_tls_context=%s",
+                                       common_tls_context.ToString()));
+  }
+  if (lrs_load_reporting_server_name.has_value()) {
+    contents.push_back(absl::StrFormat("lrs_load_reporting_server_name=%s",
+                                       lrs_load_reporting_server_name.value()));
+  }
+  contents.push_back(
+      absl::StrFormat("max_concurrent_requests=%d", max_concurrent_requests));
+  return absl::StrCat("{", absl::StrJoin(contents, ", "), "}");
+}
+
+//
+// XdsApi::EdsUpdate
+//
+
+std::string XdsApi::EdsUpdate::Priority::Locality::ToString() const {
+  std::vector<std::string> endpoint_strings;
+  for (const ServerAddress& endpoint : endpoints) {
+    endpoint_strings.emplace_back(endpoint.ToString());
+  }
+  return absl::StrCat("{name=", name->AsHumanReadableString(),
+                      ", lb_weight=", lb_weight, ", endpoints=[",
+                      absl::StrJoin(endpoint_strings, ", "), "]}");
+}
+
+bool XdsApi::EdsUpdate::Priority::operator==(const Priority& other) const {
+  if (localities.size() != other.localities.size()) return false;
+  auto it1 = localities.begin();
+  auto it2 = other.localities.begin();
+  while (it1 != localities.end()) {
+    if (*it1->first != *it2->first) return false;
+    if (it1->second != it2->second) return false;
+    ++it1;
+    ++it2;
+  }
+  return true;
+}
+
+std::string XdsApi::EdsUpdate::Priority::ToString() const {
+  std::vector<std::string> locality_strings;
+  for (const auto& p : localities) {
+    locality_strings.emplace_back(p.second.ToString());
+  }
+  return absl::StrCat("[", absl::StrJoin(locality_strings, ", "), "]");
+}
+
+bool XdsApi::EdsUpdate::DropConfig::ShouldDrop(
+    const std::string** category_name) const {
   for (size_t i = 0; i < drop_category_list_.size(); ++i) {
     const auto& drop_category = drop_category_list_[i];
     // Generate a random number in [0, 1000000).
@@ -430,6 +495,27 @@ bool XdsApi::DropConfig::ShouldDrop(const std::string** category_name) const {
   return false;
 }
 
+std::string XdsApi::EdsUpdate::DropConfig::ToString() const {
+  std::vector<std::string> category_strings;
+  for (const DropCategory& category : drop_category_list_) {
+    category_strings.emplace_back(
+        absl::StrCat(category.name, "=", category.parts_per_million));
+  }
+  return absl::StrCat("{[", absl::StrJoin(category_strings, ", "),
+                      "], drop_all=", drop_all_, "}");
+}
+
+std::string XdsApi::EdsUpdate::ToString() const {
+  std::vector<std::string> priority_strings;
+  for (size_t i = 0; i < priorities.size(); ++i) {
+    const Priority& priority = priorities[i];
+    priority_strings.emplace_back(
+        absl::StrCat("priority ", i, ": ", priority.ToString()));
+  }
+  return absl::StrCat("priorities=[", absl::StrJoin(priority_strings, ", "),
+                      "], drop_config=", drop_config->ToString());
+}
+
 //
 // XdsApi
 //
@@ -471,11 +557,10 @@ bool IsEds(absl::string_view type_url) {
 }  // namespace
 
 XdsApi::XdsApi(XdsClient* client, TraceFlag* tracer,
-               const XdsBootstrap* bootstrap)
+               const XdsBootstrap::Node* node)
     : client_(client),
       tracer_(tracer),
-      use_v3_(bootstrap != nullptr && bootstrap->server().ShouldUseV3()),
-      bootstrap_(bootstrap),
+      node_(node),
       build_version_(absl::StrCat("gRPC C-core ", GPR_PLATFORM_STRING, " ",
                                   grpc_version_string())),
       user_agent_name_(absl::StrCat("gRPC C-core ", GPR_PLATFORM_STRING)) {}
@@ -576,12 +661,10 @@ void PopulateBuildVersion(upb_arena* arena, envoy_config_core_v3_Node* node_msg,
                       encoded_build_version.size(), arena);
 }
 
-void PopulateNode(upb_arena* arena, const XdsBootstrap* bootstrap,
+void PopulateNode(upb_arena* arena, const XdsBootstrap::Node* node, bool use_v3,
                   const std::string& build_version,
                   const std::string& user_agent_name,
-                  const std::string& server_name,
                   envoy_config_core_v3_Node* node_msg) {
-  const XdsBootstrap::Node* node = bootstrap->node();
   if (node != nullptr) {
     if (!node->id.empty()) {
       envoy_config_core_v3_Node_set_id(node_msg,
@@ -596,16 +679,6 @@ void PopulateNode(upb_arena* arena, const XdsBootstrap* bootstrap,
           envoy_config_core_v3_Node_mutable_metadata(node_msg, arena);
       PopulateMetadata(arena, metadata, node->metadata.object_value());
     }
-    if (!server_name.empty()) {
-      google_protobuf_Struct* metadata =
-          envoy_config_core_v3_Node_mutable_metadata(node_msg, arena);
-      google_protobuf_Value* value = google_protobuf_Value_new(arena);
-      google_protobuf_Value_set_string_value(value,
-                                             StdStringToUpbString(server_name));
-      google_protobuf_Struct_fields_set(
-          metadata, upb_strview_makez("PROXYLESS_CLIENT_HOSTNAME"), value,
-          arena);
-    }
     if (!node->locality_region.empty() || !node->locality_zone.empty() ||
         !node->locality_subzone.empty()) {
       envoy_config_core_v3_Locality* locality =
@@ -624,7 +697,7 @@ void PopulateNode(upb_arena* arena, const XdsBootstrap* bootstrap,
       }
     }
   }
-  if (!bootstrap->server().ShouldUseV3()) {
+  if (!use_v3) {
     PopulateBuildVersion(arena, node_msg, build_version);
   }
   envoy_config_core_v3_Node_set_user_agent_name(
@@ -644,172 +717,17 @@ inline std::string UpbStringToStdString(const upb_strview& str) {
   return std::string(str.data, str.size);
 }
 
-inline void AddStringField(const char* name, const upb_strview& value,
-                           std::vector<std::string>* fields,
-                           bool add_if_empty = false) {
-  if (value.size > 0 || add_if_empty) {
-    fields->emplace_back(
-        absl::StrCat(name, ": \"", UpbStringToAbsl(value), "\""));
-  }
-}
-
-inline void AddUInt32ValueField(const char* name,
-                                const google_protobuf_UInt32Value* value,
-                                std::vector<std::string>* fields) {
-  if (value != nullptr) {
-    fields->emplace_back(absl::StrCat(
-        name, " { value: ", google_protobuf_UInt32Value_value(value), " }"));
-  }
-}
-
-inline void AddLocalityField(int indent_level,
-                             const envoy_config_core_v3_Locality* locality,
-                             std::vector<std::string>* fields) {
-  std::string indent =
-      absl::StrJoin(std::vector<std::string>(indent_level, "  "), "");
-  // region
-  std::string field = absl::StrCat(indent, "region");
-  AddStringField(field.c_str(), envoy_config_core_v3_Locality_region(locality),
-                 fields);
-  // zone
-  field = absl::StrCat(indent, "zone");
-  AddStringField(field.c_str(), envoy_config_core_v3_Locality_zone(locality),
-                 fields);
-  // sub_zone
-  field = absl::StrCat(indent, "sub_zone");
-  AddStringField(field.c_str(),
-                 envoy_config_core_v3_Locality_sub_zone(locality), fields);
-}
-
-void AddNodeLogFields(const envoy_config_core_v3_Node* node,
-                      const std::string& build_version,
-                      std::vector<std::string>* fields) {
-  fields->emplace_back("node {");
-  // id
-  AddStringField("  id", envoy_config_core_v3_Node_id(node), fields);
-  // metadata
-  const google_protobuf_Struct* metadata =
-      envoy_config_core_v3_Node_metadata(node);
-  if (metadata != nullptr) {
-    fields->emplace_back("  metadata {");
-    size_t entry_idx = UPB_MAP_BEGIN;
-    while (true) {
-      const google_protobuf_Struct_FieldsEntry* entry =
-          google_protobuf_Struct_fields_next(metadata, &entry_idx);
-      if (entry == nullptr) break;
-      fields->emplace_back("    field {");
-      // key
-      AddStringField("      key", google_protobuf_Struct_FieldsEntry_key(entry),
-                     fields);
-      // value
-      const google_protobuf_Value* value =
-          google_protobuf_Struct_FieldsEntry_value(entry);
-      if (value != nullptr) {
-        std::string value_str;
-        if (google_protobuf_Value_has_string_value(value)) {
-          value_str = absl::StrCat(
-              "string_value: \"",
-              UpbStringToAbsl(google_protobuf_Value_string_value(value)), "\"");
-        } else if (google_protobuf_Value_has_null_value(value)) {
-          value_str = "null_value: NULL_VALUE";
-        } else if (google_protobuf_Value_has_number_value(value)) {
-          value_str = absl::StrCat("double_value: ",
-                                   google_protobuf_Value_number_value(value));
-        } else if (google_protobuf_Value_has_bool_value(value)) {
-          value_str = absl::StrCat("bool_value: ",
-                                   google_protobuf_Value_bool_value(value));
-        } else if (google_protobuf_Value_has_struct_value(value)) {
-          value_str = "struct_value: <not printed>";
-        } else if (google_protobuf_Value_has_list_value(value)) {
-          value_str = "list_value: <not printed>";
-        } else {
-          value_str = "<unknown>";
-        }
-        fields->emplace_back(absl::StrCat("      value { ", value_str, " }"));
-      }
-      fields->emplace_back("    }");
-    }
-    fields->emplace_back("  }");
-  }
-  // locality
-  const envoy_config_core_v3_Locality* locality =
-      envoy_config_core_v3_Node_locality(node);
-  if (locality != nullptr) {
-    fields->emplace_back("  locality {");
-    AddLocalityField(2, locality, fields);
-    fields->emplace_back("  }");
-  }
-  // build_version (doesn't exist in v3 proto; this is a horrible hack)
-  if (!build_version.empty()) {
-    fields->emplace_back(
-        absl::StrCat("  build_version: \"", build_version, "\""));
-  }
-  // user_agent_name
-  AddStringField("  user_agent_name",
-                 envoy_config_core_v3_Node_user_agent_name(node), fields);
-  // user_agent_version
-  AddStringField("  user_agent_version",
-                 envoy_config_core_v3_Node_user_agent_version(node), fields);
-  // client_features
-  size_t num_client_features;
-  const upb_strview* client_features =
-      envoy_config_core_v3_Node_client_features(node, &num_client_features);
-  for (size_t i = 0; i < num_client_features; ++i) {
-    AddStringField("  client_features", client_features[i], fields);
-  }
-  fields->emplace_back("}");
-}
-
 void MaybeLogDiscoveryRequest(
-    XdsClient* client, TraceFlag* tracer,
-    const envoy_service_discovery_v3_DiscoveryRequest* request,
-    const std::string& build_version) {
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
+    const envoy_service_discovery_v3_DiscoveryRequest* request) {
   if (GRPC_TRACE_FLAG_ENABLED(*tracer) &&
       gpr_should_log(GPR_LOG_SEVERITY_DEBUG)) {
-    // TODO(roth): When we can upgrade upb, use upb textformat code to dump
-    // the raw proto instead of doing this manually.
-    std::vector<std::string> fields;
-    // version_info
-    AddStringField(
-        "version_info",
-        envoy_service_discovery_v3_DiscoveryRequest_version_info(request),
-        &fields);
-    // node
-    const envoy_config_core_v3_Node* node =
-        envoy_service_discovery_v3_DiscoveryRequest_node(request);
-    if (node != nullptr) AddNodeLogFields(node, build_version, &fields);
-    // resource_names
-    size_t num_resource_names;
-    const upb_strview* resource_names =
-        envoy_service_discovery_v3_DiscoveryRequest_resource_names(
-            request, &num_resource_names);
-    for (size_t i = 0; i < num_resource_names; ++i) {
-      AddStringField("resource_names", resource_names[i], &fields);
-    }
-    // type_url
-    AddStringField(
-        "type_url",
-        envoy_service_discovery_v3_DiscoveryRequest_type_url(request), &fields);
-    // response_nonce
-    AddStringField(
-        "response_nonce",
-        envoy_service_discovery_v3_DiscoveryRequest_response_nonce(request),
-        &fields);
-    // error_detail
-    const struct google_rpc_Status* error_detail =
-        envoy_service_discovery_v3_DiscoveryRequest_error_detail(request);
-    if (error_detail != nullptr) {
-      fields.emplace_back("error_detail {");
-      // code
-      int32_t code = google_rpc_Status_code(error_detail);
-      if (code != 0) fields.emplace_back(absl::StrCat("  code: ", code));
-      // message
-      AddStringField("  message", google_rpc_Status_message(error_detail),
-                     &fields);
-      fields.emplace_back("}");
-    }
+    const upb_msgdef* msg_type =
+        envoy_service_discovery_v3_DiscoveryRequest_getmsgdef(symtab);
+    char buf[10240];
+    upb_text_encode(request, msg_type, nullptr, 0, buf, sizeof(buf));
     gpr_log(GPR_DEBUG, "[xds_client %p] constructed ADS request: %s", client,
-            absl::StrJoin(fields, "\n").c_str());
+            buf);
   }
 }
 
@@ -843,7 +761,7 @@ absl::string_view TypeUrlExternalToInternal(bool use_v3,
 }  // namespace
 
 grpc_slice XdsApi::CreateAdsRequest(
-    const std::string& type_url,
+    const XdsBootstrap::XdsServer& server, const std::string& type_url,
     const std::set<absl::string_view>& resource_names,
     const std::string& version, const std::string& nonce, grpc_error* error,
     bool populate_node) {
@@ -853,7 +771,7 @@ grpc_slice XdsApi::CreateAdsRequest(
       envoy_service_discovery_v3_DiscoveryRequest_new(arena.ptr());
   // Set type_url.
   absl::string_view real_type_url =
-      TypeUrlExternalToInternal(use_v3_, type_url);
+      TypeUrlExternalToInternal(server.ShouldUseV3(), type_url);
   envoy_service_discovery_v3_DiscoveryRequest_set_type_url(
       request, StdStringToUpbString(real_type_url));
   // Set version_info.
@@ -868,17 +786,18 @@ grpc_slice XdsApi::CreateAdsRequest(
   }
   // Set error_detail if it's a NACK.
   if (error != GRPC_ERROR_NONE) {
-    grpc_slice error_description_slice;
-    GPR_ASSERT(grpc_error_get_str(error, GRPC_ERROR_STR_DESCRIPTION,
-                                  &error_description_slice));
-    upb_strview error_description_strview =
-        upb_strview_make(reinterpret_cast<const char*>(
-                             GPR_SLICE_START_PTR(error_description_slice)),
-                         GPR_SLICE_LENGTH(error_description_slice));
     google_rpc_Status* error_detail =
         envoy_service_discovery_v3_DiscoveryRequest_mutable_error_detail(
             request, arena.ptr());
-    google_rpc_Status_set_message(error_detail, error_description_strview);
+    // Hard-code INVALID_ARGUMENT as the status code.
+    // TODO(roth): If at some point we decide we care about this value,
+    // we could attach a status code to the individual errors where we
+    // generate them in the parsing code, and then use that here.
+    google_rpc_Status_set_code(error_detail, GRPC_STATUS_INVALID_ARGUMENT);
+    // Error description comes from the error that was passed in.
+    upb_strview error_description =
+        StdStringToUpbString(absl::string_view(grpc_error_string(error)));
+    google_rpc_Status_set_message(error_detail, error_description);
     GRPC_ERROR_UNREF(error);
   }
   // Populate node.
@@ -886,401 +805,87 @@ grpc_slice XdsApi::CreateAdsRequest(
     envoy_config_core_v3_Node* node_msg =
         envoy_service_discovery_v3_DiscoveryRequest_mutable_node(request,
                                                                  arena.ptr());
-    PopulateNode(arena.ptr(), bootstrap_, build_version_, user_agent_name_, "",
-                 node_msg);
+    PopulateNode(arena.ptr(), node_, server.ShouldUseV3(), build_version_,
+                 user_agent_name_, node_msg);
   }
   // Add resource_names.
   for (const auto& resource_name : resource_names) {
     envoy_service_discovery_v3_DiscoveryRequest_add_resource_names(
         request, StdStringToUpbString(resource_name), arena.ptr());
   }
-  MaybeLogDiscoveryRequest(client_, tracer_, request, build_version_);
+  MaybeLogDiscoveryRequest(client_, tracer_, symtab_.ptr(), request);
   return SerializeDiscoveryRequest(arena.ptr(), request);
 }
 
 namespace {
 
 void MaybeLogDiscoveryResponse(
-    XdsClient* client, TraceFlag* tracer,
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
     const envoy_service_discovery_v3_DiscoveryResponse* response) {
   if (GRPC_TRACE_FLAG_ENABLED(*tracer) &&
       gpr_should_log(GPR_LOG_SEVERITY_DEBUG)) {
-    // TODO(roth): When we can upgrade upb, use upb textformat code to dump
-    // the raw proto instead of doing this manually.
-    std::vector<std::string> fields;
-    // version_info
-    AddStringField(
-        "version_info",
-        envoy_service_discovery_v3_DiscoveryResponse_version_info(response),
-        &fields);
-    // resources
-    size_t num_resources;
-    envoy_service_discovery_v3_DiscoveryResponse_resources(response,
-                                                           &num_resources);
-    fields.emplace_back(
-        absl::StrCat("resources: <", num_resources, " element(s)>"));
-    // type_url
-    AddStringField(
-        "type_url",
-        envoy_service_discovery_v3_DiscoveryResponse_type_url(response),
-        &fields);
-    // nonce
-    AddStringField("nonce",
-                   envoy_service_discovery_v3_DiscoveryResponse_nonce(response),
-                   &fields);
-    gpr_log(GPR_DEBUG, "[xds_client %p] received response: %s", client,
-            absl::StrJoin(fields, "\n").c_str());
+    const upb_msgdef* msg_type =
+        envoy_service_discovery_v3_DiscoveryResponse_getmsgdef(symtab);
+    char buf[10240];
+    upb_text_encode(response, msg_type, nullptr, 0, buf, sizeof(buf));
+    gpr_log(GPR_DEBUG, "[xds_client %p] received response: %s", client, buf);
   }
 }
 
 void MaybeLogRouteConfiguration(
-    XdsClient* client, TraceFlag* tracer,
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
     const envoy_config_route_v3_RouteConfiguration* route_config) {
   if (GRPC_TRACE_FLAG_ENABLED(*tracer) &&
       gpr_should_log(GPR_LOG_SEVERITY_DEBUG)) {
-    // TODO(roth): When we can upgrade upb, use upb textformat code to dump
-    // the raw proto instead of doing this manually.
-    std::vector<std::string> fields;
-    // name
-    AddStringField("name",
-                   envoy_config_route_v3_RouteConfiguration_name(route_config),
-                   &fields);
-    // virtual_hosts
-    size_t num_virtual_hosts;
-    const envoy_config_route_v3_VirtualHost* const* virtual_hosts =
-        envoy_config_route_v3_RouteConfiguration_virtual_hosts(
-            route_config, &num_virtual_hosts);
-    for (size_t i = 0; i < num_virtual_hosts; ++i) {
-      const auto* virtual_host = virtual_hosts[i];
-      fields.push_back("virtual_hosts {");
-      // name
-      AddStringField("  name",
-                     envoy_config_route_v3_VirtualHost_name(virtual_host),
-                     &fields);
-      // domains
-      size_t num_domains;
-      const upb_strview* const domains =
-          envoy_config_route_v3_VirtualHost_domains(virtual_host, &num_domains);
-      for (size_t j = 0; j < num_domains; ++j) {
-        AddStringField("  domains", domains[j], &fields);
-      }
-      // routes
-      size_t num_routes;
-      const envoy_config_route_v3_Route* const* routes =
-          envoy_config_route_v3_VirtualHost_routes(virtual_host, &num_routes);
-      for (size_t j = 0; j < num_routes; ++j) {
-        const auto* route = routes[j];
-        fields.push_back("  route {");
-        // name
-        AddStringField("    name", envoy_config_route_v3_Route_name(route),
-                       &fields);
-        // match
-        const envoy_config_route_v3_RouteMatch* match =
-            envoy_config_route_v3_Route_match(route);
-        if (match != nullptr) {
-          fields.emplace_back("    match {");
-          // path matching
-          if (envoy_config_route_v3_RouteMatch_has_prefix(match)) {
-            AddStringField("      prefix",
-                           envoy_config_route_v3_RouteMatch_prefix(match),
-                           &fields,
-                           /*add_if_empty=*/true);
-          } else if (envoy_config_route_v3_RouteMatch_has_path(match)) {
-            AddStringField("      path",
-                           envoy_config_route_v3_RouteMatch_path(match),
-                           &fields,
-                           /*add_if_empty=*/true);
-          } else if (envoy_config_route_v3_RouteMatch_has_safe_regex(match)) {
-            fields.emplace_back("      safe_regex: <not printed>");
-          } else {
-            fields.emplace_back("      <unknown path matching type>");
-          }
-          // header matching
-          size_t num_headers;
-          envoy_config_route_v3_RouteMatch_headers(match, &num_headers);
-          if (num_headers > 0) {
-            fields.emplace_back(
-                absl::StrCat("      headers: <", num_headers, " element(s)>"));
-          }
-          fields.emplace_back("    }");
-        }
-        // action
-        if (envoy_config_route_v3_Route_has_route(route)) {
-          const envoy_config_route_v3_RouteAction* action =
-              envoy_config_route_v3_Route_route(route);
-          fields.emplace_back("    route {");
-          if (envoy_config_route_v3_RouteAction_has_cluster(action)) {
-            AddStringField("      cluster",
-                           envoy_config_route_v3_RouteAction_cluster(action),
-                           &fields);
-          } else if (envoy_config_route_v3_RouteAction_has_cluster_header(
-                         action)) {
-            AddStringField(
-                "      cluster_header",
-                envoy_config_route_v3_RouteAction_cluster_header(action),
-                &fields);
-          } else if (envoy_config_route_v3_RouteAction_has_weighted_clusters(
-                         action)) {
-            const envoy_config_route_v3_WeightedCluster* weighted_clusters =
-                envoy_config_route_v3_RouteAction_weighted_clusters(action);
-            fields.emplace_back("      weighted_clusters {");
-            size_t num_cluster_weights;
-            const envoy_config_route_v3_WeightedCluster_ClusterWeight* const*
-                cluster_weights =
-                    envoy_config_route_v3_WeightedCluster_clusters(
-                        weighted_clusters, &num_cluster_weights);
-            for (size_t i = 0; i < num_cluster_weights; ++i) {
-              const envoy_config_route_v3_WeightedCluster_ClusterWeight*
-                  cluster_weight = cluster_weights[i];
-              fields.emplace_back("        clusters {");
-              AddStringField(
-                  "          name",
-                  envoy_config_route_v3_WeightedCluster_ClusterWeight_name(
-                      cluster_weight),
-                  &fields);
-              AddUInt32ValueField(
-                  "          weight",
-                  envoy_config_route_v3_WeightedCluster_ClusterWeight_weight(
-                      cluster_weight),
-                  &fields);
-              fields.emplace_back("        }");
-            }
-            AddUInt32ValueField(
-                "        total_weight",
-                envoy_config_route_v3_WeightedCluster_total_weight(
-                    weighted_clusters),
-                &fields);
-            fields.emplace_back("      }");
-          }
-          fields.emplace_back("    }");
-        } else if (envoy_config_route_v3_Route_has_redirect(route)) {
-          fields.emplace_back("    redirect: <not printed>");
-        } else if (envoy_config_route_v3_Route_has_direct_response(route)) {
-          fields.emplace_back("    direct_response: <not printed>");
-        } else if (envoy_config_route_v3_Route_has_filter_action(route)) {
-          fields.emplace_back("    filter_action: <not printed>");
-        }
-        fields.push_back("  }");
-      }
-      fields.push_back("}");
-    }
-    gpr_log(GPR_DEBUG, "[xds_client %p] RouteConfiguration: %s", client,
-            absl::StrJoin(fields, "\n").c_str());
+    const upb_msgdef* msg_type =
+        envoy_config_route_v3_RouteConfiguration_getmsgdef(symtab);
+    char buf[10240];
+    upb_text_encode(route_config, msg_type, nullptr, 0, buf, sizeof(buf));
+    gpr_log(GPR_DEBUG, "[xds_client %p] RouteConfiguration: %s", client, buf);
   }
 }
 
-void MaybeLogCluster(XdsClient* client, TraceFlag* tracer,
+void MaybeLogCluster(XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
                      const envoy_config_cluster_v3_Cluster* cluster) {
   if (GRPC_TRACE_FLAG_ENABLED(*tracer) &&
       gpr_should_log(GPR_LOG_SEVERITY_DEBUG)) {
-    // TODO(roth): When we can upgrade upb, use upb textformat code to dump
-    // the raw proto instead of doing this manually.
-    std::vector<std::string> fields;
-    // name
-    AddStringField("name", envoy_config_cluster_v3_Cluster_name(cluster),
-                   &fields);
-    // type
-    if (envoy_config_cluster_v3_Cluster_has_type(cluster)) {
-      fields.emplace_back(absl::StrCat(
-          "type: ", envoy_config_cluster_v3_Cluster_type(cluster)));
-    } else if (envoy_config_cluster_v3_Cluster_has_cluster_type(cluster)) {
-      fields.emplace_back("cluster_type: <not printed>");
-    } else {
-      fields.emplace_back("<unknown type>");
-    }
-    // eds_cluster_config
-    const envoy_config_cluster_v3_Cluster_EdsClusterConfig* eds_cluster_config =
-        envoy_config_cluster_v3_Cluster_eds_cluster_config(cluster);
-    if (eds_cluster_config != nullptr) {
-      fields.emplace_back("eds_cluster_config {");
-      // eds_config
-      const struct envoy_config_core_v3_ConfigSource* eds_config =
-          envoy_config_cluster_v3_Cluster_EdsClusterConfig_eds_config(
-              eds_cluster_config);
-      if (eds_config != nullptr) {
-        if (envoy_config_core_v3_ConfigSource_has_ads(eds_config)) {
-          fields.emplace_back("  eds_config { ads {} }");
-        } else {
-          fields.emplace_back("  eds_config: <non-ADS type>");
-        }
-      }
-      // service_name
-      AddStringField(
-          "  service_name",
-          envoy_config_cluster_v3_Cluster_EdsClusterConfig_service_name(
-              eds_cluster_config),
-          &fields);
-      fields.emplace_back("}");
-    }
-    // lb_policy
-    fields.emplace_back(absl::StrCat(
-        "lb_policy: ", envoy_config_cluster_v3_Cluster_lb_policy(cluster)));
-    // lrs_server
-    const envoy_config_core_v3_ConfigSource* lrs_server =
-        envoy_config_cluster_v3_Cluster_lrs_server(cluster);
-    if (lrs_server != nullptr) {
-      if (envoy_config_core_v3_ConfigSource_has_self(lrs_server)) {
-        fields.emplace_back("lrs_server { self {} }");
-      } else {
-        fields.emplace_back("lrs_server: <non-self type>");
-      }
-    }
-    gpr_log(GPR_DEBUG, "[xds_client %p] Cluster: %s", client,
-            absl::StrJoin(fields, "\n").c_str());
+    const upb_msgdef* msg_type =
+        envoy_config_cluster_v3_Cluster_getmsgdef(symtab);
+    char buf[10240];
+    upb_text_encode(cluster, msg_type, nullptr, 0, buf, sizeof(buf));
+    gpr_log(GPR_DEBUG, "[xds_client %p] Cluster: %s", client, buf);
   }
 }
 
 void MaybeLogClusterLoadAssignment(
-    XdsClient* client, TraceFlag* tracer,
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
     const envoy_config_endpoint_v3_ClusterLoadAssignment* cla) {
   if (GRPC_TRACE_FLAG_ENABLED(*tracer) &&
       gpr_should_log(GPR_LOG_SEVERITY_DEBUG)) {
-    // TODO(roth): When we can upgrade upb, use upb textformat code to dump
-    // the raw proto instead of doing this manually.
-    std::vector<std::string> fields;
-    // cluster_name
-    AddStringField(
-        "cluster_name",
-        envoy_config_endpoint_v3_ClusterLoadAssignment_cluster_name(cla),
-        &fields);
-    // endpoints
-    size_t num_localities;
-    const struct envoy_config_endpoint_v3_LocalityLbEndpoints* const*
-        locality_endpoints =
-            envoy_config_endpoint_v3_ClusterLoadAssignment_endpoints(
-                cla, &num_localities);
-    for (size_t i = 0; i < num_localities; ++i) {
-      const auto* locality_endpoint = locality_endpoints[i];
-      fields.emplace_back("endpoints {");
-      // locality
-      const auto* locality =
-          envoy_config_endpoint_v3_LocalityLbEndpoints_locality(
-              locality_endpoint);
-      if (locality != nullptr) {
-        fields.emplace_back("  locality {");
-        AddLocalityField(2, locality, &fields);
-        fields.emplace_back("  }");
-      }
-      // lb_endpoints
-      size_t num_lb_endpoints;
-      const envoy_config_endpoint_v3_LbEndpoint* const* lb_endpoints =
-          envoy_config_endpoint_v3_LocalityLbEndpoints_lb_endpoints(
-              locality_endpoint, &num_lb_endpoints);
-      for (size_t j = 0; j < num_lb_endpoints; ++j) {
-        const auto* lb_endpoint = lb_endpoints[j];
-        fields.emplace_back("  lb_endpoints {");
-        // health_status
-        uint32_t health_status =
-            envoy_config_endpoint_v3_LbEndpoint_health_status(lb_endpoint);
-        if (health_status > 0) {
-          fields.emplace_back(
-              absl::StrCat("    health_status: ", health_status));
-        }
-        // endpoint
-        const envoy_config_endpoint_v3_Endpoint* endpoint =
-            envoy_config_endpoint_v3_LbEndpoint_endpoint(lb_endpoint);
-        if (endpoint != nullptr) {
-          fields.emplace_back("    endpoint {");
-          // address
-          const auto* address =
-              envoy_config_endpoint_v3_Endpoint_address(endpoint);
-          if (address != nullptr) {
-            fields.emplace_back("      address {");
-            // socket_address
-            const auto* socket_address =
-                envoy_config_core_v3_Address_socket_address(address);
-            if (socket_address != nullptr) {
-              fields.emplace_back("        socket_address {");
-              // address
-              AddStringField(
-                  "          address",
-                  envoy_config_core_v3_SocketAddress_address(socket_address),
-                  &fields);
-              // port_value
-              if (envoy_config_core_v3_SocketAddress_has_port_value(
-                      socket_address)) {
-                fields.emplace_back(
-                    absl::StrCat("          port_value: ",
-                                 envoy_config_core_v3_SocketAddress_port_value(
-                                     socket_address)));
-              } else {
-                fields.emplace_back("        <non-numeric port>");
-              }
-              fields.emplace_back("        }");
-            } else {
-              fields.emplace_back("        <non-socket address>");
-            }
-            fields.emplace_back("      }");
-          }
-          fields.emplace_back("    }");
-        }
-        fields.emplace_back("  }");
-      }
-      // load_balancing_weight
-      AddUInt32ValueField(
-          "  load_balancing_weight",
-          envoy_config_endpoint_v3_LocalityLbEndpoints_load_balancing_weight(
-              locality_endpoint),
-          &fields);
-      // priority
-      uint32_t priority = envoy_config_endpoint_v3_LocalityLbEndpoints_priority(
-          locality_endpoint);
-      if (priority > 0) {
-        fields.emplace_back(absl::StrCat("  priority: ", priority));
-      }
-      fields.emplace_back("}");
-    }
-    // policy
-    const envoy_config_endpoint_v3_ClusterLoadAssignment_Policy* policy =
-        envoy_config_endpoint_v3_ClusterLoadAssignment_policy(cla);
-    if (policy != nullptr) {
-      fields.emplace_back("policy {");
-      // drop_overloads
-      size_t num_drop_overloads;
-      const envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload* const*
-          drop_overloads =
-              envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_drop_overloads(
-                  policy, &num_drop_overloads);
-      for (size_t i = 0; i < num_drop_overloads; ++i) {
-        auto* drop_overload = drop_overloads[i];
-        fields.emplace_back("  drop_overloads {");
-        // category
-        AddStringField(
-            "    category",
-            envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload_category(
-                drop_overload),
-            &fields);
-        // drop_percentage
-        const auto* drop_percentage =
-            envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload_drop_percentage(
-                drop_overload);
-        if (drop_percentage != nullptr) {
-          fields.emplace_back("    drop_percentage {");
-          fields.emplace_back(absl::StrCat(
-              "      numerator: ",
-              envoy_type_v3_FractionalPercent_numerator(drop_percentage)));
-          fields.emplace_back(absl::StrCat(
-              "      denominator: ",
-              envoy_type_v3_FractionalPercent_denominator(drop_percentage)));
-          fields.emplace_back("    }");
-        }
-        fields.emplace_back("  }");
-      }
-      // overprovisioning_factor
-      fields.emplace_back("}");
-    }
+    const upb_msgdef* msg_type =
+        envoy_config_endpoint_v3_ClusterLoadAssignment_getmsgdef(symtab);
+    char buf[10240];
+    upb_text_encode(cla, msg_type, nullptr, 0, buf, sizeof(buf));
     gpr_log(GPR_DEBUG, "[xds_client %p] ClusterLoadAssignment: %s", client,
-            absl::StrJoin(fields, "\n").c_str());
+            buf);
   }
 }
 
 grpc_error* RoutePathMatchParse(const envoy_config_route_v3_RouteMatch* match,
                                 XdsApi::Route* route, bool* ignore_route) {
+  auto* case_sensitive_ptr =
+      envoy_config_route_v3_RouteMatch_case_sensitive(match);
+  bool case_sensitive = true;
+  if (case_sensitive_ptr != nullptr) {
+    case_sensitive = google_protobuf_BoolValue_value(case_sensitive_ptr);
+  }
+  StringMatcher::Type type;
+  std::string match_string;
   if (envoy_config_route_v3_RouteMatch_has_prefix(match)) {
     absl::string_view prefix =
         UpbStringToAbsl(envoy_config_route_v3_RouteMatch_prefix(match));
     // Empty prefix "" is accepted.
-    if (prefix.size() > 0) {
+    if (!prefix.empty()) {
       // Prefix "/" is accepted.
       if (prefix[0] != '/') {
         // Prefix which does not start with a / will never match anything, so
@@ -1300,13 +905,12 @@ grpc_error* RoutePathMatchParse(const envoy_config_route_v3_RouteMatch* match,
         return GRPC_ERROR_NONE;
       }
     }
-    route->matchers.path_matcher.type =
-        XdsApi::Route::Matchers::PathMatcher::PathMatcherType::PREFIX;
-    route->matchers.path_matcher.string_matcher = std::string(prefix);
+    type = StringMatcher::Type::PREFIX;
+    match_string = std::string(prefix);
   } else if (envoy_config_route_v3_RouteMatch_has_path(match)) {
     absl::string_view path =
         UpbStringToAbsl(envoy_config_route_v3_RouteMatch_path(match));
-    if (path.size() == 0) {
+    if (path.empty()) {
       // Path that is empty will never match anything, so ignore this route.
       *ignore_route = true;
       return GRPC_ERROR_NONE;
@@ -1335,27 +939,28 @@ grpc_error* RoutePathMatchParse(const envoy_config_route_v3_RouteMatch* match,
       *ignore_route = true;
       return GRPC_ERROR_NONE;
     }
-    route->matchers.path_matcher.type =
-        XdsApi::Route::Matchers::PathMatcher::PathMatcherType::PATH;
-    route->matchers.path_matcher.string_matcher = std::string(path);
+    type = StringMatcher::Type::EXACT;
+    match_string = std::string(path);
   } else if (envoy_config_route_v3_RouteMatch_has_safe_regex(match)) {
     const envoy_type_matcher_v3_RegexMatcher* regex_matcher =
         envoy_config_route_v3_RouteMatch_safe_regex(match);
     GPR_ASSERT(regex_matcher != nullptr);
-    std::string matcher = UpbStringToStdString(
+    type = StringMatcher::Type::SAFE_REGEX;
+    match_string = UpbStringToStdString(
         envoy_type_matcher_v3_RegexMatcher_regex(regex_matcher));
-    std::unique_ptr<RE2> regex = absl::make_unique<RE2>(std::move(matcher));
-    if (!regex->ok()) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "Invalid regex string specified in path matcher.");
-    }
-    route->matchers.path_matcher.type =
-        XdsApi::Route::Matchers::PathMatcher::PathMatcherType::REGEX;
-    route->matchers.path_matcher.regex_matcher = std::move(regex);
   } else {
     return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
         "Invalid route path specifier specified.");
   }
+  absl::StatusOr<StringMatcher> string_matcher =
+      StringMatcher::Create(type, match_string, case_sensitive);
+  if (!string_matcher.ok()) {
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("path matcher: ", string_matcher.status().message())
+            .c_str());
+    ;
+  }
+  route->matchers.path_matcher = std::move(string_matcher.value());
   return GRPC_ERROR_NONE;
 }
 
@@ -1366,64 +971,62 @@ grpc_error* RouteHeaderMatchersParse(
       envoy_config_route_v3_RouteMatch_headers(match, &size);
   for (size_t i = 0; i < size; ++i) {
     const envoy_config_route_v3_HeaderMatcher* header = headers[i];
-    XdsApi::Route::Matchers::HeaderMatcher header_matcher;
-    header_matcher.name =
+    const std::string name =
         UpbStringToStdString(envoy_config_route_v3_HeaderMatcher_name(header));
+    HeaderMatcher::Type type;
+    std::string match_string;
+    int64_t range_start = 0;
+    int64_t range_end = 0;
+    bool present_match = false;
     if (envoy_config_route_v3_HeaderMatcher_has_exact_match(header)) {
-      header_matcher.type =
-          XdsApi::Route::Matchers::HeaderMatcher::HeaderMatcherType::EXACT;
-      header_matcher.string_matcher = UpbStringToStdString(
+      type = HeaderMatcher::Type::EXACT;
+      match_string = UpbStringToStdString(
           envoy_config_route_v3_HeaderMatcher_exact_match(header));
     } else if (envoy_config_route_v3_HeaderMatcher_has_safe_regex_match(
                    header)) {
       const envoy_type_matcher_v3_RegexMatcher* regex_matcher =
           envoy_config_route_v3_HeaderMatcher_safe_regex_match(header);
       GPR_ASSERT(regex_matcher != nullptr);
-      const std::string matcher = UpbStringToStdString(
+      type = HeaderMatcher::Type::SAFE_REGEX;
+      match_string = UpbStringToStdString(
           envoy_type_matcher_v3_RegexMatcher_regex(regex_matcher));
-      std::unique_ptr<RE2> regex = absl::make_unique<RE2>(matcher);
-      if (!regex->ok()) {
-        return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-            "Invalid regex string specified in header matcher.");
-      }
-      header_matcher.type =
-          XdsApi::Route::Matchers::HeaderMatcher::HeaderMatcherType::REGEX;
-      header_matcher.regex_match = std::move(regex);
     } else if (envoy_config_route_v3_HeaderMatcher_has_range_match(header)) {
-      header_matcher.type =
-          XdsApi::Route::Matchers::HeaderMatcher::HeaderMatcherType::RANGE;
+      type = HeaderMatcher::Type::RANGE;
       const envoy_type_v3_Int64Range* range_matcher =
           envoy_config_route_v3_HeaderMatcher_range_match(header);
-      header_matcher.range_start =
-          envoy_type_v3_Int64Range_start(range_matcher);
-      header_matcher.range_end = envoy_type_v3_Int64Range_end(range_matcher);
-      if (header_matcher.range_end < header_matcher.range_start) {
-        return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-            "Invalid range header matcher specifier specified: end "
-            "cannot be smaller than start.");
-      }
+      range_start = envoy_type_v3_Int64Range_start(range_matcher);
+      range_end = envoy_type_v3_Int64Range_end(range_matcher);
     } else if (envoy_config_route_v3_HeaderMatcher_has_present_match(header)) {
-      header_matcher.type =
-          XdsApi::Route::Matchers::HeaderMatcher::HeaderMatcherType::PRESENT;
-      header_matcher.present_match =
-          envoy_config_route_v3_HeaderMatcher_present_match(header);
+      type = HeaderMatcher::Type::PRESENT;
+      present_match = envoy_config_route_v3_HeaderMatcher_present_match(header);
     } else if (envoy_config_route_v3_HeaderMatcher_has_prefix_match(header)) {
-      header_matcher.type =
-          XdsApi::Route::Matchers::HeaderMatcher::HeaderMatcherType::PREFIX;
-      header_matcher.string_matcher = UpbStringToStdString(
+      type = HeaderMatcher::Type::PREFIX;
+      match_string = UpbStringToStdString(
           envoy_config_route_v3_HeaderMatcher_prefix_match(header));
     } else if (envoy_config_route_v3_HeaderMatcher_has_suffix_match(header)) {
-      header_matcher.type =
-          XdsApi::Route::Matchers::HeaderMatcher::HeaderMatcherType::SUFFIX;
-      header_matcher.string_matcher = UpbStringToStdString(
+      type = HeaderMatcher::Type::SUFFIX;
+      match_string = UpbStringToStdString(
           envoy_config_route_v3_HeaderMatcher_suffix_match(header));
+    } else if (envoy_config_route_v3_HeaderMatcher_has_contains_match(header)) {
+      type = HeaderMatcher::Type::CONTAINS;
+      match_string = UpbStringToStdString(
+          envoy_config_route_v3_HeaderMatcher_contains_match(header));
     } else {
       return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
           "Invalid route header matcher specified.");
     }
-    header_matcher.invert_match =
+    bool invert_match =
         envoy_config_route_v3_HeaderMatcher_invert_match(header);
-    route->matchers.header_matchers.emplace_back(std::move(header_matcher));
+    absl::StatusOr<HeaderMatcher> header_matcher =
+        HeaderMatcher::Create(name, type, match_string, range_start, range_end,
+                              present_match, invert_match);
+    if (!header_matcher.ok()) {
+      return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("header matcher: ", header_matcher.status().message())
+              .c_str());
+    }
+    route->matchers.header_matchers.emplace_back(
+        std::move(header_matcher.value()));
   }
   return GRPC_ERROR_NONE;
 }
@@ -1473,7 +1076,7 @@ grpc_error* RouteActionParse(const envoy_config_route_v3_Route* route_msg,
   if (envoy_config_route_v3_RouteAction_has_cluster(route_action)) {
     route->cluster_name = UpbStringToStdString(
         envoy_config_route_v3_RouteAction_cluster(route_action));
-    if (route->cluster_name.size() == 0) {
+    if (route->cluster_name.empty()) {
       return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
           "RouteAction cluster contains empty cluster name.");
     }
@@ -1512,6 +1115,7 @@ grpc_error* RouteActionParse(const envoy_config_route_v3_Route* route_msg,
             "RouteAction weighted_cluster cluster missing weight");
       }
       cluster.weight = google_protobuf_UInt32Value_value(weight);
+      if (cluster.weight == 0) continue;
       sum_of_weights += cluster.weight;
       route->weighted_clusters.emplace_back(std::move(cluster));
     }
@@ -1526,16 +1130,36 @@ grpc_error* RouteActionParse(const envoy_config_route_v3_Route* route_msg,
   } else {
     // No cluster or weighted_clusters found in RouteAction, ignore this route.
     *ignore_route = true;
-    return GRPC_ERROR_NONE;
+  }
+  if (XdsTimeoutEnabled() && !*ignore_route) {
+    const envoy_config_route_v3_RouteAction_MaxStreamDuration*
+        max_stream_duration =
+            envoy_config_route_v3_RouteAction_max_stream_duration(route_action);
+    if (max_stream_duration != nullptr) {
+      const google_protobuf_Duration* duration =
+          envoy_config_route_v3_RouteAction_MaxStreamDuration_grpc_timeout_header_max(
+              max_stream_duration);
+      if (duration == nullptr) {
+        duration =
+            envoy_config_route_v3_RouteAction_MaxStreamDuration_max_stream_duration(
+                max_stream_duration);
+      }
+      if (duration != nullptr) {
+        XdsApi::Duration duration_in_route;
+        duration_in_route.seconds = google_protobuf_Duration_seconds(duration);
+        duration_in_route.nanos = google_protobuf_Duration_nanos(duration);
+        route->max_stream_duration = duration_in_route;
+      }
+    }
   }
   return GRPC_ERROR_NONE;
 }
 
 grpc_error* RouteConfigParse(
-    XdsClient* client, TraceFlag* tracer,
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
     const envoy_config_route_v3_RouteConfiguration* route_config,
     XdsApi::RdsUpdate* rds_update) {
-  MaybeLogRouteConfiguration(client, tracer, route_config);
+  MaybeLogRouteConfiguration(client, tracer, symtab, route_config);
   // Get the virtual hosts.
   size_t size;
   const envoy_config_route_v3_VirtualHost* const* virtual_hosts =
@@ -1552,7 +1176,9 @@ grpc_error* RouteConfigParse(
       std::string domain_pattern = UpbStringToStdString(domains[j]);
       const MatchType match_type = DomainPatternMatchType(domain_pattern);
       if (match_type == INVALID_MATCH) {
-        return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid domain pattern.");
+        return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrCat("Invalid domain pattern \"", domain_pattern, "\".")
+                .c_str());
       }
       vhost.domains.emplace_back(std::move(domain_pattern));
     }
@@ -1589,13 +1215,6 @@ grpc_error* RouteConfigParse(
       error = RouteActionParse(routes[j], &route, &ignore_route);
       if (error != GRPC_ERROR_NONE) return error;
       if (ignore_route) continue;
-      const google_protobuf_BoolValue* case_sensitive =
-          envoy_config_route_v3_RouteMatch_case_sensitive(match);
-      if (case_sensitive != nullptr &&
-          !google_protobuf_BoolValue_value(case_sensitive)) {
-        return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-            "case_sensitive if set must be set to true.");
-      }
       vhost.routes.emplace_back(std::move(route));
     }
     if (vhost.routes.empty()) {
@@ -1605,11 +1224,263 @@ grpc_error* RouteConfigParse(
   return GRPC_ERROR_NONE;
 }
 
+XdsApi::CommonTlsContext::CertificateProviderInstance
+CertificateProviderInstanceParse(
+    const envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance*
+        certificate_provider_instance_proto) {
+  return {
+      UpbStringToStdString(
+          envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance_instance_name(
+              certificate_provider_instance_proto)),
+      UpbStringToStdString(
+          envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance_certificate_name(
+              certificate_provider_instance_proto))};
+}
+
+grpc_error* CommonTlsContextParse(
+    const envoy_extensions_transport_sockets_tls_v3_CommonTlsContext*
+        common_tls_context_proto,
+    XdsApi::CommonTlsContext* common_tls_context) GRPC_MUST_USE_RESULT;
+grpc_error* CommonTlsContextParse(
+    const envoy_extensions_transport_sockets_tls_v3_CommonTlsContext*
+        common_tls_context_proto,
+    XdsApi::CommonTlsContext* common_tls_context) {
+  auto* combined_validation_context =
+      envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_combined_validation_context(
+          common_tls_context_proto);
+  if (combined_validation_context != nullptr) {
+    auto* default_validation_context =
+        envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CombinedCertificateValidationContext_default_validation_context(
+            combined_validation_context);
+    if (default_validation_context != nullptr) {
+      size_t len = 0;
+      auto* subject_alt_names_matchers =
+          envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_match_subject_alt_names(
+              default_validation_context, &len);
+      for (size_t i = 0; i < len; ++i) {
+        StringMatcher::Type type;
+        std::string matcher;
+        if (envoy_type_matcher_v3_StringMatcher_has_exact(
+                subject_alt_names_matchers[i])) {
+          type = StringMatcher::Type::EXACT;
+          matcher =
+              UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_exact(
+                  subject_alt_names_matchers[i]));
+        } else if (envoy_type_matcher_v3_StringMatcher_has_prefix(
+                       subject_alt_names_matchers[i])) {
+          type = StringMatcher::Type::PREFIX;
+          matcher =
+              UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_prefix(
+                  subject_alt_names_matchers[i]));
+        } else if (envoy_type_matcher_v3_StringMatcher_has_suffix(
+                       subject_alt_names_matchers[i])) {
+          type = StringMatcher::Type::SUFFIX;
+          matcher =
+              UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_suffix(
+                  subject_alt_names_matchers[i]));
+        } else if (envoy_type_matcher_v3_StringMatcher_has_contains(
+                       subject_alt_names_matchers[i])) {
+          type = StringMatcher::Type::CONTAINS;
+          matcher =
+              UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_contains(
+                  subject_alt_names_matchers[i]));
+        } else if (envoy_type_matcher_v3_StringMatcher_has_safe_regex(
+                       subject_alt_names_matchers[i])) {
+          type = StringMatcher::Type::SAFE_REGEX;
+          auto* regex_matcher = envoy_type_matcher_v3_StringMatcher_safe_regex(
+              subject_alt_names_matchers[i]);
+          matcher = UpbStringToStdString(
+              envoy_type_matcher_v3_RegexMatcher_regex(regex_matcher));
+        } else {
+          return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+              "Invalid StringMatcher specified");
+        }
+        bool ignore_case = envoy_type_matcher_v3_StringMatcher_ignore_case(
+            subject_alt_names_matchers[i]);
+        absl::StatusOr<StringMatcher> string_matcher =
+            StringMatcher::Create(type, matcher,
+                                  /*case_sensitive=*/!ignore_case);
+        if (!string_matcher.ok()) {
+          return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrCat("string matcher: ",
+                           string_matcher.status().message())
+                  .c_str());
+        }
+        if (type == StringMatcher::Type::SAFE_REGEX && ignore_case) {
+          return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+              "StringMatcher: ignore_case has no effect for SAFE_REGEX.");
+        }
+        common_tls_context->combined_validation_context
+            .default_validation_context.match_subject_alt_names.push_back(
+                std::move(string_matcher.value()));
+      }
+    }
+    auto* validation_context_certificate_provider_instance =
+        envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CombinedCertificateValidationContext_validation_context_certificate_provider_instance(
+            combined_validation_context);
+    if (validation_context_certificate_provider_instance != nullptr) {
+      common_tls_context->combined_validation_context
+          .validation_context_certificate_provider_instance =
+          CertificateProviderInstanceParse(
+              validation_context_certificate_provider_instance);
+    }
+  }
+  auto* tls_certificate_certificate_provider_instance =
+      envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_tls_certificate_certificate_provider_instance(
+          common_tls_context_proto);
+  if (tls_certificate_certificate_provider_instance != nullptr) {
+    common_tls_context->tls_certificate_certificate_provider_instance =
+        CertificateProviderInstanceParse(
+            tls_certificate_certificate_provider_instance);
+  }
+  return GRPC_ERROR_NONE;
+}
+
+grpc_error* LdsResponseParseClient(
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab, upb_arena* arena,
+    const envoy_config_listener_v3_ApiListener* api_listener,
+    XdsApi::LdsUpdate* lds_update) {
+  lds_update->type = XdsApi::LdsUpdate::ListenerType::kHttpApiListener;
+  const upb_strview encoded_api_listener = google_protobuf_Any_value(
+      envoy_config_listener_v3_ApiListener_api_listener(api_listener));
+  const envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager*
+      http_connection_manager =
+          envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_parse(
+              encoded_api_listener.data, encoded_api_listener.size, arena);
+  if (http_connection_manager == nullptr) {
+    return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "Could not parse HttpConnectionManager config from ApiListener");
+  }
+  if (XdsTimeoutEnabled()) {
+    // Obtain max_stream_duration from Http Protocol Options.
+    const envoy_config_core_v3_HttpProtocolOptions* options =
+        envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_common_http_protocol_options(
+            http_connection_manager);
+    if (options != nullptr) {
+      const google_protobuf_Duration* duration =
+          envoy_config_core_v3_HttpProtocolOptions_max_stream_duration(options);
+      if (duration != nullptr) {
+        lds_update->http_max_stream_duration.seconds =
+            google_protobuf_Duration_seconds(duration);
+        lds_update->http_max_stream_duration.nanos =
+            google_protobuf_Duration_nanos(duration);
+      }
+    }
+  }
+  // Found inlined route_config. Parse it to find the cluster_name.
+  if (envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_route_config(
+          http_connection_manager)) {
+    const envoy_config_route_v3_RouteConfiguration* route_config =
+        envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_route_config(
+            http_connection_manager);
+    XdsApi::RdsUpdate rds_update;
+    grpc_error* error =
+        RouteConfigParse(client, tracer, symtab, route_config, &rds_update);
+    if (error != GRPC_ERROR_NONE) return error;
+    lds_update->rds_update = std::move(rds_update);
+    return GRPC_ERROR_NONE;
+  }
+  // Validate that RDS must be used to get the route_config dynamically.
+  if (!envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_rds(
+          http_connection_manager)) {
+    return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "HttpConnectionManager neither has inlined route_config nor RDS.");
+  }
+  const envoy_extensions_filters_network_http_connection_manager_v3_Rds* rds =
+      envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_rds(
+          http_connection_manager);
+  // Check that the ConfigSource specifies ADS.
+  const envoy_config_core_v3_ConfigSource* config_source =
+      envoy_extensions_filters_network_http_connection_manager_v3_Rds_config_source(
+          rds);
+  if (config_source == nullptr) {
+    return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "HttpConnectionManager missing config_source for RDS.");
+  }
+  if (!envoy_config_core_v3_ConfigSource_has_ads(config_source)) {
+    return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "HttpConnectionManager ConfigSource for RDS does not specify ADS.");
+  }
+  // Get the route_config_name.
+  lds_update->route_config_name = UpbStringToStdString(
+      envoy_extensions_filters_network_http_connection_manager_v3_Rds_route_config_name(
+          rds));
+  return GRPC_ERROR_NONE;
+}
+
+grpc_error* LdsResponseParseServer(
+    upb_arena* arena, const envoy_config_listener_v3_Listener* listener,
+    const std::string& /*listener_name*/,
+    const envoy_config_core_v3_Address* /*address*/,
+    XdsApi::LdsUpdate* lds_update) {
+  lds_update->type = XdsApi::LdsUpdate::ListenerType::kTcpListener;
+  // TODO(yashykt): Support filter chain match.
+  // Right now, we are supporting and expecting only one entry in filter_chains.
+  size_t size = 0;
+  auto* filter_chains =
+      envoy_config_listener_v3_Listener_filter_chains(listener, &size);
+  if (size != 1) {
+    return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "Only one filter_chain supported.");
+  }
+  // Get the DownstreamTlsContext from the match
+  if (XdsSecurityEnabled()) {
+    auto* transport_socket =
+        envoy_config_listener_v3_FilterChain_transport_socket(filter_chains[0]);
+    if (transport_socket != nullptr) {
+      absl::string_view name = UpbStringToAbsl(
+          envoy_config_core_v3_TransportSocket_name(transport_socket));
+      if (name == "envoy.transport_sockets.tls") {
+        auto* typed_config =
+            envoy_config_core_v3_TransportSocket_typed_config(transport_socket);
+        if (typed_config != nullptr) {
+          const upb_strview encoded_downstream_tls_context =
+              google_protobuf_Any_value(typed_config);
+          auto* downstream_tls_context =
+              envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_parse(
+                  encoded_downstream_tls_context.data,
+                  encoded_downstream_tls_context.size, arena);
+          if (downstream_tls_context == nullptr) {
+            return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                "Can't decode downstream tls context.");
+          }
+          auto* common_tls_context =
+              envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_common_tls_context(
+                  downstream_tls_context);
+          if (common_tls_context != nullptr) {
+            grpc_error* error = CommonTlsContextParse(
+                common_tls_context,
+                &lds_update->downstream_tls_context.common_tls_context);
+            if (error != GRPC_ERROR_NONE) return error;
+          }
+          auto* require_client_certificate =
+              envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_require_client_certificate(
+                  downstream_tls_context);
+          if (require_client_certificate != nullptr) {
+            lds_update->downstream_tls_context.require_client_certificate =
+                google_protobuf_BoolValue_value(require_client_certificate);
+          }
+        }
+        if (lds_update->downstream_tls_context.common_tls_context
+                .tls_certificate_certificate_provider_instance.instance_name
+                .empty()) {
+          return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+              "TLS configuration provided but no "
+              "tls_certificate_certificate_provider_instance found.");
+        }
+      }
+    }
+  }
+  return GRPC_ERROR_NONE;
+}
+
 grpc_error* LdsResponseParse(
-    XdsClient* client, TraceFlag* tracer,
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
     const envoy_service_discovery_v3_DiscoveryResponse* response,
-    const std::string& expected_server_name,
-    absl::optional<XdsApi::LdsUpdate>* lds_update, upb_arena* arena) {
+    const std::set<absl::string_view>& expected_listener_names,
+    XdsApi::LdsUpdateMap* lds_update_map,
+    std::set<std::string>* resource_names_failed, upb_arena* arena) {
+  std::vector<grpc_error*> errors;
   // Get the resources from the response.
   size_t size;
   const google_protobuf_Any* const* resources =
@@ -1619,7 +1490,10 @@ grpc_error* LdsResponseParse(
     absl::string_view type_url =
         UpbStringToAbsl(google_protobuf_Any_type_url(resources[i]));
     if (!IsLds(type_url)) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Resource is not LDS.");
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("resource index ", i, ": Resource is not LDS.")
+              .c_str()));
+      continue;
     }
     // Decode the listener.
     const upb_strview encoded_listener =
@@ -1628,79 +1502,74 @@ grpc_error* LdsResponseParse(
         envoy_config_listener_v3_Listener_parse(encoded_listener.data,
                                                 encoded_listener.size, arena);
     if (listener == nullptr) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Can't decode listener.");
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("resource index ", i, ": Can't decode listener.")
+              .c_str()));
+      continue;
     }
     // Check listener name. Ignore unexpected listeners.
-    absl::string_view name =
-        UpbStringToAbsl(envoy_config_listener_v3_Listener_name(listener));
-    if (name != expected_server_name) continue;
-    // Get api_listener and decode it to http_connection_manager.
+    std::string listener_name =
+        UpbStringToStdString(envoy_config_listener_v3_Listener_name(listener));
+    if (expected_listener_names.find(listener_name) ==
+        expected_listener_names.end()) {
+      continue;
+    }
+    // Fail if listener name is duplicated.
+    if (lds_update_map->find(listener_name) != lds_update_map->end()) {
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("duplicate listener name \"", listener_name, "\"")
+              .c_str()));
+      resource_names_failed->insert(listener_name);
+      continue;
+    }
+    XdsApi::LdsUpdate& lds_update = (*lds_update_map)[listener_name];
+    // Check whether it's a client or server listener.
     const envoy_config_listener_v3_ApiListener* api_listener =
         envoy_config_listener_v3_Listener_api_listener(listener);
-    if (api_listener == nullptr) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "Listener has no ApiListener.");
-    }
-    const upb_strview encoded_api_listener = google_protobuf_Any_value(
-        envoy_config_listener_v3_ApiListener_api_listener(api_listener));
-    const envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager*
-        http_connection_manager =
-            envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_parse(
-                encoded_api_listener.data, encoded_api_listener.size, arena);
-    if (http_connection_manager == nullptr) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "Could not parse HttpConnectionManager config from ApiListener");
-    }
-    // Found inlined route_config. Parse it to find the cluster_name.
-    if (envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_route_config(
-            http_connection_manager)) {
-      const envoy_config_route_v3_RouteConfiguration* route_config =
-          envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_route_config(
-              http_connection_manager);
-      XdsApi::RdsUpdate rds_update;
-      grpc_error* error =
-          RouteConfigParse(client, tracer, route_config, &rds_update);
-      if (error != GRPC_ERROR_NONE) return error;
-      lds_update->emplace();
-      (*lds_update)->rds_update = std::move(rds_update);
-      return GRPC_ERROR_NONE;
+    const envoy_config_core_v3_Address* address =
+        envoy_config_listener_v3_Listener_address(listener);
+    if (api_listener != nullptr && address != nullptr) {
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat(listener_name,
+                       ": Listener has both address and ApiListener")
+              .c_str()));
+      resource_names_failed->insert(listener_name);
+      continue;
     }
-    // Validate that RDS must be used to get the route_config dynamically.
-    if (!envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_rds(
-            http_connection_manager)) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "HttpConnectionManager neither has inlined route_config nor RDS.");
+    if (api_listener == nullptr && address == nullptr) {
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat(listener_name,
+                       ": Listener has neither address nor ApiListener")
+              .c_str()));
+      resource_names_failed->insert(listener_name);
+      continue;
     }
-    const envoy_extensions_filters_network_http_connection_manager_v3_Rds* rds =
-        envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_rds(
-            http_connection_manager);
-    // Check that the ConfigSource specifies ADS.
-    const envoy_config_core_v3_ConfigSource* config_source =
-        envoy_extensions_filters_network_http_connection_manager_v3_Rds_config_source(
-            rds);
-    if (config_source == nullptr) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "HttpConnectionManager missing config_source for RDS.");
+    grpc_error* error = GRPC_ERROR_NONE;
+    if (api_listener != nullptr) {
+      error = LdsResponseParseClient(client, tracer, symtab, arena,
+                                     api_listener, &lds_update);
+    } else {
+      error = LdsResponseParseServer(arena, listener, listener_name, address,
+                                     &lds_update);
     }
-    if (!envoy_config_core_v3_ConfigSource_has_ads(config_source)) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "HttpConnectionManager ConfigSource for RDS does not specify ADS.");
+    if (error != GRPC_ERROR_NONE) {
+      errors.push_back(grpc_error_add_child(
+          GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrCat(listener_name, ": validation error").c_str()),
+          error));
+      resource_names_failed->insert(listener_name);
     }
-    // Get the route_config_name.
-    lds_update->emplace();
-    (*lds_update)->route_config_name = UpbStringToStdString(
-        envoy_extensions_filters_network_http_connection_manager_v3_Rds_route_config_name(
-            rds));
-    return GRPC_ERROR_NONE;
   }
-  return GRPC_ERROR_NONE;
+  return GRPC_ERROR_CREATE_FROM_VECTOR("errors parsing LDS response", &errors);
 }
 
 grpc_error* RdsResponseParse(
-    XdsClient* client, TraceFlag* tracer,
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
     const envoy_service_discovery_v3_DiscoveryResponse* response,
     const std::set<absl::string_view>& expected_route_configuration_names,
-    absl::optional<XdsApi::RdsUpdate>* rds_update, upb_arena* arena) {
+    XdsApi::RdsUpdateMap* rds_update_map,
+    std::set<std::string>* resource_names_failed, upb_arena* arena) {
+  std::vector<grpc_error*> errors;
   // Get the resources from the response.
   size_t size;
   const google_protobuf_Any* const* resources =
@@ -1710,7 +1579,10 @@ grpc_error* RdsResponseParse(
     absl::string_view type_url =
         UpbStringToAbsl(google_protobuf_Any_type_url(resources[i]));
     if (!IsRds(type_url)) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Resource is not RDS.");
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("resource index ", i, ": Resource is not RDS.")
+              .c_str()));
+      continue;
     }
     // Decode the route_config.
     const upb_strview encoded_route_config =
@@ -1719,43 +1591,63 @@ grpc_error* RdsResponseParse(
         envoy_config_route_v3_RouteConfiguration_parse(
             encoded_route_config.data, encoded_route_config.size, arena);
     if (route_config == nullptr) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Can't decode route_config.");
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("resource index ", i, ": Can't decode route_config.")
+              .c_str()));
+      continue;
     }
     // Check route_config_name. Ignore unexpected route_config.
-    absl::string_view route_config_name = UpbStringToAbsl(
+    std::string route_config_name = UpbStringToStdString(
         envoy_config_route_v3_RouteConfiguration_name(route_config));
     if (expected_route_configuration_names.find(route_config_name) ==
         expected_route_configuration_names.end()) {
       continue;
     }
+    // Fail if route config name is duplicated.
+    if (rds_update_map->find(route_config_name) != rds_update_map->end()) {
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("duplicate route config name \"", route_config_name,
+                       "\"")
+              .c_str()));
+      resource_names_failed->insert(route_config_name);
+      continue;
+    }
     // Parse the route_config.
-    XdsApi::RdsUpdate local_rds_update;
+    XdsApi::RdsUpdate& rds_update = (*rds_update_map)[route_config_name];
     grpc_error* error =
-        RouteConfigParse(client, tracer, route_config, &local_rds_update);
-    if (error != GRPC_ERROR_NONE) return error;
-    rds_update->emplace(std::move(local_rds_update));
-    return GRPC_ERROR_NONE;
+        RouteConfigParse(client, tracer, symtab, route_config, &rds_update);
+    if (error != GRPC_ERROR_NONE) {
+      errors.push_back(grpc_error_add_child(
+          GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrCat(route_config_name, ": validation error").c_str()),
+          error));
+      resource_names_failed->insert(route_config_name);
+    }
   }
-  return GRPC_ERROR_NONE;
+  return GRPC_ERROR_CREATE_FROM_VECTOR("errors parsing RDS response", &errors);
 }
 
 grpc_error* CdsResponseParse(
-    XdsClient* client, TraceFlag* tracer,
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
     const envoy_service_discovery_v3_DiscoveryResponse* response,
     const std::set<absl::string_view>& expected_cluster_names,
-    XdsApi::CdsUpdateMap* cds_update_map, upb_arena* arena) {
+    XdsApi::CdsUpdateMap* cds_update_map,
+    std::set<std::string>* resource_names_failed, upb_arena* arena) {
+  std::vector<grpc_error*> errors;
   // Get the resources from the response.
   size_t size;
   const google_protobuf_Any* const* resources =
       envoy_service_discovery_v3_DiscoveryResponse_resources(response, &size);
   // Parse all the resources in the CDS response.
   for (size_t i = 0; i < size; ++i) {
-    XdsApi::CdsUpdate cds_update;
     // Check the type_url of the resource.
     absl::string_view type_url =
         UpbStringToAbsl(google_protobuf_Any_type_url(resources[i]));
     if (!IsCds(type_url)) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Resource is not CDS.");
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("resource index ", i, ": Resource is not CDS.")
+              .c_str()));
+      continue;
     }
     // Decode the cluster.
     const upb_strview encoded_cluster = google_protobuf_Any_value(resources[i]);
@@ -1763,9 +1655,12 @@ grpc_error* CdsResponseParse(
         envoy_config_cluster_v3_Cluster_parse(encoded_cluster.data,
                                               encoded_cluster.size, arena);
     if (cluster == nullptr) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Can't decode cluster.");
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("resource index ", i, ": Can't decode cluster.")
+              .c_str()));
+      continue;
     }
-    MaybeLogCluster(client, tracer, cluster);
+    MaybeLogCluster(client, tracer, symtab, cluster);
     // Ignore unexpected cluster names.
     std::string cluster_name =
         UpbStringToStdString(envoy_config_cluster_v3_Cluster_name(cluster));
@@ -1775,54 +1670,290 @@ grpc_error* CdsResponseParse(
     }
     // Fail on duplicate resources.
     if (cds_update_map->find(cluster_name) != cds_update_map->end()) {
-      return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
           absl::StrCat("duplicate resource name \"", cluster_name, "\"")
-              .c_str());
+              .c_str()));
+      resource_names_failed->insert(cluster_name);
+      continue;
     }
+    XdsApi::CdsUpdate& cds_update = (*cds_update_map)[cluster_name];
     // Check the cluster_discovery_type.
-    if (!envoy_config_cluster_v3_Cluster_has_type(cluster)) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("DiscoveryType not found.");
+    if (!envoy_config_cluster_v3_Cluster_has_type(cluster) &&
+        !envoy_config_cluster_v3_Cluster_has_cluster_type(cluster)) {
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat(cluster_name, ": DiscoveryType not found.").c_str()));
+      resource_names_failed->insert(cluster_name);
+      continue;
     }
-    if (envoy_config_cluster_v3_Cluster_type(cluster) !=
+    if (envoy_config_cluster_v3_Cluster_type(cluster) ==
         envoy_config_cluster_v3_Cluster_EDS) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("DiscoveryType is not EDS.");
-    }
-    // Check the EDS config source.
-    const envoy_config_cluster_v3_Cluster_EdsClusterConfig* eds_cluster_config =
-        envoy_config_cluster_v3_Cluster_eds_cluster_config(cluster);
-    const envoy_config_core_v3_ConfigSource* eds_config =
-        envoy_config_cluster_v3_Cluster_EdsClusterConfig_eds_config(
-            eds_cluster_config);
-    if (!envoy_config_core_v3_ConfigSource_has_ads(eds_config)) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "EDS ConfigSource is not ADS.");
-    }
-    // Record EDS service_name (if any).
-    upb_strview service_name =
-        envoy_config_cluster_v3_Cluster_EdsClusterConfig_service_name(
-            eds_cluster_config);
-    if (service_name.size != 0) {
-      cds_update.eds_service_name = UpbStringToStdString(service_name);
+      cds_update.cluster_type = XdsApi::CdsUpdate::ClusterType::EDS;
+      // Check the EDS config source.
+      const envoy_config_cluster_v3_Cluster_EdsClusterConfig*
+          eds_cluster_config =
+              envoy_config_cluster_v3_Cluster_eds_cluster_config(cluster);
+      const envoy_config_core_v3_ConfigSource* eds_config =
+          envoy_config_cluster_v3_Cluster_EdsClusterConfig_eds_config(
+              eds_cluster_config);
+      if (!envoy_config_core_v3_ConfigSource_has_ads(eds_config)) {
+        errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrCat(cluster_name, ": EDS ConfigSource is not ADS.")
+                .c_str()));
+        resource_names_failed->insert(cluster_name);
+        continue;
+      }
+      // Record EDS service_name (if any).
+      upb_strview service_name =
+          envoy_config_cluster_v3_Cluster_EdsClusterConfig_service_name(
+              eds_cluster_config);
+      if (service_name.size != 0) {
+        cds_update.eds_service_name = UpbStringToStdString(service_name);
+      }
+    } else if (!XdsAggregateAndLogicalDnsClusterEnabled()) {
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat(cluster_name, ": DiscoveryType is not valid.").c_str()));
+      resource_names_failed->insert(cluster_name);
+      continue;
+    } else if (envoy_config_cluster_v3_Cluster_type(cluster) ==
+               envoy_config_cluster_v3_Cluster_LOGICAL_DNS) {
+      cds_update.cluster_type = XdsApi::CdsUpdate::ClusterType::LOGICAL_DNS;
+    } else {
+      if (envoy_config_cluster_v3_Cluster_has_cluster_type(cluster)) {
+        const envoy_config_cluster_v3_Cluster_CustomClusterType*
+            custom_cluster_type =
+                envoy_config_cluster_v3_Cluster_cluster_type(cluster);
+        upb_strview type_name =
+            envoy_config_cluster_v3_Cluster_CustomClusterType_name(
+                custom_cluster_type);
+        if (UpbStringToAbsl(type_name) == "envoy.clusters.aggregate") {
+          cds_update.cluster_type = XdsApi::CdsUpdate::ClusterType::AGGREGATE;
+          // Retrieve aggregate clusters.
+          const google_protobuf_Any* typed_config =
+              envoy_config_cluster_v3_Cluster_CustomClusterType_typed_config(
+                  custom_cluster_type);
+          const upb_strview aggregate_cluster_config_upb_strview =
+              google_protobuf_Any_value(typed_config);
+          const envoy_extensions_clusters_aggregate_v3_ClusterConfig*
+              aggregate_cluster_config =
+                  envoy_extensions_clusters_aggregate_v3_ClusterConfig_parse(
+                      aggregate_cluster_config_upb_strview.data,
+                      aggregate_cluster_config_upb_strview.size, arena);
+          if (aggregate_cluster_config == nullptr) {
+            errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                absl::StrCat(cluster_name, ": Can't parse aggregate cluster.")
+                    .c_str()));
+            resource_names_failed->insert(cluster_name);
+            continue;
+          }
+          size_t size;
+          const upb_strview* clusters =
+              envoy_extensions_clusters_aggregate_v3_ClusterConfig_clusters(
+                  aggregate_cluster_config, &size);
+          for (size_t i = 0; i < size; ++i) {
+            const upb_strview cluster = clusters[i];
+            cds_update.prioritized_cluster_names.emplace_back(
+                UpbStringToStdString(cluster));
+          }
+        } else {
+          errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrCat(cluster_name, ": DiscoveryType is not valid.")
+                  .c_str()));
+          resource_names_failed->insert(cluster_name);
+          continue;
+        }
+      } else {
+        errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrCat(cluster_name, ": DiscoveryType is not valid.")
+                .c_str()));
+        resource_names_failed->insert(cluster_name);
+        continue;
+      }
     }
     // Check the LB policy.
-    if (envoy_config_cluster_v3_Cluster_lb_policy(cluster) !=
+    if (envoy_config_cluster_v3_Cluster_lb_policy(cluster) ==
         envoy_config_cluster_v3_Cluster_ROUND_ROBIN) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "LB policy is not ROUND_ROBIN.");
+      cds_update.lb_policy = "ROUND_ROBIN";
+    } else if (XdsRingHashEnabled() &&
+               envoy_config_cluster_v3_Cluster_lb_policy(cluster) ==
+                   envoy_config_cluster_v3_Cluster_RING_HASH) {
+      cds_update.lb_policy = "RING_HASH";
+      // Record ring hash lb config
+      auto* ring_hash_config =
+          envoy_config_cluster_v3_Cluster_ring_hash_lb_config(cluster);
+      if (ring_hash_config == nullptr) {
+        errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrCat(cluster_name,
+                         ": ring hash lb config required but not present.")
+                .c_str()));
+        resource_names_failed->insert(cluster_name);
+        continue;
+      }
+      const google_protobuf_UInt64Value* max_ring_size =
+          envoy_config_cluster_v3_Cluster_RingHashLbConfig_maximum_ring_size(
+              ring_hash_config);
+      if (max_ring_size != nullptr) {
+        cds_update.max_ring_size =
+            google_protobuf_UInt64Value_value(max_ring_size);
+        if (cds_update.max_ring_size > 8388608 ||
+            cds_update.max_ring_size == 0) {
+          errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrCat(
+                  cluster_name,
+                  ": max_ring_size is not in the range of 1 to 8388608.")
+                  .c_str()));
+          resource_names_failed->insert(cluster_name);
+          continue;
+        }
+      }
+      const google_protobuf_UInt64Value* min_ring_size =
+          envoy_config_cluster_v3_Cluster_RingHashLbConfig_minimum_ring_size(
+              ring_hash_config);
+      if (min_ring_size != nullptr) {
+        cds_update.min_ring_size =
+            google_protobuf_UInt64Value_value(min_ring_size);
+        if (cds_update.min_ring_size > 8388608 ||
+            cds_update.min_ring_size == 0) {
+          errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrCat(
+                  cluster_name,
+                  ": min_ring_size is not in the range of 1 to 8388608.")
+                  .c_str()));
+          resource_names_failed->insert(cluster_name);
+          continue;
+        }
+        if (cds_update.min_ring_size > cds_update.max_ring_size) {
+          errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrCat(
+                  cluster_name,
+                  ": min_ring_size cannot be greater than max_ring_size.")
+                  .c_str()));
+          resource_names_failed->insert(cluster_name);
+          continue;
+        }
+      }
+      if (envoy_config_cluster_v3_Cluster_RingHashLbConfig_hash_function(
+              ring_hash_config) ==
+          envoy_config_cluster_v3_Cluster_RingHashLbConfig_XX_HASH) {
+        cds_update.hash_function = XdsApi::CdsUpdate::HashFunction::XX_HASH;
+      } else if (
+          envoy_config_cluster_v3_Cluster_RingHashLbConfig_hash_function(
+              ring_hash_config) ==
+          envoy_config_cluster_v3_Cluster_RingHashLbConfig_MURMUR_HASH_2) {
+        cds_update.hash_function =
+            XdsApi::CdsUpdate::HashFunction::MURMUR_HASH_2;
+      } else {
+        errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrCat(cluster_name,
+                         ": ring hash lb config has invalid hash function.")
+                .c_str()));
+        resource_names_failed->insert(cluster_name);
+        continue;
+      }
+    } else {
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat(cluster_name, ": LB policy is not supported.").c_str()));
+      resource_names_failed->insert(cluster_name);
+      continue;
+    }
+    if (XdsSecurityEnabled()) {
+      // Record Upstream tls context
+      auto* transport_socket =
+          envoy_config_cluster_v3_Cluster_transport_socket(cluster);
+      if (transport_socket != nullptr) {
+        absl::string_view name = UpbStringToAbsl(
+            envoy_config_core_v3_TransportSocket_name(transport_socket));
+        if (name == "envoy.transport_sockets.tls") {
+          auto* typed_config =
+              envoy_config_core_v3_TransportSocket_typed_config(
+                  transport_socket);
+          if (typed_config != nullptr) {
+            const upb_strview encoded_upstream_tls_context =
+                google_protobuf_Any_value(typed_config);
+            auto* upstream_tls_context =
+                envoy_extensions_transport_sockets_tls_v3_UpstreamTlsContext_parse(
+                    encoded_upstream_tls_context.data,
+                    encoded_upstream_tls_context.size, arena);
+            if (upstream_tls_context == nullptr) {
+              errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                  absl::StrCat(cluster_name,
+                               ": Can't decode upstream tls context.")
+                      .c_str()));
+              resource_names_failed->insert(cluster_name);
+              continue;
+            }
+            auto* common_tls_context =
+                envoy_extensions_transport_sockets_tls_v3_UpstreamTlsContext_common_tls_context(
+                    upstream_tls_context);
+            if (common_tls_context != nullptr) {
+              grpc_error* error = CommonTlsContextParse(
+                  common_tls_context, &cds_update.common_tls_context);
+              if (error != GRPC_ERROR_NONE) {
+                errors.push_back(grpc_error_add_child(
+                    GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                        absl::StrCat(cluster_name, ": error in TLS context")
+                            .c_str()),
+                    error));
+                resource_names_failed->insert(cluster_name);
+                continue;
+              }
+            }
+          }
+          if (cds_update.common_tls_context.combined_validation_context
+                  .validation_context_certificate_provider_instance
+                  .instance_name.empty()) {
+            errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                absl::StrCat(cluster_name,
+                             "TLS configuration provided but no "
+                             "validation_context_certificate_provider_instance "
+                             "found.")
+                    .c_str()));
+            resource_names_failed->insert(cluster_name);
+            continue;
+          }
+        }
+      }
     }
     // Record LRS server name (if any).
     const envoy_config_core_v3_ConfigSource* lrs_server =
         envoy_config_cluster_v3_Cluster_lrs_server(cluster);
     if (lrs_server != nullptr) {
       if (!envoy_config_core_v3_ConfigSource_has_self(lrs_server)) {
-        return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-            "LRS ConfigSource is not self.");
+        errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrCat(cluster_name, ": LRS ConfigSource is not self.")
+                .c_str()));
+        resource_names_failed->insert(cluster_name);
+        continue;
       }
       cds_update.lrs_load_reporting_server_name.emplace("");
     }
-    cds_update_map->emplace(std::move(cluster_name), std::move(cds_update));
+    // The Cluster resource encodes the circuit breaking parameters in a list of
+    // Thresholds messages, where each message specifies the parameters for a
+    // particular RoutingPriority. we will look only at the first entry in the
+    // list for priority DEFAULT and default to 1024 if not found.
+    if (envoy_config_cluster_v3_Cluster_has_circuit_breakers(cluster)) {
+      const envoy_config_cluster_v3_CircuitBreakers* circuit_breakers =
+          envoy_config_cluster_v3_Cluster_circuit_breakers(cluster);
+      size_t num_thresholds;
+      const envoy_config_cluster_v3_CircuitBreakers_Thresholds* const*
+          thresholds = envoy_config_cluster_v3_CircuitBreakers_thresholds(
+              circuit_breakers, &num_thresholds);
+      for (size_t i = 0; i < num_thresholds; ++i) {
+        const auto* threshold = thresholds[i];
+        if (envoy_config_cluster_v3_CircuitBreakers_Thresholds_priority(
+                threshold) == envoy_config_core_v3_DEFAULT) {
+          const google_protobuf_UInt32Value* max_requests =
+              envoy_config_cluster_v3_CircuitBreakers_Thresholds_max_requests(
+                  threshold);
+          if (max_requests != nullptr) {
+            cds_update.max_concurrent_requests =
+                google_protobuf_UInt32Value_value(max_requests);
+          }
+          break;
+        }
+      }
+    }
   }
-  return GRPC_ERROR_NONE;
+  return GRPC_ERROR_CREATE_FROM_VECTOR("errors parsing CDS response", &errors);
 }
 
 grpc_error* ServerAddressParseAndAppend(
@@ -1858,7 +1989,7 @@ grpc_error* ServerAddressParseAndAppend(
 
 grpc_error* LocalityParse(
     const envoy_config_endpoint_v3_LocalityLbEndpoints* locality_lb_endpoints,
-    XdsApi::PriorityListUpdate::LocalityMap::Locality* output_locality) {
+    XdsApi::EdsUpdate::Priority::Locality* output_locality, size_t* priority) {
   // Parse LB weight.
   const google_protobuf_UInt32Value* lb_weight =
       envoy_config_endpoint_v3_LocalityLbEndpoints_load_balancing_weight(
@@ -1888,25 +2019,24 @@ grpc_error* LocalityParse(
           locality_lb_endpoints, &size);
   for (size_t i = 0; i < size; ++i) {
     grpc_error* error = ServerAddressParseAndAppend(
-        lb_endpoints[i], &output_locality->serverlist);
+        lb_endpoints[i], &output_locality->endpoints);
     if (error != GRPC_ERROR_NONE) return error;
   }
   // Parse the priority.
-  output_locality->priority =
-      envoy_config_endpoint_v3_LocalityLbEndpoints_priority(
-          locality_lb_endpoints);
+  *priority = envoy_config_endpoint_v3_LocalityLbEndpoints_priority(
+      locality_lb_endpoints);
   return GRPC_ERROR_NONE;
 }
 
 grpc_error* DropParseAndAppend(
     const envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload*
         drop_overload,
-    XdsApi::DropConfig* drop_config) {
+    XdsApi::EdsUpdate::DropConfig* drop_config) {
   // Get the category.
   std::string category = UpbStringToStdString(
       envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload_category(
           drop_overload));
-  if (category.size() == 0) {
+  if (category.empty()) {
     return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Empty drop category name");
   }
   // Get the drop rate (per million).
@@ -1938,21 +2068,25 @@ grpc_error* DropParseAndAppend(
 }
 
 grpc_error* EdsResponseParse(
-    XdsClient* client, TraceFlag* tracer,
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
     const envoy_service_discovery_v3_DiscoveryResponse* response,
     const std::set<absl::string_view>& expected_eds_service_names,
-    XdsApi::EdsUpdateMap* eds_update_map, upb_arena* arena) {
+    XdsApi::EdsUpdateMap* eds_update_map,
+    std::set<std::string>* resource_names_failed, upb_arena* arena) {
+  std::vector<grpc_error*> errors;
   // Get the resources from the response.
   size_t size;
   const google_protobuf_Any* const* resources =
       envoy_service_discovery_v3_DiscoveryResponse_resources(response, &size);
   for (size_t i = 0; i < size; ++i) {
-    XdsApi::EdsUpdate eds_update;
     // Check the type_url of the resource.
     absl::string_view type_url =
         UpbStringToAbsl(google_protobuf_Any_type_url(resources[i]));
     if (!IsEds(type_url)) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING("Resource is not EDS.");
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("resource index ", i, ": Resource is not EDS.")
+              .c_str()));
+      continue;
     }
     // Get the cluster_load_assignment.
     upb_strview encoded_cluster_load_assignment =
@@ -1962,10 +2096,14 @@ grpc_error* EdsResponseParse(
             encoded_cluster_load_assignment.data,
             encoded_cluster_load_assignment.size, arena);
     if (cluster_load_assignment == nullptr) {
-      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "Can't parse cluster_load_assignment.");
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("resource index ", i,
+                       ": Can't parse cluster_load_assignment.")
+              .c_str()));
+      continue;
     }
-    MaybeLogClusterLoadAssignment(client, tracer, cluster_load_assignment);
+    MaybeLogClusterLoadAssignment(client, tracer, symtab,
+                                  cluster_load_assignment);
     // Check the EDS service name.  Ignore unexpected names.
     std::string eds_service_name = UpbStringToStdString(
         envoy_config_endpoint_v3_ClusterLoadAssignment_cluster_name(
@@ -1976,33 +2114,53 @@ grpc_error* EdsResponseParse(
     }
     // Fail on duplicate resources.
     if (eds_update_map->find(eds_service_name) != eds_update_map->end()) {
-      return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+      errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
           absl::StrCat("duplicate resource name \"", eds_service_name, "\"")
-              .c_str());
+              .c_str()));
+      resource_names_failed->insert(eds_service_name);
+      continue;
     }
+    XdsApi::EdsUpdate& eds_update = (*eds_update_map)[eds_service_name];
     // Get the endpoints.
     size_t locality_size;
     const envoy_config_endpoint_v3_LocalityLbEndpoints* const* endpoints =
         envoy_config_endpoint_v3_ClusterLoadAssignment_endpoints(
             cluster_load_assignment, &locality_size);
+    grpc_error* error = GRPC_ERROR_NONE;
     for (size_t j = 0; j < locality_size; ++j) {
-      XdsApi::PriorityListUpdate::LocalityMap::Locality locality;
-      grpc_error* error = LocalityParse(endpoints[j], &locality);
-      if (error != GRPC_ERROR_NONE) return error;
+      size_t priority;
+      XdsApi::EdsUpdate::Priority::Locality locality;
+      error = LocalityParse(endpoints[j], &locality, &priority);
+      if (error != GRPC_ERROR_NONE) break;
       // Filter out locality with weight 0.
       if (locality.lb_weight == 0) continue;
-      eds_update.priority_list_update.Add(locality);
+      // Make sure prorities is big enough. Note that they might not
+      // arrive in priority order.
+      while (eds_update.priorities.size() < priority + 1) {
+        eds_update.priorities.emplace_back();
+      }
+      eds_update.priorities[priority].localities.emplace(locality.name.get(),
+                                                         std::move(locality));
+    }
+    if (error != GRPC_ERROR_NONE) {
+      errors.push_back(grpc_error_add_child(
+          GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrCat(eds_service_name, ": locality validation error")
+                  .c_str()),
+          error));
+      resource_names_failed->insert(eds_service_name);
+      continue;
     }
-    for (uint32_t priority = 0;
-         priority < eds_update.priority_list_update.size(); ++priority) {
-      auto* locality_map = eds_update.priority_list_update.Find(priority);
-      if (locality_map == nullptr || locality_map->size() == 0) {
-        return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-            "EDS update includes sparse priority list");
+    for (const auto& priority : eds_update.priorities) {
+      if (priority.localities.empty()) {
+        errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrCat(eds_service_name, ": sparse priority list").c_str()));
+        resource_names_failed->insert(eds_service_name);
+        continue;
       }
     }
     // Get the drop config.
-    eds_update.drop_config = MakeRefCounted<XdsApi::DropConfig>();
+    eds_update.drop_config = MakeRefCounted<XdsApi::EdsUpdate::DropConfig>();
     const envoy_config_endpoint_v3_ClusterLoadAssignment_Policy* policy =
         envoy_config_endpoint_v3_ClusterLoadAssignment_policy(
             cluster_load_assignment);
@@ -2013,14 +2171,22 @@ grpc_error* EdsResponseParse(
               envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_drop_overloads(
                   policy, &drop_size);
       for (size_t j = 0; j < drop_size; ++j) {
-        grpc_error* error =
+        error =
             DropParseAndAppend(drop_overload[j], eds_update.drop_config.get());
-        if (error != GRPC_ERROR_NONE) return error;
+        if (error != GRPC_ERROR_NONE) break;
+      }
+      if (error != GRPC_ERROR_NONE) {
+        errors.push_back(grpc_error_add_child(
+            GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                absl::StrCat(eds_service_name, ": drop config validation error")
+                    .c_str()),
+            error));
+        resource_names_failed->insert(eds_service_name);
+        continue;
       }
     }
-    eds_update_map->emplace(std::move(eds_service_name), std::move(eds_update));
   }
-  return GRPC_ERROR_NONE;
+  return GRPC_ERROR_CREATE_FROM_VECTOR("errors parsing EDS response", &errors);
 }
 
 std::string TypeUrlInternalToExternal(absl::string_view type_url) {
@@ -2036,10 +2202,20 @@ std::string TypeUrlInternalToExternal(absl::string_view type_url) {
   return std::string(type_url);
 }
 
+template <typename UpdateMap>
+void MoveUpdatesToFailedSet(UpdateMap* update_map,
+                            std::set<std::string>* resource_names_failed) {
+  for (const auto& p : *update_map) {
+    resource_names_failed->insert(p.first);
+  }
+  update_map->clear();
+}
+
 }  // namespace
 
 XdsApi::AdsParseResult XdsApi::ParseAdsResponse(
-    const grpc_slice& encoded_response, const std::string& expected_server_name,
+    const grpc_slice& encoded_response,
+    const std::set<absl::string_view>& expected_listener_names,
     const std::set<absl::string_view>& expected_route_configuration_names,
     const std::set<absl::string_view>& expected_cluster_names,
     const std::set<absl::string_view>& expected_eds_service_names) {
@@ -2056,7 +2232,7 @@ XdsApi::AdsParseResult XdsApi::ParseAdsResponse(
         GRPC_ERROR_CREATE_FROM_STATIC_STRING("Can't decode DiscoveryResponse.");
     return result;
   }
-  MaybeLogDiscoveryResponse(client_, tracer_, response);
+  MaybeLogDiscoveryResponse(client_, tracer_, symtab_.ptr(), response);
   // Record the type_url, the version_info, and the nonce of the response.
   result.type_url = TypeUrlInternalToExternal(UpbStringToAbsl(
       envoy_service_discovery_v3_DiscoveryResponse_type_url(response)));
@@ -2066,21 +2242,38 @@ XdsApi::AdsParseResult XdsApi::ParseAdsResponse(
       envoy_service_discovery_v3_DiscoveryResponse_nonce(response));
   // Parse the response according to the resource type.
   if (IsLds(result.type_url)) {
-    result.parse_error =
-        LdsResponseParse(client_, tracer_, response, expected_server_name,
-                         &result.lds_update, arena.ptr());
+    result.parse_error = LdsResponseParse(
+        client_, tracer_, symtab_.ptr(), response, expected_listener_names,
+        &result.lds_update_map, &result.resource_names_failed, arena.ptr());
+    if (result.parse_error != GRPC_ERROR_NONE) {
+      MoveUpdatesToFailedSet(&result.lds_update_map,
+                             &result.resource_names_failed);
+    }
   } else if (IsRds(result.type_url)) {
-    result.parse_error = RdsResponseParse(client_, tracer_, response,
-                                          expected_route_configuration_names,
-                                          &result.rds_update, arena.ptr());
+    result.parse_error = RdsResponseParse(
+        client_, tracer_, symtab_.ptr(), response,
+        expected_route_configuration_names, &result.rds_update_map,
+        &result.resource_names_failed, arena.ptr());
+    if (result.parse_error != GRPC_ERROR_NONE) {
+      MoveUpdatesToFailedSet(&result.rds_update_map,
+                             &result.resource_names_failed);
+    }
   } else if (IsCds(result.type_url)) {
-    result.parse_error =
-        CdsResponseParse(client_, tracer_, response, expected_cluster_names,
-                         &result.cds_update_map, arena.ptr());
+    result.parse_error = CdsResponseParse(
+        client_, tracer_, symtab_.ptr(), response, expected_cluster_names,
+        &result.cds_update_map, &result.resource_names_failed, arena.ptr());
+    if (result.parse_error != GRPC_ERROR_NONE) {
+      MoveUpdatesToFailedSet(&result.cds_update_map,
+                             &result.resource_names_failed);
+    }
   } else if (IsEds(result.type_url)) {
-    result.parse_error =
-        EdsResponseParse(client_, tracer_, response, expected_eds_service_names,
-                         &result.eds_update_map, arena.ptr());
+    result.parse_error = EdsResponseParse(
+        client_, tracer_, symtab_.ptr(), response, expected_eds_service_names,
+        &result.eds_update_map, &result.resource_names_failed, arena.ptr());
+    if (result.parse_error != GRPC_ERROR_NONE) {
+      MoveUpdatesToFailedSet(&result.eds_update_map,
+                             &result.resource_names_failed);
+    }
   }
   return result;
 }
@@ -2088,120 +2281,16 @@ XdsApi::AdsParseResult XdsApi::ParseAdsResponse(
 namespace {
 
 void MaybeLogLrsRequest(
-    XdsClient* client, TraceFlag* tracer,
-    const envoy_service_load_stats_v3_LoadStatsRequest* request,
-    const std::string& build_version) {
+    XdsClient* client, TraceFlag* tracer, upb_symtab* symtab,
+    const envoy_service_load_stats_v3_LoadStatsRequest* request) {
   if (GRPC_TRACE_FLAG_ENABLED(*tracer) &&
       gpr_should_log(GPR_LOG_SEVERITY_DEBUG)) {
-    // TODO(roth): When we can upgrade upb, use upb textformat code to dump
-    // the raw proto instead of doing this manually.
-    std::vector<std::string> fields;
-    // node
-    const auto* node =
-        envoy_service_load_stats_v3_LoadStatsRequest_node(request);
-    if (node != nullptr) {
-      AddNodeLogFields(node, build_version, &fields);
-    }
-    // cluster_stats
-    size_t num_cluster_stats;
-    const struct envoy_config_endpoint_v3_ClusterStats* const* cluster_stats =
-        envoy_service_load_stats_v3_LoadStatsRequest_cluster_stats(
-            request, &num_cluster_stats);
-    for (size_t i = 0; i < num_cluster_stats; ++i) {
-      const auto* cluster_stat = cluster_stats[i];
-      fields.emplace_back("cluster_stats {");
-      // cluster_name
-      AddStringField(
-          "  cluster_name",
-          envoy_config_endpoint_v3_ClusterStats_cluster_name(cluster_stat),
-          &fields);
-      // cluster_service_name
-      AddStringField("  cluster_service_name",
-                     envoy_config_endpoint_v3_ClusterStats_cluster_service_name(
-                         cluster_stat),
-                     &fields);
-      // upstream_locality_stats
-      size_t num_stats;
-      const envoy_config_endpoint_v3_UpstreamLocalityStats* const* stats =
-          envoy_config_endpoint_v3_ClusterStats_upstream_locality_stats(
-              cluster_stat, &num_stats);
-      for (size_t j = 0; j < num_stats; ++j) {
-        const auto* stat = stats[j];
-        fields.emplace_back("  upstream_locality_stats {");
-        // locality
-        const auto* locality =
-            envoy_config_endpoint_v3_UpstreamLocalityStats_locality(stat);
-        if (locality != nullptr) {
-          fields.emplace_back("    locality {");
-          AddLocalityField(3, locality, &fields);
-          fields.emplace_back("    }");
-        }
-        // total_successful_requests
-        fields.emplace_back(absl::StrCat(
-            "    total_successful_requests: ",
-            envoy_config_endpoint_v3_UpstreamLocalityStats_total_successful_requests(
-                stat)));
-        // total_requests_in_progress
-        fields.emplace_back(absl::StrCat(
-            "    total_requests_in_progress: ",
-            envoy_config_endpoint_v3_UpstreamLocalityStats_total_requests_in_progress(
-                stat)));
-        // total_error_requests
-        fields.emplace_back(absl::StrCat(
-            "    total_error_requests: ",
-            envoy_config_endpoint_v3_UpstreamLocalityStats_total_error_requests(
-                stat)));
-        // total_issued_requests
-        fields.emplace_back(absl::StrCat(
-            "    total_issued_requests: ",
-            envoy_config_endpoint_v3_UpstreamLocalityStats_total_issued_requests(
-                stat)));
-        fields.emplace_back("  }");
-      }
-      // total_dropped_requests
-      fields.emplace_back(absl::StrCat(
-          "  total_dropped_requests: ",
-          envoy_config_endpoint_v3_ClusterStats_total_dropped_requests(
-              cluster_stat)));
-      // dropped_requests
-      size_t num_drops;
-      const envoy_config_endpoint_v3_ClusterStats_DroppedRequests* const*
-          drops = envoy_config_endpoint_v3_ClusterStats_dropped_requests(
-              cluster_stat, &num_drops);
-      for (size_t j = 0; j < num_drops; ++j) {
-        const auto* drop = drops[j];
-        fields.emplace_back("  dropped_requests {");
-        // category
-        AddStringField(
-            "    category",
-            envoy_config_endpoint_v3_ClusterStats_DroppedRequests_category(
-                drop),
-            &fields);
-        // dropped_count
-        fields.emplace_back(absl::StrCat(
-            "    dropped_count: ",
-            envoy_config_endpoint_v3_ClusterStats_DroppedRequests_dropped_count(
-                drop)));
-        fields.emplace_back("  }");
-      }
-      // load_report_interval
-      const auto* load_report_interval =
-          envoy_config_endpoint_v3_ClusterStats_load_report_interval(
-              cluster_stat);
-      if (load_report_interval != nullptr) {
-        fields.emplace_back("  load_report_interval {");
-        fields.emplace_back(absl::StrCat(
-            "    seconds: ",
-            google_protobuf_Duration_seconds(load_report_interval)));
-        fields.emplace_back(
-            absl::StrCat("    nanos: ",
-                         google_protobuf_Duration_nanos(load_report_interval)));
-        fields.emplace_back("  }");
-      }
-      fields.emplace_back("}");
-    }
+    const upb_msgdef* msg_type =
+        envoy_service_load_stats_v3_LoadStatsRequest_getmsgdef(symtab);
+    char buf[10240];
+    upb_text_encode(request, msg_type, nullptr, 0, buf, sizeof(buf));
     gpr_log(GPR_DEBUG, "[xds_client %p] constructed LRS request: %s", client,
-            absl::StrJoin(fields, "\n").c_str());
+            buf);
   }
 }
 
@@ -2216,7 +2305,8 @@ grpc_slice SerializeLrsRequest(
 
 }  // namespace
 
-grpc_slice XdsApi::CreateLrsInitialRequest(const std::string& server_name) {
+grpc_slice XdsApi::CreateLrsInitialRequest(
+    const XdsBootstrap::XdsServer& server) {
   upb::Arena arena;
   // Create a request.
   envoy_service_load_stats_v3_LoadStatsRequest* request =
@@ -2225,12 +2315,12 @@ grpc_slice XdsApi::CreateLrsInitialRequest(const std::string& server_name) {
   envoy_config_core_v3_Node* node_msg =
       envoy_service_load_stats_v3_LoadStatsRequest_mutable_node(request,
                                                                 arena.ptr());
-  PopulateNode(arena.ptr(), bootstrap_, build_version_, user_agent_name_,
-               server_name, node_msg);
+  PopulateNode(arena.ptr(), node_, server.ShouldUseV3(), build_version_,
+               user_agent_name_, node_msg);
   envoy_config_core_v3_Node_add_client_features(
       node_msg, upb_strview_makez("envoy.lrs.supports_send_all_clusters"),
       arena.ptr());
-  MaybeLogLrsRequest(client_, tracer_, request, build_version_);
+  MaybeLogLrsRequest(client_, tracer_, symtab_.ptr(), request);
   return SerializeLrsRequest(request, arena.ptr());
 }
 
@@ -2317,7 +2407,7 @@ grpc_slice XdsApi::CreateLrsRequest(
     }
     // Add dropped requests.
     uint64_t total_dropped_requests = 0;
-    for (const auto& p : load_report.dropped_requests) {
+    for (const auto& p : load_report.dropped_requests.categorized_drops) {
       const std::string& category = p.first;
       const uint64_t count = p.second;
       envoy_config_endpoint_v3_ClusterStats_DroppedRequests* dropped_requests =
@@ -2329,6 +2419,7 @@ grpc_slice XdsApi::CreateLrsRequest(
           dropped_requests, count);
       total_dropped_requests += count;
     }
+    total_dropped_requests += load_report.dropped_requests.uncategorized_drops;
     // Set total dropped requests.
     envoy_config_endpoint_v3_ClusterStats_set_total_dropped_requests(
         cluster_stats, total_dropped_requests);
@@ -2341,7 +2432,7 @@ grpc_slice XdsApi::CreateLrsRequest(
     google_protobuf_Duration_set_seconds(load_report_interval, timespec.tv_sec);
     google_protobuf_Duration_set_nanos(load_report_interval, timespec.tv_nsec);
   }
-  MaybeLogLrsRequest(client_, tracer_, request, build_version_);
+  MaybeLogLrsRequest(client_, tracer_, symtab_.ptr(), request);
   return SerializeLrsRequest(request, arena.ptr());
 }