grpc 1.43.1 → 1.44.0.pre2

data/src/core/ext/xds/xds_server_config_fetcher.cc

@@ -26,7 +26,10 @@
 #include "src/core/ext/xds/xds_certificate_provider.h"
 #include "src/core/ext/xds/xds_channel_stack_modifier.h"
 #include "src/core/ext/xds/xds_client.h"
+#include "src/core/ext/xds/xds_listener.h"
+#include "src/core/ext/xds/xds_route_config.h"
 #include "src/core/ext/xds/xds_routing.h"
+#include "src/core/lib/address_utils/parse_address.h"
 #include "src/core/lib/address_utils/sockaddr_utils.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/config/core_configuration.h"
@@ -68,8 +71,8 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
  private:
   class ListenerWatcher;
 
-  RefCountedPtr<XdsClient> xds_client_;
-  grpc_server_xds_status_notifier serving_status_notifier_;
+  const RefCountedPtr<XdsClient> xds_client_;
+  const grpc_server_xds_status_notifier serving_status_notifier_;
   Mutex mu_;
   std::map<grpc_server_config_fetcher::WatcherInterface*, ListenerWatcher*>
       listener_watchers_ ABSL_GUARDED_BY(mu_);
@@ -86,7 +89,7 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
 // update received was a fatal error (resource does not exist), the server
 // listener is made to stop listening.
 class XdsServerConfigFetcher::ListenerWatcher
-    : public XdsClient::ListenerWatcherInterface {
+    : public XdsListenerResourceType::WatcherInterface {
  public:
   ListenerWatcher(RefCountedPtr<XdsClient> xds_client,
                   std::unique_ptr<grpc_server_config_fetcher::WatcherInterface>
@@ -94,7 +97,7 @@ class XdsServerConfigFetcher::ListenerWatcher
                   grpc_server_xds_status_notifier serving_status_notifier,
                   std::string listening_address);
 
-  void OnListenerChanged(XdsApi::LdsUpdate listener) override;
+  void OnResourceChanged(XdsListenerResource listener) override;
 
   void OnError(grpc_error_handle error) override;
 
@@ -140,10 +143,10 @@ class XdsServerConfigFetcher::ListenerWatcher
 class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager
     : public grpc_server_config_fetcher::ConnectionManager {
  public:
-  FilterChainMatchManager(
-      RefCountedPtr<XdsClient> xds_client,
-      XdsApi::LdsUpdate::FilterChainMap filter_chain_map,
-      absl::optional<XdsApi::LdsUpdate::FilterChainData> default_filter_chain);
+  FilterChainMatchManager(RefCountedPtr<XdsClient> xds_client,
+                          XdsListenerResource::FilterChainMap filter_chain_map,
+                          absl::optional<XdsListenerResource::FilterChainData>
+                              default_filter_chain);
 
   absl::StatusOr<grpc_channel_args*> UpdateChannelArgsForConnection(
       grpc_channel_args* args, grpc_endpoint* tcp) override;
@@ -154,11 +157,11 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager
   void StartRdsWatch(RefCountedPtr<ListenerWatcher> listener_watcher)
       ABSL_EXCLUSIVE_LOCKS_REQUIRED(&ListenerWatcher::mu_);
 
-  const XdsApi::LdsUpdate::FilterChainMap& filter_chain_map() const {
+  const XdsListenerResource::FilterChainMap& filter_chain_map() const {
     return filter_chain_map_;
   }
 
-  const absl::optional<XdsApi::LdsUpdate::FilterChainData>&
+  const absl::optional<XdsListenerResource::FilterChainData>&
   default_filter_chain() const {
     return default_filter_chain_;
   }
@@ -176,7 +179,7 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager
   class RouteConfigWatcher;
   struct RdsUpdateState {
     RouteConfigWatcher* watcher;
-    absl::optional<absl::StatusOr<XdsApi::RdsUpdate>> rds_update;
+    absl::optional<absl::StatusOr<XdsRouteConfigResource>> rds_update;
   };
 
   class XdsServerConfigSelector;
@@ -185,12 +188,12 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager
 
   absl::StatusOr<RefCountedPtr<XdsCertificateProvider>>
   CreateOrGetXdsCertificateProviderFromFilterChainData(
-      const XdsApi::LdsUpdate::FilterChainData* filter_chain);
+      const XdsListenerResource::FilterChainData* filter_chain);
 
   // Helper functions invoked by RouteConfigWatcher when there are updates to
   // RDS resources.
   void OnRouteConfigChanged(const std::string& resource_name,
-                            XdsApi::RdsUpdate route_config);
+                            XdsRouteConfigResource route_config);
   void OnError(const std::string& resource_name, grpc_error_handle error);
   void OnResourceDoesNotExist(const std::string& resource_name);
 
@@ -198,14 +201,13 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager
   // This ref is only kept around till the FilterChainMatchManager becomes
   // ready.
   RefCountedPtr<ListenerWatcher> listener_watcher_;
-  const XdsApi::LdsUpdate::FilterChainMap filter_chain_map_;
-  const absl::optional<XdsApi::LdsUpdate::FilterChainData>
-      default_filter_chain_;
+  XdsListenerResource::FilterChainMap filter_chain_map_;
+  absl::optional<XdsListenerResource::FilterChainData> default_filter_chain_;
   Mutex mu_;
   size_t rds_resources_yet_to_fetch_ ABSL_GUARDED_BY(mu_) = 0;
   std::map<std::string /* resource_name */, RdsUpdateState> rds_map_
       ABSL_GUARDED_BY(mu_);
-  std::map<const XdsApi::LdsUpdate::FilterChainData*, CertificateProviders>
+  std::map<const XdsListenerResource::FilterChainData*, CertificateProviders>
       certificate_providers_map_ ABSL_GUARDED_BY(mu_);
 };
 
@@ -217,7 +219,7 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager
 // with the latest updates and new connections do not need to wait for the RDS
 // resources to be fetched.
 class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
-    RouteConfigWatcher : public XdsClient::RouteConfigWatcherInterface {
+    RouteConfigWatcher : public XdsRouteConfigResourceType::WatcherInterface {
  public:
   RouteConfigWatcher(
       std::string resource_name,
@@ -225,7 +227,7 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
       : resource_name_(std::move(resource_name)),
         filter_chain_match_manager_(std::move(filter_chain_match_manager)) {}
 
-  void OnRouteConfigChanged(XdsApi::RdsUpdate route_config) override {
+  void OnResourceChanged(XdsRouteConfigResource route_config) override {
     filter_chain_match_manager_->OnRouteConfigChanged(resource_name_,
                                                       std::move(route_config));
   }
@@ -251,8 +253,8 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     XdsServerConfigSelector : public ServerConfigSelector {
  public:
   static absl::StatusOr<RefCountedPtr<XdsServerConfigSelector>> Create(
-      XdsApi::RdsUpdate rds_update,
-      const std::vector<XdsApi::LdsUpdate::HttpConnectionManager::HttpFilter>&
+      XdsRouteConfigResource rds_update,
+      const std::vector<XdsListenerResource::HttpConnectionManager::HttpFilter>&
           http_filters);
   ~XdsServerConfigSelector() override = default;
 
@@ -263,7 +265,7 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     struct Route {
       // true if an action other than kNonForwardingAction is configured.
       bool unsupported_action;
-      XdsApi::Route::Matchers matchers;
+      XdsRouteConfigResource::Route::Matchers matchers;
       RefCountedPtr<ServiceConfig> method_config;
     };
 
@@ -274,7 +276,7 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
 
       size_t Size() const override { return routes_->size(); }
 
-      const XdsApi::Route::Matchers& GetMatchersForRoute(
+      const XdsRouteConfigResource::Route::Matchers& GetMatchersForRoute(
           size_t index) const override {
         return (*routes_)[index].matchers;
       }
@@ -314,8 +316,8 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     : public ServerConfigSelectorProvider {
  public:
   StaticXdsServerConfigSelectorProvider(
-      absl::StatusOr<XdsApi::RdsUpdate> static_resource,
-      std::vector<XdsApi::LdsUpdate::HttpConnectionManager::HttpFilter>
+      absl::StatusOr<XdsRouteConfigResource> static_resource,
+      std::vector<XdsListenerResource::HttpConnectionManager::HttpFilter>
           http_filters)
       : static_resource_(std::move(static_resource)),
         http_filters_(std::move(http_filters)) {}
@@ -332,11 +334,13 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
                                            http_filters_);
   }
 
+  void Orphan() override {}
+
   void CancelWatch() override { watcher_.reset(); }
 
  private:
-  absl::StatusOr<XdsApi::RdsUpdate> static_resource_;
-  std::vector<XdsApi::LdsUpdate::HttpConnectionManager::HttpFilter>
+  absl::StatusOr<XdsRouteConfigResource> static_resource_;
+  std::vector<XdsListenerResource::HttpConnectionManager::HttpFilter>
       http_filters_;
   std::unique_ptr<ServerConfigSelectorProvider::ServerConfigSelectorWatcher>
       watcher_;
@@ -350,10 +354,12 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
  public:
   DynamicXdsServerConfigSelectorProvider(
       RefCountedPtr<XdsClient> xds_client, std::string resource_name,
-      absl::StatusOr<XdsApi::RdsUpdate> initial_resource,
-      std::vector<XdsApi::LdsUpdate::HttpConnectionManager::HttpFilter>
+      absl::StatusOr<XdsRouteConfigResource> initial_resource,
+      std::vector<XdsListenerResource::HttpConnectionManager::HttpFilter>
           http_filters);
 
+  void Orphan() override;
+
   absl::StatusOr<RefCountedPtr<ServerConfigSelector>> Watch(
       std::unique_ptr<ServerConfigSelectorProvider::ServerConfigSelectorWatcher>
           watcher) override;
@@ -362,32 +368,32 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
  private:
   class RouteConfigWatcher;
 
-  void OnRouteConfigChanged(XdsApi::RdsUpdate rds_update);
+  void OnRouteConfigChanged(XdsRouteConfigResource rds_update);
   void OnError(grpc_error_handle error);
   void OnResourceDoesNotExist();
 
   RefCountedPtr<XdsClient> xds_client_;
   std::string resource_name_;
-  std::vector<XdsApi::LdsUpdate::HttpConnectionManager::HttpFilter>
+  std::vector<XdsListenerResource::HttpConnectionManager::HttpFilter>
       http_filters_;
   RouteConfigWatcher* route_config_watcher_ = nullptr;
   Mutex mu_;
   std::unique_ptr<ServerConfigSelectorProvider::ServerConfigSelectorWatcher>
       watcher_ ABSL_GUARDED_BY(mu_);
-  absl::StatusOr<XdsApi::RdsUpdate> resource_ ABSL_GUARDED_BY(mu_);
+  absl::StatusOr<XdsRouteConfigResource> resource_ ABSL_GUARDED_BY(mu_);
 };
 
 // A watcher implementation for updating the RDS resource used by
 // DynamicXdsServerConfigSelectorProvider
 class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     DynamicXdsServerConfigSelectorProvider::RouteConfigWatcher
-    : public XdsClient::RouteConfigWatcherInterface {
+    : public XdsRouteConfigResourceType::WatcherInterface {
  public:
   explicit RouteConfigWatcher(
-      RefCountedPtr<DynamicXdsServerConfigSelectorProvider> parent)
+      WeakRefCountedPtr<DynamicXdsServerConfigSelectorProvider> parent)
       : parent_(std::move(parent)) {}
 
-  void OnRouteConfigChanged(XdsApi::RdsUpdate route_config) override {
+  void OnResourceChanged(XdsRouteConfigResource route_config) override {
     parent_->OnRouteConfigChanged(std::move(route_config));
   }
 
@@ -396,7 +402,7 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
   void OnResourceDoesNotExist() override { parent_->OnResourceDoesNotExist(); }
 
  private:
-  RefCountedPtr<DynamicXdsServerConfigSelectorProvider> parent_;
+  WeakRefCountedPtr<DynamicXdsServerConfigSelectorProvider> parent_;
 };
 
 //
@@ -410,6 +416,17 @@ XdsServerConfigFetcher::XdsServerConfigFetcher(
   GPR_ASSERT(xds_client_ != nullptr);
 }
 
+std::string ListenerResourceName(absl::string_view resource_name_template,
+                                 absl::string_view listening_address) {
+  std::string tmp;
+  if (absl::StartsWith(resource_name_template, "xdstp:")) {
+    tmp = URI::PercentEncodePath(listening_address);
+    listening_address = tmp;
+  }
+  return absl::StrReplaceAll(resource_name_template,
+                             {{"%s", listening_address}});
+}
+
 void XdsServerConfigFetcher::StartWatch(
     std::string listening_address,
     std::unique_ptr<grpc_server_config_fetcher::WatcherInterface> watcher) {
@@ -418,10 +435,11 @@ void XdsServerConfigFetcher::StartWatch(
       xds_client_, std::move(watcher), serving_status_notifier_,
       listening_address);
   auto* listener_watcher_ptr = listener_watcher.get();
-  xds_client_->WatchListenerData(
-      absl::StrReplaceAll(
+  XdsListenerResourceType::StartWatch(
+      xds_client_.get(),
+      ListenerResourceName(
           xds_client_->bootstrap().server_listener_resource_name_template(),
-          {{"%s", listening_address}}),
+          listening_address),
       std::move(listener_watcher));
   MutexLock lock(&mu_);
   listener_watchers_.emplace(watcher_ptr, listener_watcher_ptr);
@@ -433,10 +451,11 @@ void XdsServerConfigFetcher::CancelWatch(
   auto it = listener_watchers_.find(watcher);
   if (it != listener_watchers_.end()) {
     // Cancel the watch on the listener before erasing
-    xds_client_->CancelListenerDataWatch(
-        absl::StrReplaceAll(
+    XdsListenerResourceType::CancelWatch(
+        xds_client_.get(),
+        ListenerResourceName(
             xds_client_->bootstrap().server_listener_resource_name_template(),
-            {{"%s", it->second->listening_address()}}),
+            it->second->listening_address()),
         it->second, false /* delay_unsubscription */);
     listener_watchers_.erase(it);
   }
@@ -457,8 +476,8 @@ XdsServerConfigFetcher::ListenerWatcher::ListenerWatcher(
       serving_status_notifier_(serving_status_notifier),
       listening_address_(std::move(listening_address)) {}
 
-void XdsServerConfigFetcher::ListenerWatcher::OnListenerChanged(
-    XdsApi::LdsUpdate listener) {
+void XdsServerConfigFetcher::ListenerWatcher::OnResourceChanged(
+    XdsListenerResource listener) {
   if (GRPC_TRACE_FLAG_ENABLED(grpc_xds_server_config_fetcher_trace)) {
     gpr_log(GPR_INFO,
             "[ListenerWatcher %p] Received LDS update from xds client %p: %s",
@@ -578,16 +597,20 @@ void XdsServerConfigFetcher::ListenerWatcher::
 XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     FilterChainMatchManager(
         RefCountedPtr<XdsClient> xds_client,
-        XdsApi::LdsUpdate::FilterChainMap filter_chain_map,
-        absl::optional<XdsApi::LdsUpdate::FilterChainData> default_filter_chain)
+        XdsListenerResource::FilterChainMap filter_chain_map,
+        absl::optional<XdsListenerResource::FilterChainData>
+            default_filter_chain)
     : xds_client_(std::move(xds_client)),
       filter_chain_map_(std::move(filter_chain_map)),
       default_filter_chain_(std::move(default_filter_chain)) {}
 
 void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     StartRdsWatch(RefCountedPtr<ListenerWatcher> listener_watcher) {
-  // Get the set of RDS resources to watch on
+  // Get the set of RDS resources to watch on. Also get the set of
+  // FilterChainData so that we can reverse the list of HTTP filters since
+  // received data moves *up* the stack in Core.
   std::set<std::string> resource_names;
+  std::set<XdsListenerResource::FilterChainData*> filter_chain_data_set;
   for (const auto& destination_ip : filter_chain_map_.destination_ip_vector) {
     for (const auto& source_type : destination_ip.source_types_array) {
       for (const auto& source_ip : source_type) {
@@ -598,17 +621,34 @@ void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
                 source_port_pair.second.data->http_connection_manager
                     .route_config_name);
           }
+          filter_chain_data_set.insert(source_port_pair.second.data.get());
         }
       }
     }
   }
-  if (default_filter_chain_.has_value() &&
-      !default_filter_chain_->http_connection_manager.route_config_name
-           .empty()) {
-    resource_names.insert(
-        default_filter_chain_->http_connection_manager.route_config_name);
+  if (default_filter_chain_.has_value()) {
+    if (!default_filter_chain_->http_connection_manager.route_config_name
+             .empty()) {
+      resource_names.insert(
+          default_filter_chain_->http_connection_manager.route_config_name);
+    }
+    std::reverse(
+        default_filter_chain_->http_connection_manager.http_filters.begin(),
+        default_filter_chain_->http_connection_manager.http_filters.end());
+  }
+  // Reverse the lists of HTTP filters in all the filter chains
+  for (auto* filter_chain_data : filter_chain_data_set) {
+    std::reverse(
+        filter_chain_data->http_connection_manager.http_filters.begin(),
+        filter_chain_data->http_connection_manager.http_filters.end());
   }
   // Start watching on referenced RDS resources
+  struct WatcherToStart {
+    std::string resource_name;
+    RefCountedPtr<RouteConfigWatcher> watcher;
+  };
+  std::vector<WatcherToStart> watchers_to_start;
+  watchers_to_start.reserve(resource_names.size());
   {
     MutexLock lock(&mu_);
     for (const auto& resource_name : resource_names) {
@@ -617,14 +657,19 @@ void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
           MakeRefCounted<RouteConfigWatcher>(resource_name, WeakRef());
       rds_map_.emplace(resource_name, RdsUpdateState{route_config_watcher.get(),
                                                      absl::nullopt});
-      xds_client_->WatchRouteConfigData(resource_name,
-                                        std::move(route_config_watcher));
+      watchers_to_start.push_back(
+          WatcherToStart{resource_name, std::move(route_config_watcher)});
     }
     if (rds_resources_yet_to_fetch_ != 0) {
       listener_watcher_ = std::move(listener_watcher);
       listener_watcher = nullptr;
     }
   }
+  for (auto& watcher_to_start : watchers_to_start) {
+    XdsRouteConfigResourceType::StartWatch(xds_client_.get(),
+                                           watcher_to_start.resource_name,
+                                           std::move(watcher_to_start.watcher));
+  }
   // Promote this filter chain match manager if all referenced resources are
   // fetched.
   if (listener_watcher != nullptr) {
@@ -637,7 +682,8 @@ void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
   MutexLock lock(&mu_);
   // Cancel the RDS watches to clear up the weak refs
   for (const auto& entry : rds_map_) {
-    xds_client_->CancelRouteConfigDataWatch(entry.first, entry.second.watcher,
+    XdsRouteConfigResourceType::CancelWatch(xds_client_.get(), entry.first,
+                                            entry.second.watcher,
                                             false /* delay_unsubscription */);
   }
   // Also give up the ref on ListenerWatcher since it won't be needed anymore
@@ -647,7 +693,7 @@ void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
 absl::StatusOr<RefCountedPtr<XdsCertificateProvider>>
 XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     CreateOrGetXdsCertificateProviderFromFilterChainData(
-        const XdsApi::LdsUpdate::FilterChainData* filter_chain) {
+        const XdsListenerResource::FilterChainData* filter_chain) {
   MutexLock lock(&mu_);
   auto it = certificate_providers_map_.find(filter_chain);
   if (it != certificate_providers_map_.end()) {
@@ -711,7 +757,7 @@ XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
 
 void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     OnRouteConfigChanged(const std::string& resource_name,
-                         XdsApi::RdsUpdate route_config) {
+                         XdsRouteConfigResource route_config) {
   RefCountedPtr<ListenerWatcher> listener_watcher;
   {
     MutexLock lock(&mu_);
@@ -777,8 +823,8 @@ void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
   }
 }
 
-const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForSourcePort(
-    const XdsApi::LdsUpdate::FilterChainMap::SourcePortsMap& source_ports_map,
+const XdsListenerResource::FilterChainData* FindFilterChainDataForSourcePort(
+    const XdsListenerResource::FilterChainMap::SourcePortsMap& source_ports_map,
     absl::string_view port_str) {
   int port = 0;
   if (!absl::SimpleAtoi(port_str, &port)) return nullptr;
@@ -794,10 +840,10 @@ const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForSourcePort(
   return nullptr;
 }
 
-const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForSourceIp(
-    const XdsApi::LdsUpdate::FilterChainMap::SourceIpVector& source_ip_vector,
+const XdsListenerResource::FilterChainData* FindFilterChainDataForSourceIp(
+    const XdsListenerResource::FilterChainMap::SourceIpVector& source_ip_vector,
     const grpc_resolved_address* source_ip, absl::string_view port) {
-  const XdsApi::LdsUpdate::FilterChainMap::SourceIp* best_match = nullptr;
+  const XdsListenerResource::FilterChainMap::SourceIp* best_match = nullptr;
   for (const auto& entry : source_ip_vector) {
     // Special case for catch-all
     if (!entry.prefix_range.has_value()) {
@@ -840,8 +886,8 @@ bool IsLoopbackIp(const grpc_resolved_address* address) {
   return false;
 }
 
-const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForSourceType(
-    const XdsApi::LdsUpdate::FilterChainMap::ConnectionSourceTypesArray&
+const XdsListenerResource::FilterChainData* FindFilterChainDataForSourceType(
+    const XdsListenerResource::FilterChainMap::ConnectionSourceTypesArray&
         source_types_array,
     grpc_endpoint* tcp, absl::string_view destination_ip) {
   auto source_uri = URI::Parse(grpc_endpoint_get_peer(tcp));
@@ -865,34 +911,34 @@ const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForSourceType(
   }
   // Use kAny only if kSameIporLoopback and kExternal are empty
   if (source_types_array[static_cast<int>(
-                             XdsApi::LdsUpdate::FilterChainMap::
+                             XdsListenerResource::FilterChainMap::
                                  ConnectionSourceType::kSameIpOrLoopback)]
           .empty() &&
-      source_types_array[static_cast<int>(XdsApi::LdsUpdate::FilterChainMap::
+      source_types_array[static_cast<int>(XdsListenerResource::FilterChainMap::
                                               ConnectionSourceType::kExternal)]
           .empty()) {
     return FindFilterChainDataForSourceIp(
         source_types_array[static_cast<int>(
-            XdsApi::LdsUpdate::FilterChainMap::ConnectionSourceType::kAny)],
+            XdsListenerResource::FilterChainMap::ConnectionSourceType::kAny)],
         &source_addr, port);
   }
   if (IsLoopbackIp(&source_addr) || host == destination_ip) {
     return FindFilterChainDataForSourceIp(
         source_types_array[static_cast<int>(
-            XdsApi::LdsUpdate::FilterChainMap::ConnectionSourceType::
+            XdsListenerResource::FilterChainMap::ConnectionSourceType::
                 kSameIpOrLoopback)],
         &source_addr, port);
   } else {
     return FindFilterChainDataForSourceIp(
         source_types_array[static_cast<int>(
-            XdsApi::LdsUpdate::FilterChainMap::ConnectionSourceType::
+            XdsListenerResource::FilterChainMap::ConnectionSourceType::
                 kExternal)],
         &source_addr, port);
   }
 }
 
-const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForDestinationIp(
-    const XdsApi::LdsUpdate::FilterChainMap::DestinationIpVector
+const XdsListenerResource::FilterChainData* FindFilterChainDataForDestinationIp(
+    const XdsListenerResource::FilterChainMap::DestinationIpVector
         destination_ip_vector,
     grpc_endpoint* tcp) {
   auto destination_uri = URI::Parse(grpc_endpoint_get_local_address(tcp));
@@ -914,7 +960,8 @@ const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForDestinationIp(
     GRPC_ERROR_UNREF(error);
     return nullptr;
   }
-  const XdsApi::LdsUpdate::FilterChainMap::DestinationIp* best_match = nullptr;
+  const XdsListenerResource::FilterChainMap::DestinationIp* best_match =
+      nullptr;
   for (const auto& entry : destination_ip_vector) {
     // Special case for catch-all
     if (!entry.prefix_range.has_value()) {
@@ -960,16 +1007,13 @@ absl::StatusOr<grpc_channel_args*> XdsServerConfigFetcher::ListenerWatcher::
     std::vector<const grpc_channel_filter*> filters;
     // Iterate the list of HTTP filters in reverse since in Core, received data
     // flows *up* the stack.
-    for (auto reverse_iterator =
-             filter_chain->http_connection_manager.http_filters.rbegin();
-         reverse_iterator !=
-         filter_chain->http_connection_manager.http_filters.rend();
-         ++reverse_iterator) {
+    for (const auto& http_filter :
+         filter_chain->http_connection_manager.http_filters) {
       // Find filter.  This is guaranteed to succeed, because it's checked
       // at config validation time in the XdsApi code.
       const XdsHttpFilterImpl* filter_impl =
           XdsHttpFilterRegistry::GetFilterForType(
-              reverse_iterator->config.config_proto_type_name);
+              http_filter.config.config_proto_type_name);
       GPR_ASSERT(filter_impl != nullptr);
       // Some filters like the router filter are no-op filters and do not have
       // an implementation.
@@ -986,7 +1030,7 @@ absl::StatusOr<grpc_channel_args*> XdsServerConfigFetcher::ListenerWatcher::
               filter_chain->http_connection_manager.rds_update.value(),
               filter_chain->http_connection_manager.http_filters);
     } else {
-      absl::StatusOr<XdsApi::RdsUpdate> initial_resource;
+      absl::StatusOr<XdsRouteConfigResource> initial_resource;
       {
         MutexLock lock(&mu_);
         initial_resource =
@@ -1035,8 +1079,9 @@ absl::StatusOr<
                       FilterChainMatchManager::XdsServerConfigSelector>>
 XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     XdsServerConfigSelector::Create(
-        XdsApi::RdsUpdate rds_update,
-        const std::vector<XdsApi::LdsUpdate::HttpConnectionManager::HttpFilter>&
+        XdsRouteConfigResource rds_update,
+        const std::vector<
+            XdsListenerResource::HttpConnectionManager::HttpFilter>&
             http_filters) {
   auto config_selector = MakeRefCounted<XdsServerConfigSelector>();
   for (auto& vhost : rds_update.virtual_hosts) {
@@ -1048,8 +1093,8 @@ XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
       auto& config_selector_route = virtual_host.routes.back();
       config_selector_route.matchers = std::move(route.matchers);
       config_selector_route.unsupported_action =
-          absl::get_if<XdsApi::Route::NonForwardingAction>(&route.action) ==
-          nullptr;
+          absl::get_if<XdsRouteConfigResource::Route::NonForwardingAction>(
+              &route.action) == nullptr;
       XdsRouting::GeneratePerHttpFilterConfigsResult result =
           XdsRouting::GeneratePerHTTPFilterConfigs(http_filters, vhost, route,
                                                    nullptr, nullptr);
@@ -1089,19 +1134,19 @@ ServerConfigSelector::CallConfig XdsServerConfigFetcher::ListenerWatcher::
     FilterChainMatchManager::XdsServerConfigSelector::GetCallConfig(
         grpc_metadata_batch* metadata) {
   CallConfig call_config;
-  if (metadata->legacy_index()->named.path == nullptr) {
+  if (metadata->get_pointer(HttpPathMetadata()) == nullptr) {
     call_config.error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("No path found");
     return call_config;
   }
-  absl::string_view path = StringViewFromSlice(
-      GRPC_MDVALUE(metadata->legacy_index()->named.path->md));
-  if (metadata->legacy_index()->named.authority == nullptr) {
+  absl::string_view path =
+      metadata->get_pointer(HttpPathMetadata())->as_string_view();
+  if (metadata->get_pointer(HttpAuthorityMetadata()) == nullptr) {
     call_config.error =
         GRPC_ERROR_CREATE_FROM_STATIC_STRING("No authority found");
     return call_config;
   }
-  absl::string_view authority = StringViewFromSlice(
-      GRPC_MDVALUE(metadata->legacy_index()->named.authority->md));
+  absl::string_view authority =
+      metadata->get_pointer(HttpAuthorityMetadata())->as_string_view();
   auto vhost_index = XdsRouting::FindVirtualHostForDomain(
       VirtualHostListIterator(&virtual_hosts_), authority);
   if (!vhost_index.has_value()) {
@@ -1146,18 +1191,28 @@ XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     DynamicXdsServerConfigSelectorProvider::
         DynamicXdsServerConfigSelectorProvider(
             RefCountedPtr<XdsClient> xds_client, std::string resource_name,
-            absl::StatusOr<XdsApi::RdsUpdate> initial_resource,
-            std::vector<XdsApi::LdsUpdate::HttpConnectionManager::HttpFilter>
+            absl::StatusOr<XdsRouteConfigResource> initial_resource,
+            std::vector<XdsListenerResource::HttpConnectionManager::HttpFilter>
                 http_filters)
     : xds_client_(std::move(xds_client)),
       resource_name_(std::move(resource_name)),
       http_filters_(std::move(http_filters)),
       resource_(std::move(initial_resource)) {
   GPR_ASSERT(!resource_name_.empty());
-  auto route_config_watcher = MakeRefCounted<RouteConfigWatcher>(Ref());
+  // RouteConfigWatcher is being created here instead of in Watch() to avoid
+  // deadlocks from invoking XdsRouteConfigResourceType::StartWatch whilst in a
+  // critical region.
+  auto route_config_watcher = MakeRefCounted<RouteConfigWatcher>(WeakRef());
   route_config_watcher_ = route_config_watcher.get();
-  xds_client_->WatchRouteConfigData(resource_name_,
-                                    std::move(route_config_watcher));
+  XdsRouteConfigResourceType::StartWatch(xds_client_.get(), resource_name_,
+                                         std::move(route_config_watcher));
+}
+
+void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
+    DynamicXdsServerConfigSelectorProvider::Orphan() {
+  XdsRouteConfigResourceType::CancelWatch(xds_client_.get(), resource_name_,
+                                          route_config_watcher_,
+                                          false /* delay_unsubscription */);
 }
 
 absl::StatusOr<RefCountedPtr<ServerConfigSelector>>
@@ -1166,7 +1221,7 @@ XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
         std::unique_ptr<
             ServerConfigSelectorProvider::ServerConfigSelectorWatcher>
             watcher) {
-  absl::StatusOr<XdsApi::RdsUpdate> resource;
+  absl::StatusOr<XdsRouteConfigResource> resource;
   {
     MutexLock lock(&mu_);
     GPR_ASSERT(watcher_ == nullptr);
@@ -1181,20 +1236,22 @@ XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
 
 void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     DynamicXdsServerConfigSelectorProvider::CancelWatch() {
-  xds_client_->CancelRouteConfigDataWatch(resource_name_, route_config_watcher_,
-                                          false /* delay_unsubscription */);
   MutexLock lock(&mu_);
   watcher_.reset();
 }
 
 void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager::
     DynamicXdsServerConfigSelectorProvider::OnRouteConfigChanged(
-        XdsApi::RdsUpdate rds_update) {
+        XdsRouteConfigResource rds_update) {
   MutexLock lock(&mu_);
   resource_ = std::move(rds_update);
   if (watcher_ == nullptr) {
     return;
   }
+  // Currently server_config_selector_filter does not call into
+  // DynamicXdsServerConfigSelectorProvider while holding a lock, but if that
+  // ever changes, we would want to invoke the update outside the critical
+  // region with the use of a WorkSerializer.
   watcher_->OnServerConfigSelectorUpdate(
       XdsServerConfigSelector::Create(*resource_, http_filters_));
 }
@@ -1235,7 +1292,10 @@ grpc_server_config_fetcher* grpc_server_config_fetcher_xds_create(
   args = grpc_core::CoreConfiguration::Get()
              .channel_args_preconditioning()
              .PreconditionChannelArgs(args);
-  GRPC_API_TRACE("grpc_server_config_fetcher_xds_create()", 0, ());
+  GRPC_API_TRACE(
+      "grpc_server_config_fetcher_xds_create(notifier={on_serving_status_"
+      "update=%p, user_data=%p}, args=%p)",
+      3, (notifier.on_serving_status_update, notifier.user_data, args));
   grpc_error_handle error = GRPC_ERROR_NONE;
   grpc_core::RefCountedPtr<grpc_core::XdsClient> xds_client =
       grpc_core::XdsClient::GetOrCreate(args, &error);