authorheretic <heretic@yandex-team.ru>2022-03-25 12:34:53 +0300
committerheretic <heretic@yandex-team.ru>2022-03-25 12:34:53 +0300
commita41f3739eed6fceb6f62056a7620d220958a47e7 (patch)
tree278103258b510cb4a96761ea79d6ccd397ca05a0 /contrib/libs/grpc/src/proto
parent73d3613a82e5c217fcbe0ab8bbf8120c1ed1af55 (diff)
Update grpc to 1.43.2 DTCC-864
ref:50a492c335cda70f458797cf945e49fe739c2715
Diffstat (limited to 'contrib/libs/grpc/src/proto')
-rw-r--r--contrib/libs/grpc/src/proto/grpc/auth/v1/authz_policy.proto122
-rw-r--r--contrib/libs/grpc/src/proto/grpc/binary_log/v1alpha/log.proto93
-rw-r--r--contrib/libs/grpc/src/proto/grpc/health/v1/health.options1
-rw-r--r--contrib/libs/grpc/src/proto/grpc/http_over_grpc/http_over_grpc.proto51
-rw-r--r--contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.options5
-rw-r--r--contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.proto14
-rw-r--r--contrib/libs/grpc/src/proto/grpc/lookup/v1/rls.proto62
-rw-r--r--contrib/libs/grpc/src/proto/grpc/lookup/v1/rls_config.proto225
-rw-r--r--contrib/libs/grpc/src/proto/grpc/reflection/v1/reflection.proto147
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/echo.proto1
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/orca_load_report_for_test.proto58
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/address.proto7
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/ads.proto2
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/base.proto3
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/cluster.proto52
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/csds.proto53
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/endpoint.proto11
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/extension.proto38
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/orca_load_report.proto2
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/regex.proto5
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/route.proto97
-rw-r--r--contrib/libs/grpc/src/proto/grpc/testing/xds/v3/tls.proto198
22 files changed, 902 insertions, 345 deletions
diff --git a/contrib/libs/grpc/src/proto/grpc/auth/v1/authz_policy.proto b/contrib/libs/grpc/src/proto/grpc/auth/v1/authz_policy.proto
deleted file mode 100644
index 347386f3e6..0000000000
--- a/contrib/libs/grpc/src/proto/grpc/auth/v1/authz_policy.proto
+++ /dev/null
@@ -1,122 +0,0 @@
-// Copyright 2021 The gRPC Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package grpc.auth.v1;
-
-// Peer specifies attributes of a peer. Fields in the Peer are ANDed together, once
-// we support multiple fields in the future.
-message Peer {
- // Optional. A list of peer identities to match for authorization. The principals
- // are one of, i.e., it matches if one of the principals matches. The field
- // supports Exact, Prefix, Suffix, and Presence matches.
- // - Exact match: "abc" will match on value "abc".
- // - Prefix match: "abc*" will match on value "abc" and "abcd".
- // - Suffix match: "*abc" will match on value "abc" and "xabc".
- // - Presence match: "*" will match when the value is not empty.
- repeated string principals = 1;
-}
-
-// Specification of HTTP header match attributes.
-message Header {
- // Required. The name of the HTTP header to match. The following headers are *not*
- // supported: "hop-by-hop" headers (e.g., those listed in "Connection" header),
- // HTTP/2 pseudo headers (":"-prefixed), the "Host" header, and headers prefixed
- // with "grpc-".
- string key = 1;
-
- // Required. A list of header values to match. The header values are ORed together,
- // i.e., it matches if one of the values matches. This field supports Exact,
- // Prefix, Suffix, and Presence match. Multi-valued headers are considered a single
- // value with commas added between values.
- // - Exact match: "abc" will match on value "abc".
- // - Prefix match: "abc*" will match on value "abc" and "abcd".
- // - Suffix match: "*abc" will match on value "abc" and "xabc".
- // - Presence match: "*" will match when the value is not empty.
- repeated string values = 2;
-}
-
-// Request specifies attributes of a request. Fields in the Request are ANDed
-// together.
-message Request {
- // Optional. A list of paths to match for authorization. This is the fully
- // qualified name in the form of "/package.service/method". The paths are ORed
- // together, i.e., it matches if one of the paths matches. This field supports
- // Exact, Prefix, Suffix, and Presence matches.
- // - Exact match: "abc" will match on value "abc".
- // - Prefix match: "abc*" will match on value "abc" and "abcd".
- // - Suffix match: "*abc" will match on value "abc" and "xabc".
- // - Presence match: "*" will match when the value is not empty.
- repeated string paths = 1;
-
- // Optional. A list of HTTP header key/value pairs to match against, for
- // potentially advanced use cases. The headers are ANDed together, i.e., it matches
- // only if *all* the headers match.
- repeated Header headers = 3;
-}
-
-// Specification of rules.
-message Rule {
- // Required. The name of an authorization rule.
- // It is mainly for monitoring and error message generation.
- string name = 1;
-
- // Optional. If not set, no checks will be performed against the source. An empty
- // rule is always matched (i.e., both source and request are empty).
- Peer source = 2;
-
- // Optional. If not set, no checks will be performed against the request. An empty
- // rule is always matched (i.e., both source and request are empty).
- Request request = 3;
-}
-
-// AuthorizationPolicy defines which principals are permitted to access which
-// resource. Resources are RPC methods scoped by services.
-//
-// In the following yaml policy example, a peer identity from ["admin1", "admin2", "admin3"]
-// is authorized to access any RPC methods in pkg.service, and peer identity "dev" is
-// authorized to access the "foo" and "bar" RPC methods.
-//
-// name: example-policy
-// allow_rules:
-// - name: admin-access
-// source:
-// principals:
-// - "spiffe://foo.com/sa/admin1"
-// - "spiffe://foo.com/sa/admin2"
-// - "spiffe://foo.com/sa/admin3"
-// request:
-// paths: ["/pkg.service/*"]
-// - name: dev-access
-// source:
-// principals: ["spiffe://foo.com/sa/dev"]
-// request:
-// paths: ["/pkg.service/foo", "/pkg.service/bar"]
-
-message AuthorizationPolicy {
- // Required. The name of an authorization policy.
- // It is mainly for monitoring and error message generation.
- string name = 1;
-
- // Optional. List of deny rules to match. If a request matches any of the deny
- // rules, then it will be denied. If none of the deny rules matches or there are
- // no deny rules, the allow rules will be evaluated.
- repeated Rule deny_rules = 2;
-
- // Required. List of allow rules to match. The allow rules will only be evaluated
- // after the deny rules. If a request matches any of the allow rules, then it will
- // allowed. If none of the allow rules matches, it will be denied.
- repeated Rule allow_rules = 3;
-}
diff --git a/contrib/libs/grpc/src/proto/grpc/binary_log/v1alpha/log.proto b/contrib/libs/grpc/src/proto/grpc/binary_log/v1alpha/log.proto
deleted file mode 100644
index 77100ebbef..0000000000
--- a/contrib/libs/grpc/src/proto/grpc/binary_log/v1alpha/log.proto
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright 2016 gRPC authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-import "google/protobuf/timestamp.proto";
-
-package grpc.binary_log.v1alpha;
-
-enum Direction {
- SERVER_SEND = 0;
- SERVER_RECV = 1;
- CLIENT_SEND = 2;
- CLIENT_RECV = 3;
-}
-
-message KeyValuePair {
- string key = 1;
- string value = 2;
-}
-
-// Any sort of metadata that may be sent in either direction during a call
-message Metadata {
- // Cryptographically unique identifier, generated on the client and sent
- // to the server.
- uint64 rpc_id = 1;
- // Timestamp of logging the metadata
- google.protobuf.Timestamp timestamp = 2;
- Direction direction = 3;
- // The actual metadata that is being sent
- repeated KeyValuePair metadata = 4;
-
- // Initial metadata sent by the client to initiate a request
- message ClientInitialMetadata {
- // The full method name that is being called
- string method_name = 1;
- // The call's deadline
- google.protobuf.Timestamp deadline = 2;
- // The address of the connected peer
- string peer = 3;
- }
-
- // Arbitrary key/value pairs specified by the user that are not sent over
- // the network but are nonetheless useful to log
- message UserData {
- }
-
- // Initial metadata response sent by the server after accepting the request
- message ServerInitialMetadata {
- }
-
- // Status sent by the server when closing the call on the server side
- message ServerStatus {
- // The status code
- uint32 code = 1;
- // The status details
- string details = 2;
- }
-
- oneof kind {
- ClientInitialMetadata client_initial_metadata = 5;
- UserData user_data = 6;
- ServerInitialMetadata server_initial_metadata = 7;
- ServerStatus server_status = 8;
- }
-}
-
-// A message that is sent during a call
-message Message {
- // Cryptographically unique identifier, generated on the client and sent
- // to the server.
- uint64 rpc_id = 1;
- // The sequence number of the message. Messages sent by the client and by the
- // server should have independently incrementing sequence numbers.
- uint32 sequence_number = 2;
- Direction direction = 3;
- // The length of the complete message.
- uint32 length = 4;
- // The contents of the message. May be a prefix instead of the complete
- // message.
- bytes data = 5;
-}
diff --git a/contrib/libs/grpc/src/proto/grpc/health/v1/health.options b/contrib/libs/grpc/src/proto/grpc/health/v1/health.options
deleted file mode 100644
index 240b498b58..0000000000
--- a/contrib/libs/grpc/src/proto/grpc/health/v1/health.options
+++ /dev/null
@@ -1 +0,0 @@
-grpc.health.v1.HealthCheckRequest.service max_size:200
diff --git a/contrib/libs/grpc/src/proto/grpc/http_over_grpc/http_over_grpc.proto b/contrib/libs/grpc/src/proto/grpc/http_over_grpc/http_over_grpc.proto
deleted file mode 100644
index ccfa951cd4..0000000000
--- a/contrib/libs/grpc/src/proto/grpc/http_over_grpc/http_over_grpc.proto
+++ /dev/null
@@ -1,51 +0,0 @@
-// Copyright 2019 The gRPC Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package grpc.http_over_grpc;
-
-// Represents HTTP 1.1 header.
-message Header {
- string key = 1;
- repeated string values = 2;
-}
-
-// An HTTP 1.1 request encapsulated in a gRPC.
-message HTTPOverGRPCRequest {
- // The HTTP request method.
- string method = 1;
- // The HTTP request URL.
- string url = 2;
- // The HTTP request headers.
- repeated Header headers = 3;
- // HTTP request body.
- bytes body = 4;
-}
-
-// An HTTP 1.1 reply encapsulated in an RPC.
-message HTTPOverGRPCReply {
- // The HTTP status code (e.g. 200, 400, 404).
- int32 status = 1;
- // The HTTP response headers.
- repeated Header headers = 2;
- // The HTTP response body.
- bytes body = 3;
-}
-
-// Currently does not support HTTP chunked transfer encoding.
-service HTTPOverGRPC {
- // Perform the given HTTP request.
- rpc HTTPRequest(HTTPOverGRPCRequest) returns (HTTPOverGRPCReply) {}
-}
diff --git a/contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.options b/contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.options
deleted file mode 100644
index 7fbd44b9de..0000000000
--- a/contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.options
+++ /dev/null
@@ -1,5 +0,0 @@
-grpc.lb.v1.InitialLoadBalanceRequest.name max_size:128
-grpc.lb.v1.InitialLoadBalanceResponse.load_balancer_delegate max_size:64
-grpc.lb.v1.Server.ip_address max_size:16
-grpc.lb.v1.Server.load_balance_token max_size:50
-load_balancer.proto no_unions:true
diff --git a/contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.proto b/contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.proto
index ccf2efd629..00fc7096c9 100644
--- a/contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.proto
+++ b/contrib/libs/grpc/src/proto/grpc/lb/v1/load_balancer.proto
@@ -26,7 +26,7 @@ import "google/protobuf/timestamp.proto";
option go_package = "google.golang.org/grpc/balancer/grpclb/grpc_lb_v1";
option java_multiple_files = true;
option java_outer_classname = "LoadBalancerProto";
-option java_package = "io.grpc.grpclb";
+option java_package = "io.grpc.lb.v1";
service LoadBalancer {
// Bidirectional rpc to get a list of servers.
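Review bot: The new `option java_package = "io.grpc.lb.v1";` moves every Java class generated from this file out of `io.grpc.grpclb`, so any Java code in the tree that still imports the old package will stop compiling, and nothing in this diff shows those callers being updated. `java_outer_classname` is unchanged, so only the package part of the fully qualified names moves. I would add a comment above the option such as `// Was io.grpc.grpclb before the 1.43.2 import; generated classes moved.` so the break is traceable. The `service LoadBalancer` body continues outside this hunk.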
@@ -97,18 +97,14 @@ message LoadBalanceResponse {
// If this field is set, then the client should eagerly enter fallback
// mode (even if there are existing, healthy connections to backends).
- // See go/grpclb-explicit-fallback for more details.
FallbackResponse fallback_response = 3;
}
}
+message FallbackResponse {}
+
message InitialLoadBalanceResponse {
- // This is an application layer redirect that indicates the client should use
- // the specified server for load balancing. When this field is non-empty in
- // the response, the client should open a separate connection to the
- // load_balancer_delegate and call the BalanceLoad method. Its length should
- // be less than 64 bytes.
- string load_balancer_delegate = 1;
+ reserved 1; // never-used load_balancer_delegate
// This interval defines how often the client should send the client stats
// to the load balancer. Stats should only be reported when the duration is
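Review bot: `reserved 1; // never-used load_balancer_delegate` in `InitialLoadBalanceResponse` retires the field number but not the field name, so the name can still be reintroduced with a different meaning and collide in JSON or text-format data. Reserving both closes that: `reserved "load_balancer_delegate";` on the line after `reserved 1;`. The removed comment described an application-layer redirect to another balancer, which is worth keeping permanently retired rather than left open to reuse. The message body continues outside this hunk.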
@@ -153,5 +149,3 @@ message Server {
reserved 5;
}
-
-message FallbackResponse {}
diff --git a/contrib/libs/grpc/src/proto/grpc/lookup/v1/rls.proto b/contrib/libs/grpc/src/proto/grpc/lookup/v1/rls.proto
new file mode 100644
index 0000000000..7d1735289d
--- /dev/null
+++ b/contrib/libs/grpc/src/proto/grpc/lookup/v1/rls.proto
@@ -0,0 +1,62 @@
+// Copyright 2020 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grpc.lookup.v1;
+
+option go_package = "google.golang.org/grpc/lookup/grpc_lookup_v1";
+option java_multiple_files = true;
+option java_package = "io.grpc.lookup.v1";
+option java_outer_classname = "RlsProto";
+
+message RouteLookupRequest {
+ // Target type allows the client to specify what kind of target format it
+ // would like from RLS to allow it to find the regional server, e.g. "grpc".
+ string target_type = 3;
+ // Possible reasons for making a request.
+ enum Reason {
+ REASON_UNKNOWN = 0; // Unused
+ REASON_MISS = 1; // No data available in local cache
+ REASON_STALE = 2; // Data in local cache is stale
+ }
+ // Reason for making this request.
+ Reason reason = 5;
+ // For REASON_STALE, the header_data from the stale response, if any.
+ string stale_header_data = 6;
+ // Map of key values extracted via key builders for the gRPC or HTTP request.
+ map<string, string> key_map = 4;
+
+ reserved 1, 2;
+ reserved "server", "path";
+}
+
+message RouteLookupResponse {
+ // Prioritized list (best one first) of addressable entities to use
+ // for routing, using syntax requested by the request target_type.
+ // The targets will be tried in order until a healthy one is found.
+ repeated string targets = 3;
+ // Optional header value to pass along to AFE in the X-Google-RLS-Data header.
+ // Cached with "target" and sent with all requests that match the request key.
+ // Allows the RLS to pass its work product to the eventual target.
+ string header_data = 2;
+
+ reserved 1;
+ reserved "target";
+}
+
+service RouteLookupService {
+ // Lookup returns a target for a single key.
+ rpc RouteLookup(RouteLookupRequest) returns (RouteLookupResponse) {}
+}
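Review bot: `RouteLookupResponse.targets` and `header_data` are chosen by the lookup server and then used by the client for routing and forwarded on requests, but neither field comment says how a client should bound them. rls_config.proto in this same commit defines `RouteLookupConfig.valid_targets`, so the `targets` comment could point at it: `// A target not listed in RouteLookupConfig.valid_targets is treated as unhealthy.` On the request side, `key_map` is filled from values extracted by key builders, which per rls_config.proto include request headers, so a line such as `// Values may originate from request headers and are sent to the lookup service.` would tell config authors what leaves the client. `RouteLookupRequest` and `RouteLookupResponse` also have no leading comment of their own.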
diff --git a/contrib/libs/grpc/src/proto/grpc/lookup/v1/rls_config.proto b/contrib/libs/grpc/src/proto/grpc/lookup/v1/rls_config.proto
new file mode 100644
index 0000000000..9d2b6c54cf
--- /dev/null
+++ b/contrib/libs/grpc/src/proto/grpc/lookup/v1/rls_config.proto
@@ -0,0 +1,225 @@
+// Copyright 2020 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grpc.lookup.v1;
+
+import "google/protobuf/duration.proto";
+
+option go_package = "google.golang.org/grpc/lookup/grpc_lookup_v1";
+option java_multiple_files = true;
+option java_package = "io.grpc.lookup.v1";
+option java_outer_classname = "RlsConfigProto";
+
+// Extract a key based on a given name (e.g. header name or query parameter
+// name). The name must match one of the names listed in the "name" field. If
+// the "required_match" field is true, one of the specified names must be
+// present for the keybuilder to match.
+message NameMatcher {
+ // The name that will be used in the RLS key_map to refer to this value.
+ // If required_match is true, you may omit this field or set it to an empty
+ // string, in which case the matcher will require a match, but won't update
+ // the key_map.
+ string key = 1;
+
+ // Ordered list of names (headers or query parameter names) that can supply
+ // this value; the first one with a non-empty value is used.
+ repeated string names = 2;
+
+ // If true, make this extraction required; the key builder will not match
+ // if no value is found.
+ bool required_match = 3;
+}
+
+// A GrpcKeyBuilder applies to a given gRPC service, name, and headers.
+message GrpcKeyBuilder {
+ // To match, one of the given Name fields must match; the service and method
+ // fields are specified as fixed strings. The service name is required and
+ // includes the proto package name. The method name may be omitted, in
+ // which case any method on the given service is matched.
+ message Name {
+ string service = 1;
+ string method = 2;
+ }
+ repeated Name names = 1;
+
+ // If you wish to include the host, service, or method names as keys in the
+ // generated RouteLookupRequest, specify key names to use in the extra_keys
+ // submessage. If a key name is empty, no key will be set for that value.
+ // If this submessage is specified, the normal host/path fields will be left
+ // unset in the RouteLookupRequest. We are deprecating host/path in the
+ // RouteLookupRequest, so services should migrate to the ExtraKeys approach.
+ message ExtraKeys {
+ string host = 1;
+ string service = 2;
+ string method = 3;
+ }
+ ExtraKeys extra_keys = 3;
+
+ // Extract keys from all listed headers.
+ // For gRPC, it is an error to specify "required_match" on the NameMatcher
+ // protos.
+ repeated NameMatcher headers = 2;
+
+ // You can optionally set one or more specific key/value pairs to be added to
+ // the key_map. This can be useful to identify which builder built the key,
+ // for example if you are suppressing the actual method, but need to
+ // separately cache and request all the matched methods.
+ map<string, string> constant_keys = 4;
+}
+
+// An HttpKeyBuilder applies to a given HTTP URL and headers.
+//
+// Path and host patterns use the matching syntax from gRPC transcoding to
+// extract named key/value pairs from the path and host components of the URL:
+// https://github.com/googleapis/googleapis/blob/master/google/api/http.proto
+//
+// It is invalid to specify the same key name in multiple places in a pattern.
+//
+// For a service where the project id can be expressed either as a subdomain or
+// in the path, separate HttpKeyBuilders must be used:
+// host_pattern: 'example.com' path_pattern: '/{id}/{object}/**'
+// host_pattern: '{id}.example.com' path_pattern: '/{object}/**'
+// If the host is exactly 'example.com', the first path segment will be used as
+// the id and the second segment as the object. If the host has a subdomain, the
+// subdomain will be used as the id and the first segment as the object. If
+// neither pattern matches, no keys will be extracted.
+message HttpKeyBuilder {
+ // host_pattern is an ordered list of host template patterns for the desired
+ // value. If any host_pattern values are specified, then at least one must
+ // match, and the last one wins and sets any specified variables. A host
+ // consists of labels separated by dots. Each label is matched against the
+ // label in the pattern as follows:
+ // - "*": Matches any single label.
+ // - "**": Matches zero or more labels (first or last part of host only).
+ // - "{<name>=...}": One or more label capture, where "..." can be any
+ // template that does not include a capture.
+ // - "{<name>}": A single label capture. Identical to {<name>=*}.
+ //
+ // Examples:
+ // - "example.com": Only applies to the exact host example.com.
+ // - "*.example.com": Matches subdomains of example.com.
+ // - "**.example.com": matches example.com, and all levels of subdomains.
+ // - "{project}.example.com": Extracts the third level subdomain.
+ // - "{project=**}.example.com": Extracts the third level+ subdomains.
+ // - "{project=**}": Extracts the entire host.
+ repeated string host_patterns = 1;
+
+ // path_pattern is an ordered list of path template patterns for the desired
+ // value. If any path_pattern values are specified, then at least one must
+ // match, and the last one wins and sets any specified variables. A path
+ // consists of segments separated by slashes. Each segment is matched against
+ // the segment in the pattern as follows:
+ // - "*": Matches any single segment.
+ // - "**": Matches zero or more segments (first or last part of path only).
+ // - "{<name>=...}": One or more segment capture, where "..." can be any
+ // template that does not include a capture.
+ // - "{<name>}": A single segment capture. Identical to {<name>=*}.
+ // A custom method may also be specified by appending ":" and the custom
+ // method name or "*" to indicate any custom method (including no custom
+ // method). For example, "/*/projects/{project_id}/**:*" extracts
+ // `{project_id}` for any version, resource and custom method that includes
+ // it. By default, any custom method will be matched.
+ //
+ // Examples:
+ // - "/v1/{name=messages/*}": extracts a name like "messages/12345".
+ // - "/v1/messages/{message_id}": extracts a message_id like "12345".
+ // - "/v1/users/{user_id}/messages/{message_id}": extracts two key values.
+ repeated string path_patterns = 2;
+
+ // List of query parameter names to try to match.
+ // For example: ["parent", "name", "resource.name"]
+ // We extract all the specified query_parameters (case-sensitively). If any
+ // are marked as "required_match" and are not present, this keybuilder fails
+ // to match. If a given parameter appears multiple times (?foo=a&foo=b) we
+ // will report it as a comma-separated string (foo=a,b).
+ repeated NameMatcher query_parameters = 3;
+
+ // List of headers to try to match.
+ // We extract all the specified header values (case-insensitively). If any
+ // are marked as "required_match" and are not present, this keybuilder fails
+ // to match. If a given header appears multiple times in the request we will
+ // report it as a comma-separated string, in standard HTTP fashion.
+ repeated NameMatcher headers = 4;
+
+ // You can optionally set one or more specific key/value pairs to be added to
+ // the key_map. This can be useful to identify which builder built the key,
+ // for example if you are suppressing a lot of information from the URL, but
+ // need to separately cache and request URLs with that content.
+ map<string, string> constant_keys = 5;
+}
+
+message RouteLookupConfig {
+ // Ordered specifications for constructing keys for HTTP requests. Last
+ // match wins. If no HttpKeyBuilder matches, an empty key_map will be sent to
+ // the lookup service; it should likely reply with a global default route
+ // and raise an alert.
+ repeated HttpKeyBuilder http_keybuilders = 1;
+
+ // Unordered specifications for constructing keys for gRPC requests. All
+ // GrpcKeyBuilders on this list must have unique "name" fields so that the
+ // client is free to prebuild a hash map keyed by name. If no GrpcKeyBuilder
+ // matches, an empty key_map will be sent to the lookup service; it should
+ // likely reply with a global default route and raise an alert.
+ repeated GrpcKeyBuilder grpc_keybuilders = 2;
+
+ // The name of the lookup service as a gRPC URI. Typically, this will be
+ // a subdomain of the target, such as "lookup.datastore.googleapis.com".
+ string lookup_service = 3;
+
+ // Configure a timeout value for lookup service requests.
+ // Defaults to 10 seconds if not specified.
+ google.protobuf.Duration lookup_service_timeout = 4;
+
+ // How long are responses valid for (like HTTP Cache-Control).
+ // If omitted or zero, the longest valid cache time is used.
+ // This value is clamped to 5 minutes to avoid unflushable bad responses.
+ google.protobuf.Duration max_age = 5;
+
+ // After a response has been in the client cache for this amount of time
+ // and is re-requested, start an asynchronous RPC to re-validate it.
+ // This value should be less than max_age by at least the length of a
+ // typical RTT to the Route Lookup Service to fully mask the RTT latency.
+ // If omitted, keys are only re-requested after they have expired.
+ google.protobuf.Duration stale_age = 6;
+
+ // Rough indicator of amount of memory to use for the client cache. Some of
+ // the data structure overhead is not accounted for, so actual memory consumed
+ // will be somewhat greater than this value. If this field is omitted or set
+ // to zero, a client default will be used. The value may be capped to a lower
+ // amount based on client configuration.
+ int64 cache_size_bytes = 7;
+
+ // This is a list of all the possible targets that can be returned by the
+ // lookup service. If a target not on this list is returned, it will be
+ // treated the same as an unhealthy target.
+ repeated string valid_targets = 8;
+
+ // This value provides a default target to use if needed. If set, it will be
+ // used if RLS returns an error, times out, or returns an invalid response.
+ // Note that requests can be routed only to a subdomain of the original
+ // target, e.g. "us_east_1.cloudbigtable.googleapis.com".
+ string default_target = 9;
+
+ reserved 10;
+ reserved "request_processing_strategy";
+}
+
+// RouteLookupClusterSpecifier is used in xDS to represent a cluster specifier
+// plugin for RLS.
+message RouteLookupClusterSpecifier {
+ // The RLS config for this cluster specifier plugin instance.
+ RouteLookupConfig route_lookup_config = 1;
+}
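Review bot: The comment on `valid_targets` in `RouteLookupConfig` does not say what an empty list means, and the two possible readings (no restriction, or every returned target treated as unhealthy) have opposite consequences for where traffic can be sent. The comment should gain one sentence stating which applies, since this field is the only allowlist over what the lookup service may return. The `default_target` comment states that requests "can be routed only to a subdomain of the original target" without saying whether the client enforces this or the config author is trusted to; that should be stated too. `cache_size_bytes` is a signed `int64` and its comment covers only omitted or zero, so it should also say how negative values are handled.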
diff --git a/contrib/libs/grpc/src/proto/grpc/reflection/v1/reflection.proto b/contrib/libs/grpc/src/proto/grpc/reflection/v1/reflection.proto
new file mode 100644
index 0000000000..1a2ceedc3d
--- /dev/null
+++ b/contrib/libs/grpc/src/proto/grpc/reflection/v1/reflection.proto
@@ -0,0 +1,147 @@
+// Copyright 2016 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Service exported by server reflection. A more complete description of how
+// server reflection works can be found at
+// https://github.com/grpc/grpc/blob/master/doc/server-reflection.md
+//
+// The canonical version of this proto can be found at
+// https://github.com/grpc/grpc-proto/blob/master/grpc/reflection/v1/reflection.proto
+
+syntax = "proto3";
+
+package grpc.reflection.v1;
+
+option go_package = "google.golang.org/grpc/reflection/grpc_reflection_v1";
+option java_multiple_files = true;
+option java_package = "io.grpc.reflection.v1";
+option java_outer_classname = "ServerReflectionProto";
+
+service ServerReflection {
+ // The reflection service is structured as a bidirectional stream, ensuring
+ // all related requests go to a single server.
+ rpc ServerReflectionInfo(stream ServerReflectionRequest)
+ returns (stream ServerReflectionResponse);
+}
+
+// The message sent by the client when calling ServerReflectionInfo method.
+message ServerReflectionRequest {
+ string host = 1;
+ // To use reflection service, the client should set one of the following
+ // fields in message_request. The server distinguishes requests by their
+ // defined field and then handles them using corresponding methods.
+ oneof message_request {
+ // Find a proto file by the file name.
+ string file_by_filename = 3;
+
+ // Find the proto file that declares the given fully-qualified symbol name.
+ // This field should be a fully-qualified symbol name
+ // (e.g. <package>.<service>[.<method>] or <package>.<type>).
+ string file_containing_symbol = 4;
+
+ // Find the proto file which defines an extension extending the given
+ // message type with the given field number.
+ ExtensionRequest file_containing_extension = 5;
+
+ // Finds the tag numbers used by all known extensions of the given message
+ // type, and appends them to ExtensionNumberResponse in an undefined order.
+ // Its corresponding method is best-effort: it's not guaranteed that the
+ // reflection service will implement this method, and it's not guaranteed
+ // that this method will provide all extensions. Returns
+ // StatusCode::UNIMPLEMENTED if it's not implemented.
+ // This field should be a fully-qualified type name. The format is
+ // <package>.<type>
+ string all_extension_numbers_of_type = 6;
+
+ // List the full names of registered services. The content will not be
+ // checked.
+ string list_services = 7;
+ }
+}
+
+// The type name and extension number sent by the client when requesting
+// file_containing_extension.
+message ExtensionRequest {
+ // Fully-qualified type name. The format should be <package>.<type>
+ string containing_type = 1;
+ int32 extension_number = 2;
+}
+
+// The message sent by the server to answer ServerReflectionInfo method.
+message ServerReflectionResponse {
+ string valid_host = 1;
+ ServerReflectionRequest original_request = 2;
+ // The server sets one of the following fields according to the message_request
+ // in the request.
+ oneof message_response {
+ // This message is used to answer file_by_filename, file_containing_symbol,
+ // file_containing_extension requests with transitive dependencies.
+ // As the repeated label is not allowed in oneof fields, we use a
+ // FileDescriptorResponse message to encapsulate the repeated fields.
+ // The reflection service is allowed to avoid sending FileDescriptorProtos
+ // that were previously sent in response to earlier requests in the stream.
+ FileDescriptorResponse file_descriptor_response = 4;
+
+ // This message is used to answer all_extension_numbers_of_type requests.
+ ExtensionNumberResponse all_extension_numbers_response = 5;
+
+ // This message is used to answer list_services requests.
+ ListServiceResponse list_services_response = 6;
+
+ // This message is used when an error occurs.
+ ErrorResponse error_response = 7;
+ }
+}
+
+// Serialized FileDescriptorProto messages sent by the server answering
+// a file_by_filename, file_containing_symbol, or file_containing_extension
+// request.
+message FileDescriptorResponse {
+ // Serialized FileDescriptorProto messages. We avoid taking a dependency on
+ // descriptor.proto, which uses proto2 only features, by making them opaque
+ // bytes instead.
+ repeated bytes file_descriptor_proto = 1;
+}
+
+// A list of extension numbers sent by the server answering
+// all_extension_numbers_of_type request.
+message ExtensionNumberResponse {
+ // Full name of the base type, including the package name. The format
+ // is <package>.<type>
+ string base_type_name = 1;
+ repeated int32 extension_number = 2;
+}
+
+// A list of ServiceResponse sent by the server answering list_services request.
+message ListServiceResponse {
+ // The information of each service may be expanded in the future, so we use
+ // ServiceResponse message to encapsulate it.
+ repeated ServiceResponse service = 1;
+}
+
+// The information of a single service used by ListServiceResponse to answer
+// list_services request.
+message ServiceResponse {
+ // Full name of a registered service, including its package name. The format
+ // is <package>.<service>
+ string name = 1;
+}
+
+// The error code and error message sent by the server when an error occurs.
+message ErrorResponse {
+ // This field uses the error codes defined in grpc::StatusCode.
+ int32 error_code = 1;
+ string error_message = 2;
+}
+
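Review bot: The `ServerReflection` service has no comment of its own, and nothing in the file says that it hands the server's schema to whoever can open the stream: `list_services` enumerates the registered services and the `file_*` requests return the descriptors behind them. I would add a leading comment on the service such as `// Discloses this server's services and message definitions to any caller allowed to open the stream; register it only where that is acceptable.` The fields `host`, `valid_host` and `original_request` also carry no comment, so a reader cannot tell whether the server validates `host` or simply echoes it back; a one-line comment on each would settle that. Because `file_descriptor_proto` is deliberately kept as opaque bytes, its comment could also say that clients must parse it as untrusted input.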
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/echo.proto b/contrib/libs/grpc/src/proto/grpc/testing/echo.proto
index 33db111864..ae38aeaf19 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/echo.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/echo.proto
@@ -33,6 +33,7 @@ service EchoTestService {
rpc ResponseStream(EchoRequest) returns (stream EchoResponse);
rpc BidiStream(stream EchoRequest) returns (stream EchoResponse);
rpc Unimplemented(EchoRequest) returns (EchoResponse);
+ rpc UnimplementedBidi(stream EchoRequest) returns (stream EchoResponse);
}
service EchoTest1Service {
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/orca_load_report_for_test.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/orca_load_report_for_test.proto
deleted file mode 100644
index 1feaedd6a4..0000000000
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/orca_load_report_for_test.proto
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright 2019 The gRPC Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// This file contains a copy of the ORCA load reporting protos, with the
-// validation options stripped out to avoid the extra dependency on
-// protoc-gen-validate.
-//
-// TODO(juanlishen): This file is a hack to avoid a problem we're
-// currently having where we can't depend on a proto file in an external
-// repo due to bazel limitations. Once that's fixed, this should be
-// removed. Until this, it should be used in the gRPC tests only, or else it
-// will cause a conflict due to the same proto messages being defined in
-// multiple files in the same binary.
-
-syntax = "proto3";
-
-package udpa.data.orca.v1;
-
-option java_outer_classname = "OrcaLoadReportProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.udpa.data.orca.v1";
-option go_package = "v1";
-
-// See section `ORCA load report format` of the design document in
-// :ref:`https://github.com/envoyproxy/envoy/issues/6614`.
-
-message OrcaLoadReport {
- // CPU utilization expressed as a fraction of available CPU resources. This
- // should be derived from the latest sample or measurement.
- double cpu_utilization = 1;
-
- // Memory utilization expressed as a fraction of available memory
- // resources. This should be derived from the latest sample or measurement.
- double mem_utilization = 2;
-
- // Total RPS being served by an endpoint. This should cover all services that an endpoint is
- // responsible for.
- uint64 rps = 3;
-
- // Application specific requests costs. Each value is an absolute cost (e.g. 3487 bytes of
- // storage) associated with the request.
- map<string, double> request_cost = 4;
-
- // Resource utilization values. Each value is expressed as a fraction of total resources
- // available, derived from the latest sample or measurement.
- map<string, double> utilization = 5;
-}
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/address.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/address.proto
index 38592ccfda..47efbed8e0 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/address.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/address.proto
@@ -40,6 +40,13 @@ message SocketAddress {
oneof port_specifier {
uint32 port_value = 3;
}
+
+ // The name of the custom resolver. This must have been registered with Envoy. If
+ // this is empty, a context dependent default applies. If the address is a concrete
+ // IP address, no resolution will occur. If address is a hostname this
+ // should be set for resolution other than DNS. Specifying a custom resolver with
+ // *STRICT_DNS* or *LOGICAL_DNS* will generate an error at runtime.
+ string resolver_name = 5;
}
// Addresses specify either a logical or physical address and port, which are
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/ads.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/ads.proto
index d576c1ddc5..4688aeedb2 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/ads.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/ads.proto
@@ -40,6 +40,6 @@ service AggregatedDiscoveryService {
}
// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
-// services: https://github.com/google/protobuf/issues/4221
+// services: https://github.com/protocolbuffers/protobuf/issues/4221
message AdsPhony {
}
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/base.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/base.proto
index b5acb0945b..33719f687c 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/base.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/base.proto
@@ -96,6 +96,9 @@ message Node {
repeated string client_features = 10;
}
+// Data source consisting of either a file or an inline value.
+message DataSource {}
+
// Runtime derived FractionalPercent with defaults for when the numerator or denominator is not
// specified via a runtime key.
//
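Review bot: The comment on `DataSource` says it consists of a file or an inline value, but the message is declared with no fields, so in this copy nothing can actually be carried in it. That matters for `crl` in tls.proto, which this commit types as `config.core.v3.DataSource`: a test can mark the field as set but cannot supply any CRL content through it. I would make the comment say so, e.g. `// Field-less stand-in used by the test protos; carries no file or inline data.`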
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/cluster.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/cluster.proto
index c04fe20a91..1bc2d51b50 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/cluster.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/cluster.proto
@@ -20,6 +20,7 @@ package envoy.config.cluster.v3;
import "src/proto/grpc/testing/xds/v3/base.proto";
import "src/proto/grpc/testing/xds/v3/config_source.proto";
+import "src/proto/grpc/testing/xds/v3/endpoint.proto";
import "google/protobuf/any.proto";
import "google/protobuf/wrappers.proto";
@@ -153,12 +154,63 @@ message Cluster {
// Configuration to use for EDS updates for the Cluster.
EdsClusterConfig eds_cluster_config = 3;
+ // Specific configuration for the :ref:`RingHash<arch_overview_load_balancing_types_ring_hash>`
+ // load balancing policy.
+ message RingHashLbConfig {
+ // The hash function used to hash hosts onto the ketama ring.
+ enum HashFunction {
+ // Use `xxHash <https://github.com/Cyan4973/xxHash>`_, this is the default hash function.
+ XX_HASH = 0;
+ MURMUR_HASH_2 = 1;
+ }
+
+ reserved 2;
+
+ // Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each
+ // provided host) the better the request distribution will reflect the desired weights. Defaults
+ // to 1024 entries, and limited to 8M entries. See also
+ // :ref:`maximum_ring_size<envoy_api_field_config.cluster.v3.Cluster.RingHashLbConfig.maximum_ring_size>`.
+ google.protobuf.UInt64Value minimum_ring_size = 1;
+
+ // The hash function used to hash hosts onto the ketama ring. The value defaults to
+ // :ref:`XX_HASH<envoy_api_enum_value_config.cluster.v3.Cluster.RingHashLbConfig.HashFunction.XX_HASH>`.
+ HashFunction hash_function = 3;
+
+ // Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered
+ // to further constrain resource use. See also
+ // :ref:`minimum_ring_size<envoy_api_field_config.cluster.v3.Cluster.RingHashLbConfig.minimum_ring_size>`.
+ google.protobuf.UInt64Value maximum_ring_size = 4;
+ }
+
// The :ref:`load balancer type <arch_overview_load_balancing_types>` to use
// when picking a host in the cluster.
LbPolicy lb_policy = 6;
+ // Setting this is required for specifying members of
+ // :ref:`STATIC<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STATIC>`,
+ // :ref:`STRICT_DNS<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
+ // or :ref:`LOGICAL_DNS<envoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>` clusters.
+ // This field supersedes the *hosts* field in the v2 API.
+ //
+ // .. attention::
+ //
+ // Setting this allows non-EDS cluster types to contain embedded EDS equivalent
+ // :ref:`endpoint assignments<envoy_api_msg_config.endpoint.v3.ClusterLoadAssignment>`.
+ //
+ endpoint.v3.ClusterLoadAssignment load_assignment = 33;
+
CircuitBreakers circuit_breakers = 10;
+ // Optional configuration for the load balancing algorithm selected by
+ // LbPolicy. Currently only
+ // :ref:`RING_HASH<envoy_api_enum_value_config.cluster.v3.Cluster.LbPolicy.RING_HASH>`,
+ // Specifying ring_hash_lb_config without setting the corresponding
+ // LbPolicy will generate an error at runtime.
+ oneof lb_config {
+ // Optional configuration for the Ring Hash load balancing policy.
+ RingHashLbConfig ring_hash_lb_config = 23;
+ }
+
// Optional custom transport socket implementation to use for upstream connections.
// To setup TLS, set a transport socket with name `tls` and
// :ref:`UpstreamTlsContexts <envoy_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext>` in the `typed_config`.
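Review bot: The limits described for `minimum_ring_size` and `maximum_ring_size` ("limited to 8M entries") exist only in the comments; both fields are `google.protobuf.UInt64Value`, so any 64-bit value parses. Since these values size the hash ring, the code that consumes this config has to clamp or reject out-of-range values and a minimum larger than the maximum, and the comments could say so: `// Not enforced by the schema; consumers must validate the range.` Separately, the comment on `lb_config` breaks off after "Currently only :ref:`RING_HASH<...>`," without finishing the sentence. `Cluster` begins and ends outside this hunk.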
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/csds.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/csds.proto
index bbdfd4e048..79b8bc8b64 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/csds.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/csds.proto
@@ -21,6 +21,9 @@ package envoy.service.status.v3;
import "src/proto/grpc/testing/xds/v3/config_dump.proto";
import "src/proto/grpc/testing/xds/v3/base.proto";
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
// CSDS is Client Status Discovery Service. It can be used to get the status of
// an xDS-compliant client from the management server's point of view. It can
@@ -77,10 +80,58 @@ message PerXdsConfig {
// All xds configs for a particular client.
message ClientConfig {
+ // GenericXdsConfig is used to specify the config status and the dump
+ // of any xDS resource identified by their type URL. It is the generalized
+ // version of the now deprecated ListenersConfigDump, ClustersConfigDump etc
+ // [#next-free-field: 10]
+ message GenericXdsConfig {
+ // Type_url represents the fully qualified name of xDS resource type
+ // like envoy.v3.Cluster, envoy.v3.ClusterLoadAssignment etc.
+ string type_url = 1;
+
+ // Name of the xDS resource
+ string name = 2;
+
+ // This is the :ref:`version_info <envoy_v3_api_field_service.discovery.v3.DiscoveryResponse.version_info>`
+ // in the last processed xDS discovery response. If there are only
+ // static bootstrap listeners, this field will be ""
+ string version_info = 3;
+
+ // The xDS resource config. Actual content depends on the type
+ google.protobuf.Any xds_config = 4;
+
+ // Timestamp when the xDS resource was last updated
+ google.protobuf.Timestamp last_updated = 5;
+
+ // Per xDS resource config status. It is generated by management servers.
+ // It will not be present if the CSDS server is an xDS client.
+ ConfigStatus config_status = 6;
+
+ // Per xDS resource status from the view of a xDS client
+ admin.v3.ClientResourceStatus client_status = 7;
+
+ // Set if the last update failed, cleared after the next successful
+ // update. The *error_state* field contains the rejected version of
+ // this particular resource along with the reason and timestamp. For
+ // successfully updated or acknowledged resource, this field should
+ // be empty.
+ admin.v3.UpdateFailureState error_state = 8;
+
+ // Is static resource is true if it is specified in the config supplied
+ // through the file at the startup.
+ bool is_static_resource = 9;
+ }
+
// Node for a particular client.
config.core.v3.Node node = 1;
- repeated PerXdsConfig xds_config = 2;
+ // This field is deprecated in favor of generic_xds_configs which is
+ // much simpler and uniform in structure.
+ repeated PerXdsConfig xds_config = 2 [deprecated = true];
+
+ // Represents generic xDS config and the exact config structure depends on
+ // the type URL (like Cluster if it is CDS)
+ repeated GenericXdsConfig generic_xds_configs = 3;
}
message ClientStatusResponse {
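Review bot: `GenericXdsConfig` carries the resource type twice, once in the free-form `type_url` string and once inside the `google.protobuf.Any` in `xds_config`, and the comments do not say which one a reader should trust or what to do when they disagree. A consumer of a dump should check the Any's own type URL against the set of resource types it expects before unpacking, rather than dispatching on the `type_url` string alone. I would extend the `xds_config` comment with `// The type URL embedded in this Any is expected to match type_url; unpack only known resource types.` The same care applies to `typed_config` in the new extension.proto, where the comment says the type URL identifies the extension.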
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/endpoint.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/endpoint.proto
index 7cc1d40ca6..7cbea7f443 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/endpoint.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/endpoint.proto
@@ -76,6 +76,17 @@ message LbEndpoint {
// Optional health status when known and supplied by EDS server.
HealthStatus health_status = 2;
+
+ // The optional load balancing weight of the upstream host; at least 1.
+ // Envoy uses the load balancing weight in some of the built in load
+ // balancers. The load balancing weight for an endpoint is divided by the sum
+ // of the weights of all endpoints in the endpoint's locality to produce a
+ // percentage of traffic for the endpoint. This percentage is then further
+ // weighted by the endpoint's locality's load balancing weight from
+ // LocalityLbEndpoints. If unspecified, each host is presumed to have equal
+ // weight in a locality. The sum of the weights of all endpoints in the
+ // endpoint's locality must not exceed uint32_t maximal value (4294967295).
+ google.protobuf.UInt32Value load_balancing_weight = 4;
}
// A group of endpoints belonging to a Locality.
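Review bot: The comment on `load_balancing_weight` states two constraints, "at least 1" and a per-locality sum that must not exceed 4294967295, and neither is expressed in the schema: `google.protobuf.UInt32Value` accepts 0 and nothing bounds the sum. The code that reads endpoints has to reject a zero weight and accumulate the weights in a wider type before comparing, since a 32-bit sum can wrap. A short addition such as `// Not enforced here; the consumer must validate both limits.` would make that explicit. `LbEndpoint` starts before this hunk.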
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/extension.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/extension.proto
new file mode 100644
index 0000000000..10f4b00208
--- /dev/null
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/extension.proto
@@ -0,0 +1,38 @@
+// Copyright 2021 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Local copy of Envoy xDS proto file, used for testing only.
+
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "google/protobuf/any.proto";
+
+// [#protodoc-title: Extension configuration]
+
+// Message type for extension configuration.
+// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.].
+message TypedExtensionConfig {
+ // The name of an extension. This is not used to select the extension, instead
+ // it serves the role of an opaque identifier.
+ string name = 1;
+
+ // The typed config for the extension. The type URL will be used to identify
+ // the extension. In the case that the type URL is *udpa.type.v1.TypedStruct*,
+ // the inner type URL of *TypedStruct* will be utilized. See the
+ // :ref:`extension configuration overview
+ // <config_overview_extension_configuration>` for further details.
+ google.protobuf.Any typed_config = 2;
+}
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/orca_load_report.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/orca_load_report.proto
index 0d6a1699a2..033e64ba49 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/orca_load_report.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/orca_load_report.proto
@@ -16,7 +16,7 @@
syntax = "proto3";
-package udpa.data.orca.v1;
+package xds.data.orca.v3;
// See section `ORCA load report format` of the design document in
// :ref:`https://github.com/envoyproxy/envoy/issues/6614`.
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/regex.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/regex.proto
index af9045774f..9039ed4644 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/regex.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/regex.proto
@@ -36,3 +36,8 @@ message RegexMatcher {
// The regex match string. The string must be supported by the configured engine.
string regex = 2;
}
+
+message RegexMatchAndSubstitute {
+ RegexMatcher pattern = 1;
+ string substitution = 2;
+}
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/route.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/route.proto
index baeaaf644d..7109fe21db 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/route.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/route.proto
@@ -31,6 +31,18 @@ import "google/protobuf/wrappers.proto";
// * Routing :ref:`architecture overview <arch_overview_http_routing>`
// * HTTP :ref:`router filter <config_http_filters_router>`
+message RetryPolicy {
+ string retry_on = 1;
+ google.protobuf.UInt32Value num_retries = 2;
+
+ message RetryBackOff {
+ google.protobuf.Duration base_interval = 1;
+ google.protobuf.Duration max_interval = 2;
+ }
+
+ RetryBackOff retry_back_off = 8;
+}
+
// The top level element in the routing configuration is a virtual host. Each virtual host has
// a logical name as well as a set of domains that get routed to it based on the incoming request's
// host header. This allows a single listener to service multiple top level domain path trees. Once
@@ -72,6 +84,8 @@ message VirtualHost {
// specific; see the :ref:`HTTP filter documentation <config_http_filters>`
// for if and how it is utilized.
map<string, google.protobuf.Any> typed_per_filter_config = 15;
+
+ RetryPolicy retry_policy = 16;
}
// A route is both a specification of how to match a request as well as an indication of what to do
@@ -89,12 +103,21 @@ message Route {
// Route matching parameters.
RouteMatch match = 1;
+ message NonForwardingAction {
+ }
+
oneof action {
// Route request to some upstream cluster.
RouteAction route = 2;
// Return a redirect.
RedirectAction redirect = 3;
+
+ // An action used when the route will generate a response directly,
+ // without forwarding to an upstream host. This will be used in non-proxy
+ // xDS clients like the gRPC server. It could also be used in the future
+ // in Envoy for a filter that directly generates responses for requests.
+ NonForwardingAction non_forwarding_action = 18;
}
// The typed_per_filter_config field can be used to provide route-specific
@@ -246,6 +269,80 @@ message RouteAction {
// for additional documentation.
WeightedCluster weighted_clusters = 3;
}
+
+ message HashPolicy {
+ message Header {
+ // The name of the request header that will be used to obtain the hash
+ // key. If the request header is not present, no hash will be produced.
+ string header_name = 1;
+
+ // If specified, the request header value will be rewritten and used
+ // to produce the hash key.
+ type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 2;
+ }
+
+ message Cookie {
+ string name = 1;
+ }
+
+ message ConnectionProperties {
+ bool source_ip = 1;
+ }
+
+ message QueryParameter {
+ string name = 1;
+ }
+
+ message FilterState {
+ // The name of the Object in the per-request filterState, which is an
+ // Envoy::Http::Hashable object. If there is no data associated with the key,
+ // or the stored object is not Envoy::Http::Hashable, no hash will be produced.
+ string key = 1;
+ }
+
+ oneof policy_specifier {
+ // Header hash policy.
+ Header header = 1;
+
+ // Cookie hash policy.
+ Cookie cookie = 2;
+
+ // Connection properties hash policy.
+ ConnectionProperties connection_properties = 3;
+
+ // Query parameter hash policy.
+ QueryParameter query_parameter = 5;
+
+ // Filter state hash policy.
+ FilterState filter_state = 6;
+ }
+
+ // The flag that short-circuits the hash computing. This field provides a
+ // 'fallback' style of configuration: "if a terminal policy doesn't work,
+ // fallback to rest of the policy list", it saves time when the terminal
+ // policy works.
+ //
+ // If true, and there is already a hash computed, ignore rest of the
+ // list of hash polices.
+ // For example, if the following hash methods are configured:
+ //
+ // ========= ========
+ // specifier terminal
+ // ========= ========
+ // Header A true
+ // Header B false
+ // Header C false
+ // ========= ========
+ //
+ // The generateHash process ends if policy "header A" generates a hash, as
+ // it's a terminal policy.
+ bool terminal = 4;
+ }
+
+ repeated HashPolicy hash_policy = 15;
+
+ RetryPolicy retry_policy = 9;
+
// Specifies the maximum stream duration for this route.
MaxStreamDuration max_stream_duration = 36;
}
diff --git a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/tls.proto b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/tls.proto
index e9acfb52a6..b2fc4532d8 100644
--- a/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/tls.proto
+++ b/contrib/libs/grpc/src/proto/grpc/testing/xds/v3/tls.proto
@@ -18,16 +18,104 @@ syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3;
+import "src/proto/grpc/testing/xds/v3/base.proto";
+import "src/proto/grpc/testing/xds/v3/extension.proto";
import "src/proto/grpc/testing/xds/v3/string.proto";
import "google/protobuf/wrappers.proto";
+// Indicates a certificate to be obtained from a named CertificateProvider plugin instance.
+// The plugin instances are defined in the client's bootstrap file.
+// The plugin allows certificates to be fetched/refreshed over the network asynchronously with
+// respect to the TLS handshake.
+// [#not-implemented-hide:]
+message CertificateProviderPluginInstance {
+ // Provider instance name. If not present, defaults to "default".
+ //
+ // Instance names should generally be defined not in terms of the underlying provider
+ // implementation (e.g., "file_watcher") but rather in terms of the function of the
+ // certificates (e.g., "foo_deployment_identity").
+ string instance_name = 1;
+
+ // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
+ // a root-certificate (validation context) or "example.com" to specify a certificate for a
+ // particular domain. Not all provider instances will actually use this field, so the value
+ // defaults to the empty string.
+ string certificate_name = 2;
+}
+
message CertificateValidationContext {
+ // Certificate provider instance for fetching TLS certificates.
+ //
+ // Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified.
+ // [#not-implemented-hide:]
+ CertificateProviderPluginInstance ca_certificate_provider_instance = 13;
+
+ // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
+ // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
+ // matches one of the specified values.
+ //
+ // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
+ // can be generated with the following command:
+ //
+ // .. code-block:: bash
+ //
+ // $ openssl x509 -in path/to/client.crt -noout -pubkey
+ // | openssl pkey -pubin -outform DER
+ // | openssl dgst -sha256 -binary
+ // | openssl enc -base64
+ // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
+ //
+ // This is the format used in HTTP Public Key Pinning.
+ //
+ // When both:
+ // :ref:`verify_certificate_hash
+ // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
+ // :ref:`verify_certificate_spki
+ // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
+ // a hash matching value from either of the lists will result in the certificate being accepted.
+ //
+ // .. attention::
+ //
+ // This option is preferred over :ref:`verify_certificate_hash
+ // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
+ // because SPKI is tied to a private key, so it doesn't change when the certificate
+ // is renewed using the same private key.
+ repeated string verify_certificate_spki = 3;
+
+ // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
+ // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ //
+ // A hex-encoded SHA-256 of the certificate can be generated with the following command:
+ //
+ // .. code-block:: bash
+ //
+ // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
+ // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
+ //
+ // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
+ // can be generated with the following command:
+ //
+ // .. code-block:: bash
+ //
+ // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
+ // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
+ //
+ // Both of those formats are acceptable.
+ //
+ // When both:
+ // :ref:`verify_certificate_hash
+ // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
+ // :ref:`verify_certificate_spki
+ // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
+ // a hash matching value from either of the lists will result in the certificate being accepted.
+ repeated string verify_certificate_hash = 2;
+
// An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified matchers.
//
// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
- // configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v3.StringMatcher>`.
+ // configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
// it should be configured as shown below.
//
@@ -40,8 +128,29 @@ message CertificateValidationContext {
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
- // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
+ // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9;
+
+ // [#not-implemented-hide:] Must present signed certificate time-stamp.
+ google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
+
+ // An optional `certificate revocation list
+ // <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
+ // (in PEM format). If specified, Envoy will verify that the presented peer
+ // certificate has not been revoked by this CRL. If this DataSource contains
+ // multiple CRLs, all of them will be used. Note that if a CRL is provided
+ // for any certificate authority in a trust chain, a CRL must be provided
+ // for all certificate authorities in that chain. Failure to do so will
+ // result in verification failure for both revoked and unrevoked certificates
+ // from that chain.
+ config.core.v3.DataSource crl = 7;
+
+ // The configuration of an extension specific certificate validator.
+ // If specified, all validation is done by the specified validator,
+ // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
+ // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
+ // [#extension-category: envoy.tls.cert_validator]
+ config.core.v3.TypedExtensionConfig custom_validator_config = 12;
}
message UpstreamTlsContext {
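Review bot: `require_signed_certificate_timestamp` is tagged `[#not-implemented-hide:]`, yet its comment reads as an enforced requirement ("Must present signed certificate time-stamp"), so an operator who sets it may assume SCT checking is active when, as the tag suggests, it is not. The same applies to `require_sni` in the `DownstreamTlsContext` hunk below, whose comment says connections "will" be rejected. If the tag means what it appears to, say so in plain words on both fields, e.g. `// Not implemented: setting this field currently has no effect.` The enclosing `CertificateValidationContext` message starts outside this hunk.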
@@ -56,12 +165,43 @@ message UpstreamTlsContext {
}
message DownstreamTlsContext {
+ enum OcspStaplePolicy {
+ // OCSP responses are optional. If an OCSP response is absent
+ // or expired, the associated certificate will be used for
+ // connections without an OCSP staple.
+ LENIENT_STAPLING = 0;
+
+ // OCSP responses are optional. If an OCSP response is absent,
+ // the associated certificate will be used without an
+ // OCSP staple. If a response is provided but is expired,
+ // the associated certificate will not be used for
+ // subsequent connections. If no suitable certificate is found,
+ // the connection is rejected.
+ STRICT_STAPLING = 1;
+
+ // OCSP responses are required. Configuration will fail if
+ // a certificate is provided without an OCSP response. If a
+ // response expires, the associated certificate will not be
+ // used connections. If no suitable certificate is found, the
+ // connection is rejected.
+ MUST_STAPLE = 2;
+ }
+
// Common TLS context settings.
CommonTlsContext common_tls_context = 1;
// If specified, Envoy will reject connections without a valid client
// certificate.
google.protobuf.BoolValue require_client_certificate = 2;
+
+ // If specified, Envoy will reject connections without a valid and matching SNI.
+ // [#not-implemented-hide:]
+ google.protobuf.BoolValue require_sni = 3;
+
+ // Config for whether to use certificates if they do not have
+ // an accompanying OCSP response or if the response expires at runtime.
+ // Defaults to LENIENT_STAPLING
+ OcspStaplePolicy ocsp_staple_policy = 8;
}
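Review bot: `ocsp_staple_policy` falls back to `LENIENT_STAPLING` (value 0), the most permissive policy, so a config that leaves the field unset keeps using a certificate whose OCSP response is absent or expired. The enum numbers presumably cannot change without breaking wire compatibility, so the fail-open default should be spelled out in the field comment: `// Defaults to LENIENT_STAPLING: certificates are still used when the OCSP response is absent or expired.` The `MUST_STAPLE` comment also drops a word; `// used connections. If no suitable certificate is found, the` should read `// used for connections. If no suitable certificate is found, the`.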
@@ -98,10 +238,60 @@ message CommonTlsContext {
CertificateProviderInstance validation_context_certificate_provider_instance = 4;
}
+ message TlsParameters {}
+
+ // TLS protocol versions, cipher suites etc.
+ TlsParameters tls_params = 1;
+
+ message TlsCertificate {}
+
+ // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
+ // same context to allow both RSA and ECDSA certificates.
+ //
+ // Only a single TLS certificate is supported in client contexts. In server contexts, the first
+ // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
+ // used for clients that support ECDSA.
+ //
+ // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
+ // and *tls_certificate_provider_instance* may be used.
+ // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
+ // not legal to put a repeated field in a oneof. In the next major version, we should rework
+ // this to avoid this problem.]
+ repeated TlsCertificate tls_certificates = 2;
+
+ message SdsSecretConfig {}
+
+ // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
+ // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
+ //
+ // The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
+ // are valid in the the certificates fetched through this setting.
+ //
+ // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
+ // and *tls_certificate_provider_instance* may be used.
+ // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
+ // not legal to put a repeated field in a oneof. In the next major version, we should rework
+ // this to avoid this problem.]
+ repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
+
+ // Certificate provider instance for fetching TLS certs.
+ //
+ // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
+ // and *tls_certificate_provider_instance* may be used.
+ // [#not-implemented-hide:]
+ CertificateProviderPluginInstance tls_certificate_provider_instance = 14;
+
// Certificate provider instance for fetching TLS certificates.
CertificateProviderInstance tls_certificate_certificate_provider_instance = 11;
oneof validation_context_type {
+ // How to validate peer certificates.
+ CertificateValidationContext validation_context = 3;
+
+ // Config for fetching validation context via SDS API. Note SDS API allows certificates to be
+ // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
+ SdsSecretConfig validation_context_sds_secret_config = 7;
+
// Combined certificate validation context holds a default CertificateValidationContext
// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
// and default CertificateValidationContext are merged into a new CertificateValidationContext
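Review bot: The rule that only one of `tls_certificates`, `tls_certificate_sds_secret_configs` and `tls_certificate_provider_instance` may be set lives only in comments; nothing in the schema rejects a message that sets two of them, and the comments do not say which source wins. The neighbouring `tls_certificate_certificate_provider_instance = 11` is a fourth certificate source that the "Only one of" sentences do not mention, so whether it belongs to the group is unclear. I would add to each of the three comments `// Not enforced by the schema: consumers must reject a config that sets more than one.` and state there how field 11 interacts. Separately, `the the certificates` in the SDS comment is a doubled word. `CommonTlsContext` starts before this hunk and continues past it.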
@@ -111,4 +301,8 @@ message CommonTlsContext {
// CertificateValidationContext, and logical OR is applied to boolean fields.
CombinedCertificateValidationContext combined_validation_context = 8;
}
+
+ // Custom TLS handshaker. If empty, defaults to native TLS handshaking
+ // behavior.
+ config.core.v3.TypedExtensionConfig custom_handshaker = 13;
}