Fix for issue Switch PGV string annotations using min_bytes to min_len. (#12631)

Risk Level: LOW
Testing: Unit and format

Fixes #10535

Signed-off-by: Abhay Narayan Katare <abhay.katare@india.nec.com>

Mirrored from https://github.com/envoyproxy/envoy @ 6321e5d95f7e435625d762ea82316b7a9f7071a4

envoy/admin/v3/tap.proto

@@ -21,7 +21,7 @@ message TapRequest {
 
   // The opaque configuration ID used to match the configuration to a loaded extension.
   // A tap extension configures a similar opaque ID that is used to match.
-  string config_id = 1 [(validate.rules).string = {min_bytes: 1}];
+  string config_id = 1 [(validate.rules).string = {min_len: 1}];
 
   // The tap configuration to load.
   config.tap.v3.TapConfig tap_config = 2 [(validate.rules).message = {required: true}];

envoy/admin/v4alpha/tap.proto

@@ -21,7 +21,7 @@ message TapRequest {
 
   // The opaque configuration ID used to match the configuration to a loaded extension.
   // A tap extension configures a similar opaque ID that is used to match.
-  string config_id = 1 [(validate.rules).string = {min_bytes: 1}];
+  string config_id = 1 [(validate.rules).string = {min_len: 1}];
 
   // The tap configuration to load.
   config.tap.v4alpha.TapConfig tap_config = 2 [(validate.rules).message = {required: true}];

envoy/config/accesslog/v3/accesslog.proto

@@ -164,7 +164,7 @@ message RuntimeFilter {
   // Runtime key to get an optional overridden numerator for use in the
   // *percent_sampled* field. If found in runtime, this value will replace the
   // default numerator.
-  string runtime_key = 1 [(validate.rules).string = {min_bytes: 1}];
+  string runtime_key = 1 [(validate.rules).string = {min_len: 1}];
 
   // The default sampling percentage. If not specified, defaults to 0% with
   // denominator of 100.

envoy/config/accesslog/v4alpha/accesslog.proto

@@ -164,7 +164,7 @@ message RuntimeFilter {
   // Runtime key to get an optional overridden numerator for use in the
   // *percent_sampled* field. If found in runtime, this value will replace the
   // default numerator.
-  string runtime_key = 1 [(validate.rules).string = {min_bytes: 1}];
+  string runtime_key = 1 [(validate.rules).string = {min_len: 1}];
 
   // The default sampling percentage. If not specified, defaults to 0% with
   // denominator of 100.

envoy/config/bootstrap/v3/bootstrap.proto

@@ -503,7 +503,7 @@ message RuntimeLayer {
 
   // Descriptive name for the runtime layer. This is only used for the runtime
   // :http:get:`/runtime` output.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof layer_specifier {
     option (validate.required) = true;

envoy/config/bootstrap/v4alpha/bootstrap.proto

@@ -496,7 +496,7 @@ message RuntimeLayer {
 
   // Descriptive name for the runtime layer. This is only used for the runtime
   // :http:get:`/runtime` output.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof layer_specifier {
     option (validate.required) = true;

envoy/config/cluster/v3/cluster.proto

@@ -170,7 +170,7 @@ message Cluster {
         "envoy.api.v2.Cluster.CustomClusterType";
 
     // The type of the cluster to instantiate. The name must match a supported cluster type.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // Cluster specific configuration which depends on the cluster being instantiated.
     // See the supported cluster for further documentation.
@@ -700,7 +700,7 @@ message Cluster {
   // :ref:`statistics <config_cluster_manager_cluster_stats>` if :ref:`alt_stat_name
   // <envoy_api_field_config.cluster.v3.Cluster.alt_stat_name>` is not provided.
   // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // An optional alternative to the cluster name to be used while emitting stats.
   // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be

envoy/config/cluster/v3/filter.proto

@@ -21,7 +21,7 @@ message Filter {
 
   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter <config_network_filters>`.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being
   // instantiated. See the supported filters for further documentation.

envoy/config/cluster/v4alpha/cluster.proto

@@ -172,7 +172,7 @@ message Cluster {
         "envoy.config.cluster.v3.Cluster.CustomClusterType";
 
     // The type of the cluster to instantiate. The name must match a supported cluster type.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // Cluster specific configuration which depends on the cluster being instantiated.
     // See the supported cluster for further documentation.
@@ -710,7 +710,7 @@ message Cluster {
   // :ref:`statistics <config_cluster_manager_cluster_stats>` if :ref:`alt_stat_name
   // <envoy_api_field_config.cluster.v4alpha.Cluster.alt_stat_name>` is not provided.
   // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // An optional alternative to the cluster name to be used while emitting stats.
   // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be

envoy/config/cluster/v4alpha/filter.proto

@@ -21,7 +21,7 @@ message Filter {
 
   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter <config_network_filters>`.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being
   // instantiated. See the supported filters for further documentation.

envoy/config/core/v3/address.proto

@@ -24,7 +24,7 @@ message Pipe {
   // abstract namespace. The starting '@' is replaced by a null byte by Envoy.
   // Paths starting with '@' will result in an error in environments other than
   // Linux.
-  string path = 1 [(validate.rules).string = {min_bytes: 1}];
+  string path = 1 [(validate.rules).string = {min_len: 1}];
 
   // The mode for the Pipe. Not applicable for abstract sockets.
   uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}];
@@ -63,7 +63,7 @@ message SocketAddress {
   // address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS
   // (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized
   // via :ref:`resolver_name <envoy_api_field_config.core.v3.SocketAddress.resolver_name>`.
-  string address = 2 [(validate.rules).string = {min_bytes: 1}];
+  string address = 2 [(validate.rules).string = {min_len: 1}];
 
   oneof port_specifier {
     option (validate.required) = true;
@@ -152,7 +152,7 @@ message CidrRange {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange";
 
   // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
-  string address_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string address_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // Length of prefix, e.g. 0, 32.
   google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];

envoy/config/core/v3/base.proto

@@ -237,7 +237,7 @@ message RuntimeUInt32 {
   uint32 default_value = 2;
 
   // Runtime key to get value for comparison. This value is used if defined.
-  string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}];
+  string runtime_key = 3 [(validate.rules).string = {min_len: 1}];
 }
 
 // Runtime derived double with a default when not specified.
@@ -248,7 +248,7 @@ message RuntimeDouble {
   double default_value = 1;
 
   // Runtime key to get value for comparison. This value is used if defined.
-  string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
+  string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
 }
 
 // Runtime derived bool with a default when not specified.
@@ -262,7 +262,7 @@ message RuntimeFeatureFlag {
   // Runtime key to get value for comparison. This value is used if defined. The boolean value must
   // be represented via its
   // `canonical JSON encoding <https://developers.google.com/protocol-buffers/docs/proto3#json>`_.
-  string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
+  string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
 }
 
 // Header name/value pair.
@@ -272,7 +272,7 @@ message HeaderValue {
   // Header name.
   string key = 1
       [(validate.rules).string =
-           {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
+           {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // Header value.
   //
@@ -312,13 +312,13 @@ message DataSource {
     option (validate.required) = true;
 
     // Local filesystem data source.
-    string filename = 1 [(validate.rules).string = {min_bytes: 1}];
+    string filename = 1 [(validate.rules).string = {min_len: 1}];
 
     // Bytes inlined in the configuration.
     bytes inline_bytes = 2 [(validate.rules).bytes = {min_len: 1}];
 
     // String inlined in the configuration.
-    string inline_string = 3 [(validate.rules).string = {min_bytes: 1}];
+    string inline_string = 3 [(validate.rules).string = {min_len: 1}];
   }
 }
 
@@ -345,7 +345,7 @@ message RemoteDataSource {
   HttpUri http_uri = 1 [(validate.rules).message = {required: true}];
 
   // SHA256 string for verifying data.
-  string sha256 = 2 [(validate.rules).string = {min_bytes: 1}];
+  string sha256 = 2 [(validate.rules).string = {min_len: 1}];
 
   // Retry policy for fetching remote data.
   RetryPolicy retry_policy = 3;
@@ -379,7 +379,7 @@ message TransportSocket {
 
   // The name of the transport socket to instantiate. The name must match a supported transport
   // socket implementation.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Implementation specific configuration which depends on the implementation being instantiated.
   // See the supported transport socket implementations for further documentation.

envoy/config/core/v3/grpc_method_list.proto

@@ -22,7 +22,7 @@ message GrpcMethodList {
         "envoy.api.v2.core.GrpcMethodList.Service";
 
     // The name of the gRPC service.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // The names of the gRPC methods in this service.
     repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}];

envoy/config/core/v3/grpc_service.proto

@@ -35,13 +35,13 @@ message GrpcService {
     // The name of the upstream gRPC cluster. SSL credentials will be supplied
     // in the :ref:`Cluster <envoy_api_msg_config.cluster.v3.Cluster>` :ref:`transport_socket
     // <envoy_api_field_config.cluster.v3.Cluster.transport_socket>`.
-    string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
 
     // The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`.
     // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster.
     string authority = 2
         [(validate.rules).string =
-             {min_bytes: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}];
+             {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}];
   }
 
   // [#next-free-field: 9]
@@ -160,10 +160,10 @@ message GrpcService {
 
         // The path of subject token, a security token that represents the
         // identity of the party on behalf of whom the request is being made.
-        string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}];
+        string subject_token_path = 6 [(validate.rules).string = {min_len: 1}];
 
         // Type of the subject token.
-        string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}];
+        string subject_token_type = 7 [(validate.rules).string = {min_len: 1}];
 
         // The path of actor token, a security token that represents the identity
         // of the acting party. The acting party is authorized to use the
@@ -230,7 +230,7 @@ message GrpcService {
     // The target URI when using the `Google C++ gRPC client
     // <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in
     // :ref:`channel_credentials <envoy_api_field_config.core.v3.GrpcService.GoogleGrpc.channel_credentials>`.
-    string target_uri = 1 [(validate.rules).string = {min_bytes: 1}];
+    string target_uri = 1 [(validate.rules).string = {min_len: 1}];
 
     ChannelCredentials channel_credentials = 2;
 
@@ -247,7 +247,7 @@ message GrpcService {
     //
     //    streams_total, Counter, Total number of streams opened
     //    streams_closed_<gRPC status code>, Counter, Total streams closed with <gRPC status code>
-    string stat_prefix = 4 [(validate.rules).string = {min_bytes: 1}];
+    string stat_prefix = 4 [(validate.rules).string = {min_len: 1}];
 
     // The name of the Google gRPC credentials factory to use. This must have been registered with
     // Envoy. If this is empty, a default credentials factory will be used that sets up channel

envoy/config/core/v3/health_check.proto

@@ -67,7 +67,7 @@ message HealthCheck {
       option (validate.required) = true;
 
       // Hex encoded payload. E.g., "000000FF".
-      string text = 1 [(validate.rules).string = {min_bytes: 1}];
+      string text = 1 [(validate.rules).string = {min_len: 1}];
 
       // [#not-implemented-hide:] Binary payload.
       bytes binary = 2;
@@ -91,9 +91,8 @@ message HealthCheck {
 
     // Specifies the HTTP path that will be requested during health checking. For example
     // */healthcheck*.
-    string path = 2 [
+    string path = 2
-      (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
-    ];
 
     // [#not-implemented-hide:] HTTP specific payload.
     Payload send = 3;
@@ -187,7 +186,7 @@ message HealthCheck {
     reserved "config";
 
     // The registered name of the custom health checker.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // A custom health checker specific configuration which depends on the custom health checker
     // being instantiated. See :api:`envoy/config/health_checker` for reference.

envoy/config/core/v3/http_uri.proto

@@ -27,7 +27,7 @@ message HttpUri {
   //
   //    uri: https://www.googleapis.com/oauth2/v1/certs
   //
-  string uri = 1 [(validate.rules).string = {min_bytes: 1}];
+  string uri = 1 [(validate.rules).string = {min_len: 1}];
 
   // Specify how `uri` is to be fetched. Today, this requires an explicit
   // cluster, but in the future we may support dynamic cluster creation or
@@ -45,7 +45,7 @@ message HttpUri {
     //
     //    cluster: jwks_cluster
     //
-    string cluster = 2 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 2 [(validate.rules).string = {min_len: 1}];
   }
 
   // Sets the maximum duration in milliseconds that a response can take to arrive upon request.

envoy/config/core/v3/substitution_format_string.proto

@@ -36,7 +36,7 @@ message SubstitutionFormatString {
     //
     //   upstream connect error:503:path=/foo
     //
-    string text_format = 1 [(validate.rules).string = {min_bytes: 1}];
+    string text_format = 1 [(validate.rules).string = {min_len: 1}];
 
     // Specify a format with command operators to form a JSON string.
     // Its details is described in :ref:`format dictionary<config_access_log_format_dictionaries>`.

envoy/config/core/v4alpha/address.proto

@@ -24,7 +24,7 @@ message Pipe {
   // abstract namespace. The starting '@' is replaced by a null byte by Envoy.
   // Paths starting with '@' will result in an error in environments other than
   // Linux.
-  string path = 1 [(validate.rules).string = {min_bytes: 1}];
+  string path = 1 [(validate.rules).string = {min_len: 1}];
 
   // The mode for the Pipe. Not applicable for abstract sockets.
   uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}];
@@ -66,7 +66,7 @@ message SocketAddress {
   // address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS
   // (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized
   // via :ref:`resolver_name <envoy_api_field_config.core.v4alpha.SocketAddress.resolver_name>`.
-  string address = 2 [(validate.rules).string = {min_bytes: 1}];
+  string address = 2 [(validate.rules).string = {min_len: 1}];
 
   oneof port_specifier {
     option (validate.required) = true;
@@ -155,7 +155,7 @@ message CidrRange {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.CidrRange";
 
   // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
-  string address_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string address_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // Length of prefix, e.g. 0, 32.
   google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];

envoy/config/core/v4alpha/base.proto

@@ -229,7 +229,7 @@ message RuntimeUInt32 {
   uint32 default_value = 2;
 
   // Runtime key to get value for comparison. This value is used if defined.
-  string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}];
+  string runtime_key = 3 [(validate.rules).string = {min_len: 1}];
 }
 
 // Runtime derived double with a default when not specified.
@@ -240,7 +240,7 @@ message RuntimeDouble {
   double default_value = 1;
 
   // Runtime key to get value for comparison. This value is used if defined.
-  string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
+  string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
 }
 
 // Runtime derived bool with a default when not specified.
@@ -254,7 +254,7 @@ message RuntimeFeatureFlag {
   // Runtime key to get value for comparison. This value is used if defined. The boolean value must
   // be represented via its
   // `canonical JSON encoding <https://developers.google.com/protocol-buffers/docs/proto3#json>`_.
-  string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
+  string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
 }
 
 // Header name/value pair.
@@ -264,7 +264,7 @@ message HeaderValue {
   // Header name.
   string key = 1
       [(validate.rules).string =
-           {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
+           {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // Header value.
   //
@@ -304,13 +304,13 @@ message DataSource {
     option (validate.required) = true;
 
     // Local filesystem data source.
-    string filename = 1 [(validate.rules).string = {min_bytes: 1}];
+    string filename = 1 [(validate.rules).string = {min_len: 1}];
 
     // Bytes inlined in the configuration.
     bytes inline_bytes = 2 [(validate.rules).bytes = {min_len: 1}];
 
     // String inlined in the configuration.
-    string inline_string = 3 [(validate.rules).string = {min_bytes: 1}];
+    string inline_string = 3 [(validate.rules).string = {min_len: 1}];
   }
 }
 
@@ -337,7 +337,7 @@ message RemoteDataSource {
   HttpUri http_uri = 1 [(validate.rules).message = {required: true}];
 
   // SHA256 string for verifying data.
-  string sha256 = 2 [(validate.rules).string = {min_bytes: 1}];
+  string sha256 = 2 [(validate.rules).string = {min_len: 1}];
 
   // Retry policy for fetching remote data.
   RetryPolicy retry_policy = 3;
@@ -373,7 +373,7 @@ message TransportSocket {
 
   // The name of the transport socket to instantiate. The name must match a supported transport
   // socket implementation.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Implementation specific configuration which depends on the implementation being instantiated.
   // See the supported transport socket implementations for further documentation.

envoy/config/core/v4alpha/grpc_method_list.proto

@@ -23,7 +23,7 @@ message GrpcMethodList {
         "envoy.config.core.v3.GrpcMethodList.Service";
 
     // The name of the gRPC service.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // The names of the gRPC methods in this service.
     repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}];

envoy/config/core/v4alpha/grpc_service.proto

@@ -35,13 +35,13 @@ message GrpcService {
     // The name of the upstream gRPC cluster. SSL credentials will be supplied
     // in the :ref:`Cluster <envoy_api_msg_config.cluster.v4alpha.Cluster>` :ref:`transport_socket
     // <envoy_api_field_config.cluster.v4alpha.Cluster.transport_socket>`.
-    string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
 
     // The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`.
     // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster.
     string authority = 2
         [(validate.rules).string =
-             {min_bytes: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}];
+             {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}];
   }
 
   // [#next-free-field: 9]
@@ -160,10 +160,10 @@ message GrpcService {
 
         // The path of subject token, a security token that represents the
         // identity of the party on behalf of whom the request is being made.
-        string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}];
+        string subject_token_path = 6 [(validate.rules).string = {min_len: 1}];
 
         // Type of the subject token.
-        string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}];
+        string subject_token_type = 7 [(validate.rules).string = {min_len: 1}];
 
         // The path of actor token, a security token that represents the identity
         // of the acting party. The acting party is authorized to use the
@@ -236,7 +236,7 @@ message GrpcService {
     // The target URI when using the `Google C++ gRPC client
     // <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in
     // :ref:`channel_credentials <envoy_api_field_config.core.v4alpha.GrpcService.GoogleGrpc.channel_credentials>`.
-    string target_uri = 1 [(validate.rules).string = {min_bytes: 1}];
+    string target_uri = 1 [(validate.rules).string = {min_len: 1}];
 
     ChannelCredentials channel_credentials = 2;
 
@@ -253,7 +253,7 @@ message GrpcService {
     //
     //    streams_total, Counter, Total number of streams opened
     //    streams_closed_<gRPC status code>, Counter, Total streams closed with <gRPC status code>
-    string stat_prefix = 4 [(validate.rules).string = {min_bytes: 1}];
+    string stat_prefix = 4 [(validate.rules).string = {min_len: 1}];
 
     // The name of the Google gRPC credentials factory to use. This must have been registered with
     // Envoy. If this is empty, a default credentials factory will be used that sets up channel

envoy/config/core/v4alpha/health_check.proto

@@ -67,7 +67,7 @@ message HealthCheck {
       option (validate.required) = true;
 
       // Hex encoded payload. E.g., "000000FF".
-      string text = 1 [(validate.rules).string = {min_bytes: 1}];
+      string text = 1 [(validate.rules).string = {min_len: 1}];
 
       // [#not-implemented-hide:] Binary payload.
       bytes binary = 2;
@@ -91,9 +91,8 @@ message HealthCheck {
 
     // Specifies the HTTP path that will be requested during health checking. For example
     // */healthcheck*.
-    string path = 2 [
+    string path = 2
-      (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
-    ];
 
     // [#not-implemented-hide:] HTTP specific payload.
     Payload send = 3;
@@ -187,7 +186,7 @@ message HealthCheck {
     reserved "config";
 
     // The registered name of the custom health checker.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // A custom health checker specific configuration which depends on the custom health checker
     // being instantiated. See :api:`envoy/config/health_checker` for reference.

envoy/config/core/v4alpha/http_uri.proto

@@ -27,7 +27,7 @@ message HttpUri {
   //
   //    uri: https://www.googleapis.com/oauth2/v1/certs
   //
-  string uri = 1 [(validate.rules).string = {min_bytes: 1}];
+  string uri = 1 [(validate.rules).string = {min_len: 1}];
 
   // Specify how `uri` is to be fetched. Today, this requires an explicit
   // cluster, but in the future we may support dynamic cluster creation or
@@ -45,7 +45,7 @@ message HttpUri {
     //
     //    cluster: jwks_cluster
     //
-    string cluster = 2 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 2 [(validate.rules).string = {min_len: 1}];
   }
 
   // Sets the maximum duration in milliseconds that a response can take to arrive upon request.

envoy/config/core/v4alpha/substitution_format_string.proto

@@ -40,7 +40,7 @@ message SubstitutionFormatString {
     //
     //   upstream connect error:503:path=/foo
     //
-    string text_format = 1 [(validate.rules).string = {min_bytes: 1}];
+    string text_format = 1 [(validate.rules).string = {min_len: 1}];
 
     // Specify a format with command operators to form a JSON string.
     // Its details is described in :ref:`format dictionary<config_access_log_format_dictionaries>`.

envoy/config/endpoint/v3/endpoint.proto

@@ -46,7 +46,7 @@ message ClusterLoadAssignment {
           "envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload";
 
       // Identifier for the policy specifying the drop.
-      string category = 1 [(validate.rules).string = {min_bytes: 1}];
+      string category = 1 [(validate.rules).string = {min_len: 1}];
 
       // Percentage of traffic that should be dropped for the category.
       type.v3.FractionalPercent drop_percentage = 2;
@@ -105,7 +105,7 @@ message ClusterLoadAssignment {
   // <envoy_api_field_config.cluster.v3.Cluster.EdsClusterConfig.service_name>` value if specified
   // in the cluster :ref:`EdsClusterConfig
   // <envoy_api_msg_config.cluster.v3.Cluster.EdsClusterConfig>`.
-  string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // List of endpoints to load balance to.
   repeated LocalityLbEndpoints endpoints = 2;

envoy/config/endpoint/v3/load_report.proto

@@ -129,14 +129,14 @@ message ClusterStats {
         "envoy.api.v2.endpoint.ClusterStats.DroppedRequests";
 
     // Identifier for the policy specifying the drop.
-    string category = 1 [(validate.rules).string = {min_bytes: 1}];
+    string category = 1 [(validate.rules).string = {min_len: 1}];
 
     // Total number of deliberately dropped requests for the category.
     uint64 dropped_count = 2;
   }
 
   // The name of the cluster.
-  string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The eds_cluster_config service_name of the cluster.
   // It's possible that two clusters send the same service_name to EDS,

envoy/config/grpc_credential/v3/aws_iam.proto

@@ -24,7 +24,7 @@ message AwsIamConfig {
   // of the Grpc endpoint.
   //
   // Example: appmesh
-  string service_name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string service_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The `region <https://docs.aws.amazon.com/general/latest/gr/rande.html>`_ hosting the Grpc
   // endpoint. If unspecified, the extension will use the value in the ``AWS_REGION`` environment

envoy/config/listener/v3/listener_components.proto

@@ -32,7 +32,7 @@ message Filter {
 
   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter <config_network_filters>`.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being
   // instantiated. See the supported filters for further documentation.
@@ -303,7 +303,7 @@ message ListenerFilter {
 
   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter <config_listener_filters>`.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being instantiated.
   // See the supported filters for further documentation.

envoy/config/listener/v4alpha/listener_components.proto

@@ -32,7 +32,7 @@ message Filter {
 
   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter <config_network_filters>`.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being
   // instantiated. See the supported filters for further documentation.
@@ -307,7 +307,7 @@ message ListenerFilter {
 
   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter <config_listener_filters>`.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being instantiated.
   // See the supported filters for further documentation.

envoy/config/overload/v3/overload.proto

@@ -37,7 +37,7 @@ message ResourceMonitor {
   //   <envoy_api_msg_config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig>`
   // * :ref:`envoy.resource_monitors.injected_resource
   //   <envoy_api_msg_config.resource_monitor.injected_resource.v2alpha.InjectedResourceConfig>`
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Configuration for the resource monitor being instantiated.
   oneof config_type {
@@ -69,7 +69,7 @@ message Trigger {
       "envoy.config.overload.v2alpha.Trigger";
 
   // The name of the resource this is a trigger for.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof trigger_oneof {
     option (validate.required) = true;
@@ -87,7 +87,7 @@ message OverloadAction {
   // The name of the overload action. This is just a well-known string that listeners can
   // use for registering callbacks. Custom overload actions should be named using reverse
   // DNS to ensure uniqueness.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // A set of triggers for this action. The state of the action is the maximum
   // state of all triggers, which can be scaling between 0 and 1 or saturated. Listeners

envoy/config/route/v3/route_components.proto

@@ -60,7 +60,7 @@ message VirtualHost {
 
   // The logical name of the virtual host. This is used when emitting certain
   // statistics but is not relevant for routing.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // A list of domains (host/authority header) that will be matched to this
   // virtual host. Wildcard hosts are supported in the suffix or prefix form.
@@ -113,7 +113,7 @@ message VirtualHost {
   // Specifies a list of HTTP headers that should be removed from each request
   // handled by this virtual host.
   repeated string request_headers_to_remove = 13 [(validate.rules).repeated = {
-    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
   }];
 
   // Specifies a list of HTTP headers that should be added to each response
@@ -128,7 +128,7 @@ message VirtualHost {
   // Specifies a list of HTTP headers that should be removed from each response
   // handled by this virtual host.
   repeated string response_headers_to_remove = 11 [(validate.rules).repeated = {
-    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
   }];
 
   // Indicates that the virtual host has a CORS policy.
@@ -263,7 +263,7 @@ message Route {
   // Specifies a list of HTTP headers that should be removed from each request
   // matching this route.
   repeated string request_headers_to_remove = 12 [(validate.rules).repeated = {
-    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
   }];
 
   // Specifies a set of headers that will be added to responses to requests
@@ -278,7 +278,7 @@ message Route {
   // Specifies a list of HTTP headers that should be removed from each response
   // to requests matching this route.
   repeated string response_headers_to_remove = 11 [(validate.rules).repeated = {
-    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
   }];
 
   // Presence of the object defines whether the connection manager's tracing configuration
@@ -311,7 +311,7 @@ message WeightedCluster {
 
     // Name of the upstream cluster. The cluster must exist in the
     // :ref:`cluster manager configuration <config_cluster_manager>`.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // An integer between 0 and :ref:`total_weight
     // <envoy_api_field_config.route.v3.WeightedCluster.total_weight>`. When a request matches the route,
@@ -591,7 +591,7 @@ message RouteAction {
 
     // Specifies the cluster that requests will be mirrored to. The cluster must
     // exist in the cluster manager configuration.
-    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
     // If not specified, all requests to the target cluster will be mirrored.
     //
@@ -620,9 +620,8 @@ message RouteAction {
 
       // The name of the request header that will be used to obtain the hash
       // key. If the request header is not present, no hash will be produced.
-      string header_name = 1 [
+      string header_name = 1
-        (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+          [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
-      ];
 
       // If specified, the request header value will be rewritten and used
       // to produce the hash key.
@@ -650,7 +649,7 @@ message RouteAction {
       // The name of the cookie that will be used to obtain the hash key. If the
       // cookie is not present and ttl below is not set, no hash will be
       // produced.
-      string name = 1 [(validate.rules).string = {min_bytes: 1}];
+      string name = 1 [(validate.rules).string = {min_len: 1}];
 
       // If specified, a cookie with the TTL will be generated if the cookie is
       // not present. If the TTL is present and zero, the generated cookie will
@@ -677,7 +676,7 @@ message RouteAction {
       // The name of the URL query parameter that will be used to obtain the hash
       // key. If the parameter is not present, no hash will be produced. Query
       // parameter names are case-sensitive.
-      string name = 1 [(validate.rules).string = {min_bytes: 1}];
+      string name = 1 [(validate.rules).string = {min_len: 1}];
     }
 
     message FilterState {
@@ -687,7 +686,7 @@ message RouteAction {
       // The name of the Object in the per-request filterState, which is an
       // Envoy::Http::Hashable object. If there is no data associated with the key,
       // or the stored object is not Envoy::Http::Hashable, no hash will be produced.
-      string key = 1 [(validate.rules).string = {min_bytes: 1}];
+      string key = 1 [(validate.rules).string = {min_len: 1}];
     }
 
     oneof policy_specifier {
@@ -798,7 +797,7 @@ message RouteAction {
 
     // Indicates the upstream cluster to which the request should be routed
     // to.
-    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
     // Envoy will determine the cluster to route to by reading the value of the
     // HTTP header named by cluster_header from the request headers. If the
@@ -810,7 +809,7 @@ message RouteAction {
     //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
     //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
     string cluster_header = 2
-        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
     // Multiple upstream clusters can be specified for a given route. The
     // request is routed to one of the upstream clusters based on weights
@@ -1102,7 +1101,7 @@ message RetryPolicy {
 
     reserved "config";
 
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     oneof config_type {
       google.protobuf.Any typed_config = 3;
@@ -1117,7 +1116,7 @@ message RetryPolicy {
 
     reserved "config";
 
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     oneof config_type {
       google.protobuf.Any typed_config = 3;
@@ -1146,7 +1145,7 @@ message RetryPolicy {
 
   message ResetHeader {
     string name = 1
-        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
     ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}];
   }
@@ -1413,7 +1412,7 @@ message Decorator {
   //   For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden
   //   by the :ref:`x-envoy-decorator-operation
   //   <config_http_filters_router_x-envoy-decorator-operation>` header.
-  string operation = 1 [(validate.rules).string = {min_bytes: 1}];
+  string operation = 1 [(validate.rules).string = {min_len: 1}];
 
   // Whether the decorated details should be propagated to the other party. The default is true.
   google.protobuf.BoolValue propagate = 2;
@@ -1488,7 +1487,7 @@ message VirtualCluster {
   // Specifies the name of the virtual cluster. The virtual cluster name as well
   // as the virtual host name are used when emitting statistics. The statistics are emitted by the
   // router filter and are documented :ref:`here <config_http_filters_router_stats>`.
-  string name = 2 [(validate.rules).string = {min_bytes: 1}];
+  string name = 2 [(validate.rules).string = {min_len: 1}];
 }
 
 // Global rate limiting :ref:`architecture overview <arch_overview_global_rate_limit>`.
@@ -1546,12 +1545,11 @@ message RateLimit {
       // The header name to be queried from the request headers. The header’s
       // value is used to populate the value of the descriptor entry for the
       // descriptor_key.
-      string header_name = 1 [
+      string header_name = 1
-        (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+          [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
-      ];
 
       // The key to use in the descriptor entry.
-      string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
+      string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];
 
       // If set to true, Envoy skips the descriptor while calling rate limiting service
       // when header is not present in the request. By default it skips calling the
@@ -1580,7 +1578,7 @@ message RateLimit {
           "envoy.api.v2.route.RateLimit.Action.GenericKey";
 
       // The value to use in the descriptor entry.
-      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
+      string descriptor_value = 1 [(validate.rules).string = {min_len: 1}];
 
       // An optional key to use in the descriptor entry. If not set it defaults
       // to 'generic_key' as the descriptor key.
@@ -1597,7 +1595,7 @@ message RateLimit {
           "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch";
 
       // The value to use in the descriptor entry.
-      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
+      string descriptor_value = 1 [(validate.rules).string = {min_len: 1}];
 
       // If set to true, the action will append a descriptor entry when the
       // request matches the headers. If set to false, the action will append a
@@ -1620,7 +1618,7 @@ message RateLimit {
     //   ("<descriptor_key>", "<value_queried_from_metadata>")
     message DynamicMetaData {
       // The key to use in the descriptor entry.
-      string descriptor_key = 1 [(validate.rules).string = {min_bytes: 1}];
+      string descriptor_key = 1 [(validate.rules).string = {min_len: 1}];
 
       // Metadata struct that defines the key and path to retrieve the string value. A match will
       // only happen if the value in the dynamic metadata is of type string.
@@ -1736,7 +1734,7 @@ message HeaderMatcher {
 
   // Specifies the name of the header in the request.
   string name = 1
-      [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+      [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // Specifies how the header match will be performed to route the request.
   oneof header_match_specifier {
@@ -1771,7 +1769,7 @@ message HeaderMatcher {
     // Examples:
     //
     // * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*.
-    string prefix_match = 9 [(validate.rules).string = {min_bytes: 1}];
+    string prefix_match = 9 [(validate.rules).string = {min_len: 1}];
 
     // If specified, header match will be performed based on the suffix of the header value.
     // Note: empty suffix is not allowed, please use present_match instead.
@@ -1779,7 +1777,7 @@ message HeaderMatcher {
     // Examples:
     //
     // * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*.
-    string suffix_match = 10 [(validate.rules).string = {min_bytes: 1}];
+    string suffix_match = 10 [(validate.rules).string = {min_len: 1}];
 
     // If specified, header match will be performed based on whether the header value contains
     // the given value or not.
@@ -1788,7 +1786,7 @@ message HeaderMatcher {
     // Examples:
     //
     // * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*.
-    string contains_match = 12 [(validate.rules).string = {min_bytes: 1}];
+    string contains_match = 12 [(validate.rules).string = {min_len: 1}];
   }
 
   // If specified, the match result will be inverted before checking. Defaults to false.
@@ -1813,7 +1811,7 @@ message QueryParameterMatcher {
 
   // Specifies the name of a key that must be present in the requested
   // *path*'s query string.
-  string name = 1 [(validate.rules).string = {min_bytes: 1 max_bytes: 1024}];
+  string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}];
 
   oneof query_parameter_match_specifier {
     // Specifies whether a query parameter value should match against a string.

envoy/config/route/v3/scoped_route.proto

@@ -108,12 +108,12 @@ message ScopedRouteConfiguration {
   bool on_demand = 4;
 
   // The name assigned to the routing scope.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The resource name to use for a :ref:`envoy_api_msg_service.discovery.v3.DiscoveryRequest` to an
   // RDS server to fetch the :ref:`envoy_api_msg_config.route.v3.RouteConfiguration` associated
   // with this scope.
-  string route_configuration_name = 2 [(validate.rules).string = {min_bytes: 1}];
+  string route_configuration_name = 2 [(validate.rules).string = {min_len: 1}];
 
   // The key to match against.
   Key key = 3 [(validate.rules).message = {required: true}];

envoy/config/route/v4alpha/route_components.proto

@@ -59,7 +59,7 @@ message VirtualHost {
 
   // The logical name of the virtual host. This is used when emitting certain
   // statistics but is not relevant for routing.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // A list of domains (host/authority header) that will be matched to this
   // virtual host. Wildcard hosts are supported in the suffix or prefix form.
@@ -112,7 +112,7 @@ message VirtualHost {
   // Specifies a list of HTTP headers that should be removed from each request
   // handled by this virtual host.
   repeated string request_headers_to_remove = 13 [(validate.rules).repeated = {
-    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
   }];
 
   // Specifies a list of HTTP headers that should be added to each response
@@ -127,7 +127,7 @@ message VirtualHost {
   // Specifies a list of HTTP headers that should be removed from each response
   // handled by this virtual host.
   repeated string response_headers_to_remove = 11 [(validate.rules).repeated = {
-    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
   }];
 
   // Indicates that the virtual host has a CORS policy.
@@ -262,7 +262,7 @@ message Route {
   // Specifies a list of HTTP headers that should be removed from each request
   // matching this route.
   repeated string request_headers_to_remove = 12 [(validate.rules).repeated = {
-    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
   }];
 
   // Specifies a set of headers that will be added to responses to requests
@@ -277,7 +277,7 @@ message Route {
   // Specifies a list of HTTP headers that should be removed from each response
   // to requests matching this route.
   repeated string response_headers_to_remove = 11 [(validate.rules).repeated = {
-    items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
   }];
 
   // Presence of the object defines whether the connection manager's tracing configuration
@@ -311,7 +311,7 @@ message WeightedCluster {
 
     // Name of the upstream cluster. The cluster must exist in the
     // :ref:`cluster manager configuration <config_cluster_manager>`.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // An integer between 0 and :ref:`total_weight
     // <envoy_api_field_config.route.v4alpha.WeightedCluster.total_weight>`. When a request matches the route,
@@ -584,7 +584,7 @@ message RouteAction {
 
     // Specifies the cluster that requests will be mirrored to. The cluster must
     // exist in the cluster manager configuration.
-    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
     // If not specified, all requests to the target cluster will be mirrored.
     //
@@ -613,9 +613,8 @@ message RouteAction {
 
       // The name of the request header that will be used to obtain the hash
       // key. If the request header is not present, no hash will be produced.
-      string header_name = 1 [
+      string header_name = 1
-        (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+          [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
-      ];
 
       // If specified, the request header value will be rewritten and used
       // to produce the hash key.
@@ -643,7 +642,7 @@ message RouteAction {
       // The name of the cookie that will be used to obtain the hash key. If the
       // cookie is not present and ttl below is not set, no hash will be
       // produced.
-      string name = 1 [(validate.rules).string = {min_bytes: 1}];
+      string name = 1 [(validate.rules).string = {min_len: 1}];
 
       // If specified, a cookie with the TTL will be generated if the cookie is
       // not present. If the TTL is present and zero, the generated cookie will
@@ -670,7 +669,7 @@ message RouteAction {
       // The name of the URL query parameter that will be used to obtain the hash
       // key. If the parameter is not present, no hash will be produced. Query
       // parameter names are case-sensitive.
-      string name = 1 [(validate.rules).string = {min_bytes: 1}];
+      string name = 1 [(validate.rules).string = {min_len: 1}];
     }
 
     message FilterState {
@@ -680,7 +679,7 @@ message RouteAction {
       // The name of the Object in the per-request filterState, which is an
       // Envoy::Http::Hashable object. If there is no data associated with the key,
       // or the stored object is not Envoy::Http::Hashable, no hash will be produced.
-      string key = 1 [(validate.rules).string = {min_bytes: 1}];
+      string key = 1 [(validate.rules).string = {min_len: 1}];
     }
 
     oneof policy_specifier {
@@ -798,7 +797,7 @@ message RouteAction {
 
     // Indicates the upstream cluster to which the request should be routed
     // to.
-    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
     // Envoy will determine the cluster to route to by reading the value of the
     // HTTP header named by cluster_header from the request headers. If the
@@ -810,7 +809,7 @@ message RouteAction {
     //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
     //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
     string cluster_header = 2
-        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
     // Multiple upstream clusters can be specified for a given route. The
     // request is routed to one of the upstream clusters based on weights
@@ -1076,7 +1075,7 @@ message RetryPolicy {
 
     reserved "config";
 
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     oneof config_type {
       google.protobuf.Any typed_config = 3;
@@ -1091,7 +1090,7 @@ message RetryPolicy {
 
     reserved "config";
 
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     oneof config_type {
       google.protobuf.Any typed_config = 3;
@@ -1123,7 +1122,7 @@ message RetryPolicy {
         "envoy.config.route.v3.RetryPolicy.ResetHeader";
 
     string name = 1
-        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
     ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}];
   }
@@ -1393,7 +1392,7 @@ message Decorator {
   //   For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden
   //   by the :ref:`x-envoy-decorator-operation
   //   <config_http_filters_router_x-envoy-decorator-operation>` header.
-  string operation = 1 [(validate.rules).string = {min_bytes: 1}];
+  string operation = 1 [(validate.rules).string = {min_len: 1}];
 
   // Whether the decorated details should be propagated to the other party. The default is true.
   google.protobuf.BoolValue propagate = 2;
@@ -1469,7 +1468,7 @@ message VirtualCluster {
   // Specifies the name of the virtual cluster. The virtual cluster name as well
   // as the virtual host name are used when emitting statistics. The statistics are emitted by the
   // router filter and are documented :ref:`here <config_http_filters_router_stats>`.
-  string name = 2 [(validate.rules).string = {min_bytes: 1}];
+  string name = 2 [(validate.rules).string = {min_len: 1}];
 }
 
 // Global rate limiting :ref:`architecture overview <arch_overview_global_rate_limit>`.
@@ -1527,12 +1526,11 @@ message RateLimit {
       // The header name to be queried from the request headers. The header’s
       // value is used to populate the value of the descriptor entry for the
       // descriptor_key.
-      string header_name = 1 [
+      string header_name = 1
-        (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+          [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
-      ];
 
       // The key to use in the descriptor entry.
-      string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
+      string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];
 
       // If set to true, Envoy skips the descriptor while calling rate limiting service
       // when header is not present in the request. By default it skips calling the
@@ -1561,7 +1559,7 @@ message RateLimit {
           "envoy.config.route.v3.RateLimit.Action.GenericKey";
 
       // The value to use in the descriptor entry.
-      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
+      string descriptor_value = 1 [(validate.rules).string = {min_len: 1}];
 
       // An optional key to use in the descriptor entry. If not set it defaults
       // to 'generic_key' as the descriptor key.
@@ -1578,7 +1576,7 @@ message RateLimit {
           "envoy.config.route.v3.RateLimit.Action.HeaderValueMatch";
 
       // The value to use in the descriptor entry.
-      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
+      string descriptor_value = 1 [(validate.rules).string = {min_len: 1}];
 
       // If set to true, the action will append a descriptor entry when the
       // request matches the headers. If set to false, the action will append a
@@ -1604,7 +1602,7 @@ message RateLimit {
           "envoy.config.route.v3.RateLimit.Action.DynamicMetaData";
 
       // The key to use in the descriptor entry.
-      string descriptor_key = 1 [(validate.rules).string = {min_bytes: 1}];
+      string descriptor_key = 1 [(validate.rules).string = {min_len: 1}];
 
       // Metadata struct that defines the key and path to retrieve the string value. A match will
       // only happen if the value in the dynamic metadata is of type string.
@@ -1727,7 +1725,7 @@ message HeaderMatcher {
 
   // Specifies the name of the header in the request.
   string name = 1
-      [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+      [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // Specifies how the header match will be performed to route the request.
   oneof header_match_specifier {
@@ -1762,7 +1760,7 @@ message HeaderMatcher {
     // Examples:
     //
     // * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*.
-    string prefix_match = 9 [(validate.rules).string = {min_bytes: 1}];
+    string prefix_match = 9 [(validate.rules).string = {min_len: 1}];
 
     // If specified, header match will be performed based on the suffix of the header value.
     // Note: empty suffix is not allowed, please use present_match instead.
@@ -1770,7 +1768,7 @@ message HeaderMatcher {
     // Examples:
     //
     // * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*.
-    string suffix_match = 10 [(validate.rules).string = {min_bytes: 1}];
+    string suffix_match = 10 [(validate.rules).string = {min_len: 1}];
 
     // If specified, header match will be performed based on whether the header value contains
     // the given value or not.
@@ -1779,7 +1777,7 @@ message HeaderMatcher {
     // Examples:
     //
     // * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*.
-    string contains_match = 12 [(validate.rules).string = {min_bytes: 1}];
+    string contains_match = 12 [(validate.rules).string = {min_len: 1}];
   }
 
   // If specified, the match result will be inverted before checking. Defaults to false.
@@ -1804,7 +1802,7 @@ message QueryParameterMatcher {
 
   // Specifies the name of a key that must be present in the requested
   // *path*'s query string.
-  string name = 1 [(validate.rules).string = {min_bytes: 1 max_bytes: 1024}];
+  string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}];
 
   oneof query_parameter_match_specifier {
     // Specifies whether a query parameter value should match against a string.

envoy/config/route/v4alpha/scoped_route.proto

@@ -108,12 +108,12 @@ message ScopedRouteConfiguration {
   bool on_demand = 4;
 
   // The name assigned to the routing scope.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The resource name to use for a :ref:`envoy_api_msg_service.discovery.v4alpha.DiscoveryRequest` to an
   // RDS server to fetch the :ref:`envoy_api_msg_config.route.v4alpha.RouteConfiguration` associated
   // with this scope.
-  string route_configuration_name = 2 [(validate.rules).string = {min_bytes: 1}];
+  string route_configuration_name = 2 [(validate.rules).string = {min_len: 1}];
 
   // The key to match against.
   Key key = 3 [(validate.rules).message = {required: true}];

envoy/config/tap/v3/common.proto

@@ -261,7 +261,7 @@ message FilePerTapSink {
   // Path prefix. The output file will be of the form <path_prefix>_<id>.pb, where <id> is an
   // identifier distinguishing the recorded trace for stream instances (the Envoy
   // connection ID, HTTP stream ID, etc.).
-  string path_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string path_prefix = 1 [(validate.rules).string = {min_len: 1}];
 }
 
 // [#not-implemented-hide:] Streaming gRPC sink configuration sends the taps to an external gRPC

envoy/config/tap/v4alpha/common.proto

@@ -259,7 +259,7 @@ message FilePerTapSink {
   // Path prefix. The output file will be of the form <path_prefix>_<id>.pb, where <id> is an
   // identifier distinguishing the recorded trace for stream instances (the Envoy
   // connection ID, HTTP stream ID, etc.).
-  string path_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string path_prefix = 1 [(validate.rules).string = {min_len: 1}];
 }
 
 // [#not-implemented-hide:] Streaming gRPC sink configuration sends the taps to an external gRPC

envoy/config/trace/v3/datadog.proto

@@ -22,8 +22,8 @@ message DatadogConfig {
       "envoy.config.trace.v2.DatadogConfig";
 
   // The cluster to use for submitting traces to the Datadog agent.
-  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // The name used for the service when traces are generated by envoy.
-  string service_name = 2 [(validate.rules).string = {min_bytes: 1}];
+  string service_name = 2 [(validate.rules).string = {min_len: 1}];
 }

envoy/config/trace/v3/dynamic_ot.proto

@@ -28,7 +28,7 @@ message DynamicOtConfig {
 
   // Dynamic library implementing the `OpenTracing API
   // <https://github.com/opentracing/opentracing-cpp>`_.
-  string library = 1 [(validate.rules).string = {min_bytes: 1}];
+  string library = 1 [(validate.rules).string = {min_len: 1}];
 
   // The configuration to use when creating a tracer from the given dynamic
   // library.

envoy/config/trace/v3/http_tracer.proto

@@ -52,7 +52,7 @@ message Tracing {
     // - *envoy.tracers.datadog*
     // - *envoy.tracers.opencensus*
     // - *envoy.tracers.xray*
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // Trace driver specific configuration which depends on the driver being instantiated.
     // See the trace drivers for examples:

envoy/config/trace/v3/lightstep.proto

@@ -38,11 +38,11 @@ message LightstepConfig {
   }
 
   // The cluster manager cluster that hosts the LightStep collectors.
-  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // File containing the access token to the `LightStep
   // <https://lightstep.com/>`_ API.
-  string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}];
+  string access_token_file = 2 [(validate.rules).string = {min_len: 1}];
 
   // Propagation modes to use by LightStep's tracer.
   repeated PropagationMode propagation_modes = 3

envoy/config/trace/v3/zipkin.proto

@@ -49,12 +49,12 @@ message ZipkinConfig {
   // The cluster manager cluster that hosts the Zipkin collectors. Note that the
   // Zipkin cluster must be defined in the :ref:`Bootstrap static cluster
   // resources <envoy_api_field_config.bootstrap.v3.Bootstrap.StaticResources.clusters>`.
-  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // The API endpoint of the Zipkin service where the spans will be sent. When
   // using a standard Zipkin installation, the API endpoint is typically
   // /api/v1/spans, which is the default value.
-  string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+  string collector_endpoint = 2 [(validate.rules).string = {min_len: 1}];
 
   // Determines whether a 128bit trace id will be used when creating a new
   // trace instance. The default value is false, which will result in a 64 bit trace id being used.

envoy/config/trace/v4alpha/http_tracer.proto

@@ -52,7 +52,7 @@ message Tracing {
     // - *envoy.tracers.datadog*
     // - *envoy.tracers.opencensus*
     // - *envoy.tracers.xray*
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // Trace driver specific configuration which depends on the driver being instantiated.
     // See the trace drivers for examples:

envoy/data/cluster/v3/outlier_detection_event.proto

@@ -88,10 +88,10 @@ message OutlierDetectionEvent {
   google.protobuf.UInt64Value secs_since_last_action = 3;
 
   // The :ref:`cluster <envoy_api_msg_config.cluster.v3.Cluster>` that owns the ejected host.
-  string cluster_name = 4 [(validate.rules).string = {min_bytes: 1}];
+  string cluster_name = 4 [(validate.rules).string = {min_len: 1}];
 
   // The URL of the ejected host. E.g., ``tcp://1.2.3.4:80``.
-  string upstream_url = 5 [(validate.rules).string = {min_bytes: 1}];
+  string upstream_url = 5 [(validate.rules).string = {min_len: 1}];
 
   // The action that took place.
   Action action = 6 [(validate.rules).enum = {defined_only: true}];

envoy/data/core/v3/health_check_event.proto

@@ -40,7 +40,7 @@ message HealthCheckEvent {
 
   config.core.v3.Address host = 2;
 
-  string cluster_name = 3 [(validate.rules).string = {min_bytes: 1}];
+  string cluster_name = 3 [(validate.rules).string = {min_len: 1}];
 
   oneof event {
     option (validate.required) = true;

envoy/extensions/access_loggers/file/v3/file.proto

@@ -27,7 +27,7 @@ message FileAccessLog {
       "envoy.config.accesslog.v2.FileAccessLog";
 
   // A path to a local file to which to write the access log entries.
-  string path = 1 [(validate.rules).string = {min_bytes: 1}];
+  string path = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof access_log_format {
     // Access log :ref:`format string<config_access_log_format_strings>`.

envoy/extensions/access_loggers/file/v4alpha/file.proto

@@ -31,7 +31,7 @@ message FileAccessLog {
   reserved "format", "json_format", "typed_json_format";
 
   // A path to a local file to which to write the access log entries.
-  string path = 1 [(validate.rules).string = {min_bytes: 1}];
+  string path = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof access_log_format {
     // Configuration to form access log data and format.

envoy/extensions/access_loggers/grpc/v3/als.proto

@@ -62,7 +62,7 @@ message CommonGrpcAccessLogConfig {
   // The friendly name of the access log to be returned in :ref:`StreamAccessLogsMessage.Identifier
   // <envoy_api_msg_service.accesslog.v3.StreamAccessLogsMessage.Identifier>`. This allows the
   // access log server to differentiate between different access logs coming from the same Envoy.
-  string log_name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string log_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The gRPC service for the access log service.
   config.core.v3.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}];

envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto

@@ -37,7 +37,7 @@ message DnsCacheConfig {
   // configurations with the same name *must* otherwise have the same settings when referenced
   // from different configuration components. Configuration will fail to load if this is not
   // the case.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The DNS lookup family to use during resolution.
   //

envoy/extensions/common/ratelimit/v3/ratelimit.proto

@@ -69,10 +69,10 @@ message RateLimitDescriptor {
         "envoy.api.v2.ratelimit.RateLimitDescriptor.Entry";
 
     // Descriptor key.
-    string key = 1 [(validate.rules).string = {min_bytes: 1}];
+    string key = 1 [(validate.rules).string = {min_len: 1}];
 
     // Descriptor value.
-    string value = 2 [(validate.rules).string = {min_bytes: 1}];
+    string value = 2 [(validate.rules).string = {min_len: 1}];
   }
 
   // Override rate limit to apply to this descriptor instead of the limit

envoy/extensions/common/tap/v3/common.proto

@@ -64,5 +64,5 @@ message AdminConfig {
 
   // Opaque configuration ID. When requests are made to the admin handler, the passed opaque ID is
   // matched to the configured filter opaque ID to determine which filter to configure.
-  string config_id = 1 [(validate.rules).string = {min_bytes: 1}];
+  string config_id = 1 [(validate.rules).string = {min_len: 1}];
 }

envoy/extensions/common/tap/v4alpha/common.proto

@@ -65,5 +65,5 @@ message AdminConfig {
 
   // Opaque configuration ID. When requests are made to the admin handler, the passed opaque ID is
   // matched to the configured filter opaque ID to determine which filter to configure.
-  string config_id = 1 [(validate.rules).string = {min_bytes: 1}];
+  string config_id = 1 [(validate.rules).string = {min_len: 1}];
 }

envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto

@@ -25,13 +25,13 @@ message AwsRequestSigning {
   // of the HTTP endpoint.
   //
   // Example: s3
-  string service_name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string service_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The `region <https://docs.aws.amazon.com/general/latest/gr/rande.html>`_ hosting the HTTP
   // endpoint.
   //
   // Example: us-west-2
-  string region = 2 [(validate.rules).string = {min_bytes: 1}];
+  string region = 2 [(validate.rules).string = {min_len: 1}];
 
   // Indicates that before signing headers, the host header will be swapped with
   // this value. If not set or empty, the original host header value

envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3/config.proto

@@ -23,7 +23,7 @@ message FilterConfig {
 
   // The content-type to pass to the upstream when the gRPC bridge filter is applied.
   // The filter will also validate that the upstream responds with the same content type.
-  string content_type = 1 [(validate.rules).string = {min_bytes: 1}];
+  string content_type = 1 [(validate.rules).string = {min_len: 1}];
 
   // If true, Envoy will assume that the upstream doesn't understand gRPC frames and
   // strip the gRPC frame from the request, and add it back in to the response. This will

envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto

@@ -56,7 +56,7 @@ message Config {
     string metadata_namespace = 1;
 
     // The key to use within the namespace.
-    string key = 2 [(validate.rules).string = {min_bytes: 1}];
+    string key = 2 [(validate.rules).string = {min_len: 1}];
 
     // The value to pair with the given key.
     //

envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto

@@ -55,7 +55,7 @@ message Config {
     string metadata_namespace = 1;
 
     // The key to use within the namespace.
-    string key = 2 [(validate.rules).string = {min_bytes: 1}];
+    string key = 2 [(validate.rules).string = {min_len: 1}];
 
     oneof value_type {
       // The value to pair with the given key.

envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -62,7 +62,7 @@ message JwtProvider {
   // Example: https://securetoken.google.com
   // Example: 1234567-compute@developer.gserviceaccount.com
   //
-  string issuer = 1 [(validate.rules).string = {min_bytes: 1}];
+  string issuer = 1 [(validate.rules).string = {min_len: 1}];
 
   // The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
   // allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
@@ -220,7 +220,7 @@ message JwtHeader {
 
   // The HTTP header name.
   string name = 1
-      [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+      [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // The value prefix. The value format is "value_prefix<token>"
   // For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
@@ -414,7 +414,7 @@ message FilterStateRule {
       "envoy.config.filter.http.jwt_authn.v2alpha.FilterStateRule";
 
   // The filter state name to retrieve the `Router::StringAccessor` object.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // A map of string keys to requirements. The string key is the string value
   // in the FilterState with the name specified in the *name* field above.

envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto

@@ -62,7 +62,7 @@ message JwtProvider {
   // Example: https://securetoken.google.com
   // Example: 1234567-compute@developer.gserviceaccount.com
   //
-  string issuer = 1 [(validate.rules).string = {min_bytes: 1}];
+  string issuer = 1 [(validate.rules).string = {min_len: 1}];
 
   // The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
   // allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
@@ -220,7 +220,7 @@ message JwtHeader {
 
   // The HTTP header name.
   string name = 1
-      [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+      [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // The value prefix. The value format is "value_prefix<token>"
   // For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
@@ -414,7 +414,7 @@ message FilterStateRule {
       "envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule";
 
   // The filter state name to retrieve the `Router::StringAccessor` object.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // A map of string keys to requirements. The string key is the string value
   // in the FilterState with the name specified in the *name* field above.

envoy/extensions/filters/http/lua/v3/lua.proto

@@ -25,7 +25,7 @@ message Lua {
   // further loads code from disk if desired. Note that if JSON configuration is used, the code must
   // be properly escaped. YAML configuration may be easier to read since YAML supports multi-line
   // strings so complex scripts can be easily expressed inline in the configuration.
-  string inline_code = 1 [(validate.rules).string = {min_bytes: 1}];
+  string inline_code = 1 [(validate.rules).string = {min_len: 1}];
 
   // Map of named Lua source codes that can be referenced in :ref:`LuaPerRoute
   // <envoy_v3_api_msg_extensions.filters.http.lua.v3.LuaPerRoute>`. The Lua source codes can be

envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto

@@ -26,7 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 message OAuth2Credentials {
   // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
-  string client_id = 1 [(validate.rules).string = {min_bytes: 1}];
+  string client_id = 1 [(validate.rules).string = {min_len: 1}];
 
   // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
   transport_sockets.tls.v3.SdsSecretConfig token_secret = 2
@@ -50,7 +50,7 @@ message OAuth2Config {
   config.core.v3.HttpUri token_endpoint = 1;
 
   // The endpoint redirect to for authorization in response to unauthorized requests.
-  string authorization_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+  string authorization_endpoint = 2 [(validate.rules).string = {min_len: 1}];
 
   // Credentials used for OAuth.
   OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
@@ -60,7 +60,7 @@ message OAuth2Config {
   // documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
   //
   // This URI should not contain any query parameters.
-  string redirect_uri = 4 [(validate.rules).string = {min_bytes: 1}];
+  string redirect_uri = 4 [(validate.rules).string = {min_len: 1}];
 
   // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
   type.matcher.v3.PathMatcher redirect_path_matcher = 5

envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto

@@ -29,7 +29,7 @@ message OAuth2Credentials {
       "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Credentials";
 
   // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
-  string client_id = 1 [(validate.rules).string = {min_bytes: 1}];
+  string client_id = 1 [(validate.rules).string = {min_len: 1}];
 
   // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
   transport_sockets.tls.v4alpha.SdsSecretConfig token_secret = 2
@@ -56,7 +56,7 @@ message OAuth2Config {
   config.core.v4alpha.HttpUri token_endpoint = 1;
 
   // The endpoint redirect to for authorization in response to unauthorized requests.
-  string authorization_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+  string authorization_endpoint = 2 [(validate.rules).string = {min_len: 1}];
 
   // Credentials used for OAuth.
   OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
@@ -66,7 +66,7 @@ message OAuth2Config {
   // documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
   //
   // This URI should not contain any query parameters.
-  string redirect_uri = 4 [(validate.rules).string = {min_bytes: 1}];
+  string redirect_uri = 4 [(validate.rules).string = {min_len: 1}];
 
   // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
   type.matcher.v4alpha.PathMatcher redirect_path_matcher = 5

envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto

@@ -34,7 +34,7 @@ message RateLimit {
   }
 
   // The rate limit domain to use when calling the rate limit service.
-  string domain = 1 [(validate.rules).string = {min_bytes: 1}];
+  string domain = 1 [(validate.rules).string = {min_len: 1}];
 
   // Specifies the rate limit configurations to be applied with the same
   // stage number. If not set, the default stage number is 0.

envoy/extensions/filters/http/squash/v3/squash.proto

@@ -24,7 +24,7 @@ message Squash {
       "envoy.config.filter.http.squash.v2.Squash";
 
   // The name of the cluster that hosts the Squash server.
-  string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // When the filter requests the Squash server to create a DebugAttachment, it will use this
   // structure as template for the body of the request. It can contain reference to environment

envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto

@@ -24,7 +24,7 @@ message ProxyProtocol {
     string metadata_namespace = 1;
 
     // The key to use within the namespace.
-    string key = 2 [(validate.rules).string = {min_bytes: 1}];
+    string key = 2 [(validate.rules).string = {min_len: 1}];
   }
 
   // A Rule defines what metadata to apply when a header is present or missing.

envoy/extensions/filters/network/client_ssl_auth/v3/client_ssl_auth.proto

@@ -30,11 +30,11 @@ message ClientSSLAuth {
   // of principals. The service must support the expected :ref:`REST API
   // <config_network_filters_client_ssl_auth_rest_api>`.
   string auth_api_cluster = 1
-      [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
+      [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
   // The prefix to use when emitting :ref:`statistics
   // <config_network_filters_client_ssl_auth_stats>`.
-  string stat_prefix = 2 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 2 [(validate.rules).string = {min_len: 1}];
 
   // Time in milliseconds between principal refreshes from the
   // authentication service. Default is 60000 (60s). The actual fetch time

envoy/extensions/filters/network/dubbo_proxy/v3/dubbo_proxy.proto

@@ -37,7 +37,7 @@ message DubboProxy {
       "envoy.config.filter.network.dubbo_proxy.v2alpha1.DubboProxy";
 
   // The human readable prefix to use when emitting statistics.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // Configure the protocol used.
   ProtocolType protocol_type = 2 [(validate.rules).enum = {defined_only: true}];
@@ -62,7 +62,7 @@ message DubboFilter {
 
   // The name of the filter to instantiate. The name must match a supported
   // filter.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being
   // instantiated. See the supported filters for further documentation.

envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto

@@ -37,7 +37,7 @@ message DubboProxy {
       "envoy.extensions.filters.network.dubbo_proxy.v3.DubboProxy";
 
   // The human readable prefix to use when emitting statistics.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // Configure the protocol used.
   ProtocolType protocol_type = 2 [(validate.rules).enum = {defined_only: true}];
@@ -62,7 +62,7 @@ message DubboFilter {
 
   // The name of the filter to instantiate. The name must match a supported
   // filter.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being
   // instantiated. See the supported filters for further documentation.

envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto

@@ -29,7 +29,7 @@ message ExtAuthz {
       "envoy.config.filter.network.ext_authz.v2.ExtAuthz";
 
   // The prefix to use when emitting statistics.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The external authorization gRPC service configuration.
   // The default timeout is set to 200ms by this filter.

envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -252,7 +252,7 @@ message HttpConnectionManager {
   // The human readable prefix to use when emitting statistics for the
   // connection manager. See the :ref:`statistics documentation <config_http_conn_man_stats>` for
   // more information.
-  string stat_prefix = 2 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 2 [(validate.rules).string = {min_len: 1}];
 
   oneof route_specifier {
     option (validate.required) = true;
@@ -718,14 +718,14 @@ message ScopedRoutes {
           // If an element contains no separator, the whole element is parsed as key and the
           // fragment value is an empty string.
           // If there are multiple values for a matched key, the first value is returned.
-          string separator = 1 [(validate.rules).string = {min_bytes: 1}];
+          string separator = 1 [(validate.rules).string = {min_len: 1}];
 
           // The key to match on.
-          string key = 2 [(validate.rules).string = {min_bytes: 1}];
+          string key = 2 [(validate.rules).string = {min_len: 1}];
         }
 
         // The name of the header field to extract the value from.
-        string name = 1 [(validate.rules).string = {min_bytes: 1}];
+        string name = 1 [(validate.rules).string = {min_len: 1}];
 
         // The element separator (e.g., ';' separates 'a;b;c;d').
         // Default: empty string. This causes the entirety of the header field to be extracted.
@@ -759,7 +759,7 @@ message ScopedRoutes {
   }
 
   // The name assigned to the scoped routing configuration.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The algorithm to use for constructing a scope key for each request.
   ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}];
@@ -809,7 +809,7 @@ message HttpFilter {
   // The name of the filter configuration. The name is used as a fallback to
   // select an extension if the type of the configuration proto is not
   // sufficient. It also serves as a resource name in ExtensionConfigDS.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof config_type {
     // Filter specific configuration which depends on the filter being instantiated. See the supported

envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto

@@ -251,7 +251,7 @@ message HttpConnectionManager {
   // The human readable prefix to use when emitting statistics for the
   // connection manager. See the :ref:`statistics documentation <config_http_conn_man_stats>` for
   // more information.
-  string stat_prefix = 2 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 2 [(validate.rules).string = {min_len: 1}];
 
   oneof route_specifier {
     option (validate.required) = true;
@@ -723,14 +723,14 @@ message ScopedRoutes {
           // If an element contains no separator, the whole element is parsed as key and the
           // fragment value is an empty string.
           // If there are multiple values for a matched key, the first value is returned.
-          string separator = 1 [(validate.rules).string = {min_bytes: 1}];
+          string separator = 1 [(validate.rules).string = {min_len: 1}];
 
           // The key to match on.
-          string key = 2 [(validate.rules).string = {min_bytes: 1}];
+          string key = 2 [(validate.rules).string = {min_len: 1}];
         }
 
         // The name of the header field to extract the value from.
-        string name = 1 [(validate.rules).string = {min_bytes: 1}];
+        string name = 1 [(validate.rules).string = {min_len: 1}];
 
         // The element separator (e.g., ';' separates 'a;b;c;d').
         // Default: empty string. This causes the entirety of the header field to be extracted.
@@ -764,7 +764,7 @@ message ScopedRoutes {
   }
 
   // The name assigned to the scoped routing configuration.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The algorithm to use for constructing a scope key for each request.
   ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}];
@@ -815,7 +815,7 @@ message HttpFilter {
   // The name of the filter configuration. The name is used as a fallback to
   // select an extension if the type of the configuration proto is not
   // sufficient. It also serves as a resource name in ExtensionConfigDS.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof config_type {
     // Filter specific configuration which depends on the filter being instantiated. See the supported

envoy/extensions/filters/network/kafka_broker/v3/kafka_broker.proto

@@ -20,5 +20,5 @@ message KafkaBroker {
       "envoy.config.filter.network.kafka_broker.v2alpha1.KafkaBroker";
 
   // The prefix to use when emitting :ref:`statistics <config_network_filters_kafka_broker_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 }

envoy/extensions/filters/network/local_ratelimit/v3/local_rate_limit.proto

@@ -24,7 +24,7 @@ message LocalRateLimit {
 
   // The prefix to use when emitting :ref:`statistics
   // <config_network_filters_local_rate_limit_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The token bucket configuration to use for rate limiting connections that are processed by the
   // filter's filter chain. Each incoming connection processed by the filter consumes a single

envoy/extensions/filters/network/mongo_proxy/v3/mongo_proxy.proto

@@ -23,7 +23,7 @@ message MongoProxy {
 
   // The human readable prefix to use when emitting :ref:`statistics
   // <config_network_filters_mongo_proxy_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The optional path to use for writing Mongo access logs. If not access log
   // path is specified no access logs will be written. Note that access log is

envoy/extensions/filters/network/mysql_proxy/v3/mysql_proxy.proto

@@ -21,7 +21,7 @@ message MySQLProxy {
 
   // The human readable prefix to use when emitting :ref:`statistics
   // <config_network_filters_mysql_proxy_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // [#not-implemented-hide:] The optional path to use for writing MySQL access logs.
   // If the access log field is empty, access logs will not be written.

envoy/extensions/filters/network/ratelimit/v3/rate_limit.proto

@@ -26,10 +26,10 @@ message RateLimit {
       "envoy.config.filter.network.rate_limit.v2.RateLimit";
 
   // The prefix to use when emitting :ref:`statistics <config_network_filters_rate_limit_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The rate limit domain to use in the rate limit service request.
-  string domain = 2 [(validate.rules).string = {min_bytes: 1}];
+  string domain = 2 [(validate.rules).string = {min_len: 1}];
 
   // The rate limit descriptor list to use in the rate limit service request.
   repeated common.ratelimit.v3.RateLimitDescriptor descriptors = 3

envoy/extensions/filters/network/rbac/v3/rbac.proto

@@ -46,7 +46,7 @@ message RBAC {
   config.rbac.v3.RBAC shadow_rules = 2;
 
   // The prefix to use when emitting statistics.
-  string stat_prefix = 3 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 3 [(validate.rules).string = {min_len: 1}];
 
   // RBAC enforcement strategy. By default RBAC will be enforced only once
   // when the first byte of data arrives from the downstream. When used in

envoy/extensions/filters/network/rbac/v4alpha/rbac.proto

@@ -46,7 +46,7 @@ message RBAC {
   config.rbac.v4alpha.RBAC shadow_rules = 2;
 
   // The prefix to use when emitting statistics.
-  string stat_prefix = 3 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 3 [(validate.rules).string = {min_len: 1}];
 
   // RBAC enforcement strategy. By default RBAC will be enforced only once
   // when the first byte of data arrives from the downstream. When used in

envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto

@@ -140,7 +140,7 @@ message RedisProxy {
 
         // Specifies the cluster that requests will be mirrored to. The cluster must
         // exist in the cluster manager configuration.
-        string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+        string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
         // If not specified or the runtime key is not present, all requests to the target cluster
         // will be mirrored.
@@ -162,7 +162,7 @@ message RedisProxy {
       bool remove_prefix = 2;
 
       // Upstream cluster to forward the command to.
-      string cluster = 3 [(validate.rules).string = {min_bytes: 1}];
+      string cluster = 3 [(validate.rules).string = {min_len: 1}];
 
       // Indicates that the route has a request mirroring policy.
       repeated RequestMirrorPolicy request_mirror_policy = 4;
@@ -213,7 +213,7 @@ message RedisProxy {
   reserved "cluster";
 
   // The prefix to use when emitting :ref:`statistics <config_network_filters_redis_proxy_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // Network settings for the connection pool to the upstream clusters.
   ConnPoolSettings settings = 3 [(validate.rules).message = {required: true}];

envoy/extensions/filters/network/rocketmq_proxy/v3/rocketmq_proxy.proto

@@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 message RocketmqProxy {
   // The human readable prefix to use when emitting statistics.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The route table for the connection manager is specified in this property.
   RouteConfiguration route_config = 2;

envoy/extensions/filters/network/rocketmq_proxy/v3/route.proto

@@ -48,7 +48,7 @@ message RouteMatch {
 
 message RouteAction {
   // Indicates the upstream cluster to which the request should be routed.
-  string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // Optional endpoint metadata match criteria used by the subset load balancer.
   config.core.v3.Metadata metadata_match = 2;

envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto

@@ -25,7 +25,7 @@ message RocketmqProxy {
       "envoy.extensions.filters.network.rocketmq_proxy.v3.RocketmqProxy";
 
   // The human readable prefix to use when emitting statistics.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The route table for the connection manager is specified in this property.
   RouteConfiguration route_config = 2;

envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto

@@ -60,7 +60,7 @@ message RouteAction {
       "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteAction";
 
   // Indicates the upstream cluster to which the request should be routed.
-  string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // Optional endpoint metadata match criteria used by the subset load balancer.
   config.core.v4alpha.Metadata metadata_match = 2;

envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto

@@ -39,7 +39,7 @@ message TcpProxy {
           "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.WeightedCluster.ClusterWeight";
 
       // Name of the upstream cluster.
-      string name = 1 [(validate.rules).string = {min_bytes: 1}];
+      string name = 1 [(validate.rules).string = {min_len: 1}];
 
       // When a request matches the route, the choice of an upstream cluster is
       // determined by its weight. The sum of weights across all entries in the
@@ -67,7 +67,7 @@ message TcpProxy {
         "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.TunnelingConfig";
 
     // The hostname to send in the synthesized CONNECT headers to the upstream proxy.
-    string hostname = 1 [(validate.rules).string = {min_bytes: 1}];
+    string hostname = 1 [(validate.rules).string = {min_len: 1}];
   }
 
   reserved 6;
@@ -76,7 +76,7 @@ message TcpProxy {
 
   // The prefix to use when emitting :ref:`statistics
   // <config_network_filters_tcp_proxy_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof cluster_specifier {
     option (validate.required) = true;

envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto

@@ -39,7 +39,7 @@ message TcpProxy {
           "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight";
 
       // Name of the upstream cluster.
-      string name = 1 [(validate.rules).string = {min_bytes: 1}];
+      string name = 1 [(validate.rules).string = {min_len: 1}];
 
       // When a request matches the route, the choice of an upstream cluster is
       // determined by its weight. The sum of weights across all entries in the
@@ -67,7 +67,7 @@ message TcpProxy {
         "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig";
 
     // The hostname to send in the synthesized CONNECT headers to the upstream proxy.
-    string hostname = 1 [(validate.rules).string = {min_bytes: 1}];
+    string hostname = 1 [(validate.rules).string = {min_len: 1}];
   }
 
   reserved 6;
@@ -76,7 +76,7 @@ message TcpProxy {
 
   // The prefix to use when emitting :ref:`statistics
   // <config_network_filters_tcp_proxy_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof cluster_specifier {
     option (validate.required) = true;

envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3/rate_limit.proto

@@ -25,7 +25,7 @@ message RateLimit {
       "envoy.config.filter.thrift.rate_limit.v2alpha1.RateLimit";
 
   // The rate limit domain to use in the rate limit service request.
-  string domain = 1 [(validate.rules).string = {min_bytes: 1}];
+  string domain = 1 [(validate.rules).string = {min_len: 1}];
 
   // Specifies the rate limit configuration stage. Each configured rate limit filter performs a
   // rate limit check using descriptors configured in the

envoy/extensions/filters/network/thrift_proxy/v3/route.proto

@@ -91,7 +91,7 @@ message RouteAction {
 
     // Indicates a single upstream cluster to which the request should be routed
     // to.
-    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
     // Multiple upstream clusters can be specified for a given route. The
     // request is routed to one of the upstream clusters based on weights
@@ -103,9 +103,8 @@ message RouteAction {
     // header is not found or the referenced cluster does not exist Envoy will
     // respond with an unknown method exception or an internal error exception,
     // respectively.
-    string cluster_header = 6 [
+    string cluster_header = 6
-      (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
-    ];
   }
 
   // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in
@@ -138,7 +137,7 @@ message WeightedCluster {
         "envoy.config.filter.network.thrift_proxy.v2alpha1.WeightedCluster.ClusterWeight";
 
     // Name of the upstream cluster.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // When a request matches the route, the choice of an upstream cluster is determined by its
     // weight. The sum of weights across all entries in the clusters array determines the total

envoy/extensions/filters/network/thrift_proxy/v3/thrift_proxy.proto

@@ -72,7 +72,7 @@ message ThriftProxy {
   ProtocolType protocol = 3 [(validate.rules).enum = {defined_only: true}];
 
   // The human readable prefix to use when emitting statistics.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The route table for the connection manager is static and is specified in this property.
   RouteConfiguration route_config = 4;
@@ -99,7 +99,7 @@ message ThriftFilter {
   // [#comment:TODO(zuercher): Auto generate the following list]
   // * :ref:`envoy.filters.thrift.router <config_thrift_filters_router>`
   // * :ref:`envoy.filters.thrift.rate_limit <config_thrift_filters_rate_limit>`
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being instantiated. See the supported
   // filters for further documentation.

envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto

@@ -91,7 +91,7 @@ message RouteAction {
 
     // Indicates a single upstream cluster to which the request should be routed
     // to.
-    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 1 [(validate.rules).string = {min_len: 1}];
 
     // Multiple upstream clusters can be specified for a given route. The
     // request is routed to one of the upstream clusters based on weights
@@ -103,9 +103,8 @@ message RouteAction {
     // header is not found or the referenced cluster does not exist Envoy will
     // respond with an unknown method exception or an internal error exception,
     // respectively.
-    string cluster_header = 6 [
+    string cluster_header = 6
-      (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
-    ];
   }
 
   // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in
@@ -138,7 +137,7 @@ message WeightedCluster {
         "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster.ClusterWeight";
 
     // Name of the upstream cluster.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // When a request matches the route, the choice of an upstream cluster is determined by its
     // weight. The sum of weights across all entries in the clusters array determines the total

envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto

@@ -72,7 +72,7 @@ message ThriftProxy {
   ProtocolType protocol = 3 [(validate.rules).enum = {defined_only: true}];
 
   // The human readable prefix to use when emitting statistics.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The route table for the connection manager is static and is specified in this property.
   RouteConfiguration route_config = 4;
@@ -99,7 +99,7 @@ message ThriftFilter {
   // [#comment:TODO(zuercher): Auto generate the following list]
   // * :ref:`envoy.filters.thrift.router <config_thrift_filters_router>`
   // * :ref:`envoy.filters.thrift.rate_limit <config_thrift_filters_rate_limit>`
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being instantiated. See the supported
   // filters for further documentation.

envoy/extensions/filters/network/zookeeper_proxy/v3/zookeeper_proxy.proto

@@ -23,7 +23,7 @@ message ZooKeeperProxy {
 
   // The human readable prefix to use when emitting :ref:`statistics
   // <config_network_filters_zookeeper_proxy_stats>`.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // [#not-implemented-hide:] The optional path to use for writing ZooKeeper access logs.
   // If the access log field is empty, access logs will not be written.

envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto

@@ -35,13 +35,13 @@ message UdpProxyConfig {
   }
 
   // The stat prefix used when emitting UDP proxy filter stats.
-  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof route_specifier {
     option (validate.required) = true;
 
     // The upstream cluster to connect to.
-    string cluster = 2 [(validate.rules).string = {min_bytes: 1}];
+    string cluster = 2 [(validate.rules).string = {min_len: 1}];
   }
 
   // The idle timeout for sessions. Idle is defined as no datagrams between received or sent by

envoy/extensions/tracers/datadog/v4alpha/datadog.proto

@@ -20,8 +20,8 @@ message DatadogConfig {
       "envoy.config.trace.v3.DatadogConfig";
 
   // The cluster to use for submitting traces to the Datadog agent.
-  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // The name used for the service when traces are generated by envoy.
-  string service_name = 2 [(validate.rules).string = {min_bytes: 1}];
+  string service_name = 2 [(validate.rules).string = {min_len: 1}];
 }

envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto

@@ -25,7 +25,7 @@ message DynamicOtConfig {
 
   // Dynamic library implementing the `OpenTracing API
   // <https://github.com/opentracing/opentracing-cpp>`_.
-  string library = 1 [(validate.rules).string = {min_bytes: 1}];
+  string library = 1 [(validate.rules).string = {min_len: 1}];
 
   // The configuration to use when creating a tracer from the given dynamic
   // library.

envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto

@@ -35,11 +35,11 @@ message LightstepConfig {
   }
 
   // The cluster manager cluster that hosts the LightStep collectors.
-  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // File containing the access token to the `LightStep
   // <https://lightstep.com/>`_ API.
-  string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}];
+  string access_token_file = 2 [(validate.rules).string = {min_len: 1}];
 
   // Propagation modes to use by LightStep's tracer.
   repeated PropagationMode propagation_modes = 3

envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto

@@ -47,12 +47,12 @@ message ZipkinConfig {
   // The cluster manager cluster that hosts the Zipkin collectors. Note that the
   // Zipkin cluster must be defined in the :ref:`Bootstrap static cluster
   // resources <envoy_api_field_config.bootstrap.v4alpha.Bootstrap.StaticResources.clusters>`.
-  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+  string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // The API endpoint of the Zipkin service where the spans will be sent. When
   // using a standard Zipkin installation, the API endpoint is typically
   // /api/v1/spans, which is the default value.
-  string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+  string collector_endpoint = 2 [(validate.rules).string = {min_len: 1}];
 
   // Determines whether a 128bit trace id will be used when creating a new
   // trace instance. The default value is false, which will result in a 64 bit trace id being used.

envoy/extensions/transport_sockets/alts/v3/alts.proto

@@ -22,7 +22,7 @@ message Alts {
 
   // The location of a handshaker service, this is usually 169.254.169.254:8080
   // on GCE.
-  string handshaker_service = 1 [(validate.rules).string = {min_bytes: 1}];
+  string handshaker_service = 1 [(validate.rules).string = {min_len: 1}];
 
   // The acceptable service accounts from peer, peers not in the list will be rejected in the
   // handshake validation step. If empty, no validation will be performed.

envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -120,7 +120,7 @@ message PrivateKeyProvider {
 
   // Private key method provider name. The name must match a
   // supported private key method provider type.
-  string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string provider_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Private key method provider specific configuration.
   oneof config_type {
@@ -266,7 +266,7 @@ message CertificateValidationContext {
   //   because SPKI is tied to a private key, so it doesn't change when the certificate
   //   is renewed using the same private key.
   repeated string verify_certificate_spki = 3
-      [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
+      [(validate.rules).repeated = {items {string {min_len: 44 max_bytes: 44}}}];
 
   // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
   // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
@@ -295,7 +295,7 @@ message CertificateValidationContext {
   // <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
   // a hash matching value from either of the lists will result in the certificate being accepted.
   repeated string verify_certificate_hash = 2
-      [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
+      [(validate.rules).repeated = {items {string {min_len: 64 max_bytes: 95}}}];
 
   // An optional list of Subject Alternative name matchers. Envoy will verify that the
   // Subject Alternative Name of the presented certificate matches one of the specified matches.

envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -135,7 +135,7 @@ message CommonTlsContext {
   message CertificateProvider {
     // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
     // a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // Provider specific config.
     // Note: an implementation is expected to dedup multiple instances of the same config

envoy/extensions/transport_sockets/tls/v4alpha/common.proto

@@ -121,7 +121,7 @@ message PrivateKeyProvider {
 
   // Private key method provider name. The name must match a
   // supported private key method provider type.
-  string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
+  string provider_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Private key method provider specific configuration.
   oneof config_type {
@@ -268,7 +268,7 @@ message CertificateValidationContext {
   //   because SPKI is tied to a private key, so it doesn't change when the certificate
   //   is renewed using the same private key.
   repeated string verify_certificate_spki = 3
-      [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
+      [(validate.rules).repeated = {items {string {min_len: 44 max_bytes: 44}}}];
 
   // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
   // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
@@ -297,7 +297,7 @@ message CertificateValidationContext {
   // <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
   // a hash matching value from either of the lists will result in the certificate being accepted.
   repeated string verify_certificate_hash = 2
-      [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
+      [(validate.rules).repeated = {items {string {min_len: 64 max_bytes: 95}}}];
 
   // An optional list of Subject Alternative name matchers. Envoy will verify that the
   // Subject Alternative Name of the presented certificate matches one of the specified matches.

envoy/extensions/transport_sockets/tls/v4alpha/tls.proto

@@ -138,7 +138,7 @@ message CommonTlsContext {
 
     // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
     // a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // Provider specific config.
     // Note: an implementation is expected to dedup multiple instances of the same config

envoy/extensions/wasm/v3/wasm.proto

@@ -29,7 +29,7 @@ message VmConfig {
   string vm_id = 1;
 
   // The Wasm runtime type (either "v8" or "null" for code compiled into Envoy).
-  string runtime = 2 [(validate.rules).string = {min_bytes: 1}];
+  string runtime = 2 [(validate.rules).string = {min_len: 1}];
 
   // The Wasm code that Envoy will execute.
   config.core.v3.AsyncDataSource code = 3;