diff --git a/envoy/COMMIT b/envoy/COMMIT
index 8ec0abf3e3..e7b5d20aa0 100644
--- a/envoy/COMMIT
+++ b/envoy/COMMIT
@@ -1 +1 @@
-da6cea482a5914fe8283a77b631ba58aa195676b
+8d2df82f081bc9e33f6022a41893c37b3c0928d3
diff --git a/envoy/extensions/filters/http/basic_auth/v3/basic_auth.pb.go b/envoy/extensions/filters/http/basic_auth/v3/basic_auth.pb.go
index a01e212e30..1d08e71ef2 100755
--- a/envoy/extensions/filters/http/basic_auth/v3/basic_auth.pb.go
+++ b/envoy/extensions/filters/http/basic_auth/v3/basic_auth.pb.go
@@ -95,6 +95,56 @@ func (x *BasicAuth) GetForwardUsernameHeader() string {
 	return ""
 }
 
+// Extra settings that may be added to per-route configuration for
+// a virtual host or a cluster.
+type BasicAuthPerRoute struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Username-password pairs for this route.
+	Users *v3.DataSource `protobuf:"bytes,1,opt,name=users,proto3" json:"users,omitempty"`
+}
+
+func (x *BasicAuthPerRoute) Reset() {
+	*x = BasicAuthPerRoute{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *BasicAuthPerRoute) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*BasicAuthPerRoute) ProtoMessage() {}
+
+func (x *BasicAuthPerRoute) ProtoReflect() protoreflect.Message {
+	mi := &file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use BasicAuthPerRoute.ProtoReflect.Descriptor instead.
+func (*BasicAuthPerRoute) Descriptor() ([]byte, []int) {
+	return file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *BasicAuthPerRoute) GetUsers() *v3.DataSource {
+	if x != nil {
+		return x.Users
+	}
+	return nil
+}
+
 var File_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto protoreflect.FileDescriptor
 
 var file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_rawDesc = []byte{
@@ -121,19 +171,25 @@ var file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_rawDesc =
 	0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18,
 	0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0b, 0xfa, 0x42, 0x08, 0x72, 0x06, 0xc8, 0x01, 0x00, 0xc0,
 	0x01, 0x01, 0x52, 0x15, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x55, 0x73, 0x65, 0x72, 0x6e,
-	0x61, 0x6d, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x42, 0xb6, 0x01, 0xba, 0x80, 0xc8, 0xd1,
-	0x06, 0x02, 0x10, 0x02, 0x0a, 0x39, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72,
-	0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x68, 0x74, 0x74,
-	0x70, 0x2e, 0x62, 0x61, 0x73, 0x69, 0x63, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x33, 0x42,
-	0x0e, 0x42, 0x61, 0x73, 0x69, 0x63, 0x41, 0x75, 0x74, 0x68, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
-	0x01, 0x5a, 0x5f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e,
-	0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74,
-	0x72, 0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f,
-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x73, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x62, 0x61, 0x73, 0x69, 0x63, 0x5f, 0x61, 0x75,
-	0x74, 0x68, 0x2f, 0x76, 0x33, 0x3b, 0x62, 0x61, 0x73, 0x69, 0x63, 0x5f, 0x61, 0x75, 0x74, 0x68,
-	0x76, 0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x61, 0x6d, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, 0x5b, 0x0a, 0x11, 0x42, 0x61, 0x73,
+	0x69, 0x63, 0x41, 0x75, 0x74, 0x68, 0x50, 0x65, 0x72, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x46,
+	0x0a, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e,
+	0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72,
+	0x65, 0x2e, 0x76, 0x33, 0x2e, 0x44, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42,
+	0x0e, 0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01, 0xb8, 0xb7, 0x8b, 0xa4, 0x02, 0x01, 0x52,
+	0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x42, 0xb6, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06, 0x02, 0x10,
+	0x02, 0x0a, 0x39, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79,
+	0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
+	0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x62,
+	0x61, 0x73, 0x69, 0x63, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x33, 0x42, 0x0e, 0x42, 0x61,
+	0x73, 0x69, 0x63, 0x41, 0x75, 0x74, 0x68, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x5f,
+	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79,
+	0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c,
+	0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74,
+	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2f,
+	0x68, 0x74, 0x74, 0x70, 0x2f, 0x62, 0x61, 0x73, 0x69, 0x63, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2f,
+	0x76, 0x33, 0x3b, 0x62, 0x61, 0x73, 0x69, 0x63, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x76, 0x33, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -148,18 +204,20 @@ func file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_rawDescGZ
 	return file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_rawDescData
 }
 
-var file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
 var file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_goTypes = []interface{}{
-	(*BasicAuth)(nil),     // 0: envoy.extensions.filters.http.basic_auth.v3.BasicAuth
-	(*v3.DataSource)(nil), // 1: envoy.config.core.v3.DataSource
+	(*BasicAuth)(nil),         // 0: envoy.extensions.filters.http.basic_auth.v3.BasicAuth
+	(*BasicAuthPerRoute)(nil), // 1: envoy.extensions.filters.http.basic_auth.v3.BasicAuthPerRoute
+	(*v3.DataSource)(nil),     // 2: envoy.config.core.v3.DataSource
 }
 var file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_depIdxs = []int32{
-	1, // 0: envoy.extensions.filters.http.basic_auth.v3.BasicAuth.users:type_name -> envoy.config.core.v3.DataSource
-	1, // [1:1] is the sub-list for method output_type
-	1, // [1:1] is the sub-list for method input_type
-	1, // [1:1] is the sub-list for extension type_name
-	1, // [1:1] is the sub-list for extension extendee
-	0, // [0:1] is the sub-list for field type_name
+	2, // 0: envoy.extensions.filters.http.basic_auth.v3.BasicAuth.users:type_name -> envoy.config.core.v3.DataSource
+	2, // 1: envoy.extensions.filters.http.basic_auth.v3.BasicAuthPerRoute.users:type_name -> envoy.config.core.v3.DataSource
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
 }
 
 func init() { file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_init() }
@@ -180,6 +238,18 @@ func file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_init() {
 				return nil
 			}
 		}
+		file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*BasicAuthPerRoute); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -187,7 +257,7 @@ func file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_envoy_extensions_filters_http_basic_auth_v3_basic_auth_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   1,
+			NumMessages:   2,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/envoy/extensions/filters/http/basic_auth/v3/basic_auth.pb.validate.go b/envoy/extensions/filters/http/basic_auth/v3/basic_auth.pb.validate.go
index 481c54f7b9..8ca99b1c64 100755
--- a/envoy/extensions/filters/http/basic_auth/v3/basic_auth.pb.validate.go
+++ b/envoy/extensions/filters/http/basic_auth/v3/basic_auth.pb.validate.go
@@ -176,3 +176,145 @@ var _ interface {
 } = BasicAuthValidationError{}
 
 var _BasicAuth_ForwardUsernameHeader_Pattern = regexp.MustCompile("^[^\x00\n\r]*$")
+
+// Validate checks the field values on BasicAuthPerRoute with the rules defined
+// in the proto definition for this message. If any rules are violated, the
+// first error encountered is returned, or nil if there are no violations.
+func (m *BasicAuthPerRoute) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on BasicAuthPerRoute with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the result is a list of violation errors wrapped in
+// BasicAuthPerRouteMultiError, or nil if none found.
+func (m *BasicAuthPerRoute) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *BasicAuthPerRoute) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	if m.GetUsers() == nil {
+		err := BasicAuthPerRouteValidationError{
+			field:  "Users",
+			reason: "value is required",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
+
+	if all {
+		switch v := interface{}(m.GetUsers()).(type) {
+		case interface{ ValidateAll() error }:
+			if err := v.ValidateAll(); err != nil {
+				errors = append(errors, BasicAuthPerRouteValidationError{
+					field:  "Users",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		case interface{ Validate() error }:
+			if err := v.Validate(); err != nil {
+				errors = append(errors, BasicAuthPerRouteValidationError{
+					field:  "Users",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		}
+	} else if v, ok := interface{}(m.GetUsers()).(interface{ Validate() error }); ok {
+		if err := v.Validate(); err != nil {
+			return BasicAuthPerRouteValidationError{
+				field:  "Users",
+				reason: "embedded message failed validation",
+				cause:  err,
+			}
+		}
+	}
+
+	if len(errors) > 0 {
+		return BasicAuthPerRouteMultiError(errors)
+	}
+
+	return nil
+}
+
+// BasicAuthPerRouteMultiError is an error wrapping multiple validation errors
+// returned by BasicAuthPerRoute.ValidateAll() if the designated constraints
+// aren't met.
+type BasicAuthPerRouteMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m BasicAuthPerRouteMultiError) Error() string {
+	var msgs []string
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m BasicAuthPerRouteMultiError) AllErrors() []error { return m }
+
+// BasicAuthPerRouteValidationError is the validation error returned by
+// BasicAuthPerRoute.Validate if the designated constraints aren't met.
+type BasicAuthPerRouteValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e BasicAuthPerRouteValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e BasicAuthPerRouteValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e BasicAuthPerRouteValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e BasicAuthPerRouteValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e BasicAuthPerRouteValidationError) ErrorName() string {
+	return "BasicAuthPerRouteValidationError"
+}
+
+// Error satisfies the builtin error interface
+func (e BasicAuthPerRouteValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sBasicAuthPerRoute.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = BasicAuthPerRouteValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = BasicAuthPerRouteValidationError{}
diff --git a/envoy/extensions/filters/http/basic_auth/v3/basic_auth_vtproto.pb.go b/envoy/extensions/filters/http/basic_auth/v3/basic_auth_vtproto.pb.go
index c96db85e89..69f676a601 100755
--- a/envoy/extensions/filters/http/basic_auth/v3/basic_auth_vtproto.pb.go
+++ b/envoy/extensions/filters/http/basic_auth/v3/basic_auth_vtproto.pb.go
@@ -81,6 +81,61 @@ func (m *BasicAuth) MarshalToSizedBufferVTStrict(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *BasicAuthPerRoute) MarshalVTStrict() (dAtA []byte, err error) {
+	if m == nil {
+		return nil, nil
+	}
+	size := m.SizeVT()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBufferVTStrict(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BasicAuthPerRoute) MarshalToVTStrict(dAtA []byte) (int, error) {
+	size := m.SizeVT()
+	return m.MarshalToSizedBufferVTStrict(dAtA[:size])
+}
+
+func (m *BasicAuthPerRoute) MarshalToSizedBufferVTStrict(dAtA []byte) (int, error) {
+	if m == nil {
+		return 0, nil
+	}
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.unknownFields != nil {
+		i -= len(m.unknownFields)
+		copy(dAtA[i:], m.unknownFields)
+	}
+	if m.Users != nil {
+		if vtmsg, ok := interface{}(m.Users).(interface {
+			MarshalToSizedBufferVTStrict([]byte) (int, error)
+		}); ok {
+			size, err := vtmsg.MarshalToSizedBufferVTStrict(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = protohelpers.EncodeVarint(dAtA, i, uint64(size))
+		} else {
+			encoded, err := proto.Marshal(m.Users)
+			if err != nil {
+				return 0, err
+			}
+			i -= len(encoded)
+			copy(dAtA[i:], encoded)
+			i = protohelpers.EncodeVarint(dAtA, i, uint64(len(encoded)))
+		}
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func (m *BasicAuth) SizeVT() (n int) {
 	if m == nil {
 		return 0
@@ -104,3 +159,23 @@ func (m *BasicAuth) SizeVT() (n int) {
 	n += len(m.unknownFields)
 	return n
 }
+
+func (m *BasicAuthPerRoute) SizeVT() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.Users != nil {
+		if size, ok := interface{}(m.Users).(interface {
+			SizeVT() int
+		}); ok {
+			l = size.SizeVT()
+		} else {
+			l = proto.Size(m.Users)
+		}
+		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
+	n += len(m.unknownFields)
+	return n
+}