reverse_tunnel: add access logging support for initiator bootstrap extension

[roll-no-21]

Commit Message: add access logging support for the reverse tunnel initiator bootstrap extension

Additional Description:

Problem:

The reverse tunnel initiator (downstream side) has no access logging support. Operators have no
structured visibility into when reverse tunnel connections are established, when handshakes fail,
or when connections are closed. The only observability available is stats counters and debug-level
ENVOY_LOG traces, which are not suitable for production monitoring or auditing.

Solution:

Add a configurable access_log field to the DownstreamReverseConnectionSocketInterface bootstrap
extension proto. Access loggers are instantiated from config in ReverseTunnelInitiatorExtension and
invoked at three lifecycle points in ReverseConnectionIOHandle:

• handshake_success — reverse tunnel handshake completed successfully
• handshake_failure — reverse tunnel handshake failed (with error details)
• connection_closed — an established reverse tunnel connection was torn down

Each log entry carries reverse tunnel metadata as dynamic metadata under the
envoy.reverse_tunnel.initiator namespace, accessible via standard %DYNAMIC_METADATA(...)%
format strings:

Field	Description
event	Lifecycle event: handshake_success, handshake_failure, connection_closed
node_id	The src_node_id of this initiator Envoy instance
cluster_id	The src_cluster_id of this initiator Envoy instance
tenant_id	The src_tenant_id of this initiator Envoy instance
upstream_cluster	Name of the upstream cluster this tunnel connects to
host_address	Resolved address of the specific upstream host
connection_key	Unique identifier for this connection (correlates handshake and close events)
error	Failure reason (only present on handshake_failure events)

Any access log type supported by Envoy (file, stdout, gRPC, etc.) can be used. The implementation
follows the same pattern as TCP proxy access logging — creating an ephemeral StreamInfoImpl per
log entry and populating dynamic metadata before calling each configured logger.

Risk Level: Low
Testing: Existing unit tests pass. Access log creation and lifecycle callsites are additive.
Docs Changes: Added access logging section to docs/root/configuration/other_features/reverse_tunnel.rst
Release Notes: N/A
Platform Specific Features: N/A

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #44326 was opened by roll-no-21.

see: more, trace.