Skip to content

reverse_tunnel: add access logging support for initiator bootstrap extension #44326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
roll-no-21 wants to merge 2 commits into
base: main
Choose a base branch
from

fix: address CI format checks and coverage threshold for access loggi…

b7946c8
Select commit
Loading
Failed to load commit list.
Open

reverse_tunnel: add access logging support for initiator bootstrap extension #44326

fix: address CI format checks and coverage threshold for access loggi…
b7946c8
Select commit
Loading
Failed to load commit list.
CI (Envoy) / Mobile/Perf skipped Apr 9, 2026 in 0s

Check was skipped

This check was not triggered in this CI run

Details

Request (pr/44326/main@b7946c8)

roll-no-21 @roll-no-21 b7946c8 #44326 merge main@d4fd8e3

reverse_tunnel: add access logging support for initiator bootstrap extension

Commit Message: add access logging support for the reverse tunnel initiator bootstrap extension

Additional Description:

Problem:

The reverse tunnel initiator (downstream side) has no access logging support. Operators have no
structured visibility into when reverse tunnel connections are established, when handshakes fail,
or when connections are closed. The only observability available is stats counters and debug-level
ENVOY_LOG traces, which are not suitable for production monitoring or auditing.

Solution:

Add a configurable access_log field to the DownstreamReverseConnectionSocketInterface bootstrap
extension proto. Access loggers are instantiated from config in ReverseTunnelInitiatorExtension and
invoked at three lifecycle points in ReverseConnectionIOHandle:

  • handshake_success — reverse tunnel handshake completed successfully
  • handshake_failure — reverse tunnel handshake failed (with error details)
  • connection_closed — an established reverse tunnel connection was torn down

Each log entry carries reverse tunnel metadata as dynamic metadata under the
envoy.reverse_tunnel.initiator namespace, accessible via standard %DYNAMIC_METADATA(...)%
format strings:

Field Description
event Lifecycle event: handshake_success, handshake_failure, connection_closed
node_id The src_node_id of this initiator Envoy instance
cluster_id The src_cluster_id of this initiator Envoy instance
tenant_id The src_tenant_id of this initiator Envoy instance
upstream_cluster Name of the upstream cluster this tunnel connects to
host_address Resolved address of the specific upstream host
connection_key Unique identifier for this connection (correlates handshake and close events)
error Failure reason (only present on handshake_failure events)

Any access log type supported by Envoy (file, stdout, gRPC, etc.) can be used. The implementation
follows the same pattern as TCP proxy access logging — creating an ephemeral StreamInfoImpl per
log entry and populating dynamic metadata before calling each configured logger.

Risk Level: Low
Testing: Existing unit tests pass. Access log creation and lifecycle callsites are additive.
Docs Changes: Added access logging section to docs/root/configuration/other_features/reverse_tunnel.rst
Release Notes: N/A
Platform Specific Features: N/A

Environment

Request variables

Key Value
ref 22602ff
sha b7946c8
pr 44326
base-sha d4fd8e3
actor roll-no-21 @roll-no-21
message reverse_tunnel: add access logging support for initiator bootstrap extension...
started 1775753375.989046
target-branch main
trusted false
Build image

Container image/s (as used in this CI run)

Key Value
default docker.io/envoyproxy/envoy-build:86873047235e9b8232df989a5999b9bebf9db69c
mobile docker.io/envoyproxy/envoy-build:mobile-86873047235e9b8232df989a5999b9bebf9db69c
Version

Envoy version (as used in this CI run)

Key Value
major 1
minor 38
patch 0
dev true
View more details on CI (Envoy)