reverse_tunnel: add access logging support for initiator bootstrap extension by roll-no-21 · Pull Request #44326 · envoyproxy/envoy

roll-no-21 · 2026-04-08T10:24:57Z

Commit Message: add access logging support for the reverse tunnel initiator bootstrap extension

Additional Description:

Problem:

The reverse tunnel initiator (downstream side) has no access logging support. Operators have no
structured visibility into when reverse tunnel connections are established, when handshakes fail,
or when connections are closed. The only observability available is stats counters and debug-level
ENVOY_LOG traces, which are not suitable for production monitoring or auditing.

Solution:

Add a configurable access_log field to the DownstreamReverseConnectionSocketInterface bootstrap
extension proto. Access loggers are instantiated from config in ReverseTunnelInitiatorExtension and
invoked at three lifecycle points in ReverseConnectionIOHandle:

handshake_success — reverse tunnel handshake completed successfully
handshake_failure — reverse tunnel handshake failed (with error details)
connection_closed — an established reverse tunnel connection was torn down

Each log entry carries reverse tunnel metadata as dynamic metadata under the
envoy.reverse_tunnel.initiator namespace, accessible via standard %DYNAMIC_METADATA(...)%
format strings:

Field	Description
`event`	Lifecycle event: `handshake_success`, `handshake_failure`, `connection_closed`
`node_id`	The `src_node_id` of this initiator Envoy instance
`cluster_id`	The `src_cluster_id` of this initiator Envoy instance
`tenant_id`	The `src_tenant_id` of this initiator Envoy instance
`upstream_cluster`	Name of the upstream cluster this tunnel connects to
`host_address`	Resolved address of the specific upstream host
`connection_key`	Unique identifier for this connection (correlates handshake and close events)
`error`	Failure reason (only present on `handshake_failure` events)

Any access log type supported by Envoy (file, stdout, gRPC, etc.) can be used. The implementation
follows the same pattern as TCP proxy access logging — creating an ephemeral StreamInfoImpl per
log entry and populating dynamic metadata before calling each configured logger.

Risk Level: Low
Testing: Existing unit tests pass. Access log creation and lifecycle callsites are additive.
Docs Changes: Added access logging section to docs/root/configuration/other_features/reverse_tunnel.rst
Release Notes: N/A
Platform Specific Features: N/A

repokitteh-read-only · 2026-04-08T10:25:07Z

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #44326 was opened by roll-no-21.

see: more, trace.

repokitteh-read-only · 2026-04-09T13:58:48Z

CC @envoyproxy/coverage-shephards: FYI only for changes made to (test/coverage.yaml).
envoyproxy/coverage-shephards assignee is @RyanTheOptimist
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @RyanTheOptimist

🐱

Caused by: #44326 was synchronize by roll-no-21.

see: more, trace.

…tension Add configurable access logging to the reverse tunnel initiator (downstream) bootstrap extension. Logs are emitted at three lifecycle points: handshake success, handshake failure, and connection close. Each log entry carries reverse tunnel metadata (node_id, cluster_id, tenant_id, upstream cluster, host address) as dynamic metadata under the envoy.reverse_tunnel.initiator namespace, accessible via standard %DYNAMIC_METADATA(...)% format strings. Signed-off-by: Krishna Sharma <krishna@krishna.com> Co-authored-by: Isaac Signed-off-by: Krishna Sharma <krishnagpl2001@gmail.com>

…ng PR - Remove [#next-free-field: 5] annotation from proto (not required for < 7 fields) - Fix include ordering in reverse_connection_io_handle.cc (stream_info_impl.h) - Fix clang-format alignment in emitAccessLog parameters and log_context - Fix clang-format line wrapping for GenericFactoryContextImpl constructor - Lower coverage threshold from 96.3% to 94.8% for new access logging code Co-authored-by: Isaac Signed-off-by: Krishna Sharma <krishnagpl2001@gmail.com>

basundhara-c · 2026-04-09T21:48:02Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces access logging for reverse tunnel lifecycle events in the initiator bootstrap extension. It adds an 'access_log' configuration field to the DownstreamReverseConnectionSocketInterface, updates the extension to handle these logs, and provides comprehensive documentation. I have reviewed the changes and suggest ensuring a consistent metadata schema by always including the 'error' field in the access log metadata, even when empty.

gemini-code-assist · 2026-04-09T21:52:45Z

...s/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc

+  if (!error_message.empty()) {
+    fields["error"].set_string_value(error_message);
+  }


The error field is conditionally added to the metadata. To ensure consistent schema for log consumers, it is better to always include the field, setting it to an empty string if no error is present.

fields["error"].set_string_value(error_message.empty() ? "" : error_message);

roll-no-21 requested review from agrawroh, botengyao and yanavlasov as code owners April 8, 2026 10:24

repokitteh-read-only bot added the api label Apr 8, 2026

repokitteh-read-only bot assigned markdroth Apr 8, 2026

repokitteh-read-only bot added the deps Approval required for changes to Envoy's external dependencies label Apr 9, 2026

repokitteh-read-only bot assigned RyanTheOptimist Apr 9, 2026

roll-no-21 force-pushed the feature/reverse-tunnel-initiator-access-logging branch from 982542f to 748b966 Compare April 9, 2026 13:59

roll-no-21 force-pushed the feature/reverse-tunnel-initiator-access-logging branch 3 times, most recently from c34d202 to a1002ab Compare April 9, 2026 16:12

roll-no-21 force-pushed the feature/reverse-tunnel-initiator-access-logging branch from a1002ab to b7946c8 Compare April 9, 2026 16:49

gemini-code-assist bot reviewed Apr 9, 2026

View reviewed changes

basundhara-c approved these changes Apr 9, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

reverse_tunnel: add access logging support for initiator bootstrap extension#44326

reverse_tunnel: add access logging support for initiator bootstrap extension#44326
roll-no-21 wants to merge 2 commits intoenvoyproxy:mainfrom
roll-no-21:feature/reverse-tunnel-initiator-access-logging

roll-no-21 commented Apr 8, 2026

Uh oh!

repokitteh-read-only bot commented Apr 8, 2026

Uh oh!

repokitteh-read-only bot commented Apr 9, 2026

Uh oh!

basundhara-c commented Apr 9, 2026

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

gemini-code-assist bot Apr 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

roll-no-21 commented Apr 8, 2026

Uh oh!

repokitteh-read-only bot commented Apr 8, 2026

Uh oh!

repokitteh-read-only bot commented Apr 9, 2026

Uh oh!

basundhara-c commented Apr 9, 2026

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

gemini-code-assist bot Apr 9, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants