reverse_tunnel: add access logging support for initiator bootstrap extension #44326
Open
roll-no-21 wants to merge 2 commits into envoyproxy:main from
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
CC @envoyproxy/coverage-shephards: FYI only for changes made to
982542f to 748b966
…tension
Add configurable access logging to the reverse tunnel initiator (downstream) bootstrap extension. Logs are emitted at three lifecycle points: handshake success, handshake failure, and connection close. Each log entry carries reverse tunnel metadata (node_id, cluster_id, tenant_id, upstream cluster, host address) as dynamic metadata under the envoy.reverse_tunnel.initiator namespace, accessible via standard %DYNAMIC_METADATA(...)% format strings.
Signed-off-by: Krishna Sharma <krishna@krishna.com>
Co-authored-by: Isaac
Signed-off-by: Krishna Sharma <krishnagpl2001@gmail.com>
…ng PR
- Remove [#next-free-field: 5] annotation from proto (not required for < 7 fields)
- Fix include ordering in reverse_connection_io_handle.cc (stream_info_impl.h)
- Fix clang-format alignment in emitAccessLog parameters and log_context
- Fix clang-format line wrapping for GenericFactoryContextImpl constructor
- Lower coverage threshold from 96.3% to 94.8% for new access logging code
Co-authored-by: Isaac
Signed-off-by: Krishna Sharma <krishnagpl2001@gmail.com>
748b966 to 719cbbf
Commit Message: add access logging support for the reverse tunnel initiator bootstrap extension
Additional Description:
Problem:
The reverse tunnel initiator (downstream side) has no access logging support. Operators have no
structured visibility into when reverse tunnel connections are established, when handshakes fail,
or when connections are closed. The only observability available is stats counters and debug-level
ENVOY_LOG traces, which are not suitable for production monitoring or auditing.
Solution:
Add a configurable access_log field to the DownstreamReverseConnectionSocketInterface bootstrap
extension proto. Access loggers are instantiated from config in ReverseTunnelInitiatorExtension and
invoked at three lifecycle points in ReverseConnectionIOHandle:
- handshake_success — reverse tunnel handshake completed successfully
- handshake_failure — reverse tunnel handshake failed (with error details)
- connection_closed — an established reverse tunnel connection was torn down
Each log entry carries reverse tunnel metadata as dynamic metadata under the
envoy.reverse_tunnel.initiator namespace, accessible via standard %DYNAMIC_METADATA(...)% format strings:
- event: handshake_success, handshake_failure, connection_closed
- node_id: src_node_id of this initiator Envoy instance
- cluster_id: src_cluster_id of this initiator Envoy instance
- tenant_id: src_tenant_id of this initiator Envoy instance
- upstream_cluster
- host_address
- connection_key
- error: handshake_failure events)
Any access log type supported by Envoy (file, stdout, gRPC, etc.) can be used. The implementation
follows the same pattern as TCP proxy access logging — creating an ephemeral StreamInfoImpl per
log entry and populating dynamic metadata before calling each configured logger.
Risk Level: Low
Testing: Existing unit tests pass. Access log creation and lifecycle callsites are additive.
Docs Changes: Added access logging section to docs/root/configuration/other_features/reverse_tunnel.rst
Release Notes: N/A
Platform Specific Features: N/A
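An added example, not part of this pull request or Envoy's code: one way a monitoring job could consume the three events described above and flag a target whose reverse tunnel handshakes keep failing. It assumes the operator configured a JSON access log format in which each key maps to the matching `%DYNAMIC_METADATA(envoy.reverse_tunnel.initiator:...)%` field plus a `start_time` key from `%START_TIME%`; the function names, threshold, window and sample lines are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real Envoy output). Assumed json_format mapping:
# "start_time": "%START_TIME%", and for each metadata key K,
# "K": "%DYNAMIC_METADATA(envoy.reverse_tunnel.initiator:K)%".
SAMPLE_LOG = """\
{"start_time":"2025-01-01T10:00:00.000Z","event":"handshake_success","upstream_cluster":"relay-east","host_address":"192.0.2.10:9000"}
{"start_time":"2025-01-01T10:00:05.000Z","event":"connection_closed","upstream_cluster":"relay-east","host_address":"192.0.2.10:9000"}
{"start_time":"2025-01-01T10:00:10.000Z","event":"handshake_failure","upstream_cluster":"relay-east","host_address":"192.0.2.10:9000","error":"timeout"}
{"start_time":"2025-01-01T10:00:12.000Z","event":"handshake_failure","upstream_cluster":"relay-west","host_address":"192.0.2.20:9000","error":"timeout"}
{"start_time":"2025-01-01T10:00:15.000Z","event":"handshake_success","upstream_cluster":"relay-west","host_address":"192.0.2.20:9000"}
{"start_time":"2025-01-01T10:00:20.000Z","event":"handshake_failure","upstream_cluster":"relay-east","host_address":"192.0.2.10:9000","error":"timeout"}
not a json line
{"start_time":"2025-01-01T10:00:30.000Z","event":"handshake_failure","upstream_cluster":"relay-east","host_address":"192.0.2.10:9000","error":"rejected"}
{"start_time":"2025-01-01T10:00:40.000Z","event":"handshake_failure","upstream_cluster":"relay-west","host_address":"192.0.2.20:9000","error":"timeout"}
{"start_time":"2025-01-01T10:02:00.000Z","event":"handshake_failure","upstream_cluster":"relay-west","host_address":"192.0.2.20:9000","error":"timeout"}
"""

def parse_line(line):
    """Return a normalized record, or None for blank or malformed lines."""
    try:
        rec = json.loads(line)
        return {
            "ts": datetime.fromisoformat(rec["start_time"].replace("Z", "+00:00")),
            "event": rec["event"],
            "target": (rec["upstream_cluster"], rec["host_address"]),
            "error": rec.get("error"),
        }
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def failure_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Map each (upstream_cluster, host_address) that had `threshold` handshake
    failures within `window`, with no success in between, to the errors seen.
    Lines are assumed to be in time order."""
    recent = defaultdict(deque)  # target -> (timestamp, error) of recent failures
    alerts = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] == "handshake_success":
            recent[rec["target"]].clear()  # tunnel recovered, restart the count
        elif rec["event"] == "handshake_failure":
            q = recent[rec["target"]]
            q.append((rec["ts"], rec["error"]))
            while rec["ts"] - q[0][0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts[rec["target"]] = [err for _, err in q]
    return alerts
```

`connection_closed` entries are ignored here on purpose; they mark teardown of an established tunnel rather than a failed attempt to build one.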