Package io.envoyproxy.envoy.extensions.filters.network.reverse_tunnel.v3

Class Validation.Builder

java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder
com.google.protobuf.AbstractMessage.Builder<BuilderT>
com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>
io.envoyproxy.envoy.extensions.filters.network.reverse_tunnel.v3.Validation.Builder
All Implemented Interfaces:
com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, ValidationOrBuilder, Cloneable
Enclosing class:
Validation
public static final class Validation.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder> implements ValidationOrBuilder
 Validation configuration for reverse tunnel identifiers.
 Validates the node ID and cluster ID extracted from reverse tunnel handshake headers
 against expected values specified using format strings.
Protobuf type envoy.extensions.filters.network.reverse_tunnel.v3.Validation

  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • clear

      public Validation.Builder clear()
      Specified by:
      clear in interface com.google.protobuf.Message.Builder
      Specified by:
      clear in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clear in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • getDescriptorForType

      public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
      Specified by:
      getDescriptorForType in interface com.google.protobuf.Message.Builder
      Specified by:
      getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
      Overrides:
      getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • getDefaultInstanceForType

      public Validation getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

    • build

      public Validation build()
      Specified by:
      build in interface com.google.protobuf.Message.Builder
      Specified by:
      build in interface com.google.protobuf.MessageLite.Builder

    • buildPartial

      public Validation buildPartial()
      Specified by:
      buildPartial in interface com.google.protobuf.Message.Builder
      Specified by:
      buildPartial in interface com.google.protobuf.MessageLite.Builder

    • clone

      public Validation.Builder clone()
      Specified by:
      clone in interface com.google.protobuf.Message.Builder
      Specified by:
      clone in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clone in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • setField

      public Validation.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      setField in interface com.google.protobuf.Message.Builder
      Overrides:
      setField in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • clearField

      public Validation.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
      Specified by:
      clearField in interface com.google.protobuf.Message.Builder
      Overrides:
      clearField in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • clearOneof

      public Validation.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
      Specified by:
      clearOneof in interface com.google.protobuf.Message.Builder
      Overrides:
      clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • setRepeatedField

      public Validation.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
      Specified by:
      setRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • addRepeatedField

      public Validation.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      addRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • mergeFrom

      public Validation.Builder mergeFrom(com.google.protobuf.Message other)
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<Validation.Builder>

    • mergeFrom

      public Validation.Builder mergeFrom(Validation other)

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • mergeFrom

      public Validation.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Specified by:
      mergeFrom in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<Validation.Builder>
      Throws:
      IOException

    • getNodeIdFormat

      public String getNodeIdFormat()
       Format string to extract the expected node identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports Envoy's :ref:`command operators <config_access_log_command_operators>`:

 * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata.
 * ``%FILTER_STATE(key)%``: Extract expected value from filter state.
 * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address.
 * Plain strings: Use a static expected value.

 If empty, node ID validation is skipped.

 Example using dynamic metadata allowlist:

 .. code-block:: yaml

    node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"
      string node_id_format = 1 [(.validate.rules) = { ... }
      Specified by:
      getNodeIdFormat in interface ValidationOrBuilder
      Returns:
      The nodeIdFormat.

    • getNodeIdFormatBytes

      public com.google.protobuf.ByteString getNodeIdFormatBytes()
       Format string to extract the expected node identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports Envoy's :ref:`command operators <config_access_log_command_operators>`:

 * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata.
 * ``%FILTER_STATE(key)%``: Extract expected value from filter state.
 * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address.
 * Plain strings: Use a static expected value.

 If empty, node ID validation is skipped.

 Example using dynamic metadata allowlist:

 .. code-block:: yaml

    node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"
      string node_id_format = 1 [(.validate.rules) = { ... }
      Specified by:
      getNodeIdFormatBytes in interface ValidationOrBuilder
      Returns:
      The bytes for nodeIdFormat.

    • setNodeIdFormat

      public Validation.Builder setNodeIdFormat(String value)
       Format string to extract the expected node identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports Envoy's :ref:`command operators <config_access_log_command_operators>`:

 * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata.
 * ``%FILTER_STATE(key)%``: Extract expected value from filter state.
 * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address.
 * Plain strings: Use a static expected value.

 If empty, node ID validation is skipped.

 Example using dynamic metadata allowlist:

 .. code-block:: yaml

    node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"
      string node_id_format = 1 [(.validate.rules) = { ... }
      Parameters:
      value - The nodeIdFormat to set.
      Returns:
      This builder for chaining.

    • clearNodeIdFormat

      public Validation.Builder clearNodeIdFormat()
       Format string to extract the expected node identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports Envoy's :ref:`command operators <config_access_log_command_operators>`:

 * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata.
 * ``%FILTER_STATE(key)%``: Extract expected value from filter state.
 * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address.
 * Plain strings: Use a static expected value.

 If empty, node ID validation is skipped.

 Example using dynamic metadata allowlist:

 .. code-block:: yaml

    node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"
      string node_id_format = 1 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • setNodeIdFormatBytes

      public Validation.Builder setNodeIdFormatBytes(com.google.protobuf.ByteString value)
       Format string to extract the expected node identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports Envoy's :ref:`command operators <config_access_log_command_operators>`:

 * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata.
 * ``%FILTER_STATE(key)%``: Extract expected value from filter state.
 * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address.
 * Plain strings: Use a static expected value.

 If empty, node ID validation is skipped.

 Example using dynamic metadata allowlist:

 .. code-block:: yaml

    node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"
      string node_id_format = 1 [(.validate.rules) = { ... }
      Parameters:
      value - The bytes for nodeIdFormat to set.
      Returns:
      This builder for chaining.

    • getClusterIdFormat

      public String getClusterIdFormat()
       Format string to extract the expected cluster identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports the same :ref:`command operators <config_access_log_command_operators>` as
 ``node_id_format``.

 If empty, cluster ID validation is skipped.

 Example using filter state:

 .. code-block:: yaml

    cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"
      string cluster_id_format = 2 [(.validate.rules) = { ... }
      Specified by:
      getClusterIdFormat in interface ValidationOrBuilder
      Returns:
      The clusterIdFormat.

    • getClusterIdFormatBytes

      public com.google.protobuf.ByteString getClusterIdFormatBytes()
       Format string to extract the expected cluster identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports the same :ref:`command operators <config_access_log_command_operators>` as
 ``node_id_format``.

 If empty, cluster ID validation is skipped.

 Example using filter state:

 .. code-block:: yaml

    cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"
      string cluster_id_format = 2 [(.validate.rules) = { ... }
      Specified by:
      getClusterIdFormatBytes in interface ValidationOrBuilder
      Returns:
      The bytes for clusterIdFormat.

    • setClusterIdFormat

      public Validation.Builder setClusterIdFormat(String value)
       Format string to extract the expected cluster identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports the same :ref:`command operators <config_access_log_command_operators>` as
 ``node_id_format``.

 If empty, cluster ID validation is skipped.

 Example using filter state:

 .. code-block:: yaml

    cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"
      string cluster_id_format = 2 [(.validate.rules) = { ... }
      Parameters:
      value - The clusterIdFormat to set.
      Returns:
      This builder for chaining.

    • clearClusterIdFormat

      public Validation.Builder clearClusterIdFormat()
       Format string to extract the expected cluster identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports the same :ref:`command operators <config_access_log_command_operators>` as
 ``node_id_format``.

 If empty, cluster ID validation is skipped.

 Example using filter state:

 .. code-block:: yaml

    cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"
      string cluster_id_format = 2 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • setClusterIdFormatBytes

      public Validation.Builder setClusterIdFormatBytes(com.google.protobuf.ByteString value)
       Format string to extract the expected cluster identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports the same :ref:`command operators <config_access_log_command_operators>` as
 ``node_id_format``.

 If empty, cluster ID validation is skipped.

 Example using filter state:

 .. code-block:: yaml

    cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"
      string cluster_id_format = 2 [(.validate.rules) = { ... }
      Parameters:
      value - The bytes for clusterIdFormat to set.
      Returns:
      This builder for chaining.

    • getEmitDynamicMetadata

      public boolean getEmitDynamicMetadata()
       Whether to emit validation results as dynamic metadata.
 When enabled, the filter emits metadata under the namespace specified by
 ``dynamic_metadata_namespace`` containing:

 * ``node_id``: The actual node ID from the handshake request.
 * ``cluster_id``: The actual cluster ID from the handshake request.
 * ``validation_result``: Either ``allowed`` or ``denied``.

 This metadata can be used by subsequent filters or for access logging.
 Defaults to ``false``.
      bool emit_dynamic_metadata = 3;
      Specified by:
      getEmitDynamicMetadata in interface ValidationOrBuilder
      Returns:
      The emitDynamicMetadata.

    • setEmitDynamicMetadata

      public Validation.Builder setEmitDynamicMetadata(boolean value)
       Whether to emit validation results as dynamic metadata.
 When enabled, the filter emits metadata under the namespace specified by
 ``dynamic_metadata_namespace`` containing:

 * ``node_id``: The actual node ID from the handshake request.
 * ``cluster_id``: The actual cluster ID from the handshake request.
 * ``validation_result``: Either ``allowed`` or ``denied``.

 This metadata can be used by subsequent filters or for access logging.
 Defaults to ``false``.
      bool emit_dynamic_metadata = 3;
      Parameters:
      value - The emitDynamicMetadata to set.
      Returns:
      This builder for chaining.

    • clearEmitDynamicMetadata

      public Validation.Builder clearEmitDynamicMetadata()
       Whether to emit validation results as dynamic metadata.
 When enabled, the filter emits metadata under the namespace specified by
 ``dynamic_metadata_namespace`` containing:

 * ``node_id``: The actual node ID from the handshake request.
 * ``cluster_id``: The actual cluster ID from the handshake request.
 * ``validation_result``: Either ``allowed`` or ``denied``.

 This metadata can be used by subsequent filters or for access logging.
 Defaults to ``false``.
      bool emit_dynamic_metadata = 3;
      Returns:
      This builder for chaining.

    • getDynamicMetadataNamespace

      public String getDynamicMetadataNamespace()
       Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
 If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
      string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }
      Specified by:
      getDynamicMetadataNamespace in interface ValidationOrBuilder
      Returns:
      The dynamicMetadataNamespace.

    • getDynamicMetadataNamespaceBytes

      public com.google.protobuf.ByteString getDynamicMetadataNamespaceBytes()
       Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
 If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
      string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }
      Specified by:
      getDynamicMetadataNamespaceBytes in interface ValidationOrBuilder
      Returns:
      The bytes for dynamicMetadataNamespace.

    • setDynamicMetadataNamespace

      public Validation.Builder setDynamicMetadataNamespace(String value)
       Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
 If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
      string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }
      Parameters:
      value - The dynamicMetadataNamespace to set.
      Returns:
      This builder for chaining.

    • clearDynamicMetadataNamespace

      public Validation.Builder clearDynamicMetadataNamespace()
       Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
 If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
      string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • setDynamicMetadataNamespaceBytes

      public Validation.Builder setDynamicMetadataNamespaceBytes(com.google.protobuf.ByteString value)
       Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
 If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
      string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }
      Parameters:
      value - The bytes for dynamicMetadataNamespace to set.
      Returns:
      This builder for chaining.

    • setUnknownFields

      public final Validation.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      setUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>

    • mergeUnknownFields

      public final Validation.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      mergeUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<Validation.Builder>