Interface ValidationOrBuilder
- All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder,com.google.protobuf.MessageOrBuilder
- All Known Implementing Classes:
Validation,Validation.Builder
public interface ValidationOrBuilder
extends com.google.protobuf.MessageOrBuilder
-
Method Summary
Modifier and TypeMethodDescriptionFormat string to extract the expected cluster identifier for validation.com.google.protobuf.ByteStringFormat string to extract the expected cluster identifier for validation.Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.com.google.protobuf.ByteStringNamespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.booleanWhether to emit validation results as dynamic metadata.Format string to extract the expected node identifier for validation.com.google.protobuf.ByteStringFormat string to extract the expected node identifier for validation.Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder
isInitializedMethods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
-
Method Details
-
getNodeIdFormat
String getNodeIdFormat()Format string to extract the expected node identifier for validation. The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header from the incoming handshake request. If they do not match, the connection is rejected with HTTP ``403 Forbidden``. Supports Envoy's :ref:`command operators <config_access_log_command_operators>`: * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata. * ``%FILTER_STATE(key)%``: Extract expected value from filter state. * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address. * Plain strings: Use a static expected value. If empty, node ID validation is skipped. Example using dynamic metadata allowlist: .. code-block:: yaml node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"string node_id_format = 1 [(.validate.rules) = { ... }- Returns:
- The nodeIdFormat.
-
getNodeIdFormatBytes
com.google.protobuf.ByteString getNodeIdFormatBytes()Format string to extract the expected node identifier for validation. The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header from the incoming handshake request. If they do not match, the connection is rejected with HTTP ``403 Forbidden``. Supports Envoy's :ref:`command operators <config_access_log_command_operators>`: * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata. * ``%FILTER_STATE(key)%``: Extract expected value from filter state. * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address. * Plain strings: Use a static expected value. If empty, node ID validation is skipped. Example using dynamic metadata allowlist: .. code-block:: yaml node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"string node_id_format = 1 [(.validate.rules) = { ... }- Returns:
- The bytes for nodeIdFormat.
-
getClusterIdFormat
String getClusterIdFormat()Format string to extract the expected cluster identifier for validation. The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header from the incoming handshake request. If they do not match, the connection is rejected with HTTP ``403 Forbidden``. Supports the same :ref:`command operators <config_access_log_command_operators>` as ``node_id_format``. If empty, cluster ID validation is skipped. Example using filter state: .. code-block:: yaml cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"string cluster_id_format = 2 [(.validate.rules) = { ... }- Returns:
- The clusterIdFormat.
-
getClusterIdFormatBytes
com.google.protobuf.ByteString getClusterIdFormatBytes()Format string to extract the expected cluster identifier for validation. The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header from the incoming handshake request. If they do not match, the connection is rejected with HTTP ``403 Forbidden``. Supports the same :ref:`command operators <config_access_log_command_operators>` as ``node_id_format``. If empty, cluster ID validation is skipped. Example using filter state: .. code-block:: yaml cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"string cluster_id_format = 2 [(.validate.rules) = { ... }- Returns:
- The bytes for clusterIdFormat.
-
getEmitDynamicMetadata
boolean getEmitDynamicMetadata()Whether to emit validation results as dynamic metadata. When enabled, the filter emits metadata under the namespace specified by ``dynamic_metadata_namespace`` containing: * ``node_id``: The actual node ID from the handshake request. * ``cluster_id``: The actual cluster ID from the handshake request. * ``validation_result``: Either ``allowed`` or ``denied``. This metadata can be used by subsequent filters or for access logging. Defaults to ``false``.
bool emit_dynamic_metadata = 3;- Returns:
- The emitDynamicMetadata.
-
getDynamicMetadataNamespace
String getDynamicMetadataNamespace()Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``. If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }- Returns:
- The dynamicMetadataNamespace.
-
getDynamicMetadataNamespaceBytes
com.google.protobuf.ByteString getDynamicMetadataNamespaceBytes()Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``. If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }- Returns:
- The bytes for dynamicMetadataNamespace.
-