reverse_tunnels: add validation in the network filter

[agrawroh]

Description

This PR adds a validation to the Reverse Tunnel filter which could be used to do validations on the incoming Node ID and Cluster ID values in the reverse connection handshake. It's possible to use Filter State, SNI, Certificate SAN, etc. to do these validations by configuring the formatter. It's also possible to do validations on all or some of the inputs.

---

Commit Message: reverse_tunnels: add validation in the network filter
Additional Description: Adds validation to perform validations on the incoming Node ID and Cluster ID from reverse connection handshake.
Risk Level: Low
Testing: Added Unit + Integration Tests
Docs Changes: N/A
Release Notes: N/A

[repokitteh-read-only]

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #41271 was opened by agrawroh.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @abeyad
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #41271 was opened by agrawroh.

see: more, trace.

[Copilot]

Pull Request Overview

This PR adds validation capabilities to the Reverse Tunnel network filter to validate incoming Node ID and Cluster ID values during reverse connection handshake. The implementation uses configurable format strings that can leverage Envoy's command operators (like Filter State, SNI, Certificate SAN, etc.) for flexible validation rules.

• Adds Validation message to the proto config with node_id_format and cluster_id_format fields
• Implements validation logic in the filter that compares extracted headers against expected values
• Adds optional dynamic metadata emission for validation results and debugging

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto	Defines new Validation message with format strings for node/cluster ID validation
source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h	Adds validation methods and formatter storage to config class
source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc	Implements validation logic using formatters and metadata emission
source/extensions/filters/network/reverse_tunnel/config.cc	Updates factory to use new config creation method with error handling
source/extensions/filters/network/reverse_tunnel/BUILD	Adds formatter library dependencies
test/extensions/filters/network/reverse_tunnel/integration_test.cc	Comprehensive integration tests for validation scenarios
test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc	Updates unit tests to use new config creation pattern
test/extensions/filters/network/reverse_tunnel/config_test.cc	Tests configuration parsing for validation scenarios

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[basundhara-c]

@agrawroh could we add a test where we validate with values set using the filter state:
`%FILTER_STATE(key)%'
Since that would be the primary used case of this validator. We won't have a case where the exact node_id_format and cluster_id_format will be set in the filter, because there will be only one instance of the filter running on upstream envoy, accepting reverse tunnels from multiple downstream nodes. There isn't a way for the filter to perform an exact match, but it can validate using values from the filter state or using regex.

[abeyad]

/lgtm api

[abeyad]

Out of curiosity, why do we need a max len of 255 here?

[abeyad]

thanks for the great comments!