diff --git a/cilium/network_policy.cc b/cilium/network_policy.cc
index 2387b4876..12e395354 100644
--- a/cilium/network_policy.cc
+++ b/cilium/network_policy.cc
@@ -47,6 +47,7 @@ class HeaderMatch : public Logger::Loggable {
 HeaderMatch(const NetworkPolicyMap& parent, const cilium::HeaderMatch& config) : name_(config.name()), value_(config.value()), match_action_(config.match_action()), mismatch_action_(config.mismatch_action()) {
+ ASSERT_IS_MAIN_OR_TEST_THREAD();
 if (config.value_sds_secret().length() > 0) secret_ = std::make_unique(parent, config.value_sds_secret());
 }
@@ -606,6 +607,17 @@ class PortNetworkPolicyRules : public Logger::Loggable {
 }
 }
+ ~PortNetworkPolicyRules() {
+ if (!Thread::MainThread::isMainThread()) {
+ ENVOY_LOG_TO_LOGGER(Envoy::Logger::Registry::getLog(Envoy::Logger::Id::envoy_bug), error,
+ "envoy bug failure: !Thread::MainThread::isMainThread()");
+ Envoy::Assert::EnvoyBugStackTrace st;
+ st.capture();
+ st.logStackTrace();
+ ::abort();
+ }
+ }
+
 bool allowed(uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers, Cilium::AccessLog::Entry& log_entry, bool& denied) const { // Empty set matches any payload from anyone
diff --git a/cilium/network_policy.h b/cilium/network_policy.h
index c6b231d8b..584697864 100644
--- a/cilium/network_policy.h
+++ b/cilium/network_policy.h
@@ -109,7 +109,9 @@ class IPAddressPair {
 class PolicyInstance {
 public:
- virtual ~PolicyInstance() = default;
+ virtual ~PolicyInstance() {
+ ASSERT_IS_MAIN_OR_TEST_THREAD();
+ };
 virtual bool allowed(bool ingress, uint32_t remote_id, uint16_t port, Envoy::Http::RequestHeaderMap& headers,
diff --git a/cilium/secret_watcher.cc b/cilium/secret_watcher.cc
index 475899853..953f357f6 100644
--- a/cilium/secret_watcher.cc
+++ b/cilium/secret_watcher.cc
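Review bot: The thread check added at the top of the HeaderMatch constructor body is presumably debug-only: if `ASSERT_IS_MAIN_OR_TEST_THREAD()` expands to Envoy's `ASSERT`, as its name suggests, it compiles to nothing in a default release build, so a production binary still creates `secret_` on whichever thread calls in. The same applies to the checks added to `~PolicyInstance()` in network_policy.h and to the SecretWatcher constructor and destructor in secret_watcher.cc, whereas `~PortNetworkPolicyRules()` in this file aborts unconditionally. A one-line comment stating the invariant and its enforcement level would help, for example `// secret_ must be created on the main thread; checked in debug builds only.` The enclosing class starts and ends outside this hunk.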
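Review bot: `~PortNetworkPolicyRules()` hand-expands a check that always ends in `::abort()` while logging it as an "envoy bug failure", and it tests `isMainThread()` where every other check in this commit uses the main-or-test-thread form. In a release build a rules object released on a worker thread would therefore terminate the whole proxy instead of being logged, and a test that destroys rules off the registered main thread would abort too; if both are intended, a comment above the destructor should say so and explain why this class alone is enforced in release. Otherwise the existing macro states the same thing in one line: `~PortNetworkPolicyRules() { RELEASE_ASSERT(Thread::MainThread::isMainOrTestThread(), "PortNetworkPolicyRules destroyed off the main thread"); }`.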
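Review bot: The assertion in `~PolicyInstance()` runs last in the destruction sequence, after the derived class's destructor body and its members have already been torn down, so it can only report an off-thread release after the fact; a check meant to run before teardown belongs in the derived destructor. The new body also ends in `};`, which leaves a stray empty declaration after the function; `virtual ~PolicyInstance() { ASSERT_IS_MAIN_OR_TEST_THREAD(); }` is enough. The class body continues outside this hunk.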
@@ -32,9 +32,14 @@ void resetSDSConfigFunc() { getSDSConfig = &getCiliumSDSConfig; }
 SecretWatcher::SecretWatcher(const NetworkPolicyMap& parent, const std::string& sds_name) : parent_(parent), name_(sds_name), secret_provider_(secretProvider(parent.transportFactoryContext(), sds_name)),
- update_secret_(readAndWatchSecret()) {}
+ update_secret_(readAndWatchSecret()) {
+ ASSERT_IS_MAIN_OR_TEST_THREAD();
+}
-SecretWatcher::~SecretWatcher() { delete load(); }
+SecretWatcher::~SecretWatcher() {
+ ASSERT_IS_MAIN_OR_TEST_THREAD();
+ delete load();
+}
 Envoy::Common::CallbackHandlePtr SecretWatcher::readAndWatchSecret() {
 THROW_IF_NOT_OK(store());
diff --git a/go.mod b/go.mod
index 7eb21016b..b2776b507 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/cilium/proxy
-go 1.23
+go 1.23.0
 require (
 github.com/census-instrumentation/opencensus-proto v0.4.1
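Review bot: In the SecretWatcher constructor the check sits in the body, which runs only after the member initializers have already called `secretProvider(...)` and `readAndWatchSecret()`, so the work it presumably guards has happened by the time it fires. That is acceptable for a debug tripwire, but it is worth stating next to the assertion: `// Initializers above have already run; this detects off-thread construction, it does not prevent it.` In the destructor, `delete load();` frees a raw pointer, and a short comment on whether anything else can still hold that pointer when the destructor runs would make the main-thread requirement self-explanatory.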