debug: Assert policy destruction happens in the main thread

Add a runtime assert that the policy destruction happens from the main or
test thread. The "test thread" case also covers the destruction from the
initial thread, which happens for the static members of
'AllowAllEgressPolicyInstanceImpl' when running `cilium-envoy version',
for example.

Signed-off-by: Jarno Rajahalme <[email protected]>

cilium/network_policy.cc

@@ -606,6 +606,17 @@ class PortNetworkPolicyRules : public Logger::Loggable<Logger::Id::config> {
     }
   }
 
+  ~PortNetworkPolicyRules() {
+    if (!Thread::MainThread::isMainOrTestThread()) {
+      ENVOY_LOG_TO_LOGGER(Envoy::Logger::Registry::getLog(Envoy::Logger::Id::envoy_bug), error,
+                          "envoy bug failure: !Thread::MainThread::isMainOrTestThread()");
+      Envoy::Assert::EnvoyBugStackTrace st;
+      st.capture();
+      st.logStackTrace();
+      ::abort();
+    }
+  }
+
   bool allowed(uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers,
                Cilium::AccessLog::Entry& log_entry, bool& denied) const {
     // Empty set matches any payload from anyone

cilium/network_policy.h

@@ -109,7 +109,7 @@ class IPAddressPair {
 
 class PolicyInstance {
 public:
-  virtual ~PolicyInstance() = default;
+  virtual ~PolicyInstance() { ASSERT_IS_MAIN_OR_TEST_THREAD(); };
 
   virtual bool allowed(bool ingress, uint32_t remote_id, uint16_t port,
                        Envoy::Http::RequestHeaderMap& headers,

cilium/secret_watcher.cc

@@ -34,7 +34,10 @@ SecretWatcher::SecretWatcher(const NetworkPolicyMap& parent, const std::string&
       secret_provider_(secretProvider(parent.transportFactoryContext(), sds_name)),
       update_secret_(readAndWatchSecret()) {}
 
-SecretWatcher::~SecretWatcher() { delete load(); }
+SecretWatcher::~SecretWatcher() {
+  ASSERT_IS_MAIN_OR_TEST_THREAD();
+  delete load();
+}
 
 Envoy::Common::CallbackHandlePtr SecretWatcher::readAndWatchSecret() {
   THROW_IF_NOT_OK(store());