tls_wrapper: Rename policy_socket_option as policy_ref

We do not have a policy socket options any more, but a CiliumPolicyFilterState that contains a weak reference to the policy map. Rename 'policy_socket_option' as 'policy_ref' to make this a bit clearer. Signed-off-by: Jarno Rajahalme <[email protected]>
cilium · Jan 31, 2025 · c89f50b · c89f50b
1 parent 8aa3169
commit c89f50b
Showing 1 changed file with 14 additions and 15 deletions.
diff --git a/cilium/tls_wrapper.cc b/cilium/tls_wrapper.cc
@@ -87,32 +87,32 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggable<Logge
     // configuration.
     // Cilium socket option is only created if the (initial) policy for the local pod exists.
     // If the policy requires TLS then a TLS socket is used, but if the policy does not require
-    // TLS a raw socket is used instead,
+    // TLS a raw socket is used instead.
     auto& conn = callbacks_->connection();
 
     ENVOY_CONN_LOG(trace, "retrieving policy filter state", conn);
-    auto policy_socket_option =
+    auto policy_ref =
         conn.streamInfo().filterState()->getDataReadOnly<Cilium::CiliumPolicyFilterState>(
             Cilium::CiliumPolicyFilterState::key());
 
-    if (policy_socket_option) {
-      const auto& policy = policy_socket_option->getPolicy();
+    if (policy_ref) {
+      const auto& policy = policy_ref->getPolicy();
 
       // Resolve the destination security ID and port
       uint32_t destination_identity = 0;
-      uint32_t destination_port = policy_socket_option->port_;
+      uint32_t destination_port = policy_ref->port_;
       const Network::Address::Ip* dip = nullptr;
       bool is_client = state_ == Extensions::TransportSockets::Tls::InitialState::Client;
 
-      if (!policy_socket_option->ingress_) {
+      if (!policy_ref->ingress_) {
         Network::Address::InstanceConstSharedPtr dst_address =
             is_client ? callbacks_->connection().connectionInfoProvider().remoteAddress()
                       : callbacks_->connection().connectionInfoProvider().localAddress();
         if (dst_address) {
           dip = dst_address->ip();
           if (dip) {
             destination_port = dip->port();
-            destination_identity = policy_socket_option->resolvePolicyId(dip);
+            destination_identity = policy_ref->resolvePolicyId(dip);
           } else {
             ENVOY_CONN_LOG(warn, "cilium.tls_wrapper: Non-IP destination address: {}", conn,
                            dst_address->asString());
@@ -123,11 +123,10 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggable<Logge
       }
 
       // get the requested server name from the connection, if any
-      const auto& sni = policy_socket_option->sni_;
+      const auto& sni = policy_ref->sni_;
 
-      auto remote_id = policy_socket_option->ingress_ ? policy_socket_option->source_identity_
-                                                      : destination_identity;
-      auto port_policy = policy.findPortPolicy(policy_socket_option->ingress_, destination_port);
+      auto remote_id = policy_ref->ingress_ ? policy_ref->source_identity_ : destination_identity;
+      auto port_policy = policy.findPortPolicy(policy_ref->ingress_, destination_port);
       const Envoy::Ssl::ContextConfig* config = nullptr;
       bool raw_socket_allowed = false;
       Envoy::Ssl::ContextSharedPtr ctx =
@@ -157,7 +156,7 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggable<Logge
         policy.tlsWrapperMissingPolicyInc();
 
         std::string ipStr("<none>");
-        if (policy_socket_option->ingress_) {
+        if (policy_ref->ingress_) {
           Network::Address::InstanceConstSharedPtr src_address =
               is_client ? callbacks_->connection().connectionInfoProvider().localAddress()
                         : callbacks_->connection().connectionInfoProvider().remoteAddress();
@@ -176,9 +175,9 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggable<Logge
             warn,
             "cilium.tls_wrapper: Could not get {} TLS context for pod {} on {} IP {} (id {}) port "
             "{} sni \"{}\" and raw socket is not allowed",
-            conn, is_client ? "client" : "server", policy_socket_option->pod_ip_,
-            policy_socket_option->ingress_ ? "source" : "destination", ipStr, remote_id,
-            destination_port, sni);
+            conn, is_client ? "client" : "server", policy_ref->pod_ip_,
+            policy_ref->ingress_ ? "source" : "destination", ipStr, remote_id, destination_port,
+            sni);
       }
     } else {
       ENVOY_CONN_LOG(warn,