From f886ba65ea878c97789027053409c0beb17cea12 Mon Sep 17 00:00:00 2001
From: Tam Mach
Date: Thu, 17 Apr 2025 12:19:26 +1000
Subject: [PATCH] proxy: Use source identity from L7 policy name

This commit is to use the source identity from L7 policy name if available, instead of the global source identity.

Signed-off-by: Tam Mach
---
 cilium/bpf_metadata.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cilium/bpf_metadata.cc b/cilium/bpf_metadata.cc
index 273f60ec3..df859c9d0 100644
--- a/cilium/bpf_metadata.cc
+++ b/cilium/bpf_metadata.cc
@@ -472,6 +472,10 @@ Config::extractSocketMetadata(Network::ConnectionSocket& socket) {
 // Resolve source identity for the Ingress address
 source_identity = resolvePolicyId(ingress_ip);
+ if (!l7lb_policy_name_.empty()) {
+ const auto* named_policy = &getPolicy(l7lb_policy_name_);
+ source_identity = named_policy->getEndpointID();
+ }
 if (source_identity == Cilium::ID::WORLD) {
 // No security ID available for the configured source IP
 ENVOY_LOG(warn,
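Review bot: The added block overwrites `source_identity` with `named_policy->getEndpointID()` without checking that `getPolicy(l7lb_policy_name_)` found a policy of that name; the result is taken by address of a reference, so it is never null, and a missing or not-yet-delivered policy would presumably hand back a fallback instance whose ID then drives the `Cilium::ID::WORLD` check and whatever enforcement follows. The getter's name also suggests an endpoint ID, while `resolvePolicyId` and the `WORLD` comparison work on security identities; if those are distinct number spaces, the assignment needs either a conversion or a comment stating why they coincide here, such as `// The L7 LB policy's endpoint ID is the source security identity because <reason>`. I would keep the address-derived identity unless the named lookup yields a usable value, for example `if (const auto id = getPolicy(l7lb_policy_name_).getEndpointID(); id != 0) source_identity = id;`, assuming 0 is the unset value (to be confirmed). The body of `extractSocketMetadata` starts and ends outside this hunk, so the fallback behaviour of `getPolicy` cannot be verified from here.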