[ upstream commit 3a4c57f ]

[ Backporter's notes: switch default to false - so not enabled by
default. Switch from testing package to checkmate in unit tests. Flags
use Vp instead of vp. Minor conflicts with netlink.XfrmState* calls.
Switched from pkg/time to time. Switch from checkmate to check.v1 ]

Reduces GC CPU usage and memory allocations coming from XfrmStateList.
To ensure we have up-to-date cache, wrap all XfrmState related
functions inside cache, which is invalidated whenever XfrmState changes.

This is follow-up to #32577
While that PR averages out CPU usage over time, in large cluster 100+
nodes amount of allocations coming from netlink.XfrmStateList() is high
due to backgroundSync where we usually don't change any Xfrm states.
This becomes more and more expensive as number of nodes increases.

Added CI test to make sure that we accidentally don't add calls that
modify XFRMState without going through cache.

Also, added hidden option that allows to turn of caching.

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>