https://github.com/cilium/cilium
Revision 5fd9b0b5d4131f86a233d19966f50d8e79ff455c authored by Paul Chaignon on 28 May 2023, 21:44:58 UTC, committed by Sebastian Wicki on 13 June 2023, 19:22:04 UTC
[ upstream commit ca9c056deb31f6e0747c951be24b25d67ea99d6d ]

As explained in the previous commit, we need to switch our IPsec
logic from one implementation to another. This implementation requires
some synchronized work between bpf_lxc and bpf_host. To enable this
switch without causing drops, the previous commit made bpf_host support
both implementations.

This is quite enough though. For this to work, we need to ensure that
bpf_host is always reloaded before any bpf_lxc is loaded. That is, we
need to load the bpf_host program that supports both implementations
before we actually start the switch from one implementation to the
second.

This commit makes that change in the order of BPF program reloads.
Instead of regenerating the bpf_host program (i.e., the host endpoint's
datapath) in a goroutine like other BPF programs, we will regenerate it
first, as a blocking operation.

Regenerating the host endpoint's datapath separately like this will
delay the agent startup. This regeneration was measured to take around 1
second on an EKS cluster (though it can probably grow to a few seconds
depending on the node type and current load). That should stay fairly
small compared to the overall duration of the agent startup (around 30
seconds). Nevertheless, this separate regeneration is only performed
when we actually need it: for IPsec with EKS or AKS IPAM mode.

Fixes: 4c7cce1bf ("bpf: Remove IP_POOLS IPsec code")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
1 parent 7afecc7
daemon: Reload bpf_host first in case of IPsec upgrade
File Mode Size
.github
.travis
Documentation
api
bpf
bugtool
cilium
cilium-health
clustermesh-apiserver
contrib
daemon
envoy
examples
hack
hubble-relay
images
install
jenkinsfiles
operator
pkg
plugins
proxylib
test
tools
vendor
.authors.aux -rw-r--r-- 416 bytes
.gitattributes -rw-r--r-- 301 bytes
.gitignore -rw-r--r-- 1.5 KB
.gitmodules -rw-r--r-- 0 bytes
.golangci.yaml -rw-r--r-- 3.3 KB
.mailmap -rw-r--r-- 5.0 KB
.travis.yml -rw-r--r-- 1.2 KB
AUTHORS -rw-r--r-- 26.3 KB
CHANGELOG.md -rw-r--r-- 151.8 KB
CODEOWNERS -rw-r--r-- 1.2 KB
CODE_OF_CONDUCT.md -rw-r--r-- 2.2 KB
CONTRIBUTING.md -rw-r--r-- 227 bytes
FURTHER_READINGS.rst -rw-r--r-- 4.9 KB
GO_VERSION -rw-r--r-- 8 bytes
LICENSE -rw-r--r-- 11.1 KB
MAINTAINERS.md -rw-r--r-- 3.8 KB
Makefile -rw-r--r-- 29.1 KB
Makefile.defs -rw-r--r-- 6.0 KB
Makefile.docker -rw-r--r-- 6.3 KB
Makefile.quiet -rw-r--r-- 788 bytes
README.rst -rw-r--r-- 15.0 KB
SECURITY.md -rw-r--r-- 615 bytes
USERS.md -rw-r--r-- 8.1 KB
VERSION -rw-r--r-- 8 bytes
Vagrantfile -rw-r--r-- 12.9 KB
go.mod -rw-r--r-- 10.9 KB
go.sum -rw-r--r-- 206.7 KB
netlify.toml -rw-r--r-- 92 bytes
stable.txt -rw-r--r-- 8 bytes
vagrant_box_defaults.rb -rw-r--r-- 394 bytes
