init.sh: move socket-lb creation to Go package

[ti-mo]

This is a standalone feature that can be moved out of init.sh.

We could potentially create a datapath subpackage for this functionality so it can have a standalone test suite.

@brb Do you have any input on how to design/structure this?

[ti-mo]

Something discovered while @rgo3 was doing the initial implementation: link.AttachCgroup() opportunistically uses bpf_link for attaching to cgroups on kernels that support it, which means we need to create a dir layout in /sys/fs/bpf, ideally outside of /sys/fs/bpf/tc/globals. The new socket-lb loader code needs to attempt to pin cgroup links, to open them and manage their lifecycle when there are existing pins when the agent starts up.

Also, the preceding release(s) will need compatibility code in init.sh to handle pinned cgroup links on downgrade.

@borkmann suggested mounting a bpffs just for Cilium, but we'd need to get the host to mount it so it's not bound to the lifecycle of the agent pod.

I'd suggest something like /sys/fs/bpf/cilium/links/cgroup/*.

[ti-mo]

I looked into removing TestDummyProg(). It seems like it's mostly called from probeKubeProxyReplacementOptions() to detect if certain prog/attachtype combos are supported, as well as calling BPF_PROG_ATTACH as an oracle for CONFIG_CGROUP_BPF. (see abf5366)

Since ebpf-go only falls back to PROG_ATTACH when bpf_link is not available, only probing PROG_ATTACH loses a bit of its value. By moving the socket-lb logic out of init.sh, we can simply try to set up parts of the socklb and bail out when parts of them fail to attach, flipping flags in option.Config on the way out, as is currently done in probeKubeProxyReplacementOptions().