#43237 reverted the last commit of #42992 due to a new unit test flake.

This PR reapplies the reverted commit as-is (1st commit) and adds two unit test fixes:

1. policy: Terminate incremental notification handlers in tests

Return a closer function from test infra returning new SelectorCache instances, so that the test can call closer() to terminate the incremental update notification handler goroutine, if one was started for the SelectorCache instance. This eliminates leaked goroutines which take both resources and complicate go test output in error situations such as test timeouts.

2. policy: Defer test validations of selector notifications till commit

The commit changes the test tooling for the mock cachedSelectionUser, no Test code is changed otherwise. The rationale for the change is that the mock was accessing the current version of the selected identities via selector.GetSelections(), while it really should postpone this access until IdentitySelectionCommit() is called (as that is the time the user gets a handle to the version where the changes were applied) and use that version explicitly (selector.GetSelectionsAt(...)).

Production implementation (in pkg/policy/mapstate.go) is already doing the right thing.

Previously the selection updates were always done prior IdentitySelectionUpdated() was called, but with the change in the policy: Replace versioned with part.Map commit the publication of the changes is done later, but always prior to the IdentitySelectionCommit() call. This results in a race, where sometimes the update on the selector selections is not yet available when the IdentitySelectionUpdated() callback executes (in a different goroutine). If the execution of the notifications was synchronous then the associated tests would always fail without this fix.

This test can be used to validate the fix:

$ go test -v -run "TestTransactionalUpdate" -count=10000 -timeout=10s ./pkg/policy/.

• When run on main (with the already merged revert) this test should pass
• When run with the 1st commit applied, this fails with console full of goroutines with

github.com/cilium/cilium/pkg/policy.(*SelectorCache).handleUserNotifications

• When run with the 2nd commit also applied the actual error is visible:

selectorcache_test.go:204:
        Error Trace:    /Volumes/dev/cilium/cilium/pkg/policy/selectorcache_test.go:204
                                  /Volumes/dev/cilium/cilium/pkg/policy/selectorcache.go:384
                                  /usr/local/go/src/runtime/asm_arm64.s:1268
        Error:          Should be false
        Test:           TestTransactionalUpdate

• when run with all commits applied it succeeds again:

$ go test -run "TestTransactionalUpdate" -count=10000 -timeout=10s ./pkg/policy/.
ok      github.com/cilium/cilium/pkg/policy     0.708s

Fixes: #42992
Fixes: #43237