Libcalico-go: Prevent segfault when network/ip is not valid #11084

Open
bartekzurawski wants to merge 1 commit into projectcalico:master from bartekzurawski:net_parsing

@bartekzurawski
Contributor

Description

When a GlobalNetworkPolicy is created using the internal API group crd.projectcalico.org/v1, invalid CIDRs/IPs are not rejected. The conversion logic in libcalico-go then produces a nil *net.IPNet. Later, when Typha (or Felix) dereferences this pointer (e.g. in model.Rule.String()), a segfault occurs.

This PR changes:

  • Add nil check to avoid segfault
  • Make sure that processor code doesn't produce nil *net.IPNet

Normally users should not create objects via crd.projectcalico.org/v1; the supported API is projectcalico.org/v3, which performs proper validation. This change just makes the system more robust against unexpected nils.

Related issues/PRs

fixes #7697

Todos

  • Tests
  • Documentation
  • Release note

Release Note

TBD

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.
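
The failure mode and the two changes listed in the description above, as an added Go example that is not code from this PR or from libcalico-go. The `ipNet` wrapper, `convert` and `render` are hypothetical names chosen for illustration, and the input CIDRs are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// ipNet is a hypothetical wrapper; calling String through a nil *ipNet panics.
type ipNet struct{ net.IPNet }

func (n ipNet) String() string { return n.IPNet.String() }

// convert parses CIDR strings. strict=false mirrors the described failure: a bad
// CIDR is stored as nil. strict=true never stores nil and returns bad inputs.
func convert(cidrs []string, strict bool) (nets []*ipNet, rejected []string) {
	for _, c := range cidrs {
		_, parsed, err := net.ParseCIDR(c)
		switch {
		case err == nil:
			nets = append(nets, &ipNet{*parsed})
		case strict:
			rejected = append(rejected, c)
		default:
			nets = append(nets, nil) // parse error dropped, nil stored
		}
	}
	return nets, rejected
}

// render formats the list; with guard=false it dereferences every entry.
func render(nets []*ipNet, guard bool) (s string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	for _, n := range nets {
		if guard && n == nil {
			s += "<nil> "
			continue
		}
		s += n.String() + " "
	}
	return s, false
}

func main() {
	in := []string{"10.0.0.0/8", "10.0.0.300/24"} // constructed sample input
	loose, _ := convert(in, false)
	fmt.Println(render(loose, false)) // nil entry reached: panicked is true
	fmt.Println(render(loose, true))  // nil guard: no panic
	fmt.Println(convert(in, true))    // strict conversion: bad CIDR rejected
}
```

`render` recovers only so the example can report the panic; in a long-running process an unrecovered nil dereference of this kind terminates it.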

bartekzurawski requested a review from a team as a code owner on September 26, 2025 11:19
marvin-tigera added this to the Calico v3.32.0 milestone on Sep 26, 2025
marvin-tigera added the release-note-required and docs-pr-required labels on Sep 26, 2025
@mazdakn
Member

mazdakn commented Oct 7, 2025

@bartekzurawski thanks for providing the fix. Can you also include a unit test for it?

@bartekzurawski
Contributor Author

@mazdakn I've put some tests for that change. Can you check?

@github-actions

This PR is stale because it has been open for 60 days with no activity.

github-actions bot added the stale label on Jan 21, 2026
fasaxc added the docs-not-required label and removed the docs-pr-required label on Jan 21, 2026
github-actions bot removed the stale label on Jan 21, 2026
caseydavenport added the release-note-not-required label on Jan 23, 2026
marvin-tigera removed the release-note-required label on Jan 23, 2026
@caseydavenport
Member

/sem-approve

Labels

  • docs-not-required: Docs not required for this change
  • release-note-not-required: Change has no user-facing impact

Development

Successfully merging this pull request may close these issues.

Typha segfaults on invalid global network policies