Run control-plane container as non-root#16

Open
gciavarrini wants to merge 1 commit into dcm-project:main from gciavarrini:control-plane-non-root-user

Conversation

@gciavarrini

Contributor

The monolith image still ran as root because the runtime Containerfile never set a USER. That came from the old catalog/placement/SP images, not from anything control-plane actually needs. policy-manager already used USER 1001. Since all manager logic now lives in one binary, this PR standardises on that approach.

Why

Control-plane only listens on :8080 and talks to Postgres/NATS over the network. It does not need root. This is mainly packaging consistency for the monolith, with a small security benefit and better alignment with restricted Kubernetes/OpenShift policies.

Changes

  • Run the control-plane image as UID 1001
  • Adjust /app permissions for OpenShift-style arbitrary UIDs in group 0
  • Add non-root securityContext to the Helm chart

Fixes

FLPATH-4382

--
Assisted-By: Claude (Anthropic)
Signed-off-by: Gloria Ciavarrini <gciavarrini@redhat.com>
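The three changes listed above (fixed non-root UID, group-0 permissions on /app for OpenShift's arbitrary UIDs, non-root securityContext) combine into a short Containerfile pattern. The block below is an added illustration, not the project's Containerfile from this PR: the base image, the /app layout and the binary name `control-plane` are assumptions; UID 1001 and port 8080 are taken from the PR description.

```dockerfile
# Added example, not the project's own Containerfile. Final runtime stage of
# a control-plane image that does not run as root. Base image, /app layout
# and the binary name are assumptions; UID 1001 and :8080 come from the PR.
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest

WORKDIR /app
COPY control-plane /app/control-plane

# OpenShift's restricted SCC starts the container with an arbitrary UID that
# is always a member of group 0. Hand group 0 the same rights the owner has
# so any such UID can execute the binary and write where the service needs
# to, without making /app world-writable and without chowning to a fixed UID.
RUN chgrp -R 0 /app && chmod -R g=u /app

# Fixed non-root UID for plain Kubernetes and local Podman/Docker runs.
# A numeric UID (not a user name) lets the kubelet enforce runAsNonRoot
# without resolving /etc/passwd inside the image.
USER 1001

# The service only listens on :8080; nothing here needs a privileged port.
EXPOSE 8080
ENTRYPOINT ["/app/control-plane"]
```

On the Helm side the matching settings are a pod-level `runAsNonRoot: true` and `runAsUser: 1001` (omit `runAsUser` on OpenShift so the SCC assigns the UID; the `chgrp 0`/`chmod g=u` step is what makes that work), plus container-level `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`. A quick check after building is `podman run --rm <image> id -u`, which should print `1001`; with `runAsNonRoot: true` set, a pod whose image still resolves to UID 0 fails to start, which is the behaviour you want a restricted namespace to enforce.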

Match the old policy-manager image now that managers share one
binary. Add Helm securityContext for cluster deploys.
Assisted-By: Claude (Anthropic)

Signed-off-by: Gloria Ciavarrini <gciavarrini@redhat.com>
gciavarrini force-pushed the control-plane-non-root-user branch from 36cebeb to 4ee947e on June 22, 2026 15:53