shared-ingress: move HAProxy image to pinned UBI micro runtime #8398

@tuxerrante

Description

Summary

The shared-ingress HAProxy image currently uses the full UBI 10 base image even though the runtime payload is only HAProxy plus its required libraries.

That larger base image pulls in many packages that are not used by the shared-ingress deployment path, which increases image size and vulnerability scanner noise for an ARO HCP-specific, Red Hat-owned artifact.

Problem

We want to reduce the shared-ingress image footprint and trim unused packages while keeping the implementation aligned with HyperShift and ARO HCP productization constraints:

  • stay on Red Hat-owned, pinned images
  • keep hermetic RPM inputs
  • preserve the existing HAProxy runtime contract
  • verify that HAProxy still starts correctly with the controller's mounted config and runtime socket paths

Proposed direction

  • move the final runtime from full UBI to pinned UBI micro
  • keep a pinned UBI builder stage for RPM installation
  • remove the unused socat package from the image inputs
  • add a startup smoke test that exercises the same HAProxy command, mounts, and read-only root filesystem used by the controller
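As an added illustration of the layout described above (not code from the issue or the shared-ingress repository): a pinned UBI builder stage installs the HAProxy RPM into a separate root, and only that root is copied onto UBI micro, so no package manager or unused packages such as socat reach the runtime image. The image names and `<...-digest>` placeholders, the `/mnt/rootfs` path, and the assumption that hermetic RPM repositories are wired in by the build system are mine.

```dockerfile
# Builder stage: pinned UBI 10 (has dnf). Replace <ubi-digest> with the
# digest of the Red Hat-owned image actually in use; never build from a
# floating tag.
FROM registry.access.redhat.com/ubi10/ubi@sha256:<ubi-digest> AS builder

# Install HAProxy and its dependencies into a separate root. The RPM
# repositories are assumed to be the hermetic inputs provided by the build
# system (not shown). install_weak_deps=False keeps recommended-but-unused
# packages out; socat is intentionally not listed.
RUN mkdir -p /mnt/rootfs \
 && dnf install -y \
        --installroot /mnt/rootfs \
        --releasever 10 \
        --setopt=install_weak_deps=False \
        --nodocs \
        haproxy \
 && dnf clean all --installroot /mnt/rootfs \
 && rm -rf /mnt/rootfs/var/cache/dnf /mnt/rootfs/var/log/dnf*

# Runtime stage: pinned UBI micro. It ships no shell or package manager, so
# every file the runtime needs must already exist under /mnt/rootfs; RUN
# instructions are not possible here.
FROM registry.access.redhat.com/ubi10/ubi-micro@sha256:<ubi-micro-digest>

COPY --from=builder /mnt/rootfs/ /

# The controller supplies the HAProxy command line, the mounted config and
# the runtime socket paths; the root filesystem is expected to be mounted
# read-only, so HAProxy must only write under paths the controller mounts.
# The entrypoint below is an assumed default, not the controller's contract.
ENTRYPOINT ["/usr/sbin/haproxy"]
```

The `haproxy -c -f <config>` configuration check can be run against the resulting image with the same mounts and `--read-only` flag the controller uses, which is the shape of the startup smoke test proposed above.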

Expected benefit

A local comparison of the baseline and proposed images shows a substantial reduction in size and scanner findings:

  • baseline image size: 254682256 bytes
  • proposed image size: 107109829 bytes
  • baseline vulnerabilities: High 28, Medium 186, Low 139
  • proposed vulnerabilities: High 1, Medium 46, Low 22

Notes

This issue is being opened to document the approach for a >200 line change before submitting the corresponding PR, per the contributing guidance.
