Ship static busybox shell in gpu-operator image

[rajathagasthya]

Part of NVIDIA/cloud-native-team#299.

NVIDIA STIG policy is dropping -dev distroless tags as approved
parent images. To move the gpu-operator image onto a non--dev base
without rewriting validator/operand manifests or hack/must-gather.sh,
we ship a static busybox shell inside the image.

Approach

Add a debian:trixie-slim shell-builder stage to docker/Dockerfile
that apt-installs busybox-static. Copy /bin/busybox into the final
stage and run busybox --install -s /bin to populate /bin/sh,
/bin/rm, /bin/ln, etc. Flip the final base from
nvcr.io/nvidia/distroless/cc:<ver>-dev to the matching non--dev
variant.

FROM debian:trixie-slim AS shell-builder
RUN apt-get update \
 && apt-get install --no-install-recommends -y busybox-static \
 && rm -rf /var/lib/apt/lists/*

FROM nvcr.io/nvidia/distroless/cc:<version>
COPY --from=shell-builder /bin/busybox /bin/busybox
RUN ["/bin/busybox", "--install", "-s", "/bin"]

Validator-pod manifests, operand-asset sh -c wrappers,
hack/must-gather.sh (mounted at /usr/bin/gather), and the
rmglob preStop helper all remain untouched. Mechanical Dockerfile
change.

Precedent:
kubernetes-sigs/dra-driver-nvidia-gpu
uses the same pattern with bash-static.

Tracking

Tracked in PR #2434, being repurposed from the
earlier Go-absorption approach.

Acceptance

• Dockerfile no longer references a -dev distroless tag
• /bin/sh and friends are present at runtime via static busybox
• Image builds successfully on amd64 and arm64
• Validator pods, operand-asset init containers, and the
  gather plugin all run as before