
Switch MinIO test image from minio/minio to chainguard/minio #1394

@Slach

Goal

Replace minio/minio:latest with chainguard/minio:latest in test/integration/ and test/testflows/ to reduce CVE surface and image size.

Current usage

  • test/integration/containers.go:538 — pulls and runs MinIO container
  • test/integration/main_test.go:105 — pre-pulls the image
  • test/testflows/helpers/cluster.py:1095 — testflows MinIO container

Why a direct swap will not work

The chainguard image is distroless and runs as a non-root user. The current integration setup relies on several things absent from chainguard/minio:

  1. Shell entrypoint (containers.go:539): Entrypoint: []string{"/bin/bash"} with Cmd: "mkdir -p /minio/data/clickhouse && minio server /minio/data". There is no /bin/bash and no standalone mkdir in chainguard images.
  2. Healthcheck (containers.go:547): ls -lah /minio/data/clickhouse/ && curl -skL https://localhost:9000/. Neither ls nor curl exists in the chainguard image.
  3. TLS cert mounts (containers.go:555-558): bind mounts under /root/.minio/certs/... and /root/.mc/certs/.... Chainguard MinIO runs as nonroot (uid 65532) and does not read /root/..., so the HTTPS endpoint the tests use will break.
  4. testflows path (cluster.py:1095) is simpler — likely only needs the image tag change plus a command adjustment.

Proposed work

  • Drop the bash wrapper; pass minio server /minio/data (and any mc/init step) directly as Cmd, or pre-create the clickhouse bucket via the MinIO API after startup instead of mkdir at boot.
  • Replace the shell healthcheck with a non-shell probe (e.g. Docker HEALTHCHECK against the /minio/health/live endpoint via the container's built-in HTTP, or a TCP probe from the test harness side).
  • Relocate cert bind mounts to a path the nonroot user can read (chainguard MinIO config home), and verify file ownership/permissions.
  • Update MINIO_VERSION default handling and the docker.io/minio/minio path to the chainguard registry (cgr.dev/chainguard/minio or chainguard/minio on Docker Hub — pick the source that's pinnable).
  • Mirror changes in test/testflows/helpers/cluster.py.
  • Run full integration + testflows suites locally to confirm parity (S3-compatible backup/restore, TLS, nodelete policy via minio_nodelete.sh — note this script is currently bind-mounted as /bin/minio_nodelete.sh and used by tests; behavior under distroless must be verified).
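The first four items above, taken together, in Go (added example; this is not code from the issue or from the project's containers.go). It assumes a hypothetical ContainerSpec type standing in for whatever the harness hands to the container runtime, uses MinIO's real `--certs-dir` flag so the certificate path no longer depends on /root, sets the entrypoint to the `minio` binary explicitly so it does not matter what the image's default entrypoint is, and probes `/minio/health/live` from the harness side rather than with a Docker HEALTHCHECK, because a HEALTHCHECK command still has to execute inside the container and the distroless image has nothing to run it with. The in-container path /certs and the `65532:65532` user string are assumptions for the example; bucket creation is deliberately left to the S3 client the tests already use, since `mkdir` at boot is no longer possible.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// ContainerSpec is a hypothetical stand-in for the struct the harness passes to the
// container runtime; the project's real containers.go has its own types.
type ContainerSpec struct {
	Image      string
	User       string   // uid:gid the process runs as
	Entrypoint []string // set explicitly so the image's own entrypoint is irrelevant
	Cmd        []string
	Binds      []string // host:container:ro bind mounts
}

// CertsDir is where MinIO is told (via --certs-dir) to find public.crt/private.key,
// so nothing relies on /root/.minio. The path is an assumption for this example.
const CertsDir = "/certs"

// ChainguardMinioRef builds a pinned image reference and refuses a floating tag,
// which is what the "avoid :latest drift" acceptance criterion asks for.
func ChainguardMinioRef(version string) (string, error) {
	v := strings.TrimSpace(version)
	if v == "" || v == "latest" {
		return "", errors.New("MINIO_VERSION must be a pinned tag or sha256 digest, not latest")
	}
	if strings.HasPrefix(v, "sha256:") {
		return "cgr.dev/chainguard/minio@" + v, nil
	}
	return "cgr.dev/chainguard/minio:" + v, nil
}

// MinioSpec replaces the bash wrapper: no shell, no mkdir, certificates mounted
// read-only where the nonroot user can reach them, bucket creation left to the API.
func MinioSpec(image, hostCertDir, dataDir string) ContainerSpec {
	return ContainerSpec{
		Image:      image,
		User:       "65532:65532", // chainguard nonroot uid/gid (assumed for the example)
		Entrypoint: []string{"minio"},
		Cmd:        []string{"server", "--certs-dir", CertsDir, "--address", ":9000", dataDir},
		Binds: []string{
			filepath.Join(hostCertDir, "public.crt") + ":" + CertsDir + "/public.crt:ro",
			filepath.Join(hostCertDir, "private.key") + ":" + CertsDir + "/private.key:ro",
		},
	}
}

// WaitForMinio polls the liveness endpoint from the harness side until it answers 200
// or ctx expires. It replaces the in-container "ls && curl" healthcheck that a
// distroless image cannot execute.
func WaitForMinio(ctx context.Context, baseURL string, interval time.Duration) error {
	client := &http.Client{
		Timeout: 2 * time.Second,
		// The fixture uses a self-signed certificate (today's check passes curl -k),
		// so verification is skipped here and only here.
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
	}
	url := strings.TrimRight(baseURL, "/") + "/minio/health/live"
	for {
		resp, err := client.Get(url)
		if err == nil {
			resp.Body.Close()
			if resp.StatusCode == http.StatusOK {
				return nil
			}
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("minio not live at %s: %w", url, ctx.Err())
		case <-time.After(interval):
		}
	}
}

func main() {
	// MINIO_VERSION is the env default the issue wants pinned; empty or "latest" is rejected.
	ref, err := ChainguardMinioRef(os.Getenv("MINIO_VERSION"))
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	spec := MinioSpec(ref, "/tmp/minio-certs", "/minio/data")
	fmt.Printf("%s as %s: %v %v\n", spec.Image, spec.User, spec.Entrypoint, spec.Cmd)
	for _, b := range spec.Binds {
		fmt.Println("bind:", b)
	}
}
```

The host certificate files must be readable by uid 65532 (world-readable, or chowned to it) or MinIO will fail to start even though the mount path is now right; that is the "verify file ownership/permissions" step above and cannot be fixed from the harness side.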

Acceptance criteria

  • Both test suites pass with the chainguard image.
  • No minio/minio references remain under test/.
  • Documented version pin (avoid :latest drift) in the env default.
