Switch operator back to distroless base image

[HadrienPatte]

When we migrated all cilium images to a FIPS base in #600 we had to use a full ubuntu base image everywhere because we didn't have a FIPS distroless base image. This means that the operator and clustermesh images moved from a distroless base to an ubuntu base in order to have a FIPS base.
Now that we have FIPS distroless images, we can move the operator and clustermesh images back to a distroless base without loosing any FIPSiness.

Additional goodies:

• We have a root variant of the distroless fips image, meaning we can drop a USER root modification from the operator Dockerfile (see bfee99c)
• Similarly, we can set the TARGET argument of the cilium-runtime image build job to drop a a datadog patch from that dockerfile
• The last manual Dockerfile modification from bfee99c is the USER root line in the runtime image dockerfile, we can get rid of it when we have a root variant of the ubuntu FIPS GBI image (asked about it here)

I tested that the cilium-runtime built with target rootfs properly preserves the labels of its underlying base image:

$ docker inspect registry.ddbuild.io/cilium-runtime:1.16.7-dd2-fips-3 | jq '.[].Config.Labels'
{
  "CILIUM_VERSION": "1.16.7",
  "CI_JOB_ID": "XXX",
  "CI_PIPELINE_ID": "XXX",
  "base_image_target": "prod",
  "baseimage.arch": "arm64",
  "baseimage.aws_uses_fips_endpoint_override": "yes",
  "baseimage.buildstamp": "2025-03-04T15:53:04Z",
  "baseimage.is_fedramp_high_compliant": "yes",
  "baseimage.isgbi": "yes",
  "baseimage.name": "images/base/gbi-ubuntu_2204-fips",
  "baseimage.os": "ubuntu jammy LTS FIPS",
  "org.opencontainers.image.ref.name": "ubuntu",
  "org.opencontainers.image.version": "22.04",
  "target": "prod"
}

[HadrienPatte]

Revert of bfee99c#diff-e05830e1064c11185b763312fc9c003085c0e995780b7f94fe37caced924a307L63-L65

[HadrienPatte]

Revert of bfee99c#diff-813adbccd0953cba31e00b24ad62ffdbcddd7969fa497c7fae1a6f5cd17affffR61