Upgrade Varnish to 9.0.3 and document custom container images

[cin]

Summary

Moves operator-managed Varnish pod images from Debian trixie packages (Varnish 7.7) to Varnish 9.0.3 via packages.varnish-software.com, aligns pod security context with the official image UID layout (1000), and adds documentation for overriding workload images on VarnishCluster.

Changes

Images & packaging

• Add docker/install-varnish-9.sh (pinned 9.0.3-1~trixie, Varnish Software apt repo).
• Update Dockerfile.varnishd, Dockerfile.controller, Dockerfile.exporter to use the install script (minimal vs tools).
• Makefile: VARNISH_VERSION_NUMBER build-arg (default 9.0.3-1) for all three workload image builds.
• Sidecars still ship varnishadm / varnishstat + matching libvarnishapi; exporter still built from otto-de v1.8.3.

Operator

• VarnishRunAsUID / VarnishRunAsGID 997 → 1000 (Varnish Software package users).

Documentation

• New docs/custom-images.md: how to set spec.varnish.image / sidecars, coupled defaults from operator image, compatibility checklist, build instructions.
• Clarify that image tags follow operator releases, not Varnish semver.
• Update README, architecture, development, operator/VarnishCluster config, samples, SUMMARY.md.

Test plan

• make e2e-tests
• go test ./pkg/varnishcluster/controller/... ./pkg/varnishcontroller/varnishadm/...

Notes for reviewers

• Rebuild and release all three workload images together (varnish, varnish-controller, varnish-metrics-exporter) with the same operator release tag.
• Upgrading from 7.x changes pod UID 997 → 1000; expect cold cache on rollout (emptyDir workdir).
• Addresses GH issue request to document specifying custom images (capability already existed in the API). Resolves Fork README leftovers #7