Update docker image to run as non-root

[zalegrala]

What this PR does:

BREAKING CHANGE

Here we make the image adjustment necessary to run Tempo as non-root in the
Docker container, as well as include some util jsonnet to allow statefulsets to
chown their data directories to match the new permissions.

With this new chown init contianer, both the ingester and metrics-generator
statefulsets start and function.

❯ docker run -it --entrypoint sh zalegrala/tempo:tempoNonRootImage-eefae10f9
/ $ whoami
tempo
/ $ id
uid=10001(tempo) gid=10001(tempo) groups=10001(tempo)
/ $ ls -ld /var/tempo
drwxr-xr-x    2 tempo    tempo         4096 Apr  2 19:40 /var/tempo

Note that the securityContext.fsGroup(10001) may be required for environments
that mount additional volumes which do not have read/write permissions for the
tempo user. Users may also wish to recursively chown the /var/tempo
directory for the new ownership. This will need to be done only once.

Which issue(s) this PR fixes:
Fixes #334

Checklist

• Tests updated
• Documentation added
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

[zalegrala]

Needs a mention of the breaking change and an entry in the changelog.

[kvrhdn]

This looks good to me, nice work cleaning up some secuirty debt.

I'm fine with merging but I think @mdisibio was going to leave a comment too.

[zalegrala]

Thanks for the review folks.

@mdisibio I pushed a commit for your feedback on the jsonnet. Feel free to call out anything else you'd like to see addressed here.

[zalegrala]

I caught up with mdisibio earlier and we're good on the changes here.