feat(server): serve health endpoints on separate unauthenticated port

[sjenning]

Summary

Move /health, /healthz, and /readyz to a dedicated plaintext HTTP port (default 8081) so Kubernetes probes work without mTLS client certificates. Also fixes the Docker cluster healthcheck to avoid sending plaintext bytes into the TLS listener.

Related Issue

Fixes #897

Changes

• Add health_bind_address to Config with --health-port CLI arg (default 8081, env OPENSHELL_HEALTH_PORT)
• Spawn standalone axum::serve for health_router on the health port (plain HTTP, no TLS)
• Remove health routes from the main multiplexed HTTP router
• Add port-collision validation (--port vs --health-port)
• Update Helm statefulset: add health container port, switch all probes from tcpSocket to httpGet on health port
• Fix cluster-healthcheck.sh to open/close TCP without sending data, avoiding InvalidContentType TLS errors

Testing

• cargo check -p openshell-core -p openshell-server passes
• cargo test -p openshell-core -p openshell-server --lib passes (223 tests)
• Verified health server listens on 8081 in running cluster
• Verified Kubernetes probes correctly target health port
• Identified and fixed cluster-healthcheck.sh as source of remaining TLS errors
• E2E tests (mise run e2e)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[TaylorMutch]

Couple of optional nits

[TaylorMutch]

recheck

[TaylorMutch]

Tested locally and confirmed this all works - Thanks!