
@jacobstr jacobstr commented Mar 13, 2025

Various small changes to make the nested-spire example work on a macOS host running Docker for Mac.

On my system, the first run of scripts/set-env.sh yields:

```
2025-03-13T02:46:39Z] bootstrapping root-agent.
Error: connection error: desc = "transport: error while dialing: dial unix
/tmp/spire-server/private/api.sock: connect: no such file or directory"
```

The naive thing to do is to merely re-run the script.

If you re-run set-env.sh after the above failure, new certs are generated but
the server appears to continue running and using the old CA. So let's
just make it work the first time by waiting for the server.

The other issues relate to Docker for Mac and its hackish socket
handling. The /var/run/docker.sock is apparently special-cased somehow,
so we specify that single file in the volume mounts rather than the entire
/var/run folder.

The other error I saw had to do with sharing that `sharedSocket` folder:

```
 "Agent crashed" error="unable to change UDS permissions: chmod /opt/spire/sockets/workload_api.sock: invalid argument"
```

This originates here: https://github.com/spiffe/spire/blob/v1.5.1/pkg/agent/endpoints/endpoints_posix.go#L32

Again, Docker for Mac "breaks" sockets created in this shared
volume when it's on the host filesystem because in practice it's some
Rube Goldberg contraption with a lightweight VM under the hood.

So we just create a container-scoped volume instead, and bypass the
macOS host filesystem entirely. This might make it a bit funky to
interact with spire binaries running on our host - perhaps, but we could
always just add some bastion container to the docker-compose.yml file if
we want some tooling container for experimentation.
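A readiness wait of the kind the description argues for (make the first run wait for the server instead of retrying), as an added example that is not the PR's own scripts/set-env.sh: it polls for the server's API socket and, more robustly, re-runs a health-check command until it succeeds. The compose service name and spire-server binary path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's scripts/set-env.sh): wait for the SPIRE server
# before bootstrapping an agent, so the first run does not race the server
# and a retry does not leave the agent bootstrapped against a stale CA.
set -eu

# wait_for_socket PATH [TIMEOUT_SECONDS]
# Polls once per second until PATH exists as a Unix domain socket.
# Returns 0 when the socket appears, 1 after TIMEOUT_SECONDS (default 30).
wait_for_socket() {
  sock="$1"
  timeout="${2:-30}"
  waited=0
  until [ -S "$sock" ]; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for socket $sock" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
}

# wait_for_probe TIMEOUT_SECONDS CMD [ARGS...]
# Re-runs CMD once per second until it exits 0, e.g. a server health check.
# An existing socket file does not prove the server answers yet, so a probe
# that actually talks to the server is the stronger readiness check.
wait_for_probe() {
  timeout="$1"
  shift
  waited=0
  until "$@" 2>/dev/null; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for: $*" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
}

# Intended use in the nested-spire flow (service name and binary path are
# assumptions, not taken from the example's compose file):
#   wait_for_socket /tmp/spire-server/private/api.sock 30
#   wait_for_probe 30 docker compose exec -T root-server \
#       /opt/spire/bin/spire-server healthcheck
#   ... then bootstrap the root-agent.
```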

@jacobstr jacobstr changed the title from "fgMacos" to "Fix the nested-spire example in macOS" on Mar 13, 2025
Signed-off-by: Jacob Straszynski <[email protected]>

mlenkeit commented Sep 3, 2025

👍 for the PR. I've struggled quite a bit to run the sample from main on macOS until I found this PR. Works like a charm, with the following modifications:

- `docker-compose` -> `docker compose`
- remove `version: 3` from docker-compose.yaml
