marinafrank

Previously, it was not possible to set the pod-level securityContext, which makes it impossible to solve a persistent volume permissions issue on a kubernetes cluster with enforced nonRoot containers.

Fixes #1770 and similar postgres "Permission denied" issues.

SUMMARY

By default, the persistent volume is created with root:root 0755 permissions.
In order to run postgres in the non-root container, the filesystem ownership must be changed.

The existing workaround is to run a chown command in an init container.

Unfortunately, it is not possible to run a root init container on security-hardened kubernetes clusters, such as those which prohibit root containers with the help of a ValidatingAdmissionPolicy.

The kubernetes native solution to this problem is the fsGroup setting. When enabled, it enforces recursive group-write permission before the container startup.

By default, Kubernetes recursively changes ownership and permissions for the contents of each volume to match the fsGroup specified in a Pod's securityContext.

kind: Pod
spec:
  securityContext:
    fsGroup: 26
    fsGroupChangePolicy: Always

The awxs CRD claims that the postgres_security_context_settings configures the pod-level securityContext, when in fact it configures the container-level one.

This PR introduces the pod spec securityContext setting and fixes the relevant documentation.

ISSUE TYPE

  • New or Enhanced Feature

ADDITIONAL INFORMATION

This PR can be tested with the following settings:

apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  postgres_pod_security_context_settings:
    fsGroup: 26
    fsGroupChangePolicy: Always
  postgres_security_context_settings:
    runAsUser: 26
    runAsGroup: 26

Previously, it was not possible to set the pod-level securityContext, which makes it impossible to solve a persistent volume permissions issue on a kubernetes cluster with enforced nonRoot containers.

Fixes ansible#1770 and similar "Permission denied" issues.
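An added check, not part of the awx-operator code or this PR, that audits a rendered postgres Pod for the two situations the description contrasts: the root init-container chown workaround versus a pod-level fsGroup. It assumes the Pod is available as a dict (as from `kubectl get pod -o json`); the two sample Pods below are constructed.

```python
from typing import List, Tuple


def effective_ids(pod: dict, container: dict) -> Tuple:
    """runAsUser/runAsGroup: container-level values override pod-level ones."""
    pod_sc = pod["spec"].get("securityContext", {})
    c_sc = container.get("securityContext", {})
    return (c_sc.get("runAsUser", pod_sc.get("runAsUser")),
            c_sc.get("runAsGroup", pod_sc.get("runAsGroup")))


def audit_pod(pod: dict) -> List[str]:
    """Return findings; an empty list means the fsGroup approach is in place."""
    spec = pod["spec"]
    findings = []
    # A root init container (the chown workaround) is rejected by nonRoot policies.
    for init in spec.get("initContainers", []):
        if effective_ids(pod, init)[0] in (None, 0):
            findings.append(f"initContainer '{init['name']}' runs as root or unspecified uid")
    # Without fsGroup the PV keeps root:root 0755 and a non-root postgres cannot write.
    if spec.get("securityContext", {}).get("fsGroup") is None:
        findings.append("no pod-level fsGroup: volume stays root:root 0755")
    # fsGroup is a supplemental group; it only matters for a non-root process.
    for c in spec.get("containers", []):
        if effective_ids(pod, c)[0] in (None, 0):
            findings.append(f"container '{c['name']}' runs as root or unspecified uid")
    return findings


# Constructed samples: the init-container workaround vs. the PR's fsGroup setting.
BEFORE = {"spec": {
    "initContainers": [{"name": "fix-perms",
                        "command": ["chown", "-R", "26:26", "/var/lib/pgsql/data"]}],
    "containers": [{"name": "postgres",
                    "securityContext": {"runAsUser": 26, "runAsGroup": 26}}]}}
AFTER = {"spec": {
    "securityContext": {"fsGroup": 26, "fsGroupChangePolicy": "Always"},
    "containers": [{"name": "postgres",
                    "securityContext": {"runAsUser": 26, "runAsGroup": 26}}]}}

if __name__ == "__main__":
    for name, pod in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_pod(pod) or ["ok"])
```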
Development

Successfully merging this pull request may close these issues.

Postgres 15 pod: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied