@ivanauth
Summary

  • Documents the spec.config.extraServiceAccountAnnotations field that was previously undocumented
  • Adds comprehensive examples for AWS IRSA, GCP Workload Identity, and Azure Workload Identity
  • Provides a complete AWS IRSA integration guide with working examples

Changes

  • README.md: Added "Configuration Options" section documenting:

    • extraServiceAccountAnnotations with cloud provider examples
    • serviceAccountName field usage
    • extraPodLabels and extraPodAnnotations (bonus documentation)
  • examples/aws-iam-service-account/: New example directory containing:

    • Comprehensive README with IRSA setup guide
    • Working YAML manifests demonstrating various use cases
    • RDS IAM authentication configuration
    • Troubleshooting section

Key Technical Correction

Fixed incorrect documentation that suggested using authtype=iam in connection strings. The correct approach for RDS IAM authentication requires setting datastoreCredentialsProviderName: "aws-iam" in the SpiceDB config.

Testing

  • YAML manifests validated with kubectl apply --dry-run
  • Unit tests pass (go test ./pkg/config)
  • Reviewed by Codex with high reasoning mode (no objections)

Fixes #337

@ivanauth force-pushed the fix/issue-337-document-serviceaccount-annotations branch from 9bb94f8 to 28acde1 on November 26, 2025 23:48
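
Added example, not part of the pull request or the project's code: a small pre-deploy check for the correction described above, flagging a datastore URI that still carries authtype=iam and a spec.config that lacks datastoreCredentialsProviderName: "aws-iam" or an IRSA role annotation. Assumptions: the function and finding names are hypothetical, the URI is passed in separately, extraServiceAccountAnnotations may be a mapping or a "k=v,k2=v2" string, and all sample values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # annotation key EKS uses for IRSA


def _annotations(value):
    """Normalise annotations given as a mapping or a "k=v,k2=v2" string (assumed shapes)."""
    if isinstance(value, dict):
        return dict(value)
    pairs = (item.split("=", 1) for item in (value or "").split(",") if "=" in item)
    return {key.strip(): val.strip() for key, val in pairs}


def audit_rds_iam(config, datastore_uri):
    """Return finding codes for a SpiceDBCluster spec.config and its datastore URI."""
    findings = []
    # The pattern the PR removes from the docs: IAM auth requested via the URI.
    query = parse_qs(urlsplit(datastore_uri).query)
    if "iam" in (v.lower() for v in query.get("authtype", [])):
        findings.append("authtype-iam-in-uri")
    # The setting the PR documents as the correct one.
    if config.get("datastoreCredentialsProviderName") != "aws-iam":
        findings.append("credentials-provider-not-aws-iam")
    # Without a role annotation the service account has no IAM role to assume.
    annotations = _annotations(config.get("extraServiceAccountAnnotations"))
    role = annotations.get(IRSA_ANNOTATION, "")
    if not (role.startswith("arn:") and ":role/" in role):
        findings.append("missing-irsa-role-annotation")
    return findings


# Constructed sample inputs (hypothetical host, account id and role name).
URI = "postgres://spicedb_app@db.example.internal:5432/spicedb"
ROLE = "arn:aws:iam::111122223333:role/spicedb-rds"
BEFORE = {"datastoreEngine": "postgres"}
AFTER = {
    "datastoreEngine": "postgres",
    "datastoreCredentialsProviderName": "aws-iam",
    "extraServiceAccountAnnotations": {IRSA_ANNOTATION: ROLE},
}

if __name__ == "__main__":
    print("before:", audit_rds_iam(BEFORE, URI + "?authtype=iam"))
    print("after: ", audit_rds_iam(AFTER, URI))
```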
Development

Successfully merging this pull request may close these issues.

Document spec.config.extraServiceAccountAnnotations field of the SpiceDBCluster