feat: add pod_sysctls operator config option

[csy1204]

Motivation

compareStatefulSetWith in pkg/cluster/cluster.go compares the pod template's
securityContext via reflect.DeepEqual. The operator only ever populates
RunAsUser, RunAsGroup, and FSGroup on that struct (in
generatePodTemplate), so any other field that an external actor — typically a
cluster-wide mutating admission webhook — injects into the StatefulSet pod
template produces a permanent diff.

This shows up most painfully with sysctls. Many internal Kubernetes platforms
inject TCP-keepalive sysctls (e.g. net.ipv4.tcp_keepalive_time,
net.ipv4.tcp_keepalive_intvl, net.ipv4.tcp_keepalive_probes) so that idle
TCP connections through an L4 load balancer don't go stale silently. Postgres
clusters are an especially valuable target for such webhooks (pgbouncer pools
hold many long-idle connections that would otherwise meet RST on next send).

Once that webhook lands, every resync_period tick the operator sees the
"pod template security context in spec does not match the current one" diff,
issues a rolling update, and performs a Patroni switchover. The cluster never
converges.

There is no operator-side way out of this today: configKubernetes exposes
spilo_runasuser / spilo_runasgroup / spilo_fsgroup and
additional_pod_capabilities, but no way to populate sysctls on the desired
template.

Change

Adds a new pod_sysctls option to KubernetesMetaConfiguration (mirroring the
shape of additional_pod_capabilities):

# OperatorConfiguration CRD
configuration:
  kubernetes:
    pod_sysctls:
    - name: net.ipv4.tcp_keepalive_time
      value: "600"
    - name: net.ipv4.tcp_keepalive_intvl
      value: "20"
    - name: net.ipv4.tcp_keepalive_probes
      value: "3"

When set, generatePodTemplate populates pod.spec.securityContext.Sysctls
verbatim. The desired template then matches whatever a webhook would inject
(assuming the webhook is idempotent on a value already present), and the
StatefulSet comparator no longer flags a diff.

The list is applied verbatim — order and values must match the external
mutator. Empty (default) leaves Sysctls unset, preserving today's behavior.

Files

• pkg/util/config/config.go — PodSysctls []v1.Sysctl in Resources
• pkg/apis/acid.zalan.do/v1/operator_configuration_type.go — matching CRD type
• pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go — DeepCopy for the slice
• pkg/apis/acid.zalan.do/v1/crds.go,
  manifests/operatorconfiguration.crd.yaml,
  charts/postgres-operator/crds/operatorconfigurations.yaml — CRD openAPI schema
• pkg/controller/operator_config.go — CRD → internal config mapping
• pkg/cluster/k8sres.go — apply to securityContext.Sysctls
• pkg/cluster/k8sres_test.go — TestPodSysctls (configured + empty cases)
• manifests/postgresql-operator-default-configuration.yaml,
  charts/postgres-operator/values.yaml,
  docs/reference/operator_parameters.md — examples and reference docs

Test

go build ./...
go vet ./...
go test ./pkg/cluster/ -run TestPodSysctls -v -count=1
=== RUN   TestPodSysctls
=== RUN   TestPodSysctls/sysctls_applied_to_pod_securityContext_when_configured
=== RUN   TestPodSysctls/sysctls_omitted_when_not_configured
--- PASS: TestPodSysctls (0.00s)
PASS
ok  	github.com/zalando/postgres-operator/pkg/cluster

Full ./pkg/cluster/, ./pkg/util/config/, ./pkg/controller/,
./pkg/apis/... test suites pass.

Scope

Available in OperatorConfiguration CRD mode only, matching the existing pattern
for complex-typed config (e.g. sidecars which is also CRD-mode only).

DCO signed off.