Updating documentation on how to setup IRSA on AWS

I tried configuring my Argo-Server to use s3 as an artifact repository, and then archive all logs automatically, and it worked fine. But then when I wanted to load those logs in the Argo-Server UI using the link `https://<arg_server_host>/artifacts/argo/<workflow_name>/<pod_name>/main-logs` I got the following error:

```
failed to create new S3 client: WebIdentityErr: failed fetching WebIdentity token:
caused by: WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token
caused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied
```

Reading through similar issues here: kubernetes-sigs/external-dns#1185 I found out that IRSA requires this setting on the Deployment:
`spec.template.spec.securityContext.fsGroup: 65534` to fix the above issue.

I thought it would be helpful to others to find information how to deal with it here, rather than search for the answers if they hit this problem.

Signed-off-by: Dominik Deren <dominik.deren@live.com>

docs/workflow-controller-configmap.yaml

@@ -115,6 +115,9 @@ data:
         key: secretKey
       # If this is set to true, argo workflows will use AWS SDK default credentials provider chain. This will allow things like
       # IRSA and any of the authentication methods that the golang SDK uses in it's default chain.
+      # If you are using IRSA on AWS, and set this option to true, you will also need to modify Argo-Server Deployment with
+      # `spec.template.spec.securityContext.fsGroup: 65534` configuration. This is required for IRSA to be able to access 
+      # `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` file, and authenticate with AWS.
       useSDKCreds: false
 
   # Specifies the container runtime interface to use (default: docker)