feat: support Azure ClientSecretCredential authentication

[tylerkrop]

Pyroscope currently supports Client Secret authentication by way of implicit Thanos objstore behavior. If storage.azure.account-name & storage.azure.container-name are set alongside the AZURE_TENANT_ID, AZURE_CLIENT_ID, & AZURE_CLIENT_SECRET environment variables, then Thanos will fallback to the default Azure credential pattern. This usage pattern is undocumented in the Pyroscope documentation. An example snippet that works with this flow in the base-url example is the following:

...
    command:
      - -api.base-url
      - /pyroscope
      - -storage.backend
      - azure
      - -storage.azure.account-name
      - <account name>
      - -storage.azure.container-name
      - <container name>
    environment:
      - AZURE_TENANT_ID=<Azure tenant ID>
      - AZURE_CLIENT_ID=<client ID>
      - AZURE_CLIENT_SECRET=<client secret>
...

These changes plumb the configuration for the Thanos-supported explicit Client Secret authentication. Since Thanos already supports this flow, the changes are simple. This allows the following structure to be used via the CLI or configuration file specification:

storage:
  backend: azure
  azure:
    account_name: <account name>
    container_name: <container name>
    az_tenant_id: <Azure tenant ID>
    client_id: <client ID>
    client_secret: <client secret>

Validations

I built the image with make GOOS=linux GOARCH=amd64 docker-image/pyroscope/build as per the contributing documentation.

I tested this with my own storage account values using the following snippet in the base-url example:

...
    image: grafana/pyroscope:feat-azure-client-secret-credential-6e6864f93
    command:
      - -api.base-url
      - /pyroscope
      - -storage.backend
      - azure
      - -storage.azure.account-name
      - <account name>
      - -storage.azure.container-name
      -<container name>
      - -storage.azure.az-tenant-id
      - <tenant ID>
      - -storage.azure.client-id
      - <client ID>
      - -storage.azure.client-secret
      - <client secret>
...

I was able to validate that this successfully connected to my storage account, created the container, and used it as the storage backend.

I was not able to find tests for the Azure storage backend nor does Azurite support client secret credentials as an authentication pattern. I would appreciate if someone else could test this against their storage account too.

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[tylerkrop]

I fixed the make go/test failures. Apologies.

Edit: Looking at https://github.com/grafana/pyroscope/actions/runs/18284584410/job/52148509286 right now as well to see if this was caused by a different root cause.

Edit2: Fixed the ordering of the Azure storage backend options and ensured make generate check/unstaged-changes passed.

[simonswine]

Thanks contribution and quickly fixing CI problems

LGTM