feat(azure): support Azure workload identity via projected service account token#816

Open

rkthtrifork wants to merge 1 commit into cloudnative-pg:main from rkthtrifork:rkth/azure-workload-identity

Conversation


@rkthtrifork rkthtrifork commented Mar 17, 2026

Summary

This PR adds Azure workload identity support for plugin-managed CNPG sidecars by projecting a service account token with the Azure audience into the sidecar pod when azureCredentials.useDefaultAzureCredentials: true is configured.

This keeps the existing AKS managed identity flow unchanged:

  • inheritFromAzureAD: true still uses the managed identity / IMDS path
  • useDefaultAzureCredentials: true now supports workload identity by exposing AZURE_FEDERATED_TOKEN_FILE and the projected token to DefaultAzureCredential

Changes

  • detect whether any referenced ObjectStore uses useDefaultAzureCredentials
  • inject a projected service account token volume into the plugin sidecar pod
  • set AZURE_FEDERATED_TOKEN_FILE for the sidecar
  • preserve existing user/webhook-provided Azure env vars
  • add unit tests for:
    • workload identity detection
    • sidecar token volume/env injection
    • preserving an existing AZURE_FEDERATED_TOKEN_FILE
  • update Azure object store docs to describe the workload identity path

Behavior

With this change:

  • useDefaultAzureCredentials: true
    the plugin sidecar gets:

    • a projected token with audience api://AzureADTokenExchange
    • AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
  • inheritFromAzureAD: true
    behavior is unchanged and no federated token volume is injected

This means clusters using the older implicit AKS managed identity flow remain supported, while clusters using Azure workload identity can now work without relying on an external injector to provide the token file.
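As an added illustration (not code from this PR or from the plugin itself), this is what the ObjectStore setting described above and the sidecar pod spec it produces look like as YAML. The audience, token path and AZURE_FEDERATED_TOKEN_FILE name are taken from the PR description; the ObjectStore apiVersion/kind, the expirationSeconds value, the service account and container names and the Azure IDs are assumed placeholders.

```yaml
# --- ObjectStore fragment: the setting that triggers the injection ---
# apiVersion/kind and the surrounding structure are assumed; the
# azureCredentials.useDefaultAzureCredentials key is from the PR.
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
  name: azure-backups
spec:
  configuration:
    destinationPath: https://<storage-account>.blob.core.windows.net/<container>/
    azureCredentials:
      useDefaultAzureCredentials: true   # workload identity path (not inheritFromAzureAD)

---
# --- Resulting sidecar pod spec fragment (illustrative, not the plugin's output) ---
spec:
  # The Azure federated identity credential must name this service account as
  # its subject (system:serviceaccount:<namespace>:<name>) or token exchange fails.
  serviceAccountName: <cluster-service-account>
  containers:
    - name: <plugin-sidecar>
      env:
        # Injected by the plugin; an existing value is preserved (per the PR).
        - name: AZURE_FEDERATED_TOKEN_FILE
          value: /var/run/secrets/azure/tokens/azure-identity-token
        # User/webhook-provided vars are kept; DefaultAzureCredential's workload
        # identity credential also needs these to know which identity to assume.
        - name: AZURE_CLIENT_ID
          value: "<managed-identity-client-id>"
        - name: AZURE_TENANT_ID
          value: "<tenant-id>"
      volumeMounts:
        - name: azure-identity-token
          mountPath: /var/run/secrets/azure/tokens
          readOnly: true               # the sidecar only ever reads the token
  volumes:
    - name: azure-identity-token
      projected:
        sources:
          - serviceAccountToken:
              # Audience-bound: the token is only valid for exchange with Entra ID,
              # so it cannot be replayed against the Kubernetes API server.
              audience: api://AzureADTokenExchange
              expirationSeconds: 3600  # assumed; kubelet rotates before expiry
              path: azure-identity-token
```

The kubelet refreshes the projected token file on rotation, so the sidecar must re-read it rather than cache its contents; DefaultAzureCredential already does this.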

@rkthtrifork rkthtrifork requested a review from a team as a code owner March 17, 2026 08:19
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. enhancement New feature or request labels Mar 17, 2026
@rkthtrifork rkthtrifork changed the title feat: add Azure workload identity support feat(azure): support workload identity via projected service account token Mar 17, 2026
@rkthtrifork rkthtrifork changed the title feat(azure): support workload identity via projected service account token feat(azure): support Azure workload identity via projected service account token Mar 17, 2026
Signed-off-by: rkthtrifork <rkth@trifork.com>
@rkthtrifork rkthtrifork force-pushed the rkth/azure-workload-identity branch from 1faa68d to 2a70f54 March 17, 2026 08:29