support keyless auth for rr blob storage#340

Open

JatinNanda wants to merge 1 commit into main from jatin/support-keyless-auth-for-blob-storage

Conversation

@JatinNanda

Contributor

what

adds keyless auth support for rr blob storage so deployments can authenticate as the pod's own cloud identity instead of a static credential. pairs with tryretool/retool_development#80111, which makes the backend accept keyless auth.

  • azure: new rr.blobStorage.azure.accountUrl. when set with no connection string, the chart renders RR_DEFAULT_AZURE_ACCOUNT_URL and the backend authenticates via DefaultAzureCredential (managed identity / azure workload identity). connection string still wins when both are set.
  • s3 / gcs: already worked at the template level (credentials are only rendered when set). this just documents the keyless flow and the serviceAccount wiring.

to use keyless auth, omit the static credential and set serviceAccount.annotations so the pod carries the right identity:

  • s3: eks.amazonaws.com/role-arn (irsa), or an instance/ecs role
  • gcs: iam.gke.io/gcp-service-account (workload identity)
  • azure: azure.workload.identity/client-id + the azure.workload.identity/use: "true" pod label

test

  • helm template with azure: { container, accountUrl } renders RR_DEFAULT_AZURE_ACCOUNT_URL and no connection string env.
  • with both accountUrl and connectionString set, only RR_DEFAULT_AZURE_CONNECTION_STRING is rendered (precedence matches backend).
  • helm lint passes.

chart version bumped 6.11.5 -> 6.11.6.

renders RR_DEFAULT_AZURE_ACCOUNT_URL when rr.blobStorage.azure.accountUrl
is set with no connection string, so azure can authenticate via managed
identity (DefaultAzureCredential) instead of a static connection string.

s3 and gcs keyless auth already work: the chart renders credentials only
when set, and the pod uses serviceAccount.annotations for its identity
(eks irsa / gke workload identity). this documents that and adds the
azure account-url path that the backend now understands.

connection string still takes precedence over accountUrl when both are
set, matching the backend.
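
The rendering precedence described above (connection string wins; accountUrl alone renders RR_DEFAULT_AZURE_ACCOUNT_URL) together with a lint for the identity wiring a keyless pod needs, as an added illustration that is not the chart's own template code. The `podLabels` values key and the `_azure_values` helper are assumptions; the env names, values paths, annotation and label are those named in the PR.

```python
"""Added illustration, not the chart's template: models the Azure env rendering
the PR describes and lints the pod identity wiring a keyless deployment needs."""
from typing import Dict, List

# Identity wiring named in the PR for Azure workload identity.
AZURE_CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"
AZURE_USE_LABEL = "azure.workload.identity/use"


def _azure_values(values: dict) -> dict:
    """Assumed helper: returns the rr.blobStorage.azure subtree (or {})."""
    return values.get("rr", {}).get("blobStorage", {}).get("azure", {}) or {}


def render_azure_env(values: dict) -> Dict[str, str]:
    """Connection string wins when both are set; with none, accountUrl renders
    RR_DEFAULT_AZURE_ACCOUNT_URL so the backend can use DefaultAzureCredential."""
    azure = _azure_values(values)
    env: Dict[str, str] = {}
    if azure.get("connectionString"):
        env["RR_DEFAULT_AZURE_CONNECTION_STRING"] = azure["connectionString"]
    elif azure.get("accountUrl"):
        env["RR_DEFAULT_AZURE_ACCOUNT_URL"] = azure["accountUrl"]
    return env


def lint_keyless_identity(values: dict) -> List[str]:
    """Flag a keyless Azure config whose pod identity is incomplete: the chart
    still renders, but the pod then has no identity to authenticate with."""
    findings: List[str] = []
    env = render_azure_env(values)
    annotations = values.get("serviceAccount", {}).get("annotations", {}) or {}
    pod_labels = values.get("podLabels", {}) or {}  # assumed values key for pod labels
    if "RR_DEFAULT_AZURE_ACCOUNT_URL" in env:
        if AZURE_CLIENT_ID_ANNOTATION not in annotations:
            findings.append(f"keyless azure: serviceAccount.annotations lacks {AZURE_CLIENT_ID_ANNOTATION}")
        if pod_labels.get(AZURE_USE_LABEL) != "true":
            findings.append(f'keyless azure: pod label {AZURE_USE_LABEL}: "true" is missing')
    elif "RR_DEFAULT_AZURE_CONNECTION_STRING" in env and _azure_values(values).get("accountUrl"):
        findings.append("azure: accountUrl is ignored because connectionString is set")
    return findings


# Constructed sample values for the keyless flow (placeholder client id).
KEYLESS_VALUES = {
    "rr": {"blobStorage": {"azure": {"container": "rr-blobs", "accountUrl": "https://example.blob.core.windows.net"}}},
    "serviceAccount": {"annotations": {AZURE_CLIENT_ID_ANNOTATION: "<managed-identity-client-id>"}},
    "podLabels": {AZURE_USE_LABEL: "true"},
}

if __name__ == "__main__":
    print(render_azure_env(KEYLESS_VALUES), lint_keyless_identity(KEYLESS_VALUES))
```
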
@greptile-apps

greptile-apps Bot commented Jun 23, 2026


Greptile Summary

This PR adds Azure keyless blob storage support for RR git storage. The main changes are:

  • Adds RR_DEFAULT_AZURE_ACCOUNT_URL rendering when Azure accountUrl is set without a connection string.
  • Keeps Azure connection string configuration ahead of account URL when both are provided.
  • Documents keyless auth setup for S3, GCS, and Azure workload identities.
  • Bumps the chart version to 6.11.6.

Confidence Score: 5/5

The chart changes are narrow and align with the documented Azure keyless authentication behavior while preserving existing connection-string precedence.

The updated values and helpers only add account URL rendering for the no-connection-string case and leave the existing credential path intact.

T-Rex Logs

What T-Rex did

  • T-Rex ran the code-execution workflow and produced logs that include the command, working directory, commit, exit code, filtered environment variables, and full Helm debug output.
  • The run showed that the base (keyless) renders the azure provider/container without an account URL, while the head (keyless) renders RR_DEFAULT_AZURE_ACCOUNT_URL.
  • The run also showed that both base and head render RR_DEFAULT_AZURE_CONNECTION_STRING, confirming that the head value takes precedence for the connection string.

Reviews (1): Last reviewed commit: "support keyless auth for rr blob storage"

@JatinNanda JatinNanda marked this pull request as ready for review June 23, 2026 21:03