feat(pyroscope): arbitrary ingest headers via --pyroscope-header

Add a repeatable --pyroscope-header "Name: value" flag (env PYROSCOPE_HEADER,
newline-separated for several) for gateway auth schemes the built-in
--pyroscope-auth-token / --pyroscope-tenant-id don't cover (Basic, X-API-Key,
proxy headers). Applied after the built-in auth headers so it can override
them. Verified e2e: pfp pushes successfully to Pyroscope with custom headers set.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: loks0n

CHANGELOG.md

@@ -12,7 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   run continuously and push a gzipped pprof profile to a Grafana Pyroscope
   server every `--push-interval-secs` (default 10) instead of writing a file.
   Configurable via `--pyroscope-app`, repeatable `--pyroscope-label`, and auth
-  via `--pyroscope-auth-token` / `--pyroscope-tenant-id`. Push failures are
+  via `--pyroscope-auth-token` / `--pyroscope-tenant-id`, plus arbitrary
+  ingest headers via repeatable `--pyroscope-header "Name: value"`. Push failures are
   logged and never interrupt sampling. Pulls in a small synchronous HTTP
   client behind the default-on `pyroscope` feature.
 - Distroless multi-arch (amd64/arm64) container image, published to

README.md

@@ -111,6 +111,10 @@ spec:
 
 Grafana Cloud and multi-tenant servers are supported via
 `--pyroscope-auth-token` (or `PYROSCOPE_AUTH_TOKEN`) and `--pyroscope-tenant-id`.
+For any other gateway auth scheme, set arbitrary headers with repeatable
+`--pyroscope-header "Name: value"` (e.g. `--pyroscope-header "X-API-Key: …"`),
+or via the `PYROSCOPE_HEADER` env var (one header, or several separated by
+newlines) to inject a secret without putting it on the command line.
 
 ### CLI flags
 
@@ -132,6 +136,7 @@ Grafana Cloud and multi-tenant servers are supported via
 | `--push-interval-secs <N>` | Push cadence in sidecar mode (default 10) |
 | `--pyroscope-auth-token <T>` | Bearer token (Grafana Cloud); env `PYROSCOPE_AUTH_TOKEN` |
 | `--pyroscope-tenant-id <ID>` | Tenant id, sent as `X-Scope-OrgID` |
+| `--pyroscope-header <N: V>` | Extra ingest header, e.g. `X-API-Key: …` (repeatable); env `PYROSCOPE_HEADER` |
 | `--request-info` | Capture `$_SERVER` URI/method per sample |
 | `--php-version <V>` | Force version (e.g. `8.4`) on stripped binaries |
 | `--executor-globals <ADDR>` | Override EG address on stripped binaries |

src/cli.rs

@@ -90,6 +90,17 @@ pub struct Args {
     #[arg(long, env = "PYROSCOPE_TENANT_ID")]
     pub pyroscope_tenant_id: Option<String>,
 
+    /// Extra HTTP header on each ingest request, `Name: value`. Applied after
+    /// the built-in auth headers, so it can override them. Repeat the flag for
+    /// several headers, or pass newline-separated headers via the env var.
+    #[arg(
+        long = "pyroscope-header",
+        value_name = "NAME: VALUE",
+        env = "PYROSCOPE_HEADER",
+        value_delimiter = '\n'
+    )]
+    pub pyroscope_header: Vec<String>,
+
     /// Capture request info ($_SERVER URI/method/etc.).
     #[arg(long)]
     pub request_info: bool,

src/output/mod.rs

@@ -61,6 +61,17 @@ fn pyroscope_config(args: &Args) -> pyroscope_sink::PyroscopeConfig {
         name,
         auth_token: args.pyroscope_auth_token.clone(),
         tenant_id: args.pyroscope_tenant_id.clone(),
+        headers: args
+            .pyroscope_header
+            .iter()
+            .filter_map(|h| match h.split_once(':') {
+                Some((k, v)) => Some((k.trim().to_string(), v.trim().to_string())),
+                None => {
+                    tracing::warn!("ignoring malformed --pyroscope-header (no ':'): {h}");
+                    None
+                }
+            })
+            .collect(),
         push_interval: std::time::Duration::from_secs(args.push_interval_secs.max(1)),
     }
 }

src/output/pyroscope_sink.rs

@@ -13,6 +13,8 @@ pub struct PyroscopeConfig {
     pub name: String,
     pub auth_token: Option<String>,
     pub tenant_id: Option<String>,
+    /// Extra request headers, applied after the built-in auth headers.
+    pub headers: Vec<(String, String)>,
     pub push_interval: Duration,
 }
 
@@ -79,6 +81,10 @@ impl PyroscopeSink {
         if let Some(tenant) = &self.cfg.tenant_id {
             req = req.set("X-Scope-OrgID", tenant);
         }
+        // Applied last so an explicit --pyroscope-header can override the above.
+        for (name, value) in &self.cfg.headers {
+            req = req.set(name, value);
+        }
 
         req.send_bytes(&body)
             .context("POST /ingest")