feat(loki): add support for sts endpoint when using s3 buckets

[tiagoposse]

What this PR does / why we need it:

This PR introduces the ability to override the sts endpoint used to authenticate with the AWS sdk / thanos s3 provider. It also provides a path to use STS authentication with minio operator.

As a note for those who try the minio operator STS auth: the AWS SDK adds a trailing slash when calling STS endpoint, which will cause the auth call to fail with 404. An nginx proxy can fix this the following config:

    location /sts/platform/ {
      resolver kube-dns.kube-system.svc.cluster.local;

      # Forward the request to the upstream server
      proxy_pass https://<ACTUAL ADDRESS OF THE STS SERVICE FOR MINIO OPERATOR>;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      # Preserve the original request method
      proxy_method $request_method;
    }

Which issue(s) this PR fixes:
Fixes #10751

Special notes for your reviewer:

Checklist

• Reviewed the [CONTRIBUTING.md]
  (https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required)
• Documentation added
• Tests updated
• Title matches the required conventional commits format, see here
  • Note that Promtail is considered to be feature complete, and future development for logs collection will be in Grafana Alloy. As such, feat PRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.
• Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
• For Helm chart changes bump the Helm chart version in production/helm/loki/Chart.yaml and update production/helm/loki/CHANGELOG.md and production/helm/loki/README.md. Example PR
• If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ tiagoposse
❌ Tiago Posse

---

Tiago Posse seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[periklis]

@tiagoposse Have you considered already incoming work like this that might fit your purpose:

• feat(storage): AWS backend using thanos.io/objstore  #11221

In general @JoaoBraveCoding is contributing the full switch for all clients to use thanos-objstore, e.g. GCP, Azure, Swift. This is a general course we follow on among the maintainers team.

[tiagoposse]

@periklis the linked PR indeed overwrites the changes I introduce here and it's definitely the correct way to go. My problem is that this PR is open for a considerable time and is quite a high impact change, so it will likely take a while to get merged.
This PR would provide this feature as a small change while his work is being reviewed.

[periklis]

@periklis the linked PR indeed overwrites the changes I introduce here and it's definitely the correct way to go. My problem is that this PR is open for a considerable time and is quite a high impact change, so it will likely take a while to get merged. This PR would provide this feature as a small change while his work is being reviewed.

The PR has been quite long open because we postponed it after 3.x. However we are here at good path to this merged soon, @kavirajk and @JoaoBraveCoding work in that regard closely.