The current style of S3 configuration for LokiStack when using Amazon AWS S3 can be confusing to users, because we ask for an "endpoint", but do not actually use virtual-host style access as suggested by the AWS documentation.

Because the AWS S3 URLs are well-formed, we could introduce a small additional validation into the secret handling in the Loki Operator that would detect this issue and produce a validation error.

Currently, when a user configures the endpoint as suggested by the AWS documentation:

https://bucket-name.s3.us-west-2.amazonaws.com/ 

and also configures "bucketnames" as "bucket-name", this leads to Loki treating this as the "subdirectory bucket-name inside the bucket called bucket-name" which causes errors in some components.

Loki does not need the "bucket-name" as part of the endpoint (not even in virtual-host mode), because it constructs the hostname internally. So we could just validate that the URL is of the pattern "https://s3.REGION.amazonaws.com" when Amazon AWS S3 is used.

Implementation notes

The validation could look something like this:

• If the storage is configured as S3
  • Check if the provided "endpoint" is a parseable URL and has "http" or "https" as scheme
  • If the endpoint points to ".amazonaws.com"
    • Check that it is of the form "https://s3.REGION.amazonaws.com" where REGION needs to match the configured "region"