The console dynamic plugin API provide an authorize feature to get a bearer token from a user:
https://github.com/openshift/enhancements/blob/master/enhancements/console/dynamic-plugins.md

We can use this token to authenticate the user to loki instead of relying on a static token.

After discussion in the pull request, the task will introduce a small breaking change in the flowcollector CRD.
The bool loki.SendAuthToken will become an enum called AuthToken:

• DISABLED is equivalent to when SendAuthToken was set to false
• HOST is equivalent to when SenDAuthToken was set to true
• FORWARD is the new mode forwarding the user auth token

Instead of granting the console-plugin service account access to loki, now you need to grant each user access to loki.

The loki service account does not need access anymore to loki. Note that the kubeadmin user already has access to it.