Add Optional VirtualService to expose Loki to external grafana

In a Hub and Spoke architecture with an external Grafana querying Loki, a virtual service needs to be added to expose the query pods.

We need to understand how auth is performed into loki so we can give the hub cluster the credentials for getting to the loki query pods. The upstream scalable chart has an nginx proxy in front of loki that provides basic auth (username/password) per https://grafana.com/docs/loki/latest/operations/authentication/

https://github.com/grafana/helm-charts/blob/main/charts/loki-simple-scalable/values.yaml#L427

Can we do something with Istio instead and enforce a token with the request?