Support specifying self-signed certificate to trust for object storage #2373

Closed
chancez opened this issue Apr 26, 2023 · 1 comment · Fixed by #2407
Labels
good first issue Good for newcomers


chancez commented Apr 26, 2023

Is your feature request related to a problem? Please describe.
I'd like to use Tempo with a self-hosted S3 compatible object storage solution that's configured with TLS, without having to resort to insecureSkipVerify.

Describe the solution you'd like
I need to be able to configure tempo to use a specific CA bundle file with the list of certificates it should use when verifying the certificate for the S3 endpoint.

Describe alternatives you've considered
insecureSkipVerify

Additional context

Relevant code:

```go
customTransport, err := minio.DefaultTransport(!cfg.Insecure)
if err != nil {
	return nil, errors.Wrap(err, "create minio.DefaultTransport")
}

if cfg.InsecureSkipVerify {
	customTransport.TLSClientConfig.InsecureSkipVerify = true
}

// add instrumentation
transport := instrumentation.NewTransport(customTransport)
var stats *hedgedhttp.Stats

if hedge && cfg.HedgeRequestsAt != 0 {
	transport, stats, err = hedgedhttp.NewRoundTripperAndStats(cfg.HedgeRequestsAt, cfg.HedgeRequestsUpTo, transport)
	if err != nil {
		return nil, err
	}
	instrumentation.PublishHedgedMetrics(stats)
}

opts := &minio.Options{
	Region:    cfg.Region,
	Secure:    !cfg.Insecure,
	Creds:     creds,
	Transport: transport,
}

if cfg.ForcePathStyle {
	opts.BucketLookup = minio.BucketLookupPath
} else {
	opts.BucketLookup = minio.BucketLookupType(cfg.BucketLookupType)
}

return minio.NewCore(cfg.Endpoint, opts)
```

@joe-elliott (Member) commented

This is likely just wiring up some config to the minio transport. We would be glad to accept this PR if someone has time to work on it.

@joe-elliott joe-elliott added the good first issue Good for newcomers label Apr 27, 2023
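
The behaviour requested above, as an added Go example (not Tempo's code and not the change merged in #2407): a PEM bundle is appended to the root pool of a `*tls.Config` such as `customTransport.TLSClientConfig` from the snippet, so the endpoint's certificate is still verified instead of being skipped. `TrustCABundle`, `constructedCert` and the host name `s3.example.internal` are hypothetical names, and the certificate is constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TrustCABundle (hypothetical helper) adds bundle's PEM certs to the roots on cfg.
func TrustCABundle(cfg *tls.Config, bundle []byte) error {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store: trust only the bundle
	}
	if !pool.AppendCertsFromPEM(bundle) {
		return errors.New("CA bundle contains no parseable PEM certificate")
	}
	cfg.RootCAs = pool // InsecureSkipVerify is not touched, so verification stays on
	return nil
}

// constructedCert builds a throwaway self-signed certificate as sample input.
func constructedCert(host string) (*x509.Certificate, []byte, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // demo key only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	cert, bundle, err := constructedCert("s3.example.internal")
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	fmt.Println("load bundle:", TrustCABundle(cfg, bundle))
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: "s3.example.internal"})
	fmt.Println("verify against bundle:", err)
}
```

Unlike `InsecureSkipVerify`, a certificate for a different host name or one missing from the bundle is still rejected, and an unreadable bundle is reported as an error rather than silently falling back to the system roots.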