
Switch data APIs to use Grafana auth tokens (#1611)

Nick Parker requested to merge nick/apis-using-grafana-tokens into main

This MR contains several breaking/behavioral changes in one go. There are separate MRs to come next for tweaks to the implementation that shouldn't affect compatibility.

  • The CLI/installer no longer creates or manages per-tenant auth tokens. Instead the user can go to https://[tenant].[cluster]/grafana/org/apikeys and manage tokens directly.
  • The associated cluster config flags for the old token generation have been removed. While making changes there, I also added a trace_retention_days flag to the config schema which had been a TODO for a while. The data_api_authentication_enabled flag meanwhile was removed (now always enabled), with the thinking that it's no longer worth supporting that mode in the new system.
  • The API endpoints (config, cortex, dd, tracing) are now authenticating these tokens at the ingress via ingress annotations, querying the tenant Grafana directly. The next PR will switch the annotation to query gatekeeper instead, which will allow caching and sharing the api pods across tenants. But the current system works as-is for now.
  • As a stopgap, the config-api service is turned into a per-tenant pod rather than a cluster-wide pod, since it can no longer autodetect the tenant that a given token belongs to on its own. The plan is to switch this back to a cluster-wide pod in the next MR.
  • CI tests have all been updated to automatically fetch data auth tokens from the cluster via a port-forward to the tenant Grafana - they no longer need to be provided with files on disk anymore.
  • Affected docs in the repo have been updated to describe the new steps as well.
