Fix SSE-C signed URLs #280

Open
lukasgabriel wants to merge 1 commit into vmware-tanzu:main from mway-io:fix/sse-c-presigned-url

@lukasgabriel

Related Issues

Problem

When SSE-C encryption is configured (customerKeyEncryptionFile or customerKeyEncryptionSecret), the CreateSignedURL method does not include SSE-C headers in the presigned URL request. This causes S3-compatible backends to reject read operations with:

Requests specifying Server Side Encryption with Customer provided keys must provide a valid encryption algorithm.

Testing

Tested against Hetzner Object Storage (Ceph) with SSE-C enabled. After this fix, the error changes from InvalidArgument (missing algorithm) to SignatureDoesNotMatch, confirming the headers are now correctly included in the signature.

The BackupStorageLocation used for testing:

- name: default
  provider: aws
  default: true
  bucket: redacted
  config:
    region: fsn1
    s3ForcePathStyle: true
    s3Url: https://fsn1.your-objectstorage.com
    customerKeyEncryptionSecret: velero-sse-key/customer-key

Remaining Issues

This PR fixes the plugin side only. A complete fix requires additional work in the Velero CLI, which currently performs plain HTTP GET requests to presigned URLs without sending the required SSE-C headers. This is tracked in vmware-tanzu/velero#8668. I think the necessary changes would need to be done in https://github.com/vmware-tanzu/velero/blob/main/pkg/cmd/util/downloadrequest/downloadrequest.go.

Signed-off-by: Lukas Gabriel <lukasgabriel@lukasgabriel.net>
@lukasgabriel lukasgabriel force-pushed the fix/sse-c-presigned-url branch from 56c9931 to 229639d Compare February 6, 2026 09:01
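
The client side described under "Remaining Issues", as an added example that is not part of the PR or of Velero's code: a GET against a presigned URL that carries the three SSE-C headers the S3 API defines. The helper name `newSSECGet`, the URL and the all-zero key are constructed for illustration; the header values sent must be identical to the ones the URL was signed with.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

const (
	hdrAlgorithm = "x-amz-server-side-encryption-customer-algorithm"
	hdrKey       = "x-amz-server-side-encryption-customer-key"
	hdrKeyMD5    = "x-amz-server-side-encryption-customer-key-MD5"
)

// newSSECGet (hypothetical helper) builds a GET for a presigned URL with SSE-C headers.
func newSSECGet(presignedURL string, key []byte) (*http.Request, error) {
	if len(key) != 32 {
		return nil, errors.New("SSE-C key must be exactly 32 bytes (AES-256)")
	}
	u, err := url.Parse(presignedURL)
	if err != nil {
		return nil, err
	}
	// The raw key travels in a request header, so refuse cleartext transport.
	if u.Scheme != "https" {
		return nil, errors.New("refusing to send SSE-C key over " + u.Scheme)
	}
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	sum := md5.Sum(key) // the API uses this MD5 as a key integrity check
	req.Header.Set(hdrAlgorithm, "AES256")
	req.Header.Set(hdrKey, base64.StdEncoding.EncodeToString(key))
	req.Header.Set(hdrKeyMD5, base64.StdEncoding.EncodeToString(sum[:]))
	return req, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero sample key, for illustration only
	req, err := newSSECGet("https://objectstore.example.invalid/bucket/obj?X-Amz-Signature=placeholder", key)
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL.Host, "algorithm:", req.Header.Get(hdrAlgorithm))
}
```
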
@kaovilai
Collaborator

kaovilai commented Feb 6, 2026

Thanks for your PR!

@Minding000

@reasonerjt @ywk253100 @blackpiglet
Another review is needed here
As someone facing the issue I'd greatly appreciate it :)

@Minding000

@kaovilai Is there anything still needed for this to be merged that I can help with?

@kaovilai
Collaborator

Not from me, maybe after KubeCon EU they'll review.
