Download Links for S3 Bucket content are broken when using SSE-C encryption #8668

Open
networkhell opened this issue Feb 7, 2025 · 0 comments
Labels
Area/CLI related to the command-line interface Area/Cloud/AWS

Comments

@networkhell

What steps did you take and what happened:
All operations that need to fetch files from s3 storage fail with the following error message:

velero backup logs velero-custom-backup-job-20250207030034
An error occurred: request failed: <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><Message>Requests specifying Server Side Encryption with Customer provided keys must provide a valid encryption algorithm.</Message><BucketName>velero-mgmt-dev</BucketName><RequestId>tx000005e7cae309d2ed4ae-0067a5c2a9-49c8d71-default</RequestId><HostId>49c8d71-default-default</HostId></Error>

Backup and restore operations themselves are working without any issues. It seems that the download link generation is broken when SSE-C encryption is enabled via BSL configuration.

What did you expect to happen:
I expect that velero / velero-plugin-for-aws is able to generate a valid download link with SSE-C encryption enabled.

The following information will help us better understand what's going on:

Debug Bundle is attached
bundle-2025-02-07-09-46-47.tar.gz

Anything else you would like to add:
Download Request with invalid generated link. Output from velero backup logs velero-custom-backup-job-20250207030034 -v10

I0207 09:49:49.954693   11402 request.go:1212] Response Body: {"apiVersion":"velero.io/v1","kind":"DownloadRequest","metadata":{"creationTimestamp":"2025-02-07T08:49:49Z","generation":2,"managedFields":[{"apiVersion":"velero.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{".":{},"f:target":{".":{},"f:kind":{},"f:name":{}}},"f:status":{}},"manager":"velero","operation":"Update","time":"2025-02-07T08:49:49Z"},{"apiVersion":"velero.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:downloadURL":{},"f:expiration":{},"f:phase":{}}},"manager":"velero-server","operation":"Update","time":"2025-02-07T08:49:49Z"}],"name":"velero-custom-backup-job-20250207030034-f94cf3a0-79f2-42e0-9572-dde846249b62","namespace":"velero","resourceVersion":"724537","uid":"a9583ff9-7586-4200-aed8-681dc3e2b8eb"},"spec":{"target":{"kind":"BackupLog","name":"velero-custom-backup-job-20250207030034"}},"status":{"downloadURL":"https://rgw.****.de/velero-mgmt-dev/backups/velero-custom-backup-job-20250207030034/velero-custom-backup-job-20250207030034-logs.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=***%2F20250207%2F%2Fs3%2Faws4_request\u0026X-Amz-Date=20250207T084949Z\u0026X-Amz-Expires=600\u0026X-Amz-SignedHeaders=host\u0026x-id=GetObject\u0026X-Amz-Signature=546b8648c5a62f5e4889854d7a0cfe2e9f5d1c51af792104d975c17f663c4e2a","expiration":"2025-02-07T08:59:49Z","phase":"Processed"}}

BSL config:

configuration:
  backupStorageLocation:
  - name: s3-muc5
    default: true
    provider: aws
    accessMode: ReadWrite
    bucket: velero-backup
    config:
      serverSideEncryption: AES256
      customerKeyEncryptionFile: "/var/run/secrets/velero-ec2-ssec-key"
      checksumAlgorithm: ""
      s3ForcePathStyle: true
      s3Url: https://rgw.***.de

Environment:

  • Velero version (use velero version):
Client:
        Version: v1.15.2
        Git commit: -
Server:
        Version: v1.15.2
  • Velero features (use velero client config get features): features: <NOT SET>
  • Kubernetes version (use kubectl version): Server Version: v1.31.3
  • Kubernetes installer & version: cluster-api 1.9.3
  • Cloud provider or hardware configuration: openstack / Ceph RGW for S3 compatible storage
  • OS (e.g. from /etc/os-release): flatcar container linux 4081.2.1

Vote on this issue!

This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.

  • 👍 for "I would like to see this bug fixed as soon as possible"
  • 👎 for "There are more important bugs to focus on right now"
@blackpiglet blackpiglet added Area/Cloud/AWS Area/CLI related to the command-line interface labels Feb 7, 2025
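
A triage check related to the report above, added here as an example and not part of the issue or of Velero's code: it parses a SigV4 presigned URL such as the downloadURL in the log and reports which of the standard S3 SSE-C request headers are absent from X-Amz-SignedHeaders. The function name, sample URL and placeholder values are constructed, and it is an assumption that a presigned GET for an SSE-C object should sign these headers.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Standard S3 SSE-C request headers, lower-cased as in a SigV4 signed-header list.
var ssecHeaders = []string{
	"x-amz-server-side-encryption-customer-algorithm",
	"x-amz-server-side-encryption-customer-key",
	"x-amz-server-side-encryption-customer-key-md5",
}

// Constructed sample in the shape of the downloadURL in the issue; host,
// credential and signature are placeholders.
const sampleURL = `https://rgw.example.invalid/bucket/backups/b1/b1-logs.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=PLACEHOLDER%2F20250207%2F%2Fs3%2Faws4_request\u0026X-Amz-Date=20250207T084949Z\u0026X-Amz-Expires=600\u0026X-Amz-SignedHeaders=host\u0026x-id=GetObject\u0026X-Amz-Signature=PLACEHOLDER`

// MissingSSECHeaders (hypothetical helper) returns the SSE-C headers that are
// absent from the X-Amz-SignedHeaders parameter of a SigV4 presigned URL.
func MissingSSECHeaders(presigned string) ([]string, error) {
	// URLs copied from the -v10 JSON log carry "&" escaped as \u0026.
	presigned = strings.ReplaceAll(presigned, `\u0026`, "&")
	u, err := url.Parse(presigned)
	if err != nil {
		return nil, fmt.Errorf("parse URL: %w", err)
	}
	// ParseQuery (unlike u.Query) reports malformed pairs instead of dropping them.
	q, err := url.ParseQuery(u.RawQuery)
	if err != nil {
		return nil, fmt.Errorf("parse query: %w", err)
	}
	if q.Get("X-Amz-Algorithm") == "" {
		return nil, fmt.Errorf("not a SigV4 presigned URL")
	}
	signed := map[string]bool{}
	for _, h := range strings.Split(q.Get("X-Amz-SignedHeaders"), ";") {
		signed[strings.ToLower(strings.TrimSpace(h))] = true
	}
	var missing []string
	for _, h := range ssecHeaders {
		if !signed[h] {
			missing = append(missing, h)
		}
	}
	return missing, nil
}
```
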