Align S3 ObjectStore with Velero's credential parsing and BSL config handling #25

@shubham-pampattiwar

Summary

The kubevirt-datamover-controller's S3ObjectStore implementation uses a custom INI parser for AWS credentials and does not pass through all BSL config keys to the S3 client. This causes failures with quoted credential values and prevents use with S3-compatible storage providers (MinIO, NooBaa, Ceph).

Velero's own AWS plugin delegates credential parsing to the AWS SDK (config.WithSharedCredentialsFiles) and supports the full set of BSL config keys (s3Url, s3ForcePathStyle, caCert, profile, etc.). We should align with Velero's approach for compatibility and correctness.

Tracked Issues

Context

Investigation started from a PartiallyFailed backup where the datamover uploader pod failed with:

api error InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.

Root cause: the cloud-credentials secret contained quoted values (aws_access_key_id="AKIA...") which our custom ParseAWSCredentials() did not strip, sending literal quote characters to AWS. Velero's BSL validation passed because Velero uses the AWS SDK's built-in parser which handles quotes correctly.

Reference

  • Velero's credential handling: velero/pkg/repository/config/aws.go — uses config.WithSharedCredentialsFiles() and config.WithSharedConfigFiles()
  • Our implementation: pkg/uploader/objectstore.go — custom ParseAWSCredentials()
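
The quoted-value failure described under Context, as an added example that is not the project's ParseAWSCredentials() or the AWS SDK's parser: a minimal standard-library INI reader run with and without quote stripping. The names parseProfile and stripMatchedQuotes and the sample credentials are hypothetical and constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample; the values are placeholders, not real credentials.
const sampleCreds = "[default]\naws_access_key_id=\"AKIAEXAMPLEPLACEHOLDER\"\naws_secret_access_key = 'constructed/secret'\n"

// stripMatchedQuotes removes one pair of matching surrounding quotes only.
func stripMatchedQuotes(v string) string {
	if len(v) >= 2 && (v[0] == '"' || v[0] == '\'') && v[len(v)-1] == v[0] {
		return v[1 : len(v)-1]
	}
	return v
}

// parseProfile reads one INI profile; unquote=false leaves quotes in the value.
func parseProfile(content, profile string, unquote bool) map[string]string {
	out, current := map[string]string{}, ""
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			current = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok || current != profile {
			continue
		}
		if val = strings.TrimSpace(val); unquote {
			val = stripMatchedQuotes(val)
		}
		out[strings.TrimSpace(key)] = val
	}
	return out
}

func main() {
	naive := parseProfile(sampleCreds, "default", false)
	fixed := parseProfile(sampleCreds, "default", true)
	// Report properties of the values only; never print the credentials themselves.
	fmt.Println("naive keeps quotes:", strings.HasPrefix(naive["aws_access_key_id"], `"`), "unquoted length:", len(fixed["aws_access_key_id"]))
}
```

With unquote=false the access key ID keeps its literal quote characters, which is the value the issue reports being sent to AWS.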
