@pranikum pranikum commented Oct 14, 2025

Description

We will be adding support for having an S3 repository support both client-side and server-side encryption enabled blobs. Currently BlobStoreRepository only supports a single BlobStore, created lazily, and once created the repository is tied to that BlobStore.

With this change we will be moving away from that design. We will be adding BlobStoreProvider, which will be responsible for creating client-side encrypted and server-side encrypted BlobStores. Any Repository which needs this support can leverage it by overriding the appropriate builder methods.

Related Issues

[Resolves #19235]

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@pranikum pranikum changed the title Sse blobstore changes [RemoteStore]: Add support for repository with Server side encryption enabled and client side encryption as well based on a flag. Oct 14, 2025
@pranikum pranikum force-pushed the sse-blobstore-changes branch from c6051f6 to 01b6ca2 Compare October 14, 2025 16:01
@github-actions
Contributor

✅ Gradle check result for 7b1273c: SUCCESS

@codecov

codecov bot commented Oct 14, 2025

Codecov Report

❌ Patch coverage is 69.93865% with 49 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.15%. Comparing base (cb9c30b) to head (95bdef6).
⚠️ Report is 14 commits behind head on main.

Files with missing lines Patch % Lines
...arch/repositories/blobstore/BlobStoreProvider.java 76.19% 6 Missing and 4 partials ⚠️
...ch/repositories/blobstore/BlobStoreRepository.java 77.27% 4 Missing and 6 partials ⚠️
...java/org/opensearch/index/shard/StoreRecovery.java 0.00% 5 Missing ⚠️
...e/metadata/TransportRemoteStoreMetadataAction.java 0.00% 4 Missing ⚠️
...in/java/org/opensearch/index/shard/IndexShard.java 20.00% 4 Missing ⚠️
...h/cluster/metadata/MetadataCreateIndexService.java 85.00% 1 Missing and 2 partials ⚠️
...ndex/remote/RemoteStoreCustomMetadataResolver.java 72.72% 0 Missing and 3 partials ⚠️
...ndex/store/RemoteSegmentStoreDirectoryFactory.java 72.72% 2 Missing and 1 partial ⚠️
...va/org/opensearch/repositories/s3/S3BlobStore.java 0.00% 0 Missing and 2 partials ⚠️
...c/main/java/org/opensearch/index/IndexService.java 0.00% 2 Missing ⚠️
... and 2 more
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #19630      +/-   ##
============================================
+ Coverage     73.12%   73.15%   +0.02%     
- Complexity    70973    70974       +1     
============================================
  Files          5737     5738       +1     
  Lines        324767   324878     +111     
  Branches      46982    47001      +19     
============================================
+ Hits         237483   237649     +166     
+ Misses        68151    68091      -60     
- Partials      19133    19138       +5     

@pranikum pranikum self-assigned this Oct 16, 2025
@github-actions
Contributor

❕ Gradle check result for 3560a0a: UNSTABLE

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

@github-actions
Contributor

❌ Gradle check result for cca7474: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Signed-off-by: Pranit Kumar <pranikum@amazon.com>
@pranikum pranikum force-pushed the sse-blobstore-changes branch from c24efed to 65e2eac Compare October 25, 2025 05:37
@github-actions
Contributor

❌ Gradle check result for 65e2eac: null

Signed-off-by: Pranit Kumar <pranikum@amazon.com>
@github-actions
Contributor

❌ Gradle check result for 845b16a: FAILURE

Signed-off-by: Pranit Kumar <pranikum@amazon.com>
@pranikum
Contributor Author

Testing details

curl -XGET "http://localhost:9200/_cluster/state/metadata/idx-1-5?pretty"             
{
  "cluster_name" : "os-sse-blob-repo",
  "cluster_uuid" : "7S7iPsumSdqgVntwxo-rDg",
  "metadata" : {
    "cluster_uuid" : "7S7iPsumSdqgVntwxo-rDg",
    "cluster_uuid_committed" : false,
    "cluster_coordination" : {
      "term" : 9,
      "last_committed_config" : [
        "pIeu24TKSBS3bekP9kLSfQ"
      ],
      "last_accepted_config" : [
        "pIeu24TKSBS3bekP9kLSfQ"
      ],
      "voting_config_exclusions" : [ ]
    },
    "templates" : { },
    "indices" : {
      "idx-1-5" : {
        "version" : 19,
        "mapping_version" : 1,
        "settings_version" : 1,
        "aliases_version" : 1,
        "routing_num_shards" : 1024,
        "state" : "open",
        "settings" : {
          "index" : {
            "replication" : {
              "type" : "SEGMENT"
            },
            "number_of_shards" : "2",
            "remote_store" : {
              "translog" : {
                "repository" : "seg"
              },
              "enabled" : "true",
              "segment" : {
                "repository" : "seg"
              }
            },
            "provided_name" : "idx-1-5",
            "creation_date" : "1760775577089",
            "number_of_replicas" : "1",
            "uuid" : "f7OeOh7uQDW7WsRk39ayjA",
            "version" : {
              "created" : "137257827"
            }
          }
        },
        "mappings" : { },
        "remote_store" : {
          "translog_metadata" : "true",
          "path_type" : "HASHED_PREFIX",
          "sse_enabled_index" : "true",
          "path_hash_algorithm" : "FNV_1A_COMPOSITE_1"
        },
        "aliases" : [ ],
        "primary_terms" : {
          "0" : 5,
          "1" : 5
        },
        .............
  }
}
aws s3api head-object --region ap-south-1 --bucket pranikum-sse-blob-repo --key 911010000111111/sse-s3-data/9LIg2BAJRwO5j7XQ1PSlPg/1/segments/metadata/metadata__9223372036854775806__9223372036854775804__9223372036854775804__9223372036854775805__-1167976220__9223370275536391223__2
{
    "AcceptRanges": "bytes",
    "LastModified": "2025-10-24T15:06:25+00:00",
    "ContentLength": 433,
    "ETag": "\"a88bb50c7c6dce020402d8820227d295\"",
    "ContentType": "application/octet-stream",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "----",
    "BucketKeyEnabled": true
}
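
The manual check in the testing comment above, written as a script: for every index whose `remote_store` metadata carries `sse_enabled_index`, each `head-object` response must report the expected `ServerSideEncryption`. This is an added example, not part of the pull request or of OpenSearch; the sample data, placeholder UUIDs and keys, helper names, and the rule that the index UUID appears as a path segment of the object key are assumptions, and the default `aws:kms` is taken from the output shown above.

```python
# Constructed sample: trimmed `_cluster/state/metadata` response, shaped like the output above.
CLUSTER_STATE = {"metadata": {"indices": {
    "idx-sse": {"settings": {"index": {"uuid": "UUID-SSE-PLACEHOLDER"}},
                "remote_store": {"sse_enabled_index": "true"}},
    "idx-plain": {"settings": {"index": {"uuid": "UUID-PLAIN-PLACEHOLDER"}},
                  "remote_store": {"path_type": "HASHED_PREFIX"}},
}}}

# Constructed sample: `aws s3api head-object` responses, keyed by object key.
HEAD_OBJECTS = {
    "prefix/base/UUID-SSE-PLACEHOLDER/0/segments/metadata/m1":
        {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": "KEY-PLACEHOLDER"},
    "prefix/base/UUID-SSE-PLACEHOLDER/1/segments/data/s1":
        {"ContentLength": 433, "Metadata": {}},      # no SSE field at all
    "prefix/base/UUID-SSE-PLACEHOLDER/1/translog/data/t1":
        {"ServerSideEncryption": "AES256"},           # encrypted, but not with KMS
    "prefix/base/UUID-PLAIN-PLACEHOLDER/0/segments/data/s2":
        {"ContentLength": 10},                        # index not flagged: out of scope
}

def sse_index_uuids(state):
    """Map uuid -> index name for indices whose remote_store sets sse_enabled_index."""
    return {m["settings"]["index"]["uuid"]: n
            for n, m in state["metadata"]["indices"].items()
            if m.get("remote_store", {}).get("sse_enabled_index") == "true"}

def audit(state, heads, expected="aws:kms", expected_key=None):
    """Return (index, key, problem) for objects of SSE-flagged indices that fail the check."""
    uuids = sse_index_uuids(state)
    findings = []
    for key, head in sorted(heads.items()):
        # Assumption: the index UUID is one path segment of the object key.
        owner = next((uuids[s] for s in key.split("/") if s in uuids), None)
        if owner is None:
            continue
        algo = head.get("ServerSideEncryption")
        if algo is None:
            findings.append((owner, key, "no ServerSideEncryption in response"))
        elif algo != expected:
            findings.append((owner, key, f"algorithm {algo}, expected {expected}"))
        elif expected_key and head.get("SSEKMSKeyId") != expected_key:
            findings.append((owner, key, "unexpected SSEKMSKeyId"))
    return findings

if __name__ == "__main__":
    for finding in audit(CLUSTER_STATE, HEAD_OBJECTS):
        print(*finding, sep=" | ")
```

Passing `expected_key` also pins the KMS key, so an object encrypted under a different key than the repository's is reported.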

@github-actions
Contributor

❌ Gradle check result for 24c87db: null

@github-project-automation github-project-automation bot moved this to 👀 In review in Storage Project Board Oct 27, 2025
@github-actions
Contributor

❌ Gradle check result for 24c87db: FAILURE

Signed-off-by: Pranit Kumar <pranikum@amazon.com>
@github-actions
Contributor

❌ Gradle check result for 95bdef6: FAILURE

@github-actions
Contributor

❌ Gradle check result for 95bdef6: FAILURE

@github-actions
Contributor

✅ Gradle check result for 95bdef6: SUCCESS

@gbbafna gbbafna merged commit 8dd1286 into opensearch-project:main Oct 28, 2025
41 of 47 checks passed
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in Storage Project Board Oct 28, 2025

Labels

enhancement Enhancement or improvement to existing feature or request Storage:Remote

Projects

Status: ✅ Done

Development

Successfully merging this pull request may close these issues.

[Feature Request] [Remote Store]: Support for Server Side encrypted repository for remote store.