DigitalOcean: don't try to set SSE

We lost the p.sse check in a bad merge; restoring it here.

Fix #5519

util/pkg/vfs/s3fs.go

@@ -127,17 +127,17 @@ func (p *S3Path) WriteFile(data io.ReadSeeker, aclObj ACL) error {
 
 	glog.V(4).Infof("Writing file %q", p)
 
-	// We always use server-side-encryption; it doesn't really cost us anything
-	sse := "AES256"
-
 	request := &s3.PutObjectInput{}
 	request.Body = data
 	request.Bucket = aws.String(p.bucket)
 	request.Key = aws.String(p.key)
 
-	// only support SSE if a custom endpoint is not provided
-	if !p.bucketDetails.defaultEncryption {
-		request.ServerSideEncryption = aws.String(sse)
+	// If we are on an S3 implementation that supports SSE, we use
+	// server-side-encryption, it doesn't really cost us anything.  But
+	// if the bucket has a defaultEncryption policy instead, we honor
+	// that - it is likely to be a higher encryption standard.
+	if p.sse && !p.bucketDetails.defaultEncryption {
+		request.ServerSideEncryption = aws.String("AES256")
 	}
 
 	acl := os.Getenv("KOPS_STATE_S3_ACL")