add support for SSE-S3 bulk ETag decryption (#14627)

This commit adds support for bulk ETag
decryption for SSE-S3 encrypted objects.

If KES supports a bulk decryption API, then
MinIO will check whether its policy grants
access to this API. If so, MinIO will use
a bulk API call instead of sending encrypted
ETags serially to KES.

Note that MinIO will not use the KES bulk API
if its client certificate is an admin identity.

MinIO will process object listings in batches.
A batch has a configurable size that can be set
via `MINIO_KMS_KES_BULK_API_BATCH_SIZE=N`.
It defaults to `500`.

This env. variable is experimental and may be
renamed / removed in the future.

Signed-off-by: Andreas Auernhammer <hi@aead.dev>

docs/kms/kes-config.toml

@@ -1,33 +0,0 @@
-# The address:port of the kes server - i.e. on the local machine.
-address = "127.0.0.1:7373"
-
-[tls]
-key  = "./kes-tls.key"
-cert = "./kes-tls.crt" 
-
-[policy.minio]
-paths = [
-          "/v1/key/create/minio-*",
-          "/v1/key/generate/minio-*",
-          "/v1/key/decrypt/minio-*"
-        ]
-identities = [ "dd46485bedc9ad2909d2e8f9017216eec4413bc5c64b236d992f7ec19c843c5f" ]
-
-[cache.expiry]
-all    = "5m" 
-unused = "20s" 
-
-[keystore.vault]
-address   = "https://127.0.0.1:8200"  # The Vault endpoint - i.e. https://127.0.0.1:8200
-name      = "minio"                   # The domain resp. prefix at Vault's K/V backend 
-
-[keystore.vault.approle]
-id     = ""    # Your AppRole Role ID 
-secret = ""    # Your AppRole Secret ID
-retry  = "15s" # Duration until the server tries to re-authenticate after connection loss.
-
-[keystore.vault.tls]
-ca = "./vault-tls.crt" # Since we use self-signed certificates
-
-[keystore.vault.status]
-ping = "10s"