
feat(hckms): Add HuaweiCloud KMS support

Open enbiyagoral opened this issue 1 month ago • 0 comments

Add HuaweiCloud KMS Support

Closes #2000

Summary

This PR adds support for encrypting and decrypting SOPS files using HuaweiCloud KMS, similar to existing AWS KMS, GCP KMS, and Azure Key Vault integrations.

Changes

Core Implementation

  • Added hckms package implementing MasterKey interface for HuaweiCloud KMS
  • Integrated HuaweiCloud SDK for Go V3 (v0.1.176)
  • Support for encryption/decryption operations via HuaweiCloud KMS API

CLI Integration

  • Added --hckms flag for encrypt and edit commands
  • Added --add-hckms and --rm-hckms flags for rotate command
  • Support for SOPS_HUAWEICLOUD_KMS_IDS environment variable

Configuration Support

  • Added HuaweiCloud KMS key support in .sops.yaml configuration files
  • Key format: region:key-uuid (e.g., cn-north-1:12345678-1234-1234-1234-123456789abc)

gRPC Keyservice Integration

  • Added HckmsKey message to protobuf definitions
  • Implemented encryption/decryption handlers in keyservice server

Storage Format

  • Added hckms key serialization in stores package
  • Support for round-trip conversion (internal ↔ storage format)

Usage

# Set credentials
export HUAWEICLOUD_SDK_AK="your-access-key"
export HUAWEICLOUD_SDK_SK="your-secret-key"

# Encrypt a file
sops encrypt --hckms "tr-west-1:key-uuid" secrets.yaml > secrets.enc.yaml

# Edit encrypted file
sops edit secrets.enc.yaml

# Rotate keys
sops rotate --add-hckms "tr-west-1:new-key-uuid" secrets.enc.yaml

Configuration File Example

# .sops.yaml
creation_rules:
  - path_regex: secrets/.*
    hckms: "tr-west-1:key-uuid-1"

Authentication

HuaweiCloud credentials can be provided via:

  • Environment variables: HUAWEICLOUD_SDK_AK, HUAWEICLOUD_SDK_SK, HUAWEICLOUD_SDK_PROJECT_ID
  • Credentials file: ~/.huaweicloud/credentials
  • Default credential provider chain (env → profile → metadata)

Testing

  • ✅ Manual testing completed with HuaweiCloud KMS
  • ✅ Manual testing completed
  • ✅ Unit tests added (68.1% coverage)
  • ✅ All existing tests pass

Implementation Notes

  • Follows the same patterns as AWS KMS, GCP KMS, and Azure Key Vault integrations for consistency
  • Uses HuaweiCloud SDK for Go V3 v0.1.176
  • Key format: region:key-uuid where region is the HuaweiCloud region identifier

enbiyagoral · Nov 19 '25 13:11
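As an added illustration of the `region:key-uuid` identifier and the comma-separated `SOPS_HUAWEICLOUD_KMS_IDS` list described above (hypothetical Go, not code from this PR or the sops project), a parser that validates both halves and renders the key back in storage form. The region and UUID shape checks are my assumptions, so the `key-uuid` placeholder in the Usage section would be rejected by it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MasterKey is an illustrative stand-in for the PR's hckms master key.
type MasterKey struct {
	Region string // HuaweiCloud region id, e.g. cn-north-1
	KeyID  string // KMS key UUID
}

// Assumed shape of a region id (cn-north-1, tr-west-1); a coarse sanity check.
var regionRe = regexp.MustCompile(`^[a-z]{2}-[a-z]+-\d+$`)
// KMS key ids are UUIDs: 8-4-4-4-12 hex digits.
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// ParseKey validates one "region:key-uuid" string and splits it.
func ParseKey(s string) (*MasterKey, error) {
	region, keyID, ok := strings.Cut(strings.TrimSpace(s), ":")
	if !ok {
		return nil, fmt.Errorf("hckms: expected region:key-uuid, got %q", s)
	}
	if !regionRe.MatchString(region) {
		return nil, fmt.Errorf("hckms: invalid region %q", region)
	}
	if !uuidRe.MatchString(keyID) {
		return nil, fmt.Errorf("hckms: invalid key UUID %q", keyID)
	}
	return &MasterKey{Region: region, KeyID: strings.ToLower(keyID)}, nil
}

// MasterKeysFromIDs parses a comma-separated list (the SOPS_HUAWEICLOUD_KMS_IDS
// form). One malformed entry rejects the whole list so no key is silently dropped.
func MasterKeysFromIDs(ids string) ([]*MasterKey, error) {
	var keys []*MasterKey
	for _, part := range strings.Split(ids, ",") {
		if strings.TrimSpace(part) == "" {
			continue // tolerate a trailing comma or blank entry
		}
		k, err := ParseKey(part)
		if err != nil {
			return nil, err
		}
		keys = append(keys, k)
	}
	return keys, nil
}

// ToString renders the key in storage form (region:key-uuid) for the round trip.
func (k *MasterKey) ToString() string { return k.Region + ":" + k.KeyID }
```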