feat(hckms): Add HuaweiCloud KMS support

[enbiyagoral]

Add HuaweiCloud KMS Support

Closes #2000

Summary

This PR adds support for encrypting and decrypting SOPS files using HuaweiCloud KMS, similar to existing AWS KMS, GCP KMS, and Azure Key Vault integrations.

Changes

Core Implementation

• Added hckms package implementing MasterKey interface for HuaweiCloud KMS
• Integrated HuaweiCloud SDK for Go V3 (v0.1.176)
• Support for encryption/decryption operations via HuaweiCloud KMS API

CLI Integration

• Added --hckms flag for encrypt and edit commands
• Added --add-hckms and --rm-hckms flags for rotate command
• Support for SOPS_HUAWEICLOUD_KMS_IDS environment variable

Configuration Support

• Added HuaweiCloud KMS key support in .sops.yaml configuration files
• Key format: region:key-uuid (e.g., cn-north-1:12345678-1234-1234-1234-123456789abc)

gRPC Keyservice Integration

• Added HckmsKey message to protobuf definitions
• Implemented encryption/decryption handlers in keyservice server

Storage Format

• Added hckms key serialization in stores package
• Support for round-trip conversion (internal ↔ storage format)

Usage

# Set credentials
export HUAWEICLOUD_SDK_AK="your-access-key"
export HUAWEICLOUD_SDK_SK="your-secret-key"

# Encrypt a file
sops encrypt --hckms "tr-west-1:key-uuid" secrets.yaml > secrets.enc.yaml

# Edit encrypted file
sops edit secrets.enc.yaml

# Rotate keys
sops rotate --add-hckms "tr-west-1:new-key-uuid" secrets.enc.yaml

Configuration File Example

# .sops.yaml
creation_rules:
  - path_regex: secrets/.*
    hckms: "tr-west-1:key-uuid-1"

Authentication

HuaweiCloud credentials can be provided via:

• Environment variables: HUAWEICLOUD_SDK_AK, HUAWEICLOUD_SDK_SK, HUAWEICLOUD_SDK_PROJECT_ID
• Credentials file: ~/.huaweicloud/credentials
• Default credential provider chain (env → profile → metadata)

Testing

• ✅ Manual testing completed with HuaweiCloud KMS
• ✅ Manual testing completed
• ✅ Unit tests added (68.1% coverage)
• ✅ All existing tests pass

Implementation Notes

• Follows the same patterns as AWS KMS, GCP KMS, and Azure Key Vault integrations for consistency
• Uses HuaweiCloud SDK for Go V3 v0.1.176
• Key format: region:key-uuid where region is the HuaweiCloud region identifier

[sabre1041]

This looks really good. Would you be able to address the conflicted files?

[enbiyagoral]

This looks really good. Would you be able to address the conflicted files?

Yes, I’ve gone ahead and resolved the conflicted files @sabre1041

[sabre1041]

LGTM

Thanks for the contribution!

[enbiyagoral]

LGTM

Thanks for the contribution!

Thanks a lot for the review and approval @sabre1041

[felixfontein]

Please note that the tests are failing. You should also update the documentation (README.rst) accordingly.

[enbiyagoral]

Please note that the tests are failing. You should also update the documentation (README.rst) accordingly.

Thanks! I’ve added the HuaweiCloud KMS documentation to the README.rst file. The CI failures are happening because these changes haven’t been committed yet (the “clean working tree” check is failing). @felixfontein