@enbiyagoral enbiyagoral commented Nov 19, 2025

Add HuaweiCloud KMS Support

Closes #2000

Summary

This PR adds support for encrypting and decrypting SOPS files using HuaweiCloud KMS, similar to existing AWS KMS, GCP KMS, and Azure Key Vault integrations.

Changes

Core Implementation

  • Added hckms package implementing MasterKey interface for HuaweiCloud KMS
  • Integrated HuaweiCloud SDK for Go V3 (v0.1.176)
  • Support for encryption/decryption operations via HuaweiCloud KMS API

CLI Integration

  • Added --hckms flag for encrypt and edit commands
  • Added --add-hckms and --rm-hckms flags for rotate command
  • Support for SOPS_HUAWEICLOUD_KMS_IDS environment variable

Configuration Support

  • Added HuaweiCloud KMS key support in .sops.yaml configuration files
  • Key format: region:key-uuid (e.g., cn-north-1:12345678-1234-1234-1234-123456789abc)

gRPC Keyservice Integration

  • Added HckmsKey message to protobuf definitions
  • Implemented encryption/decryption handlers in keyservice server

Storage Format

  • Added hckms key serialization in stores package
  • Support for round-trip conversion (internal ↔ storage format)

Usage

# Set credentials
export HUAWEICLOUD_SDK_AK="your-access-key"
export HUAWEICLOUD_SDK_SK="your-secret-key"

# Encrypt a file
sops encrypt --hckms "tr-west-1:key-uuid" secrets.yaml > secrets.enc.yaml

# Edit encrypted file
sops edit secrets.enc.yaml

# Rotate keys
sops rotate --add-hckms "tr-west-1:new-key-uuid" secrets.enc.yaml

Configuration File Example

# .sops.yaml
creation_rules:
  - path_regex: secrets/.*
    hckms: "tr-west-1:key-uuid-1"

Authentication

HuaweiCloud credentials can be provided via:

  • Environment variables: HUAWEICLOUD_SDK_AK, HUAWEICLOUD_SDK_SK, HUAWEICLOUD_SDK_PROJECT_ID
  • Credentials file: ~/.huaweicloud/credentials
  • Default credential provider chain (env → profile → metadata)

Testing

  • ✅ Manual testing completed with HuaweiCloud KMS
  • ✅ Manual testing completed
  • ✅ Unit tests added (68.1% coverage)
  • ✅ All existing tests pass

Implementation Notes

  • Follows the same patterns as AWS KMS, GCP KMS, and Azure Key Vault integrations for consistency
  • Uses HuaweiCloud SDK for Go V3 v0.1.176
  • Key format: region:key-uuid where region is the HuaweiCloud region identifier
