Skip to content

feat: Add Tencent Cloud KMS Support#2032

Open
hoyeho wants to merge 4 commits into
getsops:mainfrom
tencent-kms:feat/tencent-kms
Open

feat: Add Tencent Cloud KMS Support#2032
hoyeho wants to merge 4 commits into
getsops:mainfrom
tencent-kms:feat/tencent-kms

Conversation

@hoyeho
Copy link
Copy Markdown

@hoyeho hoyeho commented Jan 4, 2026

Add Tencent Cloud KMS Support

Summary

This PR adds support for encrypting and decrypting SOPS files using Tencent Cloud KMS, similar to existing AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS integrations.

Changes

Core Implementation

  • Added tencentkms package implementing MasterKey interface for Tencent Cloud KMS
  • Integrated Tencent Cloud SDK for Go (github.com/tencentcloud/tencentcloud-sdk-go)
  • Support for encryption/decryption operations via Tencent Cloud KMS API

CLI Integration

  • Added --tencent-kms flag for encrypt and edit commands
  • Added --add-tencent-kms and --rm-tencent-kms flags for rotate command
  • Support for SOPS_TENCENT_KMS_IDS environment variable

Configuration Support

  • Added Tencent Cloud KMS key support in .sops.yaml configuration files
  • Key format: key-uuid (e.g., xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)

gRPC Keyservice Integration

  • Added TencentKmsKey message to protobuf definitions
  • Implemented encryption/decryption handlers in keyservice server

Storage Format

  • Added tencent_kms key serialization in stores package
  • Support for round-trip conversion (internal ↔ storage format)

Usage

Set credentials:

export TENCENTCLOUD_SECRET_ID="your-secret-id"
export TENCENTCLOUD_SECRET_KEY="your-secret-key"
export TENCENTCLOUD_REGION="ap-guangzhou"

Encrypt a file:

sops encrypt --tencent-kms "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" secrets.yaml > secrets.enc.yaml

Edit encrypted file:

sops edit secrets.enc.yaml

Rotate keys:

sops rotate --add-tencent-kms "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" secrets.enc.yaml

Configuration File Example

# .sops.yaml
creation_rules:
  - path_regex: secrets/.*
    tencent_kms:
      - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Authentication

Tencent Cloud credentials can be provided via environment variables:

Variable Required Description
TENCENTCLOUD_SECRET_ID Yes Tencent Cloud Secret ID
TENCENTCLOUD_SECRET_KEY Yes Tencent Cloud Secret Key
TENCENTCLOUD_TOKEN No STS token for temporary credentials
TENCENTCLOUD_REGION No Region (default: ap-guangzhou)
TENCENTCLOUD_KMS_ENDPOINT No Custom KMS endpoint (use kms.internal.tencentcloudapi.com for CVM/TKE environments)

Testing

  • ✅ Unit tests added
  • ✅ Integration tests added (requires Tencent Cloud credentials)
  • ✅ All existing tests pass
  • ✅ Documentation check pass (make checkdocs)

Implementation Notes

  • Follows the same patterns as AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS integrations for consistency
  • Uses Tencent Cloud SDK for Go
  • Supports optional STS token for temporary credentials
  • Supports custom endpoint for internal network access in CVM/TKE environments

@hoyeho hoyeho marked this pull request as draft January 4, 2026 06:50
@hoyeho hoyeho marked this pull request as ready for review January 4, 2026 06:54
@hoyeho
Copy link
Copy Markdown
Author

hoyeho commented Jan 4, 2026

Hi maintainers — this PR is now ready for review.
I’ve run make test locally (and make checkdocs where applicable) and everything passed.
When you have a moment, could someone please approve the pending workflows so CI can run? Thanks!

@hoyeho
Copy link
Copy Markdown
Author

hoyeho commented Jan 27, 2026

Hi maintainers, this PR is ready.
Could someone with write access please approve and run the pending workflows (3 awaiting approval) and leave an approving review so the PR can be merged? Thanks!

@hoyeho
Copy link
Copy Markdown
Author

hoyeho commented Feb 25, 2026

Hi maintainers — I’ve resolved the merge conflict in CHANGELOG.md and committed the merge update.

Could someone please re-approve the pending workflows (if needed) and review the PR when you have a moment? Thanks!

hoyeho added 2 commits May 9, 2026 09:39
@hoyeho
feat: add Tencent Cloud KMS support
86db79b 
Add support for Tencent Cloud Key Management Service (KMS) as a new
encryption provider for SOPS. This implementation follows the same
pattern as existing cloud KMS integrations.

Features:
- Encrypt/decrypt SOPS data keys using Tencent Cloud KMS
- CLI flags: --tencent-kms, --add-tencent-kms, --rm-tencent-kms
- Environment variable: SOPS_TENCENT_KMS_IDS
- Configuration file support: tencent_kms key in .sops.yaml
- Optional STS token support via TENCENTCLOUD_TOKEN
- Customizable endpoint for CVM/TKE internal networks

Authentication via environment variables:
- TENCENTCLOUD_SECRET_ID (required)
- TENCENTCLOUD_SECRET_KEY (required)
- TENCENTCLOUD_TOKEN (optional, for STS)
- TENCENTCLOUD_REGION (optional, default: ap-guangzhou)
- TENCENTCLOUD_KMS_ENDPOINT (optional)

Signed-off-by: frank <frankstarye@tencent.com>
@hoyeho
docs: add Tencent Cloud KMS documentation
63a3b9d 
- Add usage guide in README.rst
- Add CHANGELOG entry
- Include internal endpoint hint for CVM/TKE environments

Signed-off-by: frank <frankstarye@tencent.com>
@hoyeho hoyeho force-pushed the feat/tencent-kms branch from 2abd8da to 043daf2 Compare May 9, 2026 01:59
hoyeho added 2 commits May 9, 2026 10:01
@hoyeho
fix: resolve merge conflict markers in CHANGELOG.md
9c9f806 
Signed-off-by: frank <frankstarye@tencent.com>
@hoyeho
fix(tencentkms): address P0/P1 review issues from code review
1913df2 
Signed-off-by: frank <frankstarye@tencent.com>
@hoyeho hoyeho force-pushed the feat/tencent-kms branch from 043daf2 to 1913df2 Compare May 9, 2026 02:01
@hoyeho
Copy link
Copy Markdown
Author

hoyeho commented May 9, 2026

Hi maintainers — I think the main question at this point is which Tencent KMS PR you want to move forward with.

PR #2032 is maintained by the Tencent Cloud KMS team and is intended to be the main Tencent KMS contribution going forward. Since HuaweiCloud KMS was merged in #2001, an in-tree KMS backend seems acceptable in principle. For Tencent KMS specifically, could you please clarify whether #2032 should be treated as the primary PR, and whether #1984 should be considered superseded?

Compared with #1984, this PR is rebased, mergeable, includes README/CHANGELOG updates, keyservice integration, and tests for the Tencent KMS implementation.

If #2032 is the preferred PR to continue with, could someone with write access please:

  1. confirm that this is the PR to move forward with;
  2. treat [Feature] Support Tencent Cloud KMS #1984 as superseded;
  3. approve the pending workflows so CI can run;
  4. request and/or leave a review here.

Thanks.

@felixfontein @sabre1041

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/keyservice enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hoyeho @felixfontein