Skip to content

feat: Add Tencent Cloud KMS Support#2032

Open
hoyeho wants to merge 5 commits intogetsops:mainfrom
tencent-kms:feat/tencent-kms
Open

feat: Add Tencent Cloud KMS Support#2032
hoyeho wants to merge 5 commits intogetsops:mainfrom
tencent-kms:feat/tencent-kms

Conversation

@hoyeho
Copy link

@hoyeho hoyeho commented Jan 4, 2026

Add Tencent Cloud KMS Support

Summary

This PR adds support for encrypting and decrypting SOPS files using Tencent Cloud KMS, similar to existing AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS integrations.

Changes

Core Implementation

  • Added tencentkms package implementing MasterKey interface for Tencent Cloud KMS
  • Integrated Tencent Cloud SDK for Go (github.com/tencentcloud/tencentcloud-sdk-go)
  • Support for encryption/decryption operations via Tencent Cloud KMS API

CLI Integration

  • Added --tencent-kms flag for encrypt and edit commands
  • Added --add-tencent-kms and --rm-tencent-kms flags for rotate command
  • Support for SOPS_TENCENT_KMS_IDS environment variable

Configuration Support

  • Added Tencent Cloud KMS key support in .sops.yaml configuration files
  • Key format: key-uuid (e.g., xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)

gRPC Keyservice Integration

  • Added TencentKmsKey message to protobuf definitions
  • Implemented encryption/decryption handlers in keyservice server

Storage Format

  • Added tencent_kms key serialization in stores package
  • Support for round-trip conversion (internal ↔ storage format)

Usage

Set credentials:

export TENCENTCLOUD_SECRET_ID="your-secret-id"
export TENCENTCLOUD_SECRET_KEY="your-secret-key"
export TENCENTCLOUD_REGION="ap-guangzhou"

Encrypt a file:

sops encrypt --tencent-kms "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" secrets.yaml > secrets.enc.yaml

Edit encrypted file:

sops edit secrets.enc.yaml

Rotate keys:

sops rotate --add-tencent-kms "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" secrets.enc.yaml

Configuration File Example

# .sops.yaml
creation_rules:
  - path_regex: secrets/.*
    tencent_kms:
      - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Authentication

Tencent Cloud credentials can be provided via environment variables:

Variable Required Description
TENCENTCLOUD_SECRET_ID Yes Tencent Cloud Secret ID
TENCENTCLOUD_SECRET_KEY Yes Tencent Cloud Secret Key
TENCENTCLOUD_TOKEN No STS token for temporary credentials
TENCENTCLOUD_REGION No Region (default: ap-guangzhou)
TENCENTCLOUD_KMS_ENDPOINT No Custom KMS endpoint (use kms.internal.tencentcloudapi.com for CVM/TKE environments)

Testing

  • ✅ Unit tests added
  • ✅ Integration tests added (requires Tencent Cloud credentials)
  • ✅ All existing tests pass
  • ✅ Documentation check pass (make checkdocs)

Implementation Notes

  • Follows the same patterns as AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS integrations for consistency
  • Uses Tencent Cloud SDK for Go
  • Supports optional STS token for temporary credentials
  • Supports custom endpoint for internal network access in CVM/TKE environments

hoyeho added 2 commits January 4, 2026 14:45
@hoyeho
feat: add Tencent Cloud KMS support
b8a94c9 
Add support for Tencent Cloud Key Management Service (KMS) as a new
encryption provider for SOPS. This implementation follows the same
pattern as existing cloud KMS integrations.

Features:
- Encrypt/decrypt SOPS data keys using Tencent Cloud KMS
- CLI flags: --tencent-kms, --add-tencent-kms, --rm-tencent-kms
- Environment variable: SOPS_TENCENT_KMS_IDS
- Configuration file support: tencent_kms key in .sops.yaml
- Optional STS token support via TENCENTCLOUD_TOKEN
- Customizable endpoint for CVM/TKE internal networks

Authentication via environment variables:
- TENCENTCLOUD_SECRET_ID (required)
- TENCENTCLOUD_SECRET_KEY (required)
- TENCENTCLOUD_TOKEN (optional, for STS)
- TENCENTCLOUD_REGION (optional, default: ap-guangzhou)
- TENCENTCLOUD_KMS_ENDPOINT (optional)

Signed-off-by: frank <frankstarye@tencent.com>
@hoyeho
docs: add Tencent Cloud KMS documentation
4cdbc7e 
- Add usage guide in README.rst
- Add CHANGELOG entry
- Include internal endpoint hint for CVM/TKE environments

Signed-off-by: frank <frankstarye@tencent.com>
@hoyeho hoyeho marked this pull request as draft January 4, 2026 06:50
@hoyeho hoyeho marked this pull request as ready for review January 4, 2026 06:54
@hoyeho
Copy link
Author

hoyeho commented Jan 4, 2026

Hi maintainers — this PR is now ready for review.
I’ve run make test locally (and make checkdocs where applicable) and everything passed.
When you have a moment, could someone please approve the pending workflows so CI can run? Thanks!

@hoyeho
Copy link
Author

hoyeho commented Jan 27, 2026

Hi maintainers, this PR is ready.
Could someone with write access please approve and run the pending workflows (3 awaiting approval) and leave an approving review so the PR can be merged? Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/keyservice enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hoyeho @felixfontein

Comments