
feat(stackitkms): Add STACKIT KMS support#2094

Open
xtavras wants to merge 1 commit into getsops:main from xtavras:feat/stackit-kms-support

Conversation


xtavras commented Mar 4, 2026

Add STACKIT KMS Support

Summary

This PR adds support for encrypting and decrypting SOPS files using STACKIT KMS, similar to existing AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS integrations.

Changes

Core Implementation

  • Added stackitkms package implementing MasterKey interface for STACKIT KMS
  • Integrated STACKIT SDK for Go (services/kms v1.3.2, core v0.22.0)
  • Support for encryption/decryption operations via STACKIT KMS API

CLI Integration

  • Added --stackit-kms flag for encrypt and edit commands
  • Added --add-stackit-kms and --rm-stackit-kms flags for rotate command
  • Support for SOPS_STACKIT_KMS_IDS environment variable

Configuration Support

  • Added STACKIT KMS key support in .sops.yaml configuration files
  • Key format: projects/<projectId>/regions/<regionId>/keyRings/<keyRingId>/keys/<keyId>/versions/<versionNumber>

gRPC Keyservice Integration

  • Added StackitKmsKey message to protobuf definitions
  • Implemented encryption/decryption handlers in keyservice server

Storage Format

  • Added stackit_kms key serialization in stores package
  • Support for round-trip conversion (internal ↔ storage format)

Usage

# Encrypt a file
sops encrypt --stackit-kms "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/1" secrets.yaml > secrets.enc.yaml

# Edit encrypted file
sops edit secrets.enc.yaml

# Rotate keys
sops rotate --add-stackit-kms "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/2" secrets.enc.yaml

Configuration File Example

# .sops.yaml
creation_rules:
  - path_regex: .*
    stackit_kms: "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/1"

  # Or with key groups:
  - path_regex: secrets/.*
    key_groups:
      - stackit_kms:
          - resource_id: "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/1"

Authentication

STACKIT credentials are resolved automatically by the SDK in the following order:

  1. Workload Identity Federation (recommended) — OIDC-based, no secrets needed
    • STACKIT_FEDERATED_TOKEN_FILE, STACKIT_SERVICE_ACCOUNT_EMAIL
  2. Key Flow — RSA key-pair based, short-lived tokens
    • STACKIT_SERVICE_ACCOUNT_KEY_PATH, STACKIT_PRIVATE_KEY_PATH
  3. Token Flow (deprecated) — long-lived service account token
    • STACKIT_SERVICE_ACCOUNT_TOKEN
  4. Credentials file: ~/.stackit/credentials.json

Testing

  • ✅ Manual testing completed with STACKIT KMS (AES-256-GCM symmetric key)
  • ✅ Unit tests added for key parsing, serialization, and rotation logic
  • ✅ All existing tests pass
  • ✅ Builds successfully

Implementation Notes

  • Follows the same patterns as AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS integrations for consistency
  • Uses GCP KMS-style resource ID format for familiarity
  • Key requires symmetric_encrypt_decrypt purpose with aes_256_gcm algorithm

Add encryption/decryption support using STACKIT KMS (Key Management Service).
This follows the same pattern as existing KMS providers (AWS, GCP, Azure, HuaweiCloud).

New files:
- stackitkms/keysource.go: MasterKey implementation using STACKIT SDK
- stackitkms/keysource_test.go: Unit tests
- keyservice/stackitkms.go: StackitKmsKey protobuf-compatible types

Modified files:
- cmd/sops/main.go: --stackit-kms, --add-stackit-kms, --rm-stackit-kms flags
- config/config.go: stackit_kms support in .sops.yaml
- keyservice/keyservice.proto: StackitKmsKey message
- keyservice/keyservice.go: KeyFromMasterKey conversion
- keyservice/server.go: encrypt/decrypt handlers
- stores/stores.go: serialization in encrypted file metadata
- go.mod: STACKIT SDK dependency

Key format: projects/<projectId>/regions/<regionId>/keyRings/<keyRingId>/keys/<keyId>/versions/<versionNumber>

Signed-off-by: Stanislav Kopp <stanislav.kopp@digits.schwarz>
xtavras force-pushed the feat/stackit-kms-support branch from 7dc6048 to 9705d53 on March 4, 2026 18:55
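As an added example that is not code from this PR or from the sops project, the following Go program shows the validation a practitioner would want around the resource-ID format the PR documents (projects/.../regions/.../keyRings/.../keys/.../versions/N): a strict parser that rejects malformed IDs at config-load time, the canonical string and the `resource_id` map round trip that the stores layer needs, and a list parser for several keys. The struct and function names are illustrative, and treating SOPS_STACKIT_KMS_IDS as comma-separated is an assumption (the PR does not state the separator).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// StackitKeyRef is the parsed form of the resource ID format documented in the PR:
//   projects/<projectId>/regions/<regionId>/keyRings/<keyRingId>/keys/<keyId>/versions/<versionNumber>
// Illustrative type, not the PR's stackitkms package.
type StackitKeyRef struct {
	ProjectID string
	RegionID  string
	KeyRingID string
	KeyID     string
	Version   int
}

// Fixed labels at the even positions of the split path, in order.
var refLabels = [5]string{"projects", "regions", "keyRings", "keys", "versions"}

// ParseStackitKeyRef validates strictly: exactly ten segments, the labels with the
// documented case, no empty values, and a positive integer version. Failing here
// is preferable to an opaque API error from STACKIT KMS on the first encrypt.
func ParseStackitKeyRef(id string) (StackitKeyRef, error) {
	parts := strings.Split(strings.TrimSpace(id), "/")
	if len(parts) != 2*len(refLabels) {
		return StackitKeyRef{}, fmt.Errorf("stackit kms: expected %d path segments, got %d in %q", 2*len(refLabels), len(parts), id)
	}
	for i, label := range refLabels {
		if parts[2*i] != label {
			return StackitKeyRef{}, fmt.Errorf("stackit kms: segment %d of %q must be %q, got %q", 2*i, id, label, parts[2*i])
		}
		if parts[2*i+1] == "" {
			return StackitKeyRef{}, fmt.Errorf("stackit kms: empty value after %q in %q", label, id)
		}
	}
	version, err := strconv.Atoi(parts[9])
	if err != nil || version < 1 {
		return StackitKeyRef{}, fmt.Errorf("stackit kms: version must be a positive integer, got %q in %q", parts[9], id)
	}
	return StackitKeyRef{ProjectID: parts[1], RegionID: parts[3], KeyRingID: parts[5], KeyID: parts[7], Version: version}, nil
}

// String rebuilds the canonical resource ID, so for valid input
// ParseStackitKeyRef(id).String() == strings.TrimSpace(id).
func (k StackitKeyRef) String() string {
	return fmt.Sprintf("projects/%s/regions/%s/keyRings/%s/keys/%s/versions/%d",
		k.ProjectID, k.RegionID, k.KeyRingID, k.KeyID, k.Version)
}

// ToMap is the storage shape the PR shows under key_groups ("resource_id: ...");
// the wrapped data key ("enc") that a real file also carries is omitted here.
func (k StackitKeyRef) ToMap() map[string]interface{} {
	return map[string]interface{}{"resource_id": k.String()}
}

// FromMap is the inverse and re-validates, because file metadata is untrusted input.
func FromMap(m map[string]interface{}) (StackitKeyRef, error) {
	raw, ok := m["resource_id"].(string)
	if !ok {
		return StackitKeyRef{}, fmt.Errorf("stackit kms: resource_id missing or not a string")
	}
	return ParseStackitKeyRef(raw)
}

// ParseStackitKeyRefList splits a comma-separated list (assumption: the same
// convention as the other SOPS_*_IDS/ARNS variables) and rejects duplicates,
// which would otherwise wrap the data key twice under the same key.
func ParseStackitKeyRefList(s string) ([]StackitKeyRef, error) {
	var refs []StackitKeyRef
	seen := map[string]bool{}
	for _, part := range strings.Split(s, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		ref, err := ParseStackitKeyRef(part)
		if err != nil {
			return nil, err
		}
		if seen[ref.String()] {
			return nil, fmt.Errorf("stackit kms: duplicate key %q", ref.String())
		}
		seen[ref.String()] = true
		refs = append(refs, ref)
	}
	return refs, nil
}

func main() {
	// Constructed sample input: two versions of the key used in the PR's usage examples.
	ids := "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/1," +
		"projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/2"
	refs, err := ParseStackitKeyRefList(ids)
	if err != nil {
		panic(err)
	}
	for _, r := range refs {
		fmt.Printf("%+v -> %v\n", r, r.ToMap())
	}
	_, err = ParseStackitKeyRef("projects/p/regions/r/keyrings/k/keys/x/versions/1")
	fmt.Println("lowercase keyrings rejected:", err != nil)
}
```

The label check is deliberately case-sensitive because the PR fixes the spelling `keyRings`, and a lenient parser would silently accept an ID that the service then rejects; version 0 is refused for the same reason.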
