feat(stackitkms): Add STACKIT KMS support

[xtavras]

Add STACKIT KMS Support

Summary

This PR adds support for encrypting and decrypting SOPS files using STACKIT KMS, similar to existing AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS integrations.

Changes

Core Implementation

• Added stackitkms package implementing MasterKey interface for STACKIT KMS
• Integrated STACKIT SDK for Go (services/kms v1.3.2, core v0.22.0)
• Support for encryption/decryption operations via STACKIT KMS API

CLI Integration

• Added --stackit-kms flag for encrypt and edit commands
• Added --add-stackit-kms and --rm-stackit-kms flags for rotate command
• Support for SOPS_STACKIT_KMS_IDS environment variable

Configuration Support

• Added STACKIT KMS key support in .sops.yaml configuration files
• Key format: projects/<projectId>/regions/<regionId>/keyRings/<keyRingId>/keys/<keyId>/versions/<versionNumber>

gRPC Keyservice Integration

• Added StackitKmsKey message to protobuf definitions
• Implemented encryption/decryption handlers in keyservice server

Storage Format

• Added stackit_kms key serialization in stores package
• Support for round-trip conversion (internal ↔ storage format)

Usage

# Encrypt a file
sops encrypt --stackit-kms "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/1" secrets.yaml > secrets.enc.yaml

# Edit encrypted file
sops edit secrets.enc.yaml

# Rotate keys
sops rotate --add-stackit-kms "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/2" secrets.enc.yaml

Configuration File Example

# .sops.yaml
creation_rules:
  - path_regex: .*
    stackit_kms: "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/1"

  # Or with key groups:
  - path_regex: secrets/.*
    key_groups:
      - stackit_kms:
          - resource_id: "projects/my-project/regions/eu01/keyRings/my-keyring/keys/my-key/versions/1"

Authentication

STACKIT credentials are resolved automatically by the SDK in the following order:

1. Workload Identity Federation (recommended) — OIDC-based, no secrets needed
   • STACKIT_FEDERATED_TOKEN_FILE, STACKIT_SERVICE_ACCOUNT_EMAIL
2. Key Flow — RSA key-pair based, short-lived tokens
   • STACKIT_SERVICE_ACCOUNT_KEY_PATH, STACKIT_PRIVATE_KEY_PATH
3. Token Flow (deprecated) — long-lived service account token
   • STACKIT_SERVICE_ACCOUNT_TOKEN
4. Credentials file — ~/.stackit/credentials.json

Testing

• ✅ Manual testing completed with STACKIT KMS (AES-256-GCM symmetric key)
• ✅ Unit tests added for key parsing, serialization, and rotation logic
• ✅ All existing tests pass
• ✅ Builds successfully

Implementation Notes

• Follows the same patterns as AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS integrations for consistency
• Uses GCP KMS-style resource ID format for familiarity
• Key requires symmetric_encrypt_decrypt purpose with aes_256_gcm algorithm

[xtavras]

Hi @felixfontein I know there is lack of time and plan do create some kind of plugin system in the future, but I really love SOPS and used it before with GCP KMS, so it would be great to see official STACKIT KMS support as well as they work in a similar way (I use it already with my build).
I saw that HuaweiCloud got PR was merged, so there is a hope. Let me know if there is anything I can do to help move this forward.

[felixfontein]

I don't think there's much you can do right now, unless you can convince another of the maintainers that they'll review this. I think the best way forward for this (and all the other PRs that want to add other KMSes) is #2016.

[sabre1041]

Looking good. A few comments based on the initial review

[xtavras]

Hi @sabre1041, thank you for looking into PR, the comments should be resolved now.