
Conversation

@enbiyagoral

Description

This PR adds HuaweiCloud KMS wrapper support to Vault for auto unseal, addressing issue #31630.

What it accomplishes:
Adds HuaweiCloud KMS wrapper support to Vault for auto unseal (fixes #31630).
This enables organizations using HuaweiCloud infrastructure to leverage Vault’s auto unseal feature with the same behavior as existing KMS providers (AWS, Azure, GCP, etc.).

Changes

  • Added GetHuaweiCloudKMSFunc to initialize the HuaweiCloud KMS wrapper
  • Added HuaweiCloudKms cases in configureWrapper and getEnvConfig
  • Environment variable and HCL config support (HUAWEICLOUD_REGION, HUAWEICLOUD_ACCESS_KEY, etc.)
  • IPv6 normalization (consistent with other wrappers)
  • Uses existing go-kms-wrapping/wrappers/huaweicloudkms/v2 package

Rationale

  • Maintains consistency with existing KMS wrappers
  • Minimal code changes and no impact on existing providers
  • Enables seamless integration for HuaweiCloud users and hybrid cloud setups

Testing

  • All existing tests pass
  • Verified environment parsing and IPv6 normalization

Security

  • No new controls introduced; follows established Vault KMS wrapper patterns

Related Issue:
Fixes #31630

TODO only if you're a HashiCorp employee

  • Backport Labels: N/A - This is a new feature and does not require backporting
  • Jira: N/A - Community contribution
  • RFC: N/A - Small addition following existing patterns

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

    Reason: HuaweiCloud KMS support was missing in Vault (issue Add HuaweiCloud KMS support for auto unseal #31630). Organizations using HuaweiCloud infrastructure cannot take advantage of Vault's auto unseal feature. This PR adds complete HuaweiCloud KMS wrapper support, including environment variable and config file support, enabling seamless integration with existing HuaweiCloud infrastructure.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

    Revert Plan: These changes only add new code and do not modify existing code. Reverting the PR is sufficient. There are no breaking changes, and existing KMS wrappers are not affected. The revert would simply remove HuaweiCloud KMS support without impacting other functionality.

  • If applicable, I've documented the impact of any changes to security controls.

    Security Impact:

    • This PR adds support for a new KMS wrapper and does not modify existing security controls
    • The HuaweiCloud KMS wrapper uses the same security standards and patterns as other KMS wrappers (AWS, Azure, GCP, etc.)
    • The same parsing and validation mechanisms are used for environment variables
    • WithDisallowEnvVars(true) is used to disable the wrapper's own env var reading, keeping it under Vault's control
    • IPv6 address normalization support ensures RFC-5952 compliance, same as other wrappers
    • Config file parsing uses the same secure mechanisms as other KMS wrappers
    • No new security risks are introduced; the implementation follows established security patterns

@enbiyagoral enbiyagoral requested a review from a team as a code owner November 7, 2025 07:54
@vercel

vercel bot commented Nov 7, 2025

@enbiyagoral is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

@enbiyagoral
Author

Hi @gautam-hashicorp, I've successfully tested the HuaweiCloud KMS wrapper implementation with a live Vault instance. The test confirms that auto-unseal works exactly as expected, matching the behavior of other KMS providers.

Test Configuration

  • Seal Type: huaweicloudkms
  • Recovery Seal Type: shamir
  • Vault Version: v1.22.0-beta1 (latest main branch build)
  • Storage Backend: inmem (for testing purposes)

Key Observations

Before Initialization:

Seal Type         huaweicloudkms
Initialized       false
Sealed            true

After Initialization:

Seal Type              huaweicloudkms
Recovery Seal Type     shamir
Initialized            true
Sealed                 false

Auto-Unseal Success: The logs demonstrate successful auto-unseal behavior:

[INFO] core: stored unseal keys supported, attempting fetch
[INFO] core: vault is unsealed
[INFO] core: unsealed with stored key

Vault unsealed itself automatically after initialization without any manual intervention. The master key is securely stored in HuaweiCloud KMS and automatically retrieved when Vault restarts.

Teams using HuaweiCloud can now have the same auto-unseal experience as those using other cloud providers. 🎉

@131

131 commented Nov 30, 2025

Is it possible to review and merge this ?

@enbiyagoral
Author

Friendly ping @gautam-hashicorp & @heatherezell . Would appreciate any feedback when you have a chance. Happy to make any adjustments needed. @131 Thanks for the interest! Hopefully we'll get some feedback soon. 🙂


Linked issue (may be closed by merging this pull request): Add HuaweiCloud KMS support for auto unseal

3 participants