
feat(KMS): cli integration#835

Open
luxium30 wants to merge 24 commits into master from leoloch/sc-175358/kms-integration-with-cli

Conversation

@luxium30 luxium30 commented May 15, 2026


Description

Commands added:

All commands have a --zone flag to easily target another zone.

key:

  • kms key show ID
  • kms key list --ignore-replica --status XXX
  • kms key create NAME --usage encrypt-decrypt --description XXX --multizone
  • kms key enable ID
  • kms key disable ID
  • kms key rotate ID
  • kms key delete ID --delay-days XXX
  • kms key cancel-delete ID
  • kms key replicate ID ZONE
  • kms key enable-rotation ID --rotation-period XXX
  • kms key disable-rotation ID
  • kms key list-rotation ID

crypto:

  • kms crypto encrypt ID PLAINTEXT --encryption-context XXX
  • kms crypto decrypt ID CIPHERTEXT --encryption-context XXX
  • kms crypto generate-data-key ID <--bytes-count XXX | --key-spec XXX> --encryption-context XXX
  • kms crypto reencrypt SRC_ID DEST_ID CIPHERTEXT --source-encryption-context XXX --dest-encryption-context XXX
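How the generate-data-key and encryption-context pieces fit together, as an added illustration rather than code from this PR or from egoscale: a constructed mock KMS wraps a fresh data key under a master key that never leaves it, with the sorted encryption context as AES-GCM additional authenticated data, and the caller encrypts its payload locally with the data key (envelope encryption). The mockKMS type, the contextAAD serialisation format and the Envelope struct are assumptions; the real API's context encoding is not shown on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// mockKMS is a constructed stand-in for the service: it holds one master key
// that is never returned to callers, only used to wrap and unwrap data keys.
type mockKMS struct{ master []byte }

func NewMockKMS() (*mockKMS, error) {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		return nil, err
	}
	return &mockKMS{master: master}, nil
}

// contextAAD serialises an encryption context deterministically (sorted k=v pairs)
// so the same map always yields the same additional authenticated data.
// The "k=v;" format is an assumption for this example.
func contextAAD(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s;", k, ctx[k])
	}
	return []byte(b.String())
}

// sealAEAD returns nonce || AES-GCM ciphertext, binding aad to the ciphertext.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; it fails if the key, the ciphertext or the aad differ.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// GenerateDataKey mirrors `kms crypto generate-data-key --bytes-count N --encryption-context ...`:
// a fresh data key in the clear plus the same key wrapped under the master key, bound to ctx.
func (k *mockKMS) GenerateDataKey(byteCount int, ctx map[string]string) (plain, wrapped []byte, err error) {
	plain = make([]byte, byteCount)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = sealAEAD(k.master, plain, contextAAD(ctx))
	return plain, wrapped, err
}

// Decrypt mirrors `kms crypto decrypt`: unwraps only if the same context is supplied.
func (k *mockKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	return openAEAD(k.master, wrapped, contextAAD(ctx))
}

// Envelope is what a client stores: the wrapped data key and the locally produced ciphertext.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

func EnvelopeEncrypt(k *mockKMS, payload []byte, ctx map[string]string) (*Envelope, error) {
	dataKey, wrapped, err := k.GenerateDataKey(32, ctx)
	if err != nil {
		return nil, err
	}
	ct, err := sealAEAD(dataKey, payload, nil) // payload never goes to the KMS
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

func EnvelopeDecrypt(k *mockKMS, env *Envelope, ctx map[string]string) ([]byte, error) {
	dataKey, err := k.Decrypt(env.WrappedKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openAEAD(dataKey, env.Ciphertext, nil)
}

func main() {
	k, _ := NewMockKMS()
	ctx := map[string]string{"app": "billing", "env": "prod"} // constructed context
	env, _ := EnvelopeEncrypt(k, []byte("payroll export"), ctx)
	out, err := EnvelopeDecrypt(k, env, ctx)
	fmt.Printf("same context: %q err=%v\n", out, err)
	_, err = EnvelopeDecrypt(k, env, map[string]string{"app": "billing"})
	fmt.Printf("different context: err=%v\n", err)
}
```

The context is not secret; its value is that a ciphertext wrapped under one context cannot be unwrapped by a caller who presents another, which is why the decrypt and reencrypt commands above take the context as an explicit flag.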

Output

kms key list

┼──────────────────────────────────────┼──────────────────────────────────────────────────────┼────────────┼──────────────────┼───────────┼─────────────────────────────┼
│                  ID                  │                         NAME                         │ ORIGINZONE │      STATUS      │ MULTIZONE │          REPLICAS           │
┼──────────────────────────────────────┼──────────────────────────────────────────────────────┼────────────┼──────────────────┼───────────┼─────────────────────────────┼
│ 019e1783-a083-76b0-a903-73e883b94a1c │ a2                                                   │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e1785-3642-773f-ba76-f19adb5467ba │ a3                                                   │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e1cf6-7810-7512-9ba4-6d19cdd429e9 │ a4                                                   │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e2023-23ac-75f7-a24d-31f0d1053fd2 │ kms-canary-keylifecycle-ch-gva-2-1778655634312805000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2029-d77b-7811-b2d4-2dca52f4ac5c │ kms-canary-keylifecycle-ch-gva-2-1778656073555519000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e202b-3343-7b21-a1c6-320a6beb1196 │ kms-canary-keylifecycle-ch-gva-2-1778656162585813000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2034-7cdf-7151-8115-2e1947d00d18 │ kms-canary-keylifecycle-ch-gva-2-1778656771259583000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2034-d30c-7ec6-9190-0e364878f689 │ kms-canary-multizone-ch-gva-2-1778656793321428000    │ ch-gva-2   │ disabled         │ true      │ de-fra-1, at-vie-1, ch-dk-2 │
│ 019e2039-157e-7db8-8c86-ec5ddf65fafd │ Default                                              │ ch-gva-2   │ enabled          │ true      │ de-fra-1, at-vie-1, ch-dk-2 │
│ 019e2090-936e-7857-b03b-277cb09726eb │ kms-canary-keylifecycle-ch-gva-2-1778662806309327000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2090-e4f7-7975-bdc6-a67f3d92fc9a │ kms-canary-keylifecycle-ch-gva-2-1778662827181757000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e20cb-6f0b-72c2-8e37-ce47c21afb6b │ kms-canary-keylifecycle-ch-gva-2-1778666663604396000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e20cc-1963-7acf-a0ba-b3bf15bba25a │ kms-canary-keylifecycle-ch-gva-2-1778666707213761000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2318-ddfe-7871-a8f6-213137e94b9e │ hello123                                             │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e2b73-2b29-7b01-9c22-f1b93a8757dd │ hello1233                                            │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e2b7f-d48d-79be-8ff2-ecd9ce2a5f9b │ hello1233 usage: encrypt-decrypt                     │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e3a93-7f49-730a-9e86-7927e6c52b84 │ byebye                                               │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e3aa0-7fd9-7449-a93a-85578c57d628 │ byeby2e                                              │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e3aa1-5281-74aa-88f7-c214531dfb45 │ byebye2                                              │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e3ab8-ceb9-7e9f-941b-5db3c265427c │ blabla                                               │ ch-gva-2   │ enabled          │ true      │ de-fra-1, at-vie-1, ch-dk-2 │
┼──────────────────────────────────────┼──────────────────────────────────────────────────────┼────────────┼──────────────────┼───────────┼─────────────────────────────┼

kms key show ID

┼─────────────────┼───────────────────────────────────────────────────┼
│     KMS KEY     │                                                   │
┼─────────────────┼───────────────────────────────────────────────────┼
│ ID              │ 019e2039-157e-7db8-8c86-ec5ddf65fafd              │
│ Name            │ Default                                           │
│ Created At      │ 2026-05-13 07:24:32.51101951 +0000 UTC            │
│ Multizone       │ true                                              │
│ Origin Zone     │ ch-gva-2                                          │
│ Status          │ enabled                                           │
│ Replicas Status │ at-vie-1, ch-dk-2, de-fra-1                       │
│ Material        │ auto: false                                       │
│                 │ createdAt: 2026-05-13 07:24:32.51101951 +0000 UTC │
│                 │ version: 1                                        │
│ Rotation        │ auto: true                                        │
│                 │ count: 0                                          │
│                 │ nextAt: 2027-05-13 07:24:32.515024172 +0000 UTC   │
│                 │ rotationPeriod: 365                               │
│ Usage           │ encrypt-decrypt                                   │
│ Source          │ exoscale-kms                                      │
│ Description     │ Exoscale KMS default key.                         │
┼─────────────────┼───────────────────────────────────────────────────┼

kms key list-rotation ID

┼─────────┼─────────────────────────────────────────┼───────────┼
│ VERSION │               ROTATED AT                │ AUTOMATIC │
┼─────────┼─────────────────────────────────────────┼───────────┼
│ 2       │ 2026-05-18 13:54:02.348056112 +0000 UTC │ false     │
│ 3       │ 2026-05-18 13:54:08.274114393 +0000 UTC │ false     │
│ 4       │ 2026-05-18 16:08:40.611917076 +0000 UTC │ false     │
│ 5       │ 2026-05-18 16:08:41.78315071 +0000 UTC  │ false     │
│ 6       │ 2026-05-18 16:08:42.717906733 +0000 UTC │ false     │
┼─────────┼─────────────────────────────────────────┼───────────┼

Checklist

(For exoscale contributors)

  • Changelog updated (under Unreleased block, and add the Pull Request #number for each bit you add to the CHANGELOG.md)
  • Testing

Testing

Tested in preprod with go run main.go kms ...

@luxium30 luxium30 marked this pull request as draft May 19, 2026 07:00
@luxium30 luxium30 marked this pull request as ready for review May 19, 2026 09:00
@luxium30 luxium30 requested review from emilehreich and jbelo May 19, 2026 09:00

@emilehreich emilehreich left a comment

Contributor


I am not entirely convinced by the way the operations are defined here. The separation between operations on a "key" and operations on a "rotation" doesn't match the logic of our API. It essentially treats "rotation" as a resource in itself, when it is actually an operation on a key.

On one hand, we have key lifecycle operations, where you operate directly on a key to change its state: in that case, it makes sense to have a command like kms key . On the other hand, we have cryptographic operations that use these keys to perform tasks unrelated to the key's state. For those, I would expect something like kms <crypto-op> --key <id> <required-params>.

Additionally, in the current split, rotation commands are spread across two different categories, which is confusing (e.g., kms rotation <> and kms key rotate <>).

Lastly, you are using the keyword "delete" for the schedule-key-deletion operation. I think the command should clearly reflect that it is a schedule and not an immediate deletion. Users will surely be confused by this.

@luxium30 luxium30 requested a review from emilehreich May 26, 2026 15:18
@kobajagi

Contributor

Also keep in mind that command organization should follow Portal design and vice versa.

Comment thread cmd/kms/crypto/crypto_reencrypt.go
@luxium30 luxium30 requested a review from emilehreich May 29, 2026 15:24

jbelo commented Jun 4, 2026


The CLI is not handling the defaults correctly, I believe. Currently, with egoscale still not updated to the current OpenAPI spec, a call to key create fails if, e.g., usage is not specified:

❯ bin/exo kms key create 'another-key' --zone 'ch-gva-2'
>>> Operation: list-zones
GET /v2/zone HTTP/1.1
Host: localhost:8040
Authorization: EXO2-HMAC-SHA256 credential=EXO8022e3e14aa57e593a52de51,expires=1780586947,signature=7IAzSRIqTtolQQD7yzLUTw0jU8xUzSjYWQ3HueiHWJ4=
User-Agent: exocli/dev/n/a egoscale/v3.1.36 (go1.26.0; darwin/arm64)


<<< HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
Date: Thu, 04 Jun 2026 15:19:07 GMT
Server: Aleph/0.9.4

79
{"zones":[{"name":"ch-gva-2","api-endpoint":"http://localhost:8040/v2","sos-endpoint":"https://devsos-ch-gva-2.exo.io"}]}
0


----------------------------------------------------------------------
>>> Operation: create-kms-key
POST /v2/kms-key HTTP/1.1
Host: localhost:8040
Authorization: EXO2-HMAC-SHA256 credential=EXO8022e3e14aa57e593a52de51,expires=1780586947,signature=o7PwOgjUbTDvxRN2WrtIOwC60rpeae6Ut4T1wEAHMLw=
Content-Type: application/json
User-Agent: exocli/dev/n/a egoscale/v3.1.36 (go1.26.0; darwin/arm64)

{"description":"","multi-zone":false,"name":"another-key","usage":""}
<<< HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
Date: Thu, 04 Jun 2026 15:19:07 GMT
Server: Aleph/0.9.4

1b7
{"type":"#/http-problem-types/request-invalid-parameters","title":"Invalid Request","status":400,"detail":"request body has an error: doesn't match schema #/components/schemas/create-kms-key-request: Error at \"/usage\": value is not one of the allowed values

Note in particular the body of the request,

{"description":"","multi-zone":false,"name":"another-key","usage":""}

In any case, for the updated spec, the egoscale request will probably be conditional on the arguments given to the exo command.
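The defaults problem from the log above, as an added example that is not the PR's or egoscale's code: naiveRequest reproduces the body that was rejected (every field is always serialised, so an unset --usage becomes ""), while fixedRequest makes the optional fields pointers with omitempty so the body only carries what the user actually passed and the API applies its own defaults. The struct names, createFlags with its *Set booleans, and the allowedUsages list (which contains only encrypt-decrypt, the one value visible on this page) are assumptions; schemaCheck is a constructed stand-in for the server's enum validation.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// naiveRequest mirrors the shape implied by the log: every field always serialised.
// Field order matches the body shown in the log above.
type naiveRequest struct {
	Description string `json:"description"`
	MultiZone   bool   `json:"multi-zone"`
	Name        string `json:"name"`
	Usage       string `json:"usage"`
}

// fixedRequest: optional fields are pointers with omitempty, so an unset flag is
// absent from the body instead of being sent as "" or false.
type fixedRequest struct {
	Description *string `json:"description,omitempty"`
	MultiZone   *bool   `json:"multi-zone,omitempty"`
	Name        string  `json:"name"`
	Usage       *string `json:"usage,omitempty"`
}

// createFlags is an assumed representation of what the CLI collects; the *Set
// booleans record whether the user passed the flag at all (cobra's Flags().Changed
// gives the same information in a real command).
type createFlags struct {
	Name, Description, Usage               string
	MultiZone                              bool
	DescriptionSet, UsageSet, MultiZoneSet bool
}

// allowedUsages is an assumed allow-list; only encrypt-decrypt appears on this page.
var allowedUsages = map[string]bool{"encrypt-decrypt": true}

// buildNaive reproduces the rejected request body.
func buildNaive(f createFlags) ([]byte, error) {
	return json.Marshal(naiveRequest{
		Description: f.Description, MultiZone: f.MultiZone, Name: f.Name, Usage: f.Usage,
	})
}

// buildFixed validates client-side and only serialises fields the user set.
func buildFixed(f createFlags) ([]byte, error) {
	if f.Name == "" {
		return nil, fmt.Errorf("name is required")
	}
	r := fixedRequest{Name: f.Name}
	if f.DescriptionSet {
		r.Description = &f.Description
	}
	if f.MultiZoneSet { // an explicit --multizone=false is still sent
		r.MultiZone = &f.MultiZone
	}
	if f.UsageSet {
		if !allowedUsages[f.Usage] {
			return nil, fmt.Errorf("invalid --usage %q", f.Usage)
		}
		r.Usage = &f.Usage
	}
	return json.Marshal(r)
}

// schemaCheck is a constructed stand-in for the server's schema validation:
// if "usage" is present it must be one of the allowed enum values.
func schemaCheck(body []byte) error {
	var m map[string]json.RawMessage
	if err := json.Unmarshal(body, &m); err != nil {
		return err
	}
	if raw, ok := m["usage"]; ok {
		var u string
		if err := json.Unmarshal(raw, &u); err != nil {
			return err
		}
		if !allowedUsages[u] {
			return fmt.Errorf(`Error at "/usage": value is not one of the allowed values`)
		}
	}
	return nil
}

func main() {
	f := createFlags{Name: "another-key"} // constructed: only the name was given
	naive, _ := buildNaive(f)
	fmt.Printf("naive body: %s -> %v\n", naive, schemaCheck(naive))
	fixed, _ := buildFixed(f)
	fmt.Printf("fixed body: %s -> %v\n", fixed, schemaCheck(fixed))
}
```

Using a pointer rather than a plain string with omitempty matters for the boolean: with `bool` and omitempty an explicit `--multizone=false` would be dropped, whereas a `*bool` distinguishes "not given" from "given as false".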
