feat: add Alibaba Cloud KMS Support #2069

Open
peiliqiancdt wants to merge 11 commits into getsops:main from peiliqiancdt:feature/alicloud-kms

Conversation

@peiliqiancdt peiliqiancdt commented Feb 13, 2026

Add Alibaba Cloud KMS Support

Summary

This PR adds support for Alibaba Cloud KMS as a new key provider in SOPS.

Changes

Core Implementation

  • Add the acskms package with ARN parsing, encrypt/decrypt, metadata serialization, and tests.
  • Extend SOPS metadata/stores to persist acskms entries and ensure round-trip conversions.
  • Allow .sops.yaml creation_rules/key_groups to declare acs_kms, with parsing, deduping, and tests.

CLI & Config Integration

  • Add --acs-kms, --add-acs-kms, --rm-acs-kms, and SOPS_ACS_KMS_ARN flags/env vars across encrypt/edit/rotate/set/unset flows.
  • Update key resolution paths so ACS KMS works with both CLI flags and .sops.yaml fallbacks.
  • Refresh README sections (usage, key management, config examples) to document ACS KMS alongside other providers.

Keyservice / gRPC

  • Introduce AcsKmsKey protobuf message and regenerate clients/servers so remote keyservice instances can wrap ACS KMS.
  • Extend keyservice.KeyFromMasterKey plus Encrypt/Decrypt RPC handlers to cover ACS KMS master keys.

Dependencies

Pull in Alibaba Cloud SDK modules required by the new integration.

  • alibabacloud-go/darabonba-openapi/v2
  • aliyun/credentials-go
  • alibabacloud-go/tea
  • alibabacloud-go/kms-20160120/v3

Authentication

SOPS will use the Alibaba Cloud SDK's default credential provider chain to authenticate with KMS. This means it will look for credentials in the following order:

  1. Environment variables (ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET).
  2. Alibaba Cloud CLI configuration files (if the Alibaba Cloud CLI is installed and configured).
  3. Instance metadata service (if running on an Alibaba Cloud ECS instance with appropriate IAM roles).

Usage

sops encrypt --acs-kms acs:kms:cn-shanghai:1234567890:key/your-key secrets.yaml > secrets.enc.yaml

Or via .sops.yaml:

creation_rules:
  - path_regex: secrets/.*
    acs_kms:
      - acs:kms:cn-shanghai:1234567890:key/your-key
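
As an added example (not code from this PR or from SOPS itself), the standalone Go program below parses and deduplicates key identifiers of the shape the PR's examples use, `acs:kms:<region>:<account>:key/<key-id>`, as a CLI flag or environment variable carrying a comma-separated list would deliver them. The type and function names, and the character classes the pattern accepts for each field, are this example's own assumptions; the PR's actual `acskms` package is not visible on this page.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// AcsKmsKey is the parsed form of an Alibaba Cloud KMS key identifier.
// The type and field names are this example's own, not the PR's.
type AcsKmsKey struct {
	Region    string
	AccountID string
	KeyID     string
}

// Arn reassembles the canonical identifier from its parts.
func (k AcsKmsKey) Arn() string {
	return fmt.Sprintf("acs:kms:%s:%s:key/%s", k.Region, k.AccountID, k.KeyID)
}

// arnPattern pins the five-part layout shown in the PR's examples:
// acs:kms:<region>:<account>:key/<key-id>. The character classes are an
// assumption: lowercase region tokens, an all-digit account id, and an
// alphanumeric/hyphen key id (covers UUID-style ids).
var arnPattern = regexp.MustCompile(`^acs:kms:([a-z0-9-]+):([0-9]+):key/([A-Za-z0-9-]+)$`)

// ParseAcsKmsArn validates the identifier shape and rejects anything that
// does not match, so a typo never becomes a "key" the tool would try to
// call KMS with (and fail on only after the data is already partially
// processed).
func ParseAcsKmsArn(arn string) (AcsKmsKey, error) {
	arn = strings.TrimSpace(arn)
	m := arnPattern.FindStringSubmatch(arn)
	if m == nil {
		return AcsKmsKey{}, fmt.Errorf("invalid ACS KMS ARN %q: want acs:kms:<region>:<account>:key/<key-id>", arn)
	}
	return AcsKmsKey{Region: m[1], AccountID: m[2], KeyID: m[3]}, nil
}

// ParseAcsKmsArnList handles the comma-separated form a flag or env var
// would carry, drops duplicates (keeping the first occurrence), and fails
// on the first malformed entry rather than encrypting to a partial set.
func ParseAcsKmsArnList(list string) ([]AcsKmsKey, error) {
	var keys []AcsKmsKey
	seen := make(map[string]bool)
	for _, raw := range strings.Split(list, ",") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		k, err := ParseAcsKmsArn(raw)
		if err != nil {
			return nil, err
		}
		if seen[k.Arn()] {
			continue
		}
		seen[k.Arn()] = true
		keys = append(keys, k)
	}
	if len(keys) == 0 {
		return nil, errors.New("no ACS KMS ARNs given")
	}
	return keys, nil
}

func main() {
	// Constructed input: two distinct ARNs plus a duplicate, with stray spaces.
	input := "acs:kms:cn-shanghai:1234567890:key/your-key, acs:kms:cn-hangzhou:1234567890:key/other-key ,acs:kms:cn-shanghai:1234567890:key/your-key"
	keys, err := ParseAcsKmsArnList(input)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, k := range keys {
		fmt.Printf("region=%s account=%s key=%s\n", k.Region, k.AccountID, k.KeyID)
	}
	// A malformed entry (wrong service, no key/ prefix) is rejected outright.
	if _, err := ParseAcsKmsArn("acs:ecs:cn-shanghai:1234567890:your-key"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Deduplicating on the reassembled canonical string rather than on the raw input means two spellings of the same key (trailing whitespace, for instance) collapse to one entry, which is the behaviour you want before the identifier is persisted into file metadata alongside the other providers.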

peiliqiancdt changed the title from "feat: add support for Alibaba Cloud KMS in keyservice" to "feat: add support for Alibaba Cloud KMS" on Feb 13, 2026
Signed-off-by: Perrie Qian <perrie-qian@outlook.com>
peiliqiancdt changed the title from "feat: add support for Alibaba Cloud KMS" to "feat: add Alibaba Cloud KMS Support" on Feb 27, 2026
peiliqiancdt and others added 2 commits on February 27, 2026 at 14:33

2 participants