
feat: Add offline Azure Key Vault encryption support#2113

Open
rkthtrifork wants to merge 1 commit into getsops:main from rkthtrifork:main

Conversation

@rkthtrifork

Summary

This adds support for encrypting SOPS data keys for Azure Key Vault without network access.

When an Azure Key Vault public key is provided locally, SOPS now:

  • generates the data key locally as usual
  • encrypts the file contents with that data key
  • encrypts the data key locally with the provided Azure RSA public key

Decryption still goes through Azure Key Vault using the corresponding private key.

Existing Azure Key Vault behavior remains unchanged when no local public key is configured.

Configuration

The existing azure_keyvault URL form is still supported unchanged:

creation_rules:
  - path_regex: ""
    azure_keyvault: https://<vault>/keys/<key>/<version>

Offline encryption is enabled through the structured form by adding publicKeyFile:

creation_rules:
  - path_regex: ""
    azure_keyvault:
      - vaultUrl: https://<vault>
        key: <key>
        version: <version>
        publicKeyFile: ./keys/azure.pub

Notes:

  • version must be set when publicKeyFile is used, since SOPS cannot resolve the latest key version offline.
  • relative publicKeyFile paths are resolved relative to the config file.

Implementation details

  • keeps the existing online Azure encrypt/decrypt flow untouched by default
  • adds an offline Azure encrypt path in azkv using a locally supplied RSA public key
  • keeps Azure decryption remote via Key Vault
  • persists the Azure public key in SOPS metadata so later offline edits/rotations can still rewrap the data key without network access
  • threads the new Azure metadata through keyservice and stores
  • supports PEM and RSA JWK public key input

Tests

Added coverage for:

  • offline Azure encryption with a local public key
  • JWK public key parsing
  • config parsing for publicKeyFile
  • metadata round-tripping of the persisted public key
  • keyservice propagation of the Azure public key

Validated with:

go test ./azkv ./config ./stores ./keyservice ./cmd/sops/...

Not tested in practice. I would like to know if you are interested in this before I spend any more time on it.

Signed-off-by: rkthtrifork <rkth@trifork.com>
@felixfontein
Contributor

Thanks for your contribution! I don't think this is a good fit for the SOPS "core" codebase, which is already way too big (and this seems to be another big chunk that also does more explicit cryptography than I think we should be doing), but I think this would be great to have as a plugin. Unfortunately there's no plugin infrastructure yet, see #2016.

@rkthtrifork
Author

rkthtrifork commented Mar 24, 2026

Thanks for your contribution! I don't think this is a good fit for the SOPS "core" codebase, which is already way too big (and this seems to be another big chunk that also does more explicit cryptography than I think we should be doing), but I think this would be great to have as a plugin. Unfortunately there's no plugin infrastructure yet, see #2016.

That makes sense, I'll follow that proposal :)

Would you prefer I delete this PR to avoid bloating the repo or put the PR in draft or something?
