The code part is not a issue, I think this question is mostly directed towards operators using Vault as the backend (backend storage with an API essentially) for Barbican. I’m also very interested in this topic, my idea was to email their licensing department and simply ask unless somebody here has an answer already. Best regards Tobias
On 18 Sep 2023, at 12:06, smooney@redhat.com wrote:
On Sun, 2023-09-17 at 18:52 +0200, Damian Bulira wrote:
Hi Guys,
Recently Hashicorp changed their product licensing from MPL to BSL. Did any of you carry out research on the impact of this change in regard to using Vault as a backend in Barbican and/or Cinder for both private and public clouds? Any thoughts about that?
im not that familiar with vault or barbican but unless we are importing code form vault it should nova no impact on the licensing of the barbican code base.
i belive we actully use https://github.com/openstack/castellan as an indirection layer in any openstack project that talks to vault.
if the BSL which is not generally accpted as a opensouce lisnce is incompatble with apache2 we woudl have to drop vault support if we were now calling any bsl code.
assumign we are using non CLIs or non bsl clinent libs we shoudl be unaffected by the chagne however it may have implicatoins for deployers both new and existing.
looking at it looks like its written in terms of vaults http api. https://github.com/openstack/castellan/blob/master/castellan/key_manager/vau... as a result castellan should be insulated form this change and proejcts like nova that only interact via castallan should be fine. barbincan appears to be using castellan at first glance too https://github.com/openstack/barbican/blob/c8e3dc14e6225f1d400131434e8afec0a...
so i think form a code licening point of view we are ok. that does not mean we hould nessisarly endorce the use of vault going forward but i honestly dont know enough about the politic or details of the bsl change to really comment on that.
if its not already a cpabality of barbican now might be a good time to investiage support for secrete migration between secrete backends...
Cheers, Damian