Meet OpenBao, an Open Source Fork of HashiCorp Vault
First Terraform, and now Vault: more open source code abandoned by HashiCorp is finding a home with potential competitors.
In September, HashiCorp rivals forked the Infrastructure as Code (IaC) tool Terraform to create OpenTofu, after HashiCorp moved much of its core software from an open source license to the Business Source License. Now the OpenBao project has set out to maintain an open source version of HashiCorp’s widely used Vault secrets management software.
And OpenBao has at least a potentially very powerful backer: IBM.
Although Big Blue has made no official announcement, two IBM engineers are leading the effort to make OpenBao a project of the Linux Foundation, under the LF Edge umbrella.
Vault vs. OpenBao
Developed by HashiCorp, Vault is used in many distributed computing setups to manage secrets: passwords, API keys, certificates, and other bits of sensitive information that must be stored encrypted and handed out only to authorized callers. HashiCorp has done considerable work to make Vault an industry standard, and to have it work seamlessly with Terraform, giving it a natural advantage over secrets management services from cloud providers, such as AWS Secrets Manager.
Vault is also cloud agnostic, an important attribute for organizations looking to go multicloud.
IBM engineers started OpenBao, though IBM has not endorsed it as an official project (the company does maintain a forwarding link to the project from its own site). The OpenBao proposal resides on the Linux Foundation Edge site, though it is not yet listed as a project. IBM engineers Nathan Phelps and Joe Pearson are listed as contacts for the new project.
“OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. The OpenBao community intends to provide this software under an OSI-approved open-source license, led by a community run under open governance principles,” the mission statement, dated Oct. 20, on a project FAQ states.
Open Source All the Way Down
In an interview earlier this year with TNS, Scalr cofounder (and OpenTofu contributor) Sebastian Stadil explained that the OpenTofu fork came about, in part, from the frustration some Terraform users felt over HashiCorp’s sluggish response to bug fixes, even fixes submitted by outside contributors.
A similar impatience seems to be swirling around Vault as well, to judge from at least one Hacker News comment: “Vault had a lot of community contributions blocked or stalled due to internal politics/roadmap stuff at [HashiCorp]. I think having a community fork will encourage folks to scratch itches that [HashiCorp] was reluctant to add into the product.”
The same commenter also pined for a replacement for the Vault plugin model. “Lifecycling plugins, especially with container deployments of Vault, is a nightmare,” they wrote.
In fact, beyond bug fixing, one of the project’s stated initiatives is to build out some of the advanced features that have so far been available only in the commercial Vault Enterprise edition, such as high-performance replication, multiple namespaces, and perhaps even a policy-as-code framework. Tight integration with OpenTofu would also be a main concern.
Making a Meal of HashiCorp?
One of the surprising plot twists of OpenTofu earlier this year was how quickly the Linux Foundation became involved in the project, endorsing OpenTofu mere weeks after its launch.
But this was to be expected, Stadil explained, given how prevalent Terraform was in the open source cloud native community. It would not do to have an entirely open source stack, as maintained by the Cloud Native Computing Foundation, built on a proprietary infrastructure-as-code platform.
Presumably, a similar argument could be made for HashiCorp’s equally popular secrets management software. The Linux Foundation did not respond to a last-minute request for comment. HashiCorp declined to respond to a last-minute request from TNS.
(12/17/2023: The headline of this post was updated to replace an erroneous mention of a HashiCorp product.)