
Meet OpenBao, an Open Source Fork of HashiCorp Vault

First Terraform, and now Vault: More open source code left by HashiCorp is finding a home with potential competitors. This time, IBM is sniffing around the spoils.
Dec 15th, 2023 11:20am
The official steamed bun OpenBao logo, not to be confused with the logo of the JavaScript Bun framework. 

First Terraform, and now Vault: More open source code abandoned by HashiCorp is finding a home with potential competitors.

In September, HashiCorp rivals forked the Infrastructure as Code (IaC) software Terraform to create OpenTofu, after HashiCorp moved much of its core enterprise software from an open source license to a Business Source License. Now the OpenBao project has set out to maintain the open source version of HashiCorp’s widely used Vault security software.

The OpenTofu project quickly accumulated contributors, primarily hungry third-party Terraform-oriented startups such as Scalr, Gruntwork, Spacelift, env0, Terrateam, and Terramate, among others.

And with OpenBao, the project has at least one potentially very powerful backer: IBM.

Although no official announcements have been made by Big Blue, two IBM engineers are leading the effort to make OpenTofu a project of the Linux Foundation, under the LF Edge Umbrella.

Vault vs. OpenBao

Developed by HashiCorp, Vault is used in many distributed computing setups to manage secrets, or encrypted passwords, API keys, and other bits of sensitive information. HashiCorp has done considerable work to make Vault an industry standard, and to have it work seamlessly with its Terraform software, giving it a natural advantage over secrets management software from cloud providers, such as AWS Secrets Manager.

Vault is also cloud agnostic, an important attribute for organizations looking to go multicloud.

IBM engineers started OpenBao, although IBM has not endorsed it as an official project (the company does maintain a forwarding link to the project from its own site). The OpenBao proposal resides on the Linux Foundation Edge site, though it is not yet listed as a project. IBM engineers Nathan Phelps and Joe Pearson are listed as contacts for the new project.

“OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. The OpenBao community intends to provide this software under an OSI-approved open-source license, led by a community run under open governance principles,” the mission statement, dated Oct. 20, on a project FAQ states.

OpenBao will be launched from the last open source version of Vault, the 1.14 branch, which was the last version HashiCorp licensed under the Mozilla Public License 2.0 (MPL 2.0).

Open Source All the Way Down

In an interview earlier this year with TNS, Scalr cofounder (and OpenTofu contributor) Sebastian Stadil explained that the OpenTofu fork came, in part, from the frustration some Terraform users felt around HashiCorp’s sluggish response to bug fixes, even those submitted by outside users.

A similar impatience seems to be swirling around Vault as well, to judge from at least one Hacker News comment: “Vault had a lot of community contributions blocked or stalled due to internal politics/roadmap stuff at [HashiCorp]. I think having a community fork will encourage folks to scratch itches that [HashiCorp] was reluctant to add into the product.”

The reader also pined for a replacement for the Vault plug-in mode. “Lifecycling plugins, especially with container deployments of Vault, is a nightmare,” they wrote.

In fact, besides bug-fixing, one of the initiatives of the project is to build out some of the advanced features that have only been in the Vault Enterprise commercial edition, such as high-speed replication, multiple namespaces, and perhaps even a policy-as-code framework. Tight integration with OpenTofu would also be a main concern.

Making a Meal of HashiCorp?

One of the surprising plot twists of OpenTofu earlier this year was how quickly the Linux Foundation became involved in the project, endorsing OpenTofu mere weeks after its launch.

But this was to be expected, Stadil explained, given how prevalent Terraform was in the open source cloud native community. It would not do to have an entirely open source stack, as maintained by the Cloud Native Computing Community, built on a proprietary infrastructure-as-code platform.

Presumably, a similar argument could be made for HashiCorp’s equally popular secrets software. The Linux Foundation did not respond to a last-minute request-for-comment. HashiCorp declined to respond to a last-minute request from TNS.

In addition to Terraform and Vault, HashiCorp also moved Consul, Packer, and Vagrant over to the BSL. Any bets as to what foodstuffs these open source variants may be named after?

(12/17/2023: The headline of this post was updated to replace an erroneous mention of a HashiCorp product.) 

 

 

TNS owner Insight Partners is an investor in: Spacelift.