
kubernetes-helmPlugins.helm-secrets: depends on non-free vault package #309976

Open
brianmay opened this issue May 7, 2024 · 6 comments

@brianmay

brianmay commented May 7, 2024

Describe the bug

Updating my flake to the latest nixpkgs unstable gives an error that vault is non-free.

But my package doesn't use or need vault.

My package at https://github.com/electronicarts/helmci/ has:

    helm = pkgs.wrapHelm pkgs.kubernetes-helm {
      plugins = [
        pkgs.kubernetes-helmPlugins.helm-diff
        pkgs.kubernetes-helmPlugins.helm-secrets
      ];
      extraMakeWrapperArgs =
        "--set HELM_SECRETS_SOPS_PATH ${sops}/bin/sops --set HELM_SECRETS_VALS_PATH ${vals}/bin/vals";
    };

This gives the error:

$ nix build
warning: Git tree '/home/brian/tree/ea/cloudcell/helmci' is dirty
error:
       … while calling the 'derivationStrict' builtin

         at /builtin/derivation.nix:9:12: (source not available)

       … while evaluating derivation 'helmci-all'
         whose name attribute is located at /nix/store/3pif36ks3f56py4wb1dkq6sh0nkf3ygj-source/pkgs/stdenv/generic/make-derivation.nix:331:7

       … while evaluating attribute 'buildCommand' of derivation 'helmci-all'

         at /nix/store/3pif36ks3f56py4wb1dkq6sh0nkf3ygj-source/pkgs/build-support/trivial-builders/default.nix:68:16:

           67|         enableParallelBuilding = true;
           68|         inherit buildCommand name;
             |                ^
           69|         passAsFile = [ "buildCommand" ]

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: Package ‘vault-1.16.2’ in /nix/store/3pif36ks3f56py4wb1dkq6sh0nkf3ygj-source/pkgs/tools/security/vault/default.nix:47 has an unfree license (‘bsl11’), refusing to evaluate.

       a) To temporarily allow unfree packages, you can use an environment variable
          for a single invocation of the nix tools.

            $ export NIXPKGS_ALLOW_UNFREE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) For `nixos-rebuild` you can set
         { nixpkgs.config.allowUnfree = true; }
       in configuration.nix to override this.

       Alternatively you can configure a predicate to allow specific packages:
         { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
             "vault"
           ];
         }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
         { allowUnfree = true; }
       to ~/.config/nixpkgs/config.nix.

If I comment out the helm-secrets it works.

Steps To Reproduce

Steps to reproduce the behavior:

  1. git clone https://github.com/electronicarts/helmci.git
  2. cd helmci
  3. Modify flake.nix to use nixpkgs-unstable instead of nixpkgs 23.11
  4. nix flake update
  5. nix build

Expected behavior

Should build without errors.

Screenshots

As above.

Notify maintainers

@yurrriq

Metadata

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.81, NixOS, 23.11 (Tapir), 23.11.20240308.2be119a`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - channels(brian): `""`
 - channels(root): `"nixos-23.11"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

@teto
Member

teto commented May 8, 2024

helm-secrets depends on vault

@brianmay
Author

brianmay commented May 8, 2024

What happened to vault? It used to be open source, I thought. Did the license change?

@brianmay
Author

brianmay commented May 8, 2024

Does helm-secrets really depend on vault? The About section says:

Store your secrets in a cloud native secret manager like AWS SecretManager, Azure KeyVault or HashiCorp Vault and inject them inside value files or templates.

Which seems to indicate that it should be able to use any secret manager, not just vault.

@teto
Member

teto commented May 8, 2024

The vault license changed, which sparked quite the outrage.

Does helm-secrets really depend on vault? From the About section ...

You ask a question and follow with the answer, that's both rare and impressive ^^''
You can see it here:

--prefix PATH : ${lib.makeBinPath [ coreutils findutils getopt gnugrep gnused sops vault ]}

I suggest you follow the recommendation and accept the new license for vault. If you don't need it, you can remove support for it from helm-secrets as well (but that will require some nix skills, though you can search the web for plenty of examples).
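For readers who take the first suggestion, here is an added example (not code from the issue, from helmci, or from nixpkgs) of a complete flake.nix that wraps helm with helm-diff and helm-secrets while allowing only vault's unfree license, using the `allowUnfreePredicate` form the error message itself suggests rather than a blanket `allowUnfree = true`. Because the predicate lives in the nixpkgs `config` instead of an environment variable, `nix build` works without `--impure`. The `system` value, the output names, and the use of `pkgs.sops` and `pkgs.vals` for the wrapper arguments are assumptions made for this example.

```nix
{
  # Added example flake (not from the issue or the helmci project).
  # Assumptions: x86_64-linux, nixpkgs-unstable, and that sops/vals come
  # from nixpkgs rather than from separate flake inputs.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";

      pkgs = import nixpkgs {
        inherit system;
        # Accept the unfree BSL 1.1 license for vault only; any other unfree
        # package pulled in later still fails evaluation, which keeps the
        # allowance as narrow as the dependency that actually needs it.
        config.allowUnfreePredicate = pkg:
          builtins.elem (nixpkgs.lib.getName pkg) [ "vault" ];
      };

      # Same wrapper as in the issue, with sops and vals taken from pkgs.
      helm = pkgs.wrapHelm pkgs.kubernetes-helm {
        plugins = [
          pkgs.kubernetes-helmPlugins.helm-diff
          pkgs.kubernetes-helmPlugins.helm-secrets
        ];
        extraMakeWrapperArgs =
          "--set HELM_SECRETS_SOPS_PATH ${pkgs.sops}/bin/sops --set HELM_SECRETS_VALS_PATH ${pkgs.vals}/bin/vals";
      };
    in {
      # `nix build` produces the wrapped helm; `nix develop` puts it on PATH.
      packages.${system}.default = helm;
      devShells.${system}.default = pkgs.mkShell { packages = [ helm ]; };
    };
}
```

If vault is ever dropped from helm-secrets' wrapper (the second suggestion above), the predicate simply stops matching anything and can be deleted; nothing else in the flake changes.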

@brianmay
Author

brianmay commented May 9, 2024

How about switching the dependency from vault to OpenBAO - would that be possible?

@yurrriq
Member

yurrriq commented May 18, 2024

How about switching the dependency from vault to OpenBAO - would that be possible?

Heh, I didn't realize LF forked Vault too. 🍿

It's certainly possible, but might have unintended side effects for Nix users. (I realize how annoying that might sound, given your recent experience.)

By default, helm-secrets supports vals and sops. After a quick glance, it looks like both sops and vals use the Vault Go library, so maybe we don't even need vault at runtime anyway...

I wonder if sops and vals will have to alter their licenses...

Edit:
It seems the Go client library is still MPL-2.0.
