Track the impact of HashiCorp license MPL -> BUSL #4156

Open
stefanprodan opened this issue Aug 12, 2023 · 7 comments
Labels
dependencies Pull requests that update a dependency umbrella-issue Umbrella issue for tracking progress of a larger effort

Comments

@stefanprodan
Member

stefanprodan commented Aug 12, 2023

This issue is for tracking the usage of HashiCorp Go packages and software products in the Flux project.
xref: cncf/foundation#617

License Evaluation

✅ All the HashiCorp Go packages imported by the Flux project are not affected by the license change as they remain on MPL.

⚠️ The HashiCorp software used in Flux end-to-end testing is affected, both Terraform and Vault are now under BUSL.

We need to decide what to do with the various end-to-end tests that rely on Terraform for infrastructure bootstrap. We've invested tremendous time in developing automated e2e and conformance tests for Flux 2.0 GA. I hope we can keep using Terraform internally as we don't ship any HashiCorp software with Flux, we only use this software in GitHub Actions Workflows. Update: Using Terraform for testing is acceptable.

CNCF License Exceptions

✅ The CNCF exceptions list does cover all the Go packages imported by the Flux CLI and Controllers.

⚠️ The Go packages imported by the Flux Terraform Provider & Test Infra are NOT in the exception list.

❓ We need to decide what to do with the Flux Terraform Provider, if CNCF doesn't add the Terraform Plugin SDK to the exceptions list we may be forced to stop offering an official Terraform Provider for Flux.

Update: License exception request for Terraform Provider SDK cncf/foundation#619

Usage

Go Packages

List of HashiCorp Go packages imported by the Flux project.

Flux CLI & Controllers

  • github.com/hashicorp/errwrap
  • github.com/hashicorp/go-cleanhttp
  • github.com/hashicorp/go-multierror
  • github.com/hashicorp/go-retryablehttp
  • github.com/hashicorp/go-rootcerts
  • github.com/hashicorp/go-secure-stdlib
  • github.com/hashicorp/go-sockaddr
  • github.com/hashicorp/golang-lru
  • github.com/hashicorp/hcl
  • github.com/hashicorp/vault/api

Flux Terraform Provider & Test Infra

  • github.com/hashicorp/terraform-plugin-docs
  • github.com/hashicorp/terraform-plugin-framework
  • github.com/hashicorp/terraform-plugin-framework-timeouts
  • github.com/hashicorp/terraform-plugin-framework-validators
  • github.com/hashicorp/terraform-plugin-go
  • github.com/hashicorp/terraform-plugin-log
  • github.com/hashicorp/terraform-plugin-sdk
  • github.com/hashicorp/terraform-plugin-testing
  • github.com/hashicorp/errwrap
  • github.com/hashicorp/go-checkpoint
  • github.com/hashicorp/go-cleanhttp
  • github.com/hashicorp/go-cty
  • github.com/hashicorp/go-hclog
  • github.com/hashicorp/go-multierror
  • github.com/hashicorp/go-plugin
  • github.com/hashicorp/go-retryablehttp
  • github.com/hashicorp/go-uuid
  • github.com/hashicorp/go-version
  • github.com/hashicorp/hc-install
  • github.com/hashicorp/hcl
  • github.com/hashicorp/logutils
  • github.com/hashicorp/terraform-exec
  • github.com/hashicorp/terraform-json
  • github.com/hashicorp/terraform-registry-address
  • github.com/hashicorp/terraform-svchost
  • github.com/hashicorp/yamux

Flagger Controller

Flagger does not import any HashiCorp packages.

Software

List of HashiCorp software used by the Flux Project.

Flux end-to-end testing

@stefanprodan stefanprodan added umbrella-issue Umbrella issue for tracking progress of a larger effort dependencies Pull requests that update a dependency labels Aug 12, 2023
@stefanprodan stefanprodan pinned this issue Aug 12, 2023
@stefanprodan
Member Author

stefanprodan commented Aug 14, 2023

I've raised cncf/foundation#619 with CNCF, we'll need to wait for their answer before we make any decision about Flux Terraform Provider future.

@hiddeco
Member

hiddeco commented Aug 14, 2023

When the next SOPS release is out, the kustomize-controller no longer has to (directly) depend on github.com/hashicorp/vault/api (or the Vault container in tests) due to the possibility of dropping the forked key service. Configuration of the authentication token is via a string (https://github.com/getsops/sops/blob/f2a1d4c7828893b19ea2a2271de2f5039b71ba5f/hcvault/keysource.go#L38-L44).

@timofurrer
Contributor

❓ We need to decide what to do with the Flux Terraform Provider, if CNCF doesn't add the Terraform Plugin SDK to the exceptions list we may be forced to stop offering an official Terraform Provider for Flux.

@stefanprodan FWIW I think the Terraform Plugin SDK and Framework remain MPL licensed, see this information.

@stefanprodan
Member Author

@timofurrer MPL is not an allowed license for CNCF projects, MPL packages must be added to the exception list, see cncf/foundation#619

@timofurrer
Contributor

@stefanprodan it always has been MPL though, right? I'm trying to understand what changes for the Flux Terraform provider to help make decisions for the ones I maintain :)

@stefanprodan
Member Author

Hopefully nothing changes and CNCF adds the SDK to the exception list. Worst case scenario, we move the provider repo to https://github.com/fluxcd-community which shouldn’t affect users as this provider is consumed from HashiCorp’s registry.

@stefanprodan
Member Author

We need to decide what to do with the various end-to-end tests that rely on Terraform for infrastructure bootstrap. We've invested tremendous time in developing automated e2e and conformance tests for Flux 2.0 GA. I hope we can keep using Terraform internally as we don't ship any HashiCorp software with Flux, we only use this software in GitHub Actions Workflows.

This has been solved, according to CNCF, only the runtime dependencies must comply with the accepted licenses.

@stefanprodan stefanprodan unpinned this issue Dec 12, 2023