flux2 icon indicating copy to clipboard operation
flux2 copied to clipboard

Published 20 hours ago verified publisher icon fluxcd

Track the impact of HashiCorp license MPL -> BUSL

Open stefanprodan opened this issue 10 months ago • 7 comments

This issue is for tracking the usage of HashiCorp Go packages and software products in the Flux project. xref: https://github.com/cncf/foundation/issues/617

License Evaluation

✅ All the HashiCorp Go packages imported by the Flux project are not affected by the license change as they remain on MPL.

⚠️ The HashiCorp software used in Flux end-to-end testing is affected, both Terraform and Vault are now under BUSL.

❓ ~We need to decide what do to with the various end-to-end tests that rely on Terraform for infrastructure bootstrap. We've invested tremendous time in developing automated e2e and conformance tests for Flux 2.0 GA. I hope we can keep using Terraform internally as we don't ship any HashiCorp software with Flux, we only use this software in GitHub Actions Workflows.~ Update: Using Terraform for testing is acceptable.

CNCF License Exceptions

✅ The CNCF exceptions list does cover all the Go packages imported by the Flux CLI and Controllers.

⚠️ The Go packages imported by the Flux Terraform Provider & Test Infra are NOT in the exception list.

❓ We need to decide what do to with the Flux Terraform Provider, if CNCF doesn't add the Terraform Plugin SDK to the exceptions list we may be forced to stop offering an official Terraform Provider for Flux.

Update: License exception request for Terraform Provider SDK https://github.com/cncf/foundation/issues/619

Usage

Go Packages

List of HashiCorp Go packages imported by the Flux project.

Flux CLI & Controllers

  • github.com/hashicorp/errwrap
  • github.com/hashicorp/go-cleanhttp
  • github.com/hashicorp/go-multierror
  • github.com/hashicorp/go-retryablehttp
  • github.com/hashicorp/go-rootcerts
  • github.com/hashicorp/go-secure-stdlib
  • github.com/hashicorp/go-sockaddr
  • github.com/hashicorp/golang-lru
  • github.com/hashicorp/hcl
  • github.com/hashicorp/vault/api

Flux Terraform Provider & Test Infra

  • github.com/hashicorp/terraform-plugin-docs
  • github.com/hashicorp/terraform-plugin-framework
  • github.com/hashicorp/terraform-plugin-framework-timeouts
  • github.com/hashicorp/terraform-plugin-framework-validators
  • github.com/hashicorp/terraform-plugin-go
  • github.com/hashicorp/terraform-plugin-log
  • github.com/hashicorp/terraform-plugin-sdk
  • github.com/hashicorp/terraform-plugin-testing
  • github.com/hashicorp/errwrap
  • github.com/hashicorp/go-checkpoint
  • github.com/hashicorp/go-cleanhttp
  • github.com/hashicorp/go-cty
  • github.com/hashicorp/go-hclog
  • github.com/hashicorp/go-multierror
  • github.com/hashicorp/go-plugin
  • github.com/hashicorp/go-retryablehttp
  • github.com/hashicorp/go-uuid
  • github.com/hashicorp/go-version
  • github.com/hashicorp/hc-install
  • github.com/hashicorp/hcl
  • github.com/hashicorp/logutils
  • github.com/hashicorp/terraform-exec
  • github.com/hashicorp/terraform-json
  • github.com/hashicorp/terraform-registry-address
  • github.com/hashicorp/terraform-svchost
  • github.com/hashicorp/yamux

Flagger Controller

Flagger does not import any Hashicorp packages.

Software

List of HashiCorp software used by the Flux Project.

Flux end-to-end testing

  • https://github.com/hashicorp/terraform
  • https://github.com/hashicorp/vault

stefanprodan avatar Aug 12 '23 10:08 stefanprodan

I've raised https://github.com/cncf/foundation/issues/619 with CNCF, we'll need to wait for their answer before we make any decision about Flux Terraform Provider future.

stefanprodan avatar Aug 14 '23 11:08 stefanprodan

When the next SOPS release is out, the kustomize-controller no longer has to (directly) depend on github.com/hashicorp/vault/api (or the Vault container in tests) due to the possibility of dropping the forked key service. Configuration of the authentication token is via a string (https://github.com/getsops/sops/blob/f2a1d4c7828893b19ea2a2271de2f5039b71ba5f/hcvault/keysource.go#L38-L44).

hiddeco avatar Aug 14 '23 12:08 hiddeco

❓ We need to decide what do to with the Flux Terraform Provider, if CNCF doesn't add the Terraform Plugin SDK to the exceptions list we may be forced to stop offering an official Terraform Provider for Flux.

@stefanprodan FWIW I think the Terraform Plugin SDK and Framework remain MLP licensed, see this information.

timofurrer avatar Aug 16 '23 11:08 timofurrer

@timofurrer MLP is not an allowed license for CNCF projects, MLP packages must be added the the exception list see https://github.com/cncf/foundation/issues/619

stefanprodan avatar Aug 16 '23 13:08 stefanprodan

@stefanprodan it always has been MLP though, right? I'm trying to understand what changes for the Flux Terraform provider to help make decisions for the once I maintain :)

timofurrer avatar Aug 16 '23 13:08 timofurrer

Hopefully nothing changes and CNCF adds the SDK to the exception list. Worst case scenario, we move the provider repo to https://github.com/fluxcd-community which shouldn’t affect users as this provider is consumed from the Hashicorp’s registry.

stefanprodan avatar Aug 16 '23 13:08 stefanprodan

We need to decide what do to with the various end-to-end tests that rely on Terraform for infrastructure bootstrap. We've invested tremendous time in developing automated e2e and conformance tests for Flux 2.0 GA. I hope we can keep using Terraform internally as we don't ship any HashiCorp software with Flux, we only use this software in GitHub Actions Workflows.

This has been solved, according to CNCF, only the runtime dependencies must comply with the accepted licenses.

stefanprodan avatar Aug 23 '23 09:08 stefanprodan