IBM employees leading the Linux Foundation's Open Horizon edge computing project began work last month on an open source alternative to HashiCorp Vault in response to HashiCorp's switch to a business source license in August.
Open Horizon is based on code that IBM initially contributed to The Linux Foundation through LF Edge. IBM is one of multiple project partners and adopters that continue to provide support to the project, said Joe Pearson, project chair of Open Horizon and one of the organizers of OpenBao, an incubating project within LF Edge. Pearson also serves as a technology strategist in IBM's Software Networking and Edge Computing CTO group.
OpenBao, an open-source alternative to HashiCorp Vault for secrets management, was first proposed as a design candidate for Open Horizon in late October, with IBM listed as the user sponsor. Pearson is listed as the submitter. Another IBM senior software engineer, Nathan Phelps, is listed along with Pearson as a point of contact on OpenBao's feature request page.
"Open Horizon's goal is not to compete with HashiCorp Vault, and in fact, they've built a great product with which we would like to continue to provide compatibility," Pearson said in an email to TechTarget Editorial this week. "Unfortunately, Linux Foundation projects cannot embed BSL-licensed code. So we've been placed in a situation where our alternatives are to switch to a competing product with an open-source friendly license or to fork an earlier MPL-licensed branch of Vault and continue to maintain that ourselves going forward."
The design candidate submission form identified an existing open source equivalent, EnvKey, but said it would require significant work to convert by the middle of the first quarter of 2024 to be a viable candidate. This work would include migrating existing configured secrets; handling authorization redirection for existing Open Horizon installations; and changing or rebuilding interfaces for the Open Horizon command-line interface, agents and automation bots.
Instead, the technical support committee voted to fork HashiCorp Vault, and OpenBao officially began with its first working group meeting on Nov. 9. It was first publicized this month by an organizer of the Linux Foundation's HashiCorp Terraform fork project, OpenTofu, during a Linux Foundation event.
OpenBao vs. OpenTofu
The author of the OpenBao project's first documentation-related official merge request echoed Pearson's view that OpenBao isn't meant to compete with HashiCorp Vault as an enterprise product.
"I think they are parallel products that will probably diverge over time into different directions," said Andrew Savchyn, principal engineer at Blue Orange Digital, a data warehousing consulting and development firm in New York. "Maybe still kind of competing in some niches but with very different focuses. ... I would see it as an expansion to the available tools on the market."
OpenTofu was already under way within two weeks of HashiCorp's disclosure of its planned licensing change. It quickly garnered the public backing of 100 companies, 10 open source projects and 400 individuals committed to forking Terraform. In contrast, OpenBao is at a much earlier stage, still working on the basics of documentation and project organization with a handful of participants so far.
While OpenTofu's backers published a manifesto calling for HashiCorp to reverse its BSL decision, OpenBao has made no such statements. HashiCorp did not specifically name any companies in its initial BSL announcement but alleged that competitors had been commercializing its open source code without contributing back. Those companies were the target of its licensing change.
While it was immediately obvious which competitors those might be for Terraform -- companies that went on to co-found OpenTofu, including Spacelift, Env0 and Scalr -- it's unclear whether similar commercial competitors exist for HashiCorp Vault, according to industry analysts.
Secrets management tools are also subject to different enterprise market dynamics than infrastructure-as-code, said Katie Norton, an analyst at IDC. In a January 2022 IDC survey, over 73% of organizations doing DevOps indicated that they will sometimes seek out OSS over other alternatives, with 12.5% indicating they always do so.
But secrets management is quickly evolving from standalone tools to more broadly integrated enterprise products. HashiCorp Vault offers enterprise users centralized management that open source projects can't, according to Norton.
"Secrets management can get complex very quickly with so many different technology stacks, platforms, and tools. Many of these come with their own secrets capabilities," Norton said. "Its secrets sync capability, a key feature of HCP Vault Secrets, which is also available in beta for Vault Enterprise, helps better centralize the secrets management processes in multicloud organizations."
HashiCorp headwinds continue
However, other industry observers see OpenBao as a further reproof of HashiCorp's BSL decision.
"I think Hashi didn't expect for the customer base to so quickly and harshly rebuke them for their licensing changes," said Kyler Middleton, senior principal software engineer at healthcare tech company Veradigm and a HashiCorp Ambassador.
Middleton switched to OpenTofu for all her personal projects in response to the licensing change. She hasn't tried OpenBao yet.
"Good tools don't exist in a vacuum. They're popularized and proselytized by tons of people, and an outsized amount of those movers and shakers feel that knowledge ought to be free and available," Middleton said. "Licensing any type of valuable tool like this isn't ever going to be popular, and I don't think Hashi understood that. I hope they learn that lesson soon."
Open source components are also often attractive to enterprise security buyers, said Melinda Marks, an analyst at TechTarget's Enterprise Strategy Group.
"[This is] likely troublesome for Hashi since it is so well known for Vault," Marks said. "With shift-left efforts, you have DevOps and platform engineers using open source tools and customizing them in their environments. And then you also have security vendors trying to incorporate secrets detection and secrets scanning. Those are two areas where OpenBao could be attractive compared to Vault."
OpenTofu organizers and other open source community members have alleged that HashiCorp became less responsive to open source contributions to Terraform around the time of the company's IPO in late 2021. Since then, fiscal pressures on the company have mounted, as its revenue has grown but it has reported net quarterly losses.
The company reported 17% revenue growth in its third quarter of fiscal 2024 on Dec. 7 compared to the same quarter a year ago. While net losses weren't as steep -- $39.5 million as opposed to $72 million a year ago -- the company has yet to reach profitability by generally accepted accounting principles (GAAP). The quarter was the company's first with positive non-GAAP net income, which totaled $5.6 million, according to a HashiCorp press release.
HashiCorp responds to Terraform Cloud pricing critiques
HashiCorp officials also addressed objections made by some commercial Terraform Cloud customers to Terraform Cloud pricing changes which took effect May 16.
HashiCorp officials emphasized that its lowest pricing tier is more valuable due to expanded security features, but some customers took to online forums to complain about rising costs. A few who received updated licensing terms from HashiCorp following the pricing change contended that the updates made their Terraform licenses more expensive than the cloud resources they were managing.
In response, HashiCorp disclosed a pricing breakdown for its Terraform Cloud customers to TechTarget Editorial this month showing that nearly 95% of pay-as-you-go customers pay less than $500 per month, as seen in Figure 1.
"Terraform Cloud has over 270,000 users, and it grows at a rate of over 19,000 per quarter," said Meghan Liese, vice president of product marketing at HashiCorp, in an interview. "And 80% of our pay-as-you-go customers are paying less than $250 per month. Based on our customer feedback, we think it's priced appropriately to the value received."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached on Twitter @PariseauTT.