ADR-0007: Updating Secrets Management Strategy Due to HashiCorp Vault Licensing & Vendor Risks¶
- Status: ✅ Accepted
- Date: 2026-02-13
- Owners: @osmank, @cagkan
- Context:
Appcircle (SaaS and self-hosted) requires a secrets management capability covering service/application secrets, auditability, policy-as-code, Kubernetes integrations, and—when needed—PKI and dynamic secrets.
HashiCorp Vault’s licensing change (from MPL to BSL 1.1) introduces a “source-available” model that can create legal/compliance ambiguity for certain usage patterns (e.g., scenarios that could be interpreted as a competing/hosted offering or embedded commercial use).
Additionally, the post-acquisition phase (IBM) may increase risks related to product direction, packaging, pricing, and ecosystem dependency (vendor lock-in).
This ADR records the licensing/vendor risks of Vault and defines an approach to evaluate sustainable alternatives for Appcircle.
Decision¶
Following POC evaluation and risk matrix scoring, Option B — OpenBao is accepted as the secrets management solution for Appcircle self-hosted deployments. OpenBao's open governance model and Vault API compatibility provide the best balance of migration cost, licensing sustainability, and long-term independence.
Options Considered¶
- Option A — Continue with HashiCorp Vault
- Pros:
- Existing operational maturity and team experience
- Broad ecosystem and integration surface (K8s auth, agent patterns, secrets engines, etc.)
-
Cons:
- BSL 1.1 licensing creates potential restrictions/interpretation differences and legal risk
- Potential Enterprise feature dependency and cost pressure
- Increased vendor lock-in risk (post-acquisition strategy changes, packaging/pricing shifts)
-
Option B — Migrate to OpenBao (Vault-compatible OSS fork direction) ✅ Accepted
- Pros:
- Open governance reduces vendor lock-in risk
- Vault API compatibility lowers migration cost and preserves existing integrations
- Aligns well with self-hosted strategy
- Cloud Foundation support simplifies infrastructure integration and accelerates adoption
-
Cons:
- Long-term feature parity and ecosystem compatibility must be monitored
- Storage backend support is narrower than Vault; the current Google Cloud Storage backend is not supported, requiring a migration to PostgreSQL as the storage backend
- Potential differences for enterprise-grade/edge features depending on roadmap
-
Option C — Standardize on CyberArk Conjur (OSS)
- Pros:
- Strong policy-as-code approach; aligns with enterprise security practices
- Known patterns for Kubernetes workload integrations
-
Cons:
- Conceptual differences vs Vault can increase migration/redesign effort
- Additional adaptation may be required where Vault-like workflows are assumed
-
Option D — Infisical (MIT)
- Pros:
- Modern UX/CLI/SDK ecosystem and fast self-hosted setup
- Permissive license reduces licensing risk
-
Cons:
- May not match Vault breadth (dynamic secrets/PKI) for all use-cases
- Operational maturity and enterprise controls require validation via POC
-
Option E — SOPS (Apache 2.0) + GitOps-focused encryption
- Pros:
- Simple and reliable “secrets at rest” encryption for files
- Natural fit for GitOps workflows
- Cons:
- Not a full secrets management system (no centralized auth methods/dynamic secrets/audit at Vault scope)
- Addresses encryption use-cases rather than centralized secrets lifecycle management
Consequences¶
- Positive:
- Reduced licensing and vendor lock-in risk (especially for self-hosted customers)
- More predictable long-term governance and sustainability
- Negative:
- POC and potential migration cost (runbooks, monitoring, upgrades, operational learning)
- Possible feature differences requiring additional components/adaptation
- Follow-ups / migrations:
- Produce a Vault usage inventory: auth methods, secrets engines, PKI, policies, agent/injection patterns
- POC-1 (OpenBao): existing KV secrets + K8s auth + audit + baseline policy scenarios
- POC-2 (Conjur OSS): policy-as-code modeling + K8s workload identity patterns
- Risk matrix & decision: licensing, operations, feature parity, security controls, cost
- Post-decision:
- If Accepted: migration guide, cutover strategy, rollback plan
- If Rejected: Vault continuation requires a licensing compliance checklist + legal review steps