Skip to content

ADR-0007: Updating Secrets Management Strategy Due to HashiCorp Vault Licensing & Vendor Risks

  • Status: ✅ Accepted
  • Date: 2026-02-13
  • Owners: @osmank, @cagkan
  • Context:
    Appcircle (SaaS and self-hosted) requires a secrets management capability covering service/application secrets, auditability, policy-as-code, Kubernetes integrations, and—when needed—PKI and dynamic secrets.

HashiCorp Vault’s licensing change (from MPL to BSL 1.1) introduces a “source-available” model that can create legal/compliance ambiguity for certain usage patterns (e.g., scenarios that could be interpreted as a competing/hosted offering or embedded commercial use).
Additionally, the post-acquisition phase (IBM) may increase risks related to product direction, packaging, pricing, and ecosystem dependency (vendor lock-in).

This ADR records the licensing/vendor risks of Vault and defines an approach to evaluate sustainable alternatives for Appcircle.

Decision

Following POC evaluation and risk matrix scoring, Option B — OpenBao is accepted as the secrets management solution for Appcircle self-hosted deployments. OpenBao's open governance model and Vault API compatibility provide the best balance of migration cost, licensing sustainability, and long-term independence.

Options Considered

  • Option A — Continue with HashiCorp Vault
  • Pros:
    • Existing operational maturity and team experience
    • Broad ecosystem and integration surface (K8s auth, agent patterns, secrets engines, etc.)
  • Cons:

    • BSL 1.1 licensing creates potential restrictions/interpretation differences and legal risk
    • Potential Enterprise feature dependency and cost pressure
    • Increased vendor lock-in risk (post-acquisition strategy changes, packaging/pricing shifts)
  • Option B — Migrate to OpenBao (Vault-compatible OSS fork direction) ✅ Accepted

  • Pros:
    • Open governance reduces vendor lock-in risk
    • Vault API compatibility lowers migration cost and preserves existing integrations
    • Aligns well with self-hosted strategy
    • Cloud Foundation support simplifies infrastructure integration and accelerates adoption
  • Cons:

    • Long-term feature parity and ecosystem compatibility must be monitored
    • Storage backend support is narrower than Vault; the current Google Cloud Storage backend is not supported, requiring a migration to PostgreSQL as the storage backend
    • Potential differences for enterprise-grade/edge features depending on roadmap
  • Option C — Standardize on CyberArk Conjur (OSS)

  • Pros:
    • Strong policy-as-code approach; aligns with enterprise security practices
    • Known patterns for Kubernetes workload integrations
  • Cons:

    • Conceptual differences vs Vault can increase migration/redesign effort
    • Additional adaptation may be required where Vault-like workflows are assumed
  • Option D — Infisical (MIT)

  • Pros:
    • Modern UX/CLI/SDK ecosystem and fast self-hosted setup
    • Permissive license reduces licensing risk
  • Cons:

    • May not match Vault breadth (dynamic secrets/PKI) for all use-cases
    • Operational maturity and enterprise controls require validation via POC
  • Option E — SOPS (Apache 2.0) + GitOps-focused encryption

  • Pros:
    • Simple and reliable “secrets at rest” encryption for files
    • Natural fit for GitOps workflows
  • Cons:
    • Not a full secrets management system (no centralized auth methods/dynamic secrets/audit at Vault scope)
    • Addresses encryption use-cases rather than centralized secrets lifecycle management

Consequences

  • Positive:
  • Reduced licensing and vendor lock-in risk (especially for self-hosted customers)
  • More predictable long-term governance and sustainability
  • Negative:
  • POC and potential migration cost (runbooks, monitoring, upgrades, operational learning)
  • Possible feature differences requiring additional components/adaptation
  • Follow-ups / migrations:
  • Produce a Vault usage inventory: auth methods, secrets engines, PKI, policies, agent/injection patterns
  • POC-1 (OpenBao): existing KV secrets + K8s auth + audit + baseline policy scenarios
  • POC-2 (Conjur OSS): policy-as-code modeling + K8s workload identity patterns
  • Risk matrix & decision: licensing, operations, feature parity, security controls, cost
  • Post-decision:
    • If Accepted: migration guide, cutover strategy, rollback plan
    • If Rejected: Vault continuation requires a licensing compliance checklist + legal review steps