As the tech lead of the OpenTofu project, I can tell you that I'm positively surprised by how quick the uptake has been so far since the stable release! We're also seeing a ton of external contributors jumping in, which has been heartwarming!
I also invite anybody using OpenTofu (or considering it) to join our Slack[0], it's quite active there. It's also a great place to influence the shape of new OpenTofu features.
Now 1.7 is coming out soon as well, and this week we have OpenTofu Day at KubeCon happening :)
Just started a new tiny greenfield infra project for a friend but was too cowardly to use OpenTF after I tried it and found that I needed Hashicorp providers etc, couldn’t be bothered to dig in and untangle. Gotta say, didn’t find opentf docs useful at all. But hoping things go well and one day I’ll be able to just fire things up and it’ll be frictionless.
Sorry to hear that, could you expand on the paint points? Esp. on the friction points, where it was different than just using `tofu` instead of `terraform` in your commands.
To answer some of your points:
There's no point in forking the providers, as they're still open-source, you're just fetching them from our registry - registry.opentofu.org.
Core docs are generally the same as Terraform docs, but we're still missing the registry UI to explore provider docs (and are currently working on a design for that).
Mainly because I installed it and ran it on a sample base infra - vpc and subnets - and I noted that it was still picking up Hashicorp providers, fine, but doesn’t this mean I have to run through a large codebase and start switching every provider out? Essentially I wasn’t sure what to do next. Should I stick with my standard terraform setup or figure out shifting to OpenTF and risk getting hit with something not available? Wasn’t something I could figure out in advance, if that makes sense? So was safest to stick with TF.
You should just keep using hashicorp providers - there's no changes to your codebase required, generally, as long as you don't specify provider sources in long form (as in, you should specify the source as `hashicorp/aws`, not as `registry.terraform.io/hashicorp/aws`). All providers should be available in our registry, and if you're missing any, just submit it[0]. Though as I said, all should be available.
There's also the migration guide you could take a look at[1].
Happy to answer technical questions about OpenBao as people have, though some might be best directed at the Technical Steering Committee, which I do not represent. :-)
Thank you for the RFE! Looking at the X-Forwarded-For handling might be good, I wasn't able to add tests for that easily, though maybe the existing test could be used as a template if you get time. I think we depend on nginx or Caddy elsewhere, but the pkiext tests might also serve as a good reference. :-)
I hoped that I could move from vault to openbao , but it looks like that is not the case.
I can understand the removal of secrets engines and stuff but the storage plugins should’ve been kept at least for the first few releases and than dropped a few of them while giving people a way to migrate them to supported options.
I have a few improvements I'd have liked to have see upstream, but couldn't land due to the vast storage plugin base. You're left writing to the lowest common denominator of 20 storage engines which isn't maintainable when HashiCorp only supports Raft and Consul.
Take paginated lists which I've proposed as a PR. If your backend engine of choice doesn't support efficient pagination aligning with the designated semantics, you're stuck implementing it from scratch. Now do that with transactional storage, which is another upstream requested feature... And so forth.
Additionally, the current contributor base is too small to support much more. Personally, I'd like to see Postgres as the only external storage engine. But I don't presently feel we have enough maintainers to justify multiple storage engines. Raft is easiest to support as it is what upstream is actively developing. It also eases migration for upstream-aligned users.
My 2c. But happy to take suggestions and contributions!
Edit to add: ideally I'd have liked to add an external storage plugin interface, but this would be a bit of a perf hit over native support and wouldn't be a stable target (as I'd like to see some of these things land).
Well with these changes before the first version I would not consider openbao a fork of vault. More like a different product.
Yeah some of these proposed changes are nice. But they shouldn’t be done in the first release if you wanted to take over vault customers.
I will probably never migrate to openbao.
Especially if raft is the only storage option.
And don’t get me wrong you can do that stuff. You do the work, so you guys can do whatever you like.
I think there's many counter examples to this: Jenkins & Hudson, Illumos & Solaris, LibreSSL & OpenSSL & BoringSSL, LibreOffice & OpenOffice, Spongy Castle & Bouncy Castle, and Webkit & KHTML to name a few.
A fork need not necessarily be 1:1, bug for bug, compatible.
But as noted here: https://developer.hashicorp.com/vault/docs/configuration/sto... -- upstream only supports the Raft backend. The other backends may have issues and don't see many commits as upstream has not delegated maintenance to external community members. Frequently, commentators (both employees and community members) suggest moving away from custom storage backends to Raft.
A storage migration only impacts one small category of users -- the operator -- but remains transparent to the consumers of secrets (whether humans or applications). This only occurs once. Yes, it requires planning. Yes, it is a lot of work to execute successfully. But it is also an approach upstream uses e.g., in FIPS 140-2 migrations: https://developer.hashicorp.com/vault/docs/enterprise/fips/f... -- as we get time, we'd like to make this type of cross-instance migration more automated if we can.
But our goal is to remain API compatible, so the vast majority of use cases require no changes to operate with the forked code. And we wish to remain as drop-in compatible with consumers using Raft as we can. So yes, I think OpenBao can still be called a fork of Vault. And IMO, even a 1:1 bug compatible fork is still a separate product, and that isn't necessarily a bad thing. :-)
OpenTofu has much the same approach, where they don't guarantee a 1:1 drop-in, bug-for-bug fork of upstream, but instead gives themselves some room to make changes for the best of their community: https://opentofu.org/docs/language/v1-compatibility-promises...
I think that every project needs to find their own balance, and this is what the OpenBao community has chosen. :-)
My 2c, views my own. But feel free to contact me via email if you have additional technical concerns to discuss.
We had some discussions about this before removing all storage plugins except Raft, In-Memory and File storage as cipherboy pointed out in the sibling comment. If you're currently not using Raft, this should not stop you from adopting OpenBao if you first migrate to the Raft storage backend. Hashicorp has a tutorial on this which you can follow:
Amazing - we actually had a secrets PoC for our org paused recently, and Vault is one of the options. But honestly this looks like it could solve a few things in our team right now.
