Bug 2244566

+++ This bug was initially created as a clone of Bug #2242374 +++

Description of problem (please be detailed as possible and provide log
snippests):
We currently have a redundant dependency on Vault SDKs that we don't use.

Due to a change in Vault licensing, we need to replace the BSL libraries using BSL license. 
We have the BSL license in use in the following containers: 
mcg-operator-container
odf-multicluster-operator-container
odf-operator-container
rook-ceph-operator-container
odr-operator-container

Libraries:

https://github.com/hashicorp/consul - BSL
https://github.com/hashicorp/terraform - BSL
https://github.com/hashicorp/vault - BSL
https://github.com/hashicorp/go-uuid - MPL. 
https://github.com/hashicorp/errwrap - MPL
https://github.com/hashicorp/go-cleanhttp - MPL
https://github.com/hashicorp/go-hclog - MIT 
https://github.com/hashicorp/go-immutable-radix - MPL
https://github.com/hashicorp/go-multierror - MPL
https://github.com/hashicorp/go-retryablehttp - MPL
https://github.com/hashicorp/go-rootcerts - MPL 
https://github.com/hashicorp/go-secure-stdlib -MPL
https://github.com/hashicorp/go-sockaddr - MPL 
https://github.com/hashicorp/go-plugin - MPL
https://github.com/hashicorp/eventlogger - MPL
https://github.com/hashicorp/go-discover - MPL
https://github.com/hashicorp/go-kms-wrapping - MPL
https://github.com/hashicorp/go-memdb - MPL
https://github.com/hashicorp/go-msgpack - MIT
https://github.com/hashicorp/go-raftchunking - MPL
https://github.com/hashicorp/go-version - MPL

--- Additional comment from RHEL Program Management on 2023-10-05 18:27:15 UTC ---

This bug having no release flag set previously, is now set with release flag 'odf‑4.14.0' to '?', and so is being proposed to be fixed at the ODF 4.14.0 release. Note that the 3 Acks (pm_ack, devel_ack, qa_ack), if any previously set while release flag was missing, have now been reset since the Acks are to be set against a release flag.

--- Additional comment from RHEL Program Management on 2023-10-05 18:27:15 UTC ---

Since this bug has severity set to 'urgent', it is being proposed as a blocker for the currently set release flag. Please resolve ASAP.

--- Additional comment from Blaine Gardner on 2023-10-10 18:32:35 UTC ---

For Rook, I tracked the top-level Vault gomod inclusion (github.com/hashicorp/vault) to github.com/libopenstorage/secrets which imports github.com/hashicorp/vault/command. Because 'command' is part of the Vault product, it is BUSL-1.1 licensed. My quick initial investigation shows that it should be straightforward to change to using github.com/hashicorp/vault/api in libopenstorage/secrets to make use of Vault's MPL-2.0 licensed API code.

The risk I identified is that libopenstorage/secrets does not have very regular contributors. I created an issue and tagged 6 recent contributors and reviewers to the project to try to get a commitment to merging the code within 2 weeks: https://github.com/libopenstorage/secrets/issues/79

If I don't get a positive response, then Rook will have to resort to using Vaul's API directly rather than using the libopenstorage/secrets library, which is not preferred. In the meantime, I'll begin making changes to a personal fork of libopenstorage/secrets to verfiy that the changes I'm proposing will fix the licensing issue.

---

I cannot speak to whether other ODF components will need to make different changes. I was able to find the source of the inclusion by deleting the line `github.com/hashicorp/vault v1.13.7 // indirect` in Rook's `go.mod` file and running `go mod tidy` to find output like below, and then investigating each import manually:

go: finding module for package github.com/hashicorp/vault/sdk/version
go: downloading github.com/hashicorp/vault/sdk v0.10.2
go: downloading github.com/hashicorp/vault v1.15.0
go: github.com/rook/rook/pkg/daemon/ceph/osd/kms imports
        github.com/libopenstorage/secrets/vault/utils imports
        github.com/hashicorp/vault/command/agent/auth tested by
        github.com/hashicorp/vault/command/agent/auth.test imports
        github.com/hashicorp/vault/http imports
        github.com/hashicorp/vault/sdk/version

--- Additional comment from Blaine Gardner on 2023-10-10 20:34:23 UTC ---

I have a draft PR already up and one interested developer willing to take a look already. 
  Library PR: https://github.com/libopenstorage/secrets/pull/80

I'm waiting to make sure that Rook's CI passes with the changes proposed before moving from "draft" PR to "ready" state.
  Rook CI: https://github.com/rook/rook/pull/13032

--- Additional comment from Blaine Gardner on 2023-10-11 22:11:20 UTC ---

PR waiting for backport to 4.14 here https://github.com/red-hat-storage/rook/pull/526.

4.13 and 4.12 should be using older versions of vault libs that are still under MPL-2.0

@etamir, need PM and QA acks to merge the Rook PR.

--- Additional comment from RHEL Program Management on 2023-10-12 03:44:23 UTC ---

This BZ is being approved for ODF 4.14.0 release, upon receipt of the 3 ACKs (PM,Devel,QA) for the release flag 'odf‑4.14.0

--- Additional comment from RHEL Program Management on 2023-10-12 03:44:23 UTC ---

Since this bug has been approved for ODF 4.14.0 release, through release flag 'odf-4.14.0+', the Target Release is being set to 'ODF 4.14.0

--- Additional comment from Eran Tamir on 2023-10-15 05:58:54 UTC ---

PM ack provided.

--- Additional comment from errata-xmlrpc on 2023-10-16 15:43:16 UTC ---

This bug has been added to advisory RHBA-2023:115514 by ceph-build service account (ceph-build.COM)

--- Additional comment from Blaine Gardner on 2023-10-16 16:40:08 UTC ---

I don't see any links to other BZs where ODF components need updating. Any component that uses Rook's API will need updated. Also, any component that uses libstorage/secrets directly will need updated. Those would be noobaa, ocs-operator, and odf-operator to my knowledge. There could be other components as well that I'm unaware of. Do those BZs exist already, but aren't linked here? Or do those need created?