eclipse-tractusx / sig-infra

Apache License 2.0

Vault Dockerfile and TRG 4.06 #247

Closed tom-rm-meyer-ISST closed 10 months ago

tom-rm-meyer-ISST commented 1 year ago

Is your support request related to a problem? Please describe.
Hi, I use the vault image as base image to spin up a vault and put the keys for my connectors. According to TRG 4.06 this image is not part of the trusted base images.

Describe the solution you'd like
I see two ways to handle this:

Additional context
I created a local docker-compose for easier local deployment and also for easier migration to updated EDC versions. For this compose I use a vault (older version to not run into the license issue). This PR uses this approach. Please refer to local/docker-compose and local/vault/Dockerfile.

tomaszbarwicki commented 1 year ago

Hi @tom-rm-meyer-ISST, we may want to add it to accepted base images after consultation with EF. Can you please provide the full link to the image you use/plan to use?

tom-rm-meyer-ISST commented 1 year ago

Hi Tomasz! According to docker hub the latest version is vault:1.13.3 which is OK regarding licensing. I also discussed the issue in the office hours and therefore created a PR to add the image to TRG 4.06. Further checks by EF are welcome.

SebastianBezold commented 10 months ago

Hi @tom-rm-meyer-ISST,

I can see there hasn't been a lot of movement on this issue. Could you maybe elaborate a bit more on your use case?

For background:

We are currently sharpening the TRG formulations. The text is not there yet, but for example, the aligned base images are "only" relevant for published Docker images. This means only the images we build on our own and then publish to DockerHub.

In case you are only using an existing Docker image, you are not affected by our checks. If you do create your own image based on HashiCorp Vault, you can still consider, you would need to publish it.

There will be a new feature for our automated release guideline checks that allows you to exclude images that are not published. I'll keep you posted on when this will be available.

If you are building your own image based on HashiCorp Vault and you are publishing it, then I'll try to think about a solution for our automated checks. Right now we do not take tags into account, but maybe that's a good addition anyways.

tom-rm-meyer-ISST commented 10 months ago

Ok, we don't publish the image. We just use it for means of having a local deployment for integration testing.

Actually I wanted to join tomorrow's office hour for this topic. If I remember correctly, @hzierer was aware of a fork of the HashiCorp Vault that didn't yet have a container image published.

But overall: I as a team only use it for local testing. The EDC team does publish a Helm chart with the HashiCorp Vault - is that something we need to remain aware of?

SebastianBezold commented 10 months ago

Hi @tom-rm-meyer-ISST,

in general, we need to be aware of the issue, because we need to care about open source governance. In Vault's case, we cannot use newer versions that are licensed under BSL. So we will need to reconsider the HashiCorp Vault usage and find alternatives. I cannot speak for the EDC team, but I could imagine they need to drop support for HashiCorp Vault in the future. I'm not aware of an open source fork of Vault. I'm just aware of the Terraform fork OpenTofu.

tom-rm-meyer-ISST commented 10 months ago

Well, then from my side we could close this PR as we don't see a real need.

SebastianBezold commented 10 months ago

Ok cool. Like I mentioned earlier, we will also clarify the purpose of the aligned base images in the TRG. We can also take that to tomorrow's office hour like you suggested. I guess we won't be that many though, since it seems to be vacation week :)

I'll close this issue here too for now, but feel free to re-open it at any time in case there are related questions.

kvendingoldo commented 5 months ago

btw. you can also integrate tenv, which supports Terraform as well as OpenTofu (and Terragrunt :) ) in one tool. It allows you to simplify version management.