Due to changes made by Hashicorp to the license of some of their products, I would like to provide some recommendations to the Reviewers/approvers of all the tools so they do not impact Carvel.
If a dependabot PR bumps any Hashicorp libraries, we should not merge it. (We can discuss bumping some of these libraries in the future if we are sure no changes will happen to their licenses.)
If a PR unrelated to Hashicorp bumps some Hashicorp library, check if the version of the Hashicorp library is the Apache License; if it is, we can go ahead and merge the PR.
If a PR unrelated to Hashicorp bumps some Hashicorp library, check if the version of the Hashicorp library is the Apache License, and if it is NOT, the PR should NOT be merged. We should bring this up in the community meeting to see if any mitigation factor can be done or if we should move to a different library.
Every PR that bumps dependencies in kapp-controller, especially sops and helm, should be vetted using the above steps.
These are our initial recommendations, but we will bring this up again during the next community meeting, and we could have a more in-depth conversation. In the meantime, feel free to add any thoughts on this issue.
joaopapereira added the discussion label (This issue is not a bug or feature and a conversation is needed to find an appropriate resolution) and removed the carvel-triage label (This issue has not yet been reviewed for validity) on Oct 25, 2023
This issue is for tracking the usage of HashiCorp Go packages and software products in the terraform-provider-carvel project.
The CNCF is tracking the impact of the HashiCorp license change in cncf/foundation#617 and they're collecting the list of affected projects in cncf/foundation#619