Kafka support as fanOut integration #419

Open
@migmartri

Chainloop has a plugin mechanism for fanOut integrations.

A fanOut plugin implements logic that will be executed when attestations or materials are received. This logic can be anything from sending a Slack message, uploading the attestation to a storage backend, or sending Software Bills of Materials (SBOMs) to Dependency-Track for analysis, for example. You can find the current list of plugins here.

This pattern fits exceptionally well with message streams like Kafka. This task is about exploring what an integration with Kafka would look like.

To design an integration, a couple of questions need to be answered.

a) What kind of metadata do we want to send? Note that plugins can subscribe to attestation metadata or to any material. For example, dependency-track plugins handle CYCLONEDX_JSON_SBOM while Slack does ATTESTATIONS. For the record, we could do both.
b) What does it mean to configure Kafka in the context of both registration in a Chainloop org and attachment to a workflow? See lifecycle of an integration.

For example, in dependency-track at registration, users can configure a Dependency-Track instance, while at attachment, they can configure the DPTrack project to send the SBOMs to. This could enable us, for example, to onboard the Kafka instance on registration and choose the topic during attachment (I am not even sure this is valid, but just as an example).

In addition to that, we also support annotations on the attestations, and those could be used in plugins too, as we did in dependency-track to make the project name dynamic (in any case, this is an option that could be explored in the future).

### Tasks
- [ ] Define lifecycle and message types
- [ ] Implement plugin as part of the core (not compiled as plugin yet)
- [ ] Package and release as a plugin
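
The registration/attachment split floated in the issue, as an added Go sketch that is not Chainloop's plugin SDK or the project's code: brokers are fixed at registration, the topic and subscribed input kinds are chosen at attachment, and the topic is validated against Kafka's naming rules before any message is built. All type names, function names, the broker address and the topic are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

type Registration struct{ Brokers []string } // hypothetical: set once, at org registration
type Attachment struct {                     // hypothetical: set per workflow attachment
	Topic      string
	Subscribed map[string]bool // input kinds, spelled as in the issue text
}
type Message struct {
	Brokers    []string
	Topic, Key string
	Value      []byte
}

// Kafka topic names: 1-249 characters from [a-zA-Z0-9._-], and not "." or "..".
var topicRe = regexp.MustCompile(`^[a-zA-Z0-9._-]{1,249}$`)

// ValidateAttachment rejects a bad topic before anything is published.
func ValidateAttachment(a Attachment) error {
	if !topicRe.MatchString(a.Topic) || a.Topic == "." || a.Topic == ".." {
		return fmt.Errorf("invalid topic %q", a.Topic)
	}
	return nil
}

// Route builds the message for one input; nil, nil means "not subscribed to this kind".
func Route(r Registration, a Attachment, workflow, kind string, payload []byte) (*Message, error) {
	if len(r.Brokers) == 0 {
		return nil, errors.New("no brokers registered")
	}
	if err := ValidateAttachment(a); err != nil {
		return nil, err
	}
	if !a.Subscribed[kind] {
		return nil, nil
	}
	return &Message{Brokers: r.Brokers, Topic: a.Topic, Key: workflow + "/" + kind, Value: payload}, nil
}

func main() {
	reg := Registration{Brokers: []string{"kafka.example.internal:9092"}} // constructed sample values
	att := Attachment{Topic: "chainloop.sboms", Subscribed: map[string]bool{"CYCLONEDX_JSON_SBOM": true}}
	fmt.Println(Route(reg, att, "build-release", "CYCLONEDX_JSON_SBOM", []byte(`{}`)))
}
```

Because the attachment only carries a topic and a subscription set, a workflow owner cannot redirect messages to a different cluster than the one the org registered.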
