  1. Hybrid Cloud Console
  2. RHCLOUD-35600

Migrate Relations Sink connector in commercial to a FedRAMP-approved supply chain security

    • CRCPLAN-306 - Management Fabric | Onboard FedRAMP to Kessel

      As an implementer of Kessel, I want to ensure our application and its supply chain are compliant with FedRAMP requirements. Currently the relations sink relies on services and artifacts that may not fully align with FedRAMP requirements, or would make upkeep for CONMON very difficult. We should re-architect how the relations-sink plugin is built and deployed to ensure FedRAMP compatibility and efficiency.

      Details are captured in https://docs.google.com/document/d/1lemUxpyDwZckEogJ5nSVJEn1abqh9NOAtkZhY5rs20c/edit#heading=h.bc4uoq4dwov4 but the high-level checklist consists of:

      1. Migrate to using our own Kafka cluster and Kafka Connect cluster
         • Potentially follow the same patterns as the Platform MQ cluster using MSK
         • The KafkaConnect cluster can be deployed via CR, similar to ephemeral and platform-mq
      2. The image build for the Kafka Connect pods is migrated to an App Interface Jenkins process (similar to how relations images are built)
         • Final pod must run on a UBI-based image and is configured for FIPS
         • This image is specified in the KafkaConnect CR and the build options are removed
      3. Ensure the artifact source (Maven Central) is secure in that no outside person can change/modify our package
         • If Maven Central is not private and an outside user could push a new version or change ours, it will not suffice as an artifact source and we'll need to move to something else
         • Potentially could leverage S3 or GitHub releases

      See this thread for details: https://redhat-internal.slack.com/archives/C06DG81SE8J/p1728066790959489

              anatale.openshift Antony Natale
              rhit-ahenning Alec Henninger