CNCF-hosted Co-located Events North America 2024

Minder is an open-source project to secure software supply chains, starting with repository security. While Minder provides a gRPC API for user interactions, it also operates continuously in the background, detecting and reacting to supply chain events. In this talk, we’ll describe how this background operation evolved from ad-hoc webhooks into an asynchronous event-driven platform with multiple services. Our journey began with asynchronous flows, starting with Go channels and then using Watermill with a SQL database for events. This worked great for a single binary but had issues when sharing the database between two applications – each attempted to enforce its own schema on the shared database. The problem gets worse when trying to interoperate between languages – the Watermill library we used doesn’t support Python or NodeJS. The next step we’re undertaking is to migrate to using CloudEvents – a common schema which can be evolved independently of the specific components.