lib/servicecatalog: init to distribute catalog (#46999)

Part of sourcegraph/security-issues#327
Part of sourcegraph/security-issues#328
Part of sourcegraph/security-issues#334

Used by sourcegraph/controller#306

Author: bobheadxi

lib/servicecatalog/service-catalog.yaml

@@ -0,0 +1,53 @@
+# This is the source of truth for services dependencies of Sourcegraph. All names
+# should correspond to published images.
+#
+# Cloud started this file to ensure we can correctly maintain Network Policies
+# to ensure only necessary services can talk to each other.
+#
+# This file is not owned by Cloud but the entire engineering department.
+
+protected_services:
+  # $ go run ./dev/depgraph/ summary internal/gitserver
+  # union of all dependent commands
+  gitserver:
+    consumers:
+      - frontend
+      - repo-updater
+      - searcher
+      - symbols
+      - worker
+      - migrator
+      - precise-code-intel-worker
+      # other stuff we just know about
+      - search-indexer
+      - indexed-searcher
+
+  # $ go run ./dev/depgraph/ summary internal/redispool
+  # $ go run ./dev/depgraph/ summary internal/rcache
+  # union of all dependent commands
+  redis:
+    consumers:
+      - blobstore
+      - frontend
+      - github-proxy
+      - gitserver
+      - migrator
+      - repo-updater
+      - searcher
+      - symbols
+      - worker
+      # other stuff we just know about
+      - redis-exporter
+
+  # $ go run ./dev/depgraph/ summary internal/database
+  # the union of all dependent commands
+  postgres:
+    consumers:
+      - frontend
+      - gitserver
+      - migrator
+      - repo-updater
+      - searcher
+      - symbols
+      - worker
+      - precise-code-intel-worker

lib/servicecatalog/servicecatalog.go

@@ -0,0 +1,28 @@
+package servicecatalog
+
+import (
+	_ "embed"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/sourcegraph/sourcegraph/lib/errors"
+)
+
+//go:embed service-catalog.yaml
+var rawCatalog string
+
+type Service struct {
+	Consumers []string `yaml:"consumers" json:"consumers"`
+}
+
+type Catalog struct {
+	ProtectedServices map[string]Service `yaml:"protected_services" json:"protected_services"`
+}
+
+func Get() (Catalog, error) {
+	var c Catalog
+	if err := yaml.Unmarshal([]byte(rawCatalog), &c); err != nil {
+		return c, errors.Wrap(err, "'service-catalog.yaml' is invalid")
+	}
+	return c, nil
+}

lib/servicecatalog/servicecatalog_test.go

@@ -0,0 +1,24 @@
+package servicecatalog
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGet(t *testing.T) {
+	c, err := Get()
+	require.NoError(t, err)
+	for _, k := range []string{
+		"gitserver",
+		"redis",
+		"postgres",
+	} {
+		t.Run(k, func(t *testing.T) {
+			require.NotEmpty(t, c.ProtectedServices)
+			require.NotEmpty(t, c.ProtectedServices[k])
+			assert.NotEmpty(t, c.ProtectedServices[k].Consumers)
+		})
+	}
+}

service-catalog.yaml

@@ -0,0 +1 @@
+./lib/servicecatalog/service-catalog.yaml