lib/servicecatalog: init to distribute catalog (#46999)

Part of https://github.com/sourcegraph/security-issues/issues/327 Part of https://github.com/sourcegraph/security-issues/issues/328 Part of https://github.com/sourcegraph/security-issues/issues/334 Used by https://github.com/sourcegraph/controller/pull/306
2026-02-06 11:01:44 +00:00 · 2023-01-26 17:22:27 -08:00 · 2023-01-26 17:22:27 -08:00 · f42c059997
commit f42c059997
parent acb5d060d1
4 changed files with 106 additions and 48 deletions
--- a/lib/servicecatalog/service-catalog.yaml
+++ b/lib/servicecatalog/service-catalog.yaml
@ -0,0 +1,53 @@
+# This is the source of truth for services dependencies of Sourcegraph. All names
+# should correspond to published images.
+#
+# Cloud started this file to ensure we can correctly maintain Network Policies
+# to ensure only necessary services can talk to each other.
+#
+# This file is not owned by Cloud but the entire engineering department.
+
+protected_services:
+  # $ go run ./dev/depgraph/ summary internal/gitserver
+  # union of all dependent commands
+  gitserver:
+    consumers:
+      - frontend
+      - repo-updater
+      - searcher
+      - symbols
+      - worker
+      - migrator
+      - precise-code-intel-worker
+      # other stuff we just know about
+      - search-indexer
+      - indexed-searcher
+
+  # $ go run ./dev/depgraph/ summary internal/redispool
+  # $ go run ./dev/depgraph/ summary internal/rcache
+  # union of all dependent commands
+  redis:
+    consumers:
+      - blobstore
+      - frontend
+      - github-proxy
+      - gitserver
+      - migrator
+      - repo-updater
+      - searcher
+      - symbols
+      - worker
+      # other stuff we just know about
+      - redis-exporter
+
+  # $ go run ./dev/depgraph/ summary internal/database
+  # the union of all dependent commands
+  postgres:
+    consumers:
+      - frontend
+      - gitserver
+      - migrator
+      - repo-updater
+      - searcher
+      - symbols
+      - worker
+      - precise-code-intel-worker
--- a/lib/servicecatalog/servicecatalog.go
+++ b/lib/servicecatalog/servicecatalog.go
@ -0,0 +1,28 @@
+package servicecatalog
+
+import (
+	_ "embed"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/sourcegraph/sourcegraph/lib/errors"
+)
+
+//go:embed service-catalog.yaml
+var rawCatalog string
+
+type Service struct {
+	Consumers []string `yaml:"consumers" json:"consumers"`
+}
+
+type Catalog struct {
+	ProtectedServices map[string]Service `yaml:"protected_services" json:"protected_services"`
+}
+
+func Get() (Catalog, error) {
+	var c Catalog
+	if err := yaml.Unmarshal([]byte(rawCatalog), &c); err != nil {
+		return c, errors.Wrap(err, "'service-catalog.yaml' is invalid")
+	}
+	return c, nil
+}
--- a/lib/servicecatalog/servicecatalog_test.go
+++ b/lib/servicecatalog/servicecatalog_test.go
@ -0,0 +1,24 @@
+package servicecatalog
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGet(t *testing.T) {
+	c, err := Get()
+	require.NoError(t, err)
+	for _, k := range []string{
+		"gitserver",
+		"redis",
+		"postgres",
+	} {
+		t.Run(k, func(t *testing.T) {
+			require.NotEmpty(t, c.ProtectedServices)
+			require.NotEmpty(t, c.ProtectedServices[k])
+			assert.NotEmpty(t, c.ProtectedServices[k].Consumers)
+		})
+	}
+}
--- a/service-catalog.yaml
+++ b/service-catalog.yaml
@ -1,48 +0,0 @@
-# This is the source of truth for services dependencies of Sourcegraph
-#
-# Cloud started this file to ensure we can correctly maintain Network Policies
-# to ensure only necessary services can talk to each other.
-#
-# This file is not owned by Cloud but the entire engineering department.
-
-protected_services:
-  # $ go run ./dev/depgraph/ summary internal/gitserver
-  # union of all dependent commands
-  gitserver:
-    consumers:
-      - frontend
-      - repo-updater
-      - searcher
-      - symbols
-      - worker
-      - migrator
-      - precise-code-intel-worker
-
-  # $ go run ./dev/depgraph/ summary internal/redispool
-  # $ go run ./dev/depgraph/ summary internal/rcache
-  # union of all dependent commands
-  redis:
-    consumers:
-      - blobstore
-      - frontend
-      - github-proxy
-      - gitserver
-      - migrator
-      - repo-updater
-      - searcher
-      - sitemap
-      - symbols
-      - worker
-
-  # $ go run ./dev/depgraph/ summary internal/database
-  # the union of all dependent commands
-  postgres:
-    consumers:
-      - frontend
-      - gitserver
-      - migrator
-      - repo-updater
-      - searcher
-      - symbols
-      - worker
-      - precise-code-intel-worker
--- a/service-catalog.yaml
+++ b/service-catalog.yaml
@ -0,0 +1 @@
+./lib/servicecatalog/service-catalog.yaml