feat: [APL-898] - Network Policies Page (#772)

* feat: podlabel fetch functions

* fix: k8s fetch functions rework

* fix: return env check

* feat: tests

* fix: removed logs

---------

Co-authored-by: svcAPLBot <[email protected]>

Author: dennisvankekem

src/api/v1/teams/{teamId}/kubernetes/fetchPodsFromLabel.ts

@@ -0,0 +1,25 @@
+import Debug from 'debug'
+import { Operation, OperationHandlerArray } from 'express-openapi'
+import { OpenApiRequestExt } from 'src/otomi-models'
+
+const debug = Debug('otomi:api:v1:teams:kubernetes:fetchPodsFromLabel')
+
+export default function (): OperationHandlerArray {
+  const get: Operation = [
+    async ({ otomi, query }: OpenApiRequestExt, res): Promise<void> => {
+      debug('fetchPodsFromLabel')
+      try {
+        const { labelSelector, namespace }: { labelSelector: string; namespace: string } = query as any
+        const v = await otomi.listUniquePodNamesByLabel(labelSelector, namespace)
+        res.json(v)
+      } catch (e) {
+        debug(e)
+        res.json([])
+      }
+    },
+  ]
+  const api = {
+    get,
+  }
+  return api
+}

src/api/v1/teams/{teamId}/kubernetes/networkPolicies.ts

@@ -0,0 +1,25 @@
+import Debug from 'debug'
+import { Operation, OperationHandlerArray } from 'express-openapi'
+import { OpenApiRequestExt } from 'src/otomi-models'
+
+const debug = Debug('otomi:api:v1:teams:kubernetes:networkPolicies')
+
+export default function (): OperationHandlerArray {
+  const get: Operation = [
+    async ({ otomi, query }: OpenApiRequestExt, res): Promise<void> => {
+      debug('getAllK8sPodLabelsForWorkload')
+      try {
+        const { workloadName, namespace }: { workloadName: string; namespace: string } = query as any
+        const v = await otomi.getK8sPodLabelsForWorkload(workloadName, namespace)
+        res.json(v)
+      } catch (e) {
+        debug(e)
+        res.json([])
+      }
+    },
+  ]
+  const api = {
+    get,
+  }
+  return api
+}

src/openapi/api.yaml

@@ -297,7 +297,7 @@ paths:
       x-aclSchema: Service
       responses:
         '200':
-          description: Successfully obtained kuberntes services
+          description: Successfully obtained kubernetes services
           content:
             application/json:
               schema:
@@ -307,6 +307,65 @@ paths:
         '400':
           <<: *BadRequest
 
+  '/v1/teams/{teamId}/kubernetes/networkpolicies':
+    parameters:
+      - $ref: '#/components/parameters/teamParams'
+    get:
+      operationId: getK8SWorkloadPodLabels
+      description: Get Podlabels from given workload
+      x-aclSchema: NetworkPolicies
+      parameters:
+        - name: workloadName
+          in: query
+          description: name of the workload to get Podlabels from
+          schema:
+            type: string
+        - name: namespace
+          in: query
+          description: namespace of the workload to get Podlabels from
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Successfully obtained Podlabels from given workload
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties:
+                  type: string
+        '400':
+          <<: *BadRequest
+
+  '/v1/teams/{teamId}/kubernetes/fetchPodsFromLabel':
+    parameters:
+      - $ref: '#/components/parameters/teamParams'
+    get:
+      operationId: listUniquePodNamesByLabel
+      description: Get pods name from label
+      parameters:
+        - name: labelSelector
+          in: query
+          description: name of the label to get pods name from
+          schema:
+            type: string
+        - name: namespace
+          in: query
+          description: namespace of the workload to get Podlabels from
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Successfully obtained pods from given label
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  type: string
+        '400':
+          <<: *BadRequest
+
   '/v1/teams/{teamId}/services/{serviceName}':
     parameters:
       - $ref: '#/components/parameters/teamParams'

src/otomi-stack.test.ts

@@ -756,6 +756,126 @@ describe('Users tests', () => {
   })
 })
 
+describe('PodService', () => {
+  let otomiStack: OtomiStack
+  let clientMock: {
+    listNamespacedPod: jest.Mock
+    listPodForAllNamespaces: jest.Mock
+  }
+
+  beforeEach(() => {
+    otomiStack = new OtomiStack()
+    clientMock = {
+      listNamespacedPod: jest.fn(),
+      listPodForAllNamespaces: jest.fn(),
+    }
+    // Override the API client
+    ;(otomiStack as any).getApiClient = jest.fn(() => clientMock)
+  })
+
+  describe('getK8sPodLabelsForWorkload', () => {
+    const baseLabels = { 'app.kubernetes.io/name': 'test', custom: 'label' }
+
+    it('should return labels on primary Istio selector (namespaced)', async () => {
+      clientMock.listNamespacedPod.mockResolvedValue({ items: [{ metadata: { labels: baseLabels } }] })
+
+      const labels = await otomiStack.getK8sPodLabelsForWorkload('test', 'default')
+
+      expect(clientMock.listNamespacedPod).toHaveBeenCalledWith({
+        namespace: 'default',
+        labelSelector: 'service.istio.io/canonical-name=test',
+      })
+      expect(labels).toEqual(baseLabels)
+    })
+
+    it('should fallback to RabbitMQ selector when primary returns none', async () => {
+      clientMock.listNamespacedPod
+        .mockResolvedValueOnce({ items: [] })
+        .mockResolvedValueOnce({ items: [{ metadata: { labels: { rabbit: 'yes' } } }] })
+
+      const labels = await otomiStack.getK8sPodLabelsForWorkload('test', 'default')
+
+      expect(clientMock.listNamespacedPod).toHaveBeenCalledTimes(2)
+      expect(clientMock.listNamespacedPod).toHaveBeenCalledWith({
+        namespace: 'default',
+        labelSelector: 'service.istio.io/canonical-name=test',
+      })
+      expect(clientMock.listNamespacedPod).toHaveBeenCalledWith({
+        namespace: 'default',
+        labelSelector: 'service.istio.io/canonical-name=test-rabbitmq-cluster',
+      })
+      expect(labels).toEqual({ rabbit: 'yes' })
+    })
+
+    it('should go through all fallback selectors and return empty object if none found', async () => {
+      clientMock.listNamespacedPod.mockResolvedValue({ items: [] })
+
+      const labels = await otomiStack.getK8sPodLabelsForWorkload('foo', 'bar')
+
+      expect(clientMock.listNamespacedPod).toHaveBeenCalledTimes(5)
+      expect(labels).toEqual({})
+    })
+
+    it('should search across all namespaces when no namespace provided', async () => {
+      clientMock.listPodForAllNamespaces.mockResolvedValue({ items: [{ metadata: { labels: { global: 'yes' } } }] })
+
+      const labels = await otomiStack.getK8sPodLabelsForWorkload('global', undefined)
+
+      expect(clientMock.listPodForAllNamespaces).toHaveBeenCalledWith({
+        labelSelector: 'service.istio.io/canonical-name=global',
+      })
+      expect(labels).toEqual({ global: 'yes' })
+    })
+  })
+
+  describe('listUniquePodNamesByLabel', () => {
+    it('should return empty array when no pods found (namespaced)', async () => {
+      clientMock.listNamespacedPod.mockResolvedValue({ items: [] })
+
+      const names = await otomiStack.listUniquePodNamesByLabel('app=test', 'default')
+
+      expect(names).toEqual([])
+      expect(clientMock.listNamespacedPod).toHaveBeenCalledWith({ namespace: 'default', labelSelector: 'app=test' })
+    })
+
+    it('should return full names for unique bases', async () => {
+      const pods = [
+        { metadata: { name: 'frontend-abc123' } },
+        { metadata: { name: 'backend-def456' } },
+        { metadata: { name: 'db-gh789' } },
+      ]
+      clientMock.listPodForAllNamespaces.mockResolvedValue({ items: pods })
+
+      const names = await otomiStack.listUniquePodNamesByLabel('app=all')
+
+      expect(names).toEqual(['frontend-abc123', 'backend-def456', 'db-gh789'])
+    })
+
+    it('should filter out duplicate base names, keeping first occurrence', async () => {
+      const pods = [
+        { metadata: { name: 'app-1-a1' } },
+        { metadata: { name: 'app-1-b2' } },
+        { metadata: { name: 'app-2-c3' } },
+        { metadata: { name: 'app-2-d4' } },
+      ]
+      clientMock.listPodForAllNamespaces.mockResolvedValue({ items: pods })
+
+      const names = await otomiStack.listUniquePodNamesByLabel('app=dup')
+
+      expect(names).toEqual(['app-1-a1', 'app-2-c3'])
+    })
+
+    it('should handle pod names without dashes', async () => {
+      const pods = [{ metadata: { name: 'singlename' } }]
+      clientMock.listPodForAllNamespaces.mockResolvedValue({ items: pods })
+
+      const names = await otomiStack.listUniquePodNamesByLabel('app=uniq')
+
+      expect(names).toEqual(['singlename'])
+    })
+  })
+})
+
 describe('Code repositories tests', () => {
   let otomiStack: OtomiStack
   let teamConfigService: TeamConfigService

src/otomi-stack.ts

@@ -2169,6 +2169,85 @@ export default class OtomiStack {
     return this.apiClient
   }
 
+  async getK8sPodLabelsForWorkload(workloadName: string, namespace?: string): Promise<Record<string, string>> {
+    console.log('Fetching pod labels for workload', workloadName, namespace)
+    const api = this.getApiClient()
+    const istioKey = 'service.istio.io/canonical-name'
+    const otomiKey = 'otomi.io/app'
+    const instanceKey = 'app.kubernetes.io/instance'
+    const nameKey = 'app.kubernetes.io/name'
+
+    // Helper to list pods by label selector
+    const listPods = async (labelSelector: string) =>
+      namespace
+        ? await api.listNamespacedPod({ namespace, labelSelector })
+        : await api.listPodForAllNamespaces({ labelSelector })
+
+    // 1. Primary selector: Istio canonical name
+    let selector = `${istioKey}=${workloadName}`
+    let res = await listPods(selector)
+    let pods = res.items
+
+    // 2. RabbitMQ fallback: workloadName-rabbitmq-cluster
+    if (pods.length === 0) {
+      selector = `${istioKey}=${workloadName}-rabbitmq-cluster`
+      res = await listPods(selector)
+      pods = res.items
+    }
+
+    // 3. Otomi app label
+    if (pods.length === 0) {
+      selector = `${otomiKey}=${workloadName}`
+      res = await listPods(selector)
+      pods = res.items
+    }
+
+    // 4. app.kubernetes.io/instance
+    if (pods.length === 0) {
+      selector = `${instanceKey}=${workloadName}`
+      res = await listPods(selector)
+      pods = res.items
+    }
+
+    // 5. app.kubernetes.io/name
+    if (pods.length === 0) {
+      selector = `${nameKey}=${workloadName}`
+      res = await listPods(selector)
+      pods = res.items
+    }
+
+    // Return labels of the first matching pod, or empty object
+    return pods.length > 0 ? (pods[0].metadata?.labels ?? {}) : {}
+  }
+
+  async listUniquePodNamesByLabel(labelSelector: string, namespace?: string): Promise<string[]> {
+    const api = this.getApiClient()
+
+    // fetch pods, either namespaced or all
+    const res = namespace
+      ? await api.listNamespacedPod({ namespace, labelSelector })
+      : await api.listPodForAllNamespaces({ labelSelector })
+
+    const allPods = res.items
+    if (allPods.length === 0) return []
+
+    const seenBases = new Set<string>()
+    const names: string[] = []
+
+    for (const pod of allPods) {
+      const fullName = pod.metadata?.name || ''
+      // derive “base” by stripping off the last dash-segment
+      const base = fullName.includes('-') ? fullName.substring(0, fullName.lastIndexOf('-')) : fullName
+
+      if (!seenBases.has(base)) {
+        seenBases.add(base)
+        names.push(fullName)
+      }
+    }
+
+    return names
+  }
+
   async getK8sServices(teamId: string): Promise<Array<K8sService>> {
     if (env.isDev) return []
     // const teams = user.teams.map((name) => {