feat: Add Wildcards support in ApplicationSet Source Namespaces (argoproj-labs#1988)

* Add support Wildcards in ApplicationSet Source Namespaces

Signed-off-by: nmirasch <neus.miras@gmail.com>

* Removed doc mention to Enable ApplicationSets in all namespaces

Signed-off-by: nmirasch <neus.miras@gmail.com>

* Add sorting to ensure deterministic namespace ordering

Signed-off-by: nmirasch <neus.miras@gmail.com>

* added reg expression references and upstream documentation

Signed-off-by: nmirasch <neus.miras@gmail.com>

---------

Signed-off-by: nmirasch <neus.miras@gmail.com>

Author: nmirasch

controllers/argocd/applicationset.go

@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
+	"sort"
 	"strings"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -32,6 +33,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
+	"github.com/argoproj/argo-cd/v3/util/glob"
+
 	argoproj "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	"github.com/argoproj-labs/argocd-operator/common"
 	"github.com/argoproj-labs/argocd-operator/controllers/argoutil"
@@ -70,27 +73,31 @@ func (r *ReconcileArgoCD) getArgoApplicationSetCommand(cr *argoproj.ArgoCD) []st
 	if argoutil.IsNamespaceClusterConfigNamespace(cr.Namespace) {
 
 		// appset source namespaces should be subset of apps source namespaces
-		appsetsSourceNamespaces := []string{}
-		appsNamespaces, err := r.getSourceNamespaces(cr)
-		if err == nil {
-			for _, ns := range cr.Spec.ApplicationSet.SourceNamespaces {
-				if contains(appsNamespaces, ns) {
-					appsetsSourceNamespaces = append(appsetsSourceNamespaces, ns)
-				} else {
-					log.V(1).Info(fmt.Sprintf("Apps in target sourceNamespace %s is not enabled, thus skipping the namespace in deployment command.", ns))
+		appsetsSourceNamespacesExpanded, err := r.getApplicationSetSourceNamespaces(cr)
+		if err != nil {
+			log.Error(err, "failed to getting ApplicationSet source namespaces")
+		} else {
+			appsNamespaces, err := r.getSourceNamespaces(cr)
+			if err == nil {
+				appsetsSourceNamespaces := []string{}
+				for _, ns := range appsetsSourceNamespacesExpanded {
+					if contains(appsNamespaces, ns) {
+						appsetsSourceNamespaces = append(appsetsSourceNamespaces, ns)
+					} else {
+						log.V(1).Info(fmt.Sprintf("Apps in target sourceNamespace %s is not enabled, thus skipping the namespace in deployment command.", ns))
+					}
+				}
+				if len(appsetsSourceNamespaces) > 0 {
+					cmd = append(cmd, "--applicationset-namespaces", fmt.Sprint(strings.Join(appsetsSourceNamespaces, ",")))
 				}
-			}
-		}
-
-		if len(appsetsSourceNamespaces) > 0 {
-			cmd = append(cmd, "--applicationset-namespaces", fmt.Sprint(strings.Join(appsetsSourceNamespaces, ",")))
-		}
 
-		// appset in any ns is enabled and no scmProviders allow list is specified,
-		// disables scm & PR generators to prevent potential security issues
-		// https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Appset-Any-Namespace/#scm-providers-secrets-consideration
-		if len(appsetsSourceNamespaces) > 0 && (len(cr.Spec.ApplicationSet.SCMProviders) <= 0) {
-			cmd = append(cmd, "--enable-scm-providers=false")
+				// appset in any ns is enabled and no scmProviders allow list is specified,
+				// disables scm & PR generators to prevent potential security issues
+				// https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Appset-Any-Namespace/#scm-providers-secrets-consideration
+				if len(appsetsSourceNamespaces) > 0 && (len(cr.Spec.ApplicationSet.SCMProviders) <= 0) {
+					cmd = append(cmd, "--enable-scm-providers=false")
+				}
+			}
 		}
 	}
 
@@ -653,14 +660,20 @@ func (r *ReconcileArgoCD) reconcileApplicationSetSourceNamespacesResources(cr *a
 	}
 
 	// create resources for each appset source namespace
-	for _, sourceNamespace := range cr.Spec.ApplicationSet.SourceNamespaces {
+	appsetsSourceNamespacesExpanded, err := r.getApplicationSetSourceNamespaces(cr)
+	if err != nil {
+		return fmt.Errorf("failed getting ApplicationSet source namespaces: %w", err)
+	}
 
-		// source ns should be part of app-in-any-ns
-		appsNamespaces, err := r.getSourceNamespaces(cr)
-		if err != nil {
-			reconciliationErrors = append(reconciliationErrors, err)
-			continue
-		}
+	// source ns should be part of app-in-any-ns
+	appsNamespaces, err := r.getSourceNamespaces(cr)
+	if err != nil {
+		return fmt.Errorf("failed to get apps source namespaces: %w", err)
+	}
+
+	// create resources for each appset source namespace (after wildcard expansion)
+	for _, sourceNamespace := range appsetsSourceNamespacesExpanded {
+		// Only process namespaces that are also in apps source namespaces
 		if !contains(appsNamespaces, sourceNamespace) {
 			log.Info(fmt.Sprintf("skipping reconciliation of resources for sourceNamespace %s as Apps in target sourceNamespace is not enabled", sourceNamespace))
 			continue
@@ -986,17 +999,16 @@ func (r *ReconcileArgoCD) removeUnmanagedApplicationSetSourceNamespaceResources(
 
 			if cr.Spec.ApplicationSet != nil && cr.GetDeletionTimestamp() == nil {
 
-				// namespace is valid if it's mentioend in cr.Spec.ApplicationSet.SourceNamespaces AND cr.Spec.SourceNamespaces
-				//
+				// namespace is valid if it matches any pattern in cr.Spec.ApplicationSet.SourceNamespaces AND is in cr.Spec.SourceNamespaces
 				appsNamespaces, err := r.getSourceNamespaces(cr)
 				if err != nil {
 					return err
 				}
-				for _, namespace := range cr.Spec.ApplicationSet.SourceNamespaces {
+				// Check if the namespace matches any of the ApplicationSet source namespace patterns
+				if glob.MatchStringInList(cr.Spec.ApplicationSet.SourceNamespaces, appsetsInAnyNamespaceLabelledNS, glob.REGEXP) {
 					// appset ns should be part of apps ns
-					if namespace == appsetsInAnyNamespaceLabelledNS && contains(appsNamespaces, namespace) {
+					if contains(appsNamespaces, appsetsInAnyNamespaceLabelledNS) {
 						managedNamespace = true
-						break
 					}
 				}
 			}
@@ -1170,10 +1182,28 @@ func (r *ReconcileArgoCD) reconcileSourceNamespaceRoleBinding(roleBinding v1.Rol
 	return nil
 }
 
-// getApplicationSetSourceNamespaces return list of namespaces from .spec.ApplicationSet.SourceNamespaces
-func (r *ReconcileArgoCD) getApplicationSetSourceNamespaces(cr *argoproj.ArgoCD) []string {
-	if cr.Spec.ApplicationSet != nil {
-		return cr.Spec.ApplicationSet.SourceNamespaces
+// getApplicationSetSourceNamespaces returns the list of actual namespaces that match the patterns
+// specified in .spec.ApplicationSet.SourceNamespaces. It supports wildcard patterns (e.g., team-*).
+func (r *ReconcileArgoCD) getApplicationSetSourceNamespaces(cr *argoproj.ArgoCD) ([]string, error) {
+	if cr.Spec.ApplicationSet == nil {
+		return []string(nil), nil
+	}
+
+	sourceNamespaces := []string{}
+	namespaces := &corev1.NamespaceList{}
+
+	if err := r.List(context.TODO(), namespaces, &client.ListOptions{}); err != nil {
+		return nil, err
+	}
+
+	// Intentional: use REGEXP so .spec.applicationSet.sourceNamespaces can contain either
+	// glob-like wildcards or full regular expressions. We expand to concrete namespaces here,
+	// and pass the final list to the controller via --applicationset-namespaces.
+	for _, namespace := range namespaces.Items {
+		if glob.MatchStringInList(cr.Spec.ApplicationSet.SourceNamespaces, namespace.Name, glob.REGEXP) {
+			sourceNamespaces = append(sourceNamespaces, namespace.Name)
+		}
 	}
-	return []string(nil)
+	sort.Strings(sourceNamespaces)
+	return sourceNamespaces, nil
 }

controllers/argocd/applicationset_test.go

@@ -557,7 +557,7 @@ func TestReconcileApplicationSet_Deployments_Command(t *testing.T) {
 				},
 				SourceNamespaces: []string{"foo", "bar"},
 			},
-			expectedCmd: []string{"--applicationset-namespaces", "foo,bar", "--enable-scm-providers=false"},
+			expectedCmd: []string{"--applicationset-namespaces", "bar,foo", "--enable-scm-providers=false"},
 		},
 		{
 			name: "with SCM provider list",
@@ -1258,34 +1258,123 @@ func TestArgoCDApplicationSet_getApplicationSetSourceNamespaces(t *testing.T) {
 	tests := []struct {
 		name        string
 		appSetField *argoproj.ArgoCDApplicationSet
+		namespaces  []client.Object
 		expected    []string
 	}{
 		{
 			name:        "Appsets not enabled",
 			appSetField: nil,
+			namespaces:  []client.Object{},
 			expected:    []string(nil),
 		},
 		{
 			name: "No appset source namespaces",
 			appSetField: &argoproj.ArgoCDApplicationSet{
 				Enabled: boolPtr(true),
 			},
-			expected: []string(nil),
+			namespaces: []client.Object{},
+			expected:   []string(nil),
 		},
 		{
-			name: "Appset source namespaces",
+			name: "Appset source namespaces - exact match",
 			appSetField: &argoproj.ArgoCDApplicationSet{
 				SourceNamespaces: []string{"foo", "bar"},
 			},
+			namespaces: []client.Object{
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "bar"}},
+			},
 			expected: []string{"foo", "bar"},
 		},
+		{
+			name: "Appset source namespaces with wildcard glob pattern",
+			appSetField: &argoproj.ArgoCDApplicationSet{
+				SourceNamespaces: []string{"team-*"},
+			},
+			namespaces: []client.Object{
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-1"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-2"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-frontend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-backend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "other-ns"}},
+			},
+			expected: []string{"team-1", "team-2", "team-backend", "team-frontend"},
+		},
+		{
+			name: "Appset source namespaces with regex pattern - anchored",
+			appSetField: &argoproj.ArgoCDApplicationSet{
+				SourceNamespaces: []string{"/^team-(1|2)$/"},
+			},
+			namespaces: []client.Object{
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-1"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-2"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-frontend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-10"}},
+			},
+			expected: []string{"team-1", "team-2"},
+		},
+		{
+			name: "Appset source namespaces with regex pattern - unanchored",
+			appSetField: &argoproj.ArgoCDApplicationSet{
+				SourceNamespaces: []string{"/team-.*/"},
+			},
+			namespaces: []client.Object{
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-1"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-2"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-frontend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "other-ns"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "not-team"}},
+			},
+			expected: []string{"team-1", "team-2", "team-frontend"},
+		},
+		{
+			name: "Appset source namespaces with regex pattern - character class",
+			appSetField: &argoproj.ArgoCDApplicationSet{
+				SourceNamespaces: []string{"/^team-[0-9]+$/"},
+			},
+			namespaces: []client.Object{
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-1"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-2"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-10"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-frontend"}},
+			},
+			expected: []string{"team-1", "team-10", "team-2"},
+		},
+		{
+			name: "Appset source namespaces with multiple patterns",
+			appSetField: &argoproj.ArgoCDApplicationSet{
+				SourceNamespaces: []string{"team-*", "app-*"},
+			},
+			namespaces: []client.Object{
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-1"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "team-2"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "app-frontend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "app-backend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "other-ns"}},
+			},
+			expected: []string{"app-backend", "app-frontend", "team-1", "team-2"},
+		},
+		{
+			name: "Appset source namespaces with regex pattern - starts with",
+			appSetField: &argoproj.ArgoCDApplicationSet{
+				SourceNamespaces: []string{"/^prod-.*/"},
+			},
+			namespaces: []client.Object{
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "prod-frontend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "prod-backend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "dev-frontend"}},
+				&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "staging-prod"}},
+			},
+			expected: []string{"prod-backend", "prod-frontend"},
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 
 			a := makeTestArgoCD()
 			resObjs := []client.Object{a}
+			resObjs = append(resObjs, test.namespaces...)
 			subresObjs := []client.Object{a}
 			runtimeObjs := []runtime.Object{}
 			sch := makeTestReconcilerScheme(argoproj.AddToScheme)
@@ -1297,8 +1386,21 @@ func TestArgoCDApplicationSet_getApplicationSetSourceNamespaces(t *testing.T) {
 
 			a.Spec.ApplicationSet = test.appSetField
 
-			actual := r.getApplicationSetSourceNamespaces(a)
-			assert.Equal(t, test.expected, actual)
+			actual, err := r.getApplicationSetSourceNamespaces(a)
+			assert.NoError(t, err)
+
+			if actual == nil {
+				actual = []string{}
+			}
+			expected := test.expected
+			if expected == nil {
+				expected = []string{}
+			}
+
+			sort.Strings(actual)
+			sort.Strings(expected)
+
+			assert.Equal(t, expected, actual)
 		})
 	}
 }

controllers/argocd/role.go

@@ -261,13 +261,14 @@ func (r *ReconcileArgoCD) reconcileRoleForApplicationSourceNamespaces(name strin
 		}
 		role.Namespace = namespace.Name
 		// patch rules if appset in source namespace is allowed
-		if contains(r.getApplicationSetSourceNamespaces(cr), sourceNamespace) {
+		appsetSourceNamespaces, err := r.getApplicationSetSourceNamespaces(cr)
+		if err == nil && contains(appsetSourceNamespaces, sourceNamespace) {
 			role.Rules = append(role.Rules, policyRuleForServerApplicationSetSourceNamespaces()...)
 		}
 
 		created := false
 		existingRole := v1.Role{}
-		err := r.Get(context.TODO(), types.NamespacedName{Name: role.Name, Namespace: namespace.Name}, &existingRole)
+		err = r.Get(context.TODO(), types.NamespacedName{Name: role.Name, Namespace: namespace.Name}, &existingRole)
 		if err != nil {
 			if !errors.IsNotFound(err) {
 				return fmt.Errorf("failed to reconcile the role for the service account associated with %s : %s", name, err)

docs/usage/appsets-in-any-namespace.md

@@ -14,7 +14,19 @@ To manage the `ApplicationSet` resources in non-control plane namespaces i.e out
 
 ## Enable ApplicationSets in a namespace
 
-To enable this feature in a namespace, add the namespace name under `.spec.applicationSet.sourceNamespaces` field in ArgoCD CR.
+To enable this feature in a namespace, add the namespace name under `.spec.applicationSet.sourceNamespaces` in the ArgoCD CR.
+This field supports both:
+ - Glob-style wildcards (e.g., `team-*`, `team-frontend`, `app-??`)
+ - Regular expressions (wrapped in forward slashes, e.g., `/^team-(frontend|backend)$/`, `/^team-.*$/`)
+ 
+ The operator resolves these patterns to actual namespaces at reconcile time and passes the expanded, concrete list to the ApplicationSet controller.
+ 
+ !!! note
+     Regular expression patterns must be wrapped in forward slashes (`/pattern/`) to be treated as regex. Patterns without slashes are treated as glob patterns. For example:
+     - `team-*` - glob pattern (matches team-1, team-2, etc.)
+     - `/^team-[0-9]+$/` - regex pattern (matches team-1, team-2, but not team-frontend)
+
+### Enable ApplicationSets in a specific namespace
 
 For example, following configuration will allow `example` Argo CD instance to create & manage `ApplicationSet` resource in `foo` namespace. 
 ```yaml
@@ -28,10 +40,46 @@ spec:
       - foo
 ```
 
-As of now, wildcards are not supported in `.spec.applicationSet.sourceNamespaces`. 
+### Enable ApplicationSets in namespaces matching a pattern
+
+You can use wildcard patterns or regular expressions to automatically provision ApplicationSet permissions in all namespaces that match the pattern:
+
+**Using glob patterns:**
+```yaml
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: example
+spec:
+  applicationSet:
+    sourceNamespaces:
+      - team-*           # glob pattern
+```
+
+**Using regular expressions:**
+```yaml
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: example
+spec:
+  applicationSet:
+    sourceNamespaces:
+      - /^team-(frontend|backend)$/    # regex pattern (note the /.../ wrapper)
+      - /^team-[0-9]+$/                # regex: matches team-1, team-2, etc. (numbers only)
+```
+
+In the glob pattern example, permissions are granted to namespaces matching `team-*`, such as `team-1`, `team-2`, `team-frontend`, etc. In the regex example, permissions are granted only to namespaces matching the specific regex patterns (e.g., `team-frontend` and `team-backend` for the first pattern, or numeric-only namespaces like `team-1`, `team-2` for the second pattern).
+
+The Operator will automatically create the necessary RBAC permissions in all existing namespaces that match the pattern, and will continue to provision permissions for newly created namespaces that match the pattern. 
+
+!!! warning 
+    Exercise caution when using broad wildcard patterns such as `*` or `*-prod`. These patterns can match a large number of namespaces, including system namespaces or sensitive environments, potentially granting unintended access. Always use the most specific pattern that meets your requirements and regularly audit which namespaces match your patterns.    
 
 !!! important 
     Ensure that [Apps in Any Namespace](./apps-in-any-namespace.md) is enabled on target namespace i.e the target namespace name is part of `.spec.sourceNamespaces` field in ArgoCD CR.
+    
+For more details about ApplicationSets in Any Namespace, see the upstream [Argo CD documentation](https://argo-cd.readthedocs.io/en/latest/operator-manual/applicationset/Appset-Any-Namespace/).
 
 The Operator creates/modifies below RBAC resources when ApplicationSets in Any Namespace is enabled