Bump version to 2.12.3 (#19694)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: ishitasequeira <46771830+ishitasequeira@users.noreply.github.com>

VERSION

@@ -1 +1 @@
-2.12.2
+2.12.3

applicationset/controllers/applicationset_controller.go

@@ -580,7 +580,7 @@ func (r *ApplicationSetReconciler) applyTemplatePatch(app *argov1alpha1.Applicat
 func ignoreNotAllowedNamespaces(namespaces []string) predicate.Predicate {
 	return predicate.Funcs{
 		CreateFunc: func(e event.CreateEvent) bool {
-			return glob.MatchStringInList(namespaces, e.Object.GetNamespace(), false)
+			return glob.MatchStringInList(namespaces, e.Object.GetNamespace(), glob.REGEXP)
 		},
 	}
 }

controller/appcontroller.go

@@ -2011,7 +2011,7 @@ func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application) (bool,
 // isAppNamespaceAllowed returns whether the application is allowed in the
 // namespace it's residing in.
 func (ctrl *ApplicationController) isAppNamespaceAllowed(app *appv1.Application) bool {
-	return app.Namespace == ctrl.namespace || glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false)
+	return app.Namespace == ctrl.namespace || glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, glob.REGEXP)
 }
 
 func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {

docs/operator-manual/app-any-namespace.md

@@ -42,8 +42,11 @@ In order for an application to be managed and reconciled outside the Argo CD's c
 
 In order to enable this feature, the Argo CD administrator must reconfigure the `argocd-server` and `argocd-application-controller` workloads to add the `--application-namespaces` parameter to the container's startup command.
 
-The `--application-namespaces` parameter takes a comma-separated list of namespaces where `Applications` are to be allowed in. Each entry of the list supports shell-style wildcards such as `*`, so for example the entry `app-team-*` would match `app-team-one` and `app-team-two`. To enable all namespaces on the cluster where Argo CD is running on, you can just specify `*`, i.e. `--application-namespaces=*`.
+The `--application-namespaces` parameter takes a comma-separated list of namespaces where `Applications` are to be allowed in. Each entry of the list supports:
 
+- shell-style wildcards such as `*`, so for example the entry `app-team-*` would match `app-team-one` and `app-team-two`. To enable all namespaces on the cluster where Argo CD is running on, you can just specify `*`, i.e. `--application-namespaces=*`.
+- regex, requires wrapping the string in ```/```, example to allow all namespaces except a particular one: ```/^((?!not-allowed).)*$/```.
+  
 The startup parameters for both, the `argocd-server` and the `argocd-application-controller` can also be conveniently set up and kept in sync by specifying the `application.namespaces` settings in the `argocd-cmd-params-cm` ConfigMap _instead_ of changing the manifests for the respective workloads. For example:
 
 ```yaml

go.mod

@@ -187,6 +187,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/dlclark/regexp2 v1.11.2
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.8.0 // indirect

go.sum

@@ -843,6 +843,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/dlclark/regexp2 v1.11.2 h1:/u628IuisSTwri5/UKloiIsH8+qF2Pu7xEQX+yIKg68=
+github.com/dlclark/regexp2 v1.11.2/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.12.2
+  newTag: v2.12.3
 resources:
 - ./application-controller
 - ./dex

manifests/core-install.yaml

@@ -21270,7 +21270,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -21388,7 +21388,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -21641,7 +21641,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -21693,7 +21693,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -21965,7 +21965,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.12.2
+  newTag: v2.12.3

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.12.2
+  newTag: v2.12.3
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/install.yaml

@@ -22613,7 +22613,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -22736,7 +22736,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -22818,7 +22818,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -22937,7 +22937,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -23218,7 +23218,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -23270,7 +23270,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -23594,7 +23594,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -23893,7 +23893,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -1688,7 +1688,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1811,7 +1811,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1893,7 +1893,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2012,7 +2012,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2293,7 +2293,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2345,7 +2345,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2669,7 +2669,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2968,7 +2968,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -21730,7 +21730,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -21853,7 +21853,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -21935,7 +21935,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -22035,7 +22035,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -22288,7 +22288,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -22340,7 +22340,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -22662,7 +22662,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -22961,7 +22961,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -805,7 +805,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -928,7 +928,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1010,7 +1010,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1110,7 +1110,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1363,7 +1363,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1415,7 +1415,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1737,7 +1737,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2036,7 +2036,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.2
+        image: quay.io/argoproj/argocd:v2.12.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

notification_controller/controller/controller.go

@@ -122,7 +122,7 @@ func NewController(
 
 // Check if app is not in the namespace where the controller is in, and also app is not in one of the applicationNamespaces
 func checkAppNotInAdditionalNamespaces(app *unstructured.Unstructured, namespace string, applicationNamespaces []string) bool {
-	return namespace != app.GetNamespace() && !glob.MatchStringInList(applicationNamespaces, app.GetNamespace(), false)
+	return namespace != app.GetNamespace() && !glob.MatchStringInList(applicationNamespaces, app.GetNamespace(), glob.REGEXP)
 }
 
 func (c *notificationController) alterDestinations(obj v1.Object, destinations services.Destinations, cfg api.Config) services.Destinations {
@@ -151,7 +151,7 @@ func newInformer(resClient dynamic.ResourceInterface, controllerNamespace string
 				}
 				newItems := []unstructured.Unstructured{}
 				for _, res := range appList.Items {
-					if controllerNamespace == res.GetNamespace() || glob.MatchStringInList(applicationNamespaces, res.GetNamespace(), false) {
+					if controllerNamespace == res.GetNamespace() || glob.MatchStringInList(applicationNamespaces, res.GetNamespace(), glob.REGEXP) {
 						newItems = append(newItems, res)
 					}
 				}

pkg/apis/application/v1alpha1/app_project_types.go

@@ -562,5 +562,5 @@ func (p AppProject) IsAppNamespacePermitted(app *Application, controllerNs strin
 		return true
 	}
 
-	return glob.MatchStringInList(p.Spec.SourceNamespaces, app.Namespace, false)
+	return glob.MatchStringInList(p.Spec.SourceNamespaces, app.Namespace, glob.REGEXP)
 }

util/argo/argo.go

@@ -1132,7 +1132,7 @@ func GetAppEventLabels(app *argoappv1.Application, projLister applicationsv1.App
 	// Filter out event labels to include
 	inKeys := settingsManager.GetIncludeEventLabelKeys()
 	for k, v := range labels {
-		found := glob.MatchStringInList(inKeys, k, false)
+		found := glob.MatchStringInList(inKeys, k, glob.GLOB)
 		if found {
 			eventLabels[k] = v
 		}
@@ -1141,7 +1141,7 @@ func GetAppEventLabels(app *argoappv1.Application, projLister applicationsv1.App
 	// Remove excluded event labels
 	exKeys := settingsManager.GetExcludeEventLabelKeys()
 	for k := range eventLabels {
-		found := glob.MatchStringInList(exKeys, k, false)
+		found := glob.MatchStringInList(exKeys, k, glob.GLOB)
 		if found {
 			delete(eventLabels, k)
 		}

util/glob/glob_test.go

@@ -31,26 +31,28 @@ func Test_Match(t *testing.T) {
 
 func Test_MatchList(t *testing.T) {
 	tests := []struct {
-		name   string
-		input  string
-		list   []string
-		exact  bool
-		result bool
+		name         string
+		input        string
+		list         []string
+		patternMatch string
+		result       bool
 	}{
-		{"Exact name in list", "test", []string{"test"}, true, true},
-		{"Exact name not in list", "test", []string{"other"}, true, false},
-		{"Exact name not in list, multiple elements", "test", []string{"some", "other"}, true, false},
-		{"Exact name not in list, list empty", "test", []string{}, true, false},
-		{"Exact name not in list, empty element", "test", []string{""}, true, false},
-		{"Glob name in list, but exact wanted", "test", []string{"*"}, true, false},
-		{"Glob name in list with simple wildcard", "test", []string{"*"}, false, true},
-		{"Glob name in list without wildcard", "test", []string{"test"}, false, true},
-		{"Glob name in list, multiple elements", "test", []string{"other*", "te*"}, false, true},
+		{"Exact name in list", "test", []string{"test"}, EXACT, true},
+		{"Exact name not in list", "test", []string{"other"}, EXACT, false},
+		{"Exact name not in list, multiple elements", "test", []string{"some", "other"}, EXACT, false},
+		{"Exact name not in list, list empty", "test", []string{}, EXACT, false},
+		{"Exact name not in list, empty element", "test", []string{""}, EXACT, false},
+		{"Glob name in list, but exact wanted", "test", []string{"*"}, EXACT, false},
+		{"Glob name in list with simple wildcard", "test", []string{"*"}, GLOB, true},
+		{"Glob name in list without wildcard", "test", []string{"test"}, GLOB, true},
+		{"Glob name in list, multiple elements", "test", []string{"other*", "te*"}, GLOB, true},
+		{"match everything but specified word: fail", "disallowed", []string{"/^((?!disallowed).)*$/"}, REGEXP, false},
+		{"match everything but specified word: pass", "allowed", []string{"/^((?!disallowed).)*$/"}, REGEXP, true},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			res := MatchStringInList(tt.list, tt.input, tt.exact)
+			res := MatchStringInList(tt.list, tt.input, tt.patternMatch)
 			assert.Equal(t, tt.result, res)
 		})
 	}

util/glob/list.go

@@ -1,10 +1,30 @@
 package glob
 
-// MatchStringInList will return true if item is contained in list. If
-// exactMatch is set to false, list may contain globs to be matched.
-func MatchStringInList(list []string, item string, exactMatch bool) bool {
+import (
+	"strings"
+
+	"github.com/argoproj/argo-cd/v2/util/regex"
+)
+
+const (
+	EXACT  = "exact"
+	GLOB   = "glob"
+	REGEXP = "regexp"
+)
+
+// MatchStringInList will return true if item is contained in list.
+// patternMatch; can be set to  exact, glob, regexp.
+// If patternMatch; is set to exact, the item must be an exact match.
+// If patternMatch; is set to glob, the item must match a glob pattern.
+// If patternMatch; is set to regexp, the item must match a regular expression or glob.
+func MatchStringInList(list []string, item string, patternMatch string) bool {
 	for _, ll := range list {
-		if item == ll || (!exactMatch && Match(ll, item)) {
+		// If string is wrapped in "/", assume it is a regular expression.
+		if patternMatch == REGEXP && strings.HasPrefix(ll, "/") && strings.HasSuffix(ll, "/") && regex.Match(ll[1:len(ll)-1], item) {
+			return true
+		} else if (patternMatch == REGEXP || patternMatch == GLOB) && Match(ll, item) {
+			return true
+		} else if patternMatch == EXACT && item == ll {
 			return true
 		}
 	}

util/regex/regex.go

@@ -0,0 +1,20 @@
+package regex
+
+import (
+	"github.com/dlclark/regexp2"
+	log "github.com/sirupsen/logrus"
+)
+
+func Match(pattern, text string) bool {
+	compiledRegex, err := regexp2.Compile(pattern, 0)
+	if err != nil {
+		log.Warnf("failed to compile pattern %s due to error %v", pattern, err)
+		return false
+	}
+	regexMatch, err := compiledRegex.MatchString(text)
+	if err != nil {
+		log.Warnf("failed to match pattern %s due to error %v", pattern, err)
+		return false
+	}
+	return regexMatch
+}

util/security/application_namespaces.go

@@ -7,7 +7,7 @@ import (
 )
 
 func IsNamespaceEnabled(namespace string, serverNamespace string, enabledNamespaces []string) bool {
-	return namespace == serverNamespace || glob.MatchStringInList(enabledNamespaces, namespace, false)
+	return namespace == serverNamespace || glob.MatchStringInList(enabledNamespaces, namespace, glob.REGEXP)
 }
 
 func NamespaceNotPermittedError(namespace string) error {

util/security/application_namespaces_test.go

@@ -49,6 +49,20 @@ func Test_IsNamespaceEnabled(t *testing.T) {
 			[]string{"allowed"},
 			false,
 		},
+		{
+			"match everything but specified word: fail",
+			"disallowed",
+			"argocd",
+			[]string{"/^((?!disallowed).)*$/"},
+			false,
+		},
+		{
+			"match everything but specified word: pass",
+			"allowed",
+			"argocd",
+			[]string{"/^((?!disallowed).)*$/"},
+			true,
+		},
 	}
 
 	for _, tc := range testCases {

util/webhook/webhook.go

@@ -278,7 +278,7 @@ func (a *ArgoCDWebhookHandler) HandleEvent(payload interface{}) {
 	// nor in the list of enabled namespaces.
 	var filteredApps []v1alpha1.Application
 	for _, app := range apps.Items {
-		if app.Namespace == a.ns || glob.MatchStringInList(a.appNs, app.Namespace, false) {
+		if app.Namespace == a.ns || glob.MatchStringInList(a.appNs, app.Namespace, glob.REGEXP) {
 			filteredApps = append(filteredApps, app)
 		}
 	}