open-policy-agent · sozercan · Jul 5, 2023 · Jun 29, 2023 · Jul 5, 2023
@@ -16,7 +16,7 @@ limitations under the License.
 package v1alpha1
 
 import (
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -63,8 +63,8 @@ type SyncOnlyEntry struct {
 }
 
 type MatchEntry struct {
-	Processes          []string        `json:"processes,omitempty"`
-	ExcludedNamespaces []util.Wildcard `json:"excludedNamespaces,omitempty"`
+	Processes          []string            `json:"processes,omitempty"`
+	ExcludedNamespaces []wildcard.Wildcard `json:"excludedNamespaces,omitempty"`
 }
 
 type ReadinessSpec struct {

@@ -30,8 +30,8 @@ import (
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/fakes"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/readiness"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/watch"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
 	testclient "github.com/open-policy-agent/gatekeeper/v3/test/clients"
 	"github.com/open-policy-agent/gatekeeper/v3/test/testutils"
 	"github.com/prometheus/client_golang/prometheus"
@@ -104,11 +104,11 @@ func TestReconcile(t *testing.T) {
 			},
 			Match: []configv1alpha1.MatchEntry{
 				{
-					ExcludedNamespaces: []util.Wildcard{"foo"},
+					ExcludedNamespaces: []wildcard.Wildcard{"foo"},
 					Processes:          []string{"*"},
 				},
 				{
-					ExcludedNamespaces: []util.Wildcard{"bar"},
+					ExcludedNamespaces: []wildcard.Wildcard{"bar"},
 					Processes:          []string{"audit", "webhook"},
 				},
 			},
@@ -719,7 +719,7 @@ func configFor(kinds []schema.GroupVersionKind) *configv1alpha1.Config {
 			},
 			Match: []configv1alpha1.MatchEntry{
 				{
-					ExcludedNamespaces: []util.Wildcard{"kube-system"},
+					ExcludedNamespaces: []wildcard.Wildcard{"kube-system"},
 					Processes:          []string{"sync"},
 				},
 			},

@@ -5,7 +5,7 @@ import (
 	"sync"
 
 	configv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1"
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -23,7 +23,7 @@ const (
 
 type Excluder struct {
 	mux                sync.RWMutex
-	excludedNamespaces map[Process]map[util.Wildcard]bool
+	excludedNamespaces map[Process]map[wildcard.Wildcard]bool
 }
 
 var allProcesses = []Process{
@@ -34,7 +34,7 @@ var allProcesses = []Process{
 }
 
 var processExcluder = &Excluder{
-	excludedNamespaces: make(map[Process]map[util.Wildcard]bool),
+	excludedNamespaces: make(map[Process]map[wildcard.Wildcard]bool),
 }
 
 func Get() *Excluder {
@@ -43,7 +43,7 @@ func Get() *Excluder {
 
 func New() *Excluder {
 	return &Excluder{
-		excludedNamespaces: make(map[Process]map[util.Wildcard]bool),
+		excludedNamespaces: make(map[Process]map[wildcard.Wildcard]bool),
 	}
 }
 
@@ -58,13 +58,13 @@ func (s *Excluder) Add(entry []configv1alpha1.MatchEntry) {
 				if Process(op) == Star {
 					for _, o := range allProcesses {
 						if s.excludedNamespaces[o] == nil {
-							s.excludedNamespaces[o] = make(map[util.Wildcard]bool)
+							s.excludedNamespaces[o] = make(map[wildcard.Wildcard]bool)
 						}
 						s.excludedNamespaces[o][ns] = true
 					}
 				} else {
 					if s.excludedNamespaces[Process(op)] == nil {
-						s.excludedNamespaces[Process(op)] = make(map[util.Wildcard]bool)
+						s.excludedNamespaces[Process(op)] = make(map[wildcard.Wildcard]bool)
 					}
 					s.excludedNamespaces[Process(op)][ns] = true
 				}
@@ -96,7 +96,7 @@ func (s *Excluder) IsNamespaceExcluded(process Process, obj client.Object) (bool
 	return exactOrWildcardMatch(s.excludedNamespaces[process], obj.GetNamespace()), nil
 }
 
-func exactOrWildcardMatch(boolMap map[util.Wildcard]bool, ns string) bool {
+func exactOrWildcardMatch(boolMap map[wildcard.Wildcard]bool, ns string) bool {
 	for k := range boolMap {
 		if k.Matches(ns) {
 			return true

@@ -3,19 +3,19 @@ package process
 import (
 	"testing"
 
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
 )
 
 func TestExactOrWildcardMatch(t *testing.T) {
 	tcs := []struct {
 		name     string
-		nsMap    map[util.Wildcard]bool
+		nsMap    map[wildcard.Wildcard]bool
 		ns       string
 		excluded bool
 	}{
 		{
 			name: "exact text match",
-			nsMap: map[util.Wildcard]bool{
+			nsMap: map[wildcard.Wildcard]bool{
 				"kube-system": true,
 				"foobar":      true,
 			},
@@ -24,7 +24,7 @@ func TestExactOrWildcardMatch(t *testing.T) {
 		},
 		{
 			name: "wildcard prefix match",
-			nsMap: map[util.Wildcard]bool{
+			nsMap: map[wildcard.Wildcard]bool{
 				"kube-*": true,
 				"foobar": true,
 			},
@@ -33,7 +33,7 @@ func TestExactOrWildcardMatch(t *testing.T) {
 		},
 		{
 			name: "wildcard suffix match",
-			nsMap: map[util.Wildcard]bool{
+			nsMap: map[wildcard.Wildcard]bool{
 				"*-system": true,
 				"foobar":   true,
 			},
@@ -42,7 +42,7 @@ func TestExactOrWildcardMatch(t *testing.T) {
 		},
 		{
 			name: "lack of asterisk prevents globbing",
-			nsMap: map[util.Wildcard]bool{
+			nsMap: map[wildcard.Wildcard]bool{
 				"kube-": true,
 			},
 			ns:       "kube-system",

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/mutation/types"
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -188,7 +188,7 @@ func TestMatch(t *testing.T) {
 			name:   "namespace matches",
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "namespace", "name"),
 			matcher: Match{
-				Namespaces: []util.Wildcard{"nonmatching", "namespace"},
+				Namespaces: []wildcard.Wildcard{"nonmatching", "namespace"},
 			},
 			namespace: &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "namespace"}},
 			source:    types.SourceTypeOriginal,
@@ -198,7 +198,7 @@ func TestMatch(t *testing.T) {
 			name:   "is a matching Namespace",
 			object: makeNamespace("matching"),
 			matcher: Match{
-				Namespaces: []util.Wildcard{"matching"},
+				Namespaces: []wildcard.Wildcard{"matching"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -208,7 +208,7 @@ func TestMatch(t *testing.T) {
 			name:   "is not a matching Namespace",
 			object: makeNamespace("non-matching"),
 			matcher: Match{
-				Namespaces: []util.Wildcard{"matching"},
+				Namespaces: []wildcard.Wildcard{"matching"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -219,7 +219,7 @@ func TestMatch(t *testing.T) {
 			name:   "namespaces configured, but cluster scoped",
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "", "name"),
 			matcher: Match{
-				Namespaces: []util.Wildcard{"nonmatching", "namespace"},
+				Namespaces: []wildcard.Wildcard{"nonmatching", "namespace"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -229,7 +229,7 @@ func TestMatch(t *testing.T) {
 			name:   "namespace prefix matches",
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "kube-system", "name"),
 			matcher: Match{
-				Namespaces: []util.Wildcard{"nonmatching", "kube-*"},
+				Namespaces: []wildcard.Wildcard{"nonmatching", "kube-*"},
 			},
 			namespace: &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "kube-system"}},
 			source:    types.SourceTypeOriginal,
@@ -239,7 +239,7 @@ func TestMatch(t *testing.T) {
 			name:   "namespace is not in the matches list",
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "namespace2", "name"),
 			matcher: Match{
-				Namespaces: []util.Wildcard{"nonmatching", "notmatchingeither"},
+				Namespaces: []wildcard.Wildcard{"nonmatching", "notmatchingeither"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -319,7 +319,7 @@ func TestMatch(t *testing.T) {
 			name:   "object's namespace is excluded",
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "namespace", "name"),
 			matcher: Match{
-				ExcludedNamespaces: []util.Wildcard{"namespace"},
+				ExcludedNamespaces: []wildcard.Wildcard{"namespace"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -329,7 +329,7 @@ func TestMatch(t *testing.T) {
 			name:   "object is an excluded Namespace",
 			object: makeNamespace("excluded"),
 			matcher: Match{
-				ExcludedNamespaces: []util.Wildcard{"excluded"},
+				ExcludedNamespaces: []wildcard.Wildcard{"excluded"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -339,7 +339,7 @@ func TestMatch(t *testing.T) {
 			name:   "object is not an excluded Namespace",
 			object: makeNamespace("not-excluded"),
 			matcher: Match{
-				ExcludedNamespaces: []util.Wildcard{"excluded"},
+				ExcludedNamespaces: []wildcard.Wildcard{"excluded"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -350,7 +350,7 @@ func TestMatch(t *testing.T) {
 			name:   "a namespace is excluded, but object is cluster scoped",
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "", "name"),
 			matcher: Match{
-				ExcludedNamespaces: []util.Wildcard{"namespace"},
+				ExcludedNamespaces: []wildcard.Wildcard{"namespace"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -360,7 +360,7 @@ func TestMatch(t *testing.T) {
 			name:   "namespace is excluded by wildcard match",
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "kube-system", "name"),
 			matcher: Match{
-				ExcludedNamespaces: []util.Wildcard{"kube-*"},
+				ExcludedNamespaces: []wildcard.Wildcard{"kube-*"},
 			},
 			namespace: &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "kube-system"}},
 			source:    types.SourceTypeOriginal,
@@ -598,7 +598,7 @@ func TestMatch(t *testing.T) {
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "namespace", "name-foo"),
 			matcher: Match{
 				Name:       "name-foo",
-				Namespaces: []util.Wildcard{"other-namespace"},
+				Namespaces: []wildcard.Wildcard{"other-namespace"},
 			},
 			namespace: nil,
 			source:    types.SourceTypeOriginal,
@@ -609,7 +609,7 @@ func TestMatch(t *testing.T) {
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "namespace", "name-foo"),
 			matcher: Match{
 				Name:       "name-foo",
-				Namespaces: []util.Wildcard{"my-ns"},
+				Namespaces: []wildcard.Wildcard{"my-ns"},
 				Source:     string(types.SourceTypeGenerated),
 			},
 			source: types.SourceTypeGenerated,
@@ -625,7 +625,7 @@ func TestMatch(t *testing.T) {
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "namespace", "name-foo"),
 			matcher: Match{
 				Name:       "name-foo",
-				Namespaces: []util.Wildcard{"my-ns"},
+				Namespaces: []wildcard.Wildcard{"my-ns"},
 			},
 			source: types.SourceTypeGenerated,
 			namespace: &corev1.Namespace{
@@ -640,7 +640,7 @@ func TestMatch(t *testing.T) {
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "namespace", "name-foo"),
 			matcher: Match{
 				Name:       "name-foo",
-				Namespaces: []util.Wildcard{"my-ns"},
+				Namespaces: []wildcard.Wildcard{"my-ns"},
 				Source:     string(types.SourceTypeOriginal),
 			},
 			source: types.SourceTypeGenerated,
@@ -656,7 +656,7 @@ func TestMatch(t *testing.T) {
 			object: makeObject(schema.GroupVersionKind{Kind: "kind", Group: "group"}, "namespace", "name-foo"),
 			matcher: Match{
 				Name:       "name-foo",
-				Namespaces: []util.Wildcard{"my-ns"},
+				Namespaces: []wildcard.Wildcard{"my-ns"},
 				Source:     string(types.SourceTypeOriginal),
 			},
 			namespace: &corev1.Namespace{

@@ -3,7 +3,7 @@
 package match
 
 import (
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -26,14 +26,14 @@ type Match struct {
 	// prefix or suffix based glob.  For example, `namespaces: [kube-*]` matches both
 	// `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both
 	// `kube-system` and `gatekeeper-system`.
-	Namespaces []util.Wildcard `json:"namespaces,omitempty"`
+	Namespaces []wildcard.Wildcard `json:"namespaces,omitempty"`
 	// ExcludedNamespaces is a list of namespace names. If defined, a
 	// constraint only applies to resources not in a listed namespace.
 	// ExcludedNamespaces also supports a prefix or suffix based glob.  For example,
 	// `excludedNamespaces: [kube-*]` matches both `kube-system` and
 	// `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and
 	// `gatekeeper-system`.
-	ExcludedNamespaces []util.Wildcard `json:"excludedNamespaces,omitempty"`
+	ExcludedNamespaces []wildcard.Wildcard `json:"excludedNamespaces,omitempty"`
 	// LabelSelector is the combination of two optional fields: `matchLabels`
 	// and `matchExpressions`.  These two fields provide different methods of
 	// selecting or excluding k8s objects based on the label keys and values
@@ -47,7 +47,7 @@ type Match struct {
 	// Name is the name of an object.  If defined, it will match against objects with the specified
 	// name.  Name also supports a prefix or suffix glob.  For example, `name: pod-*` would match
 	// both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.
-	Name util.Wildcard `json:"name,omitempty"`
+	Name wildcard.Wildcard `json:"name,omitempty"`
 }
 
 // Kinds accepts a list of objects with apiGroups and kinds fields