@miltalex miltalex commented Dec 3, 2025

Fixes #13468

Motivation

Currently, argo-workflows only supports the '=' operator for the field selector metadata.namespace when listing workflows. This limitation restricts the flexibility of our queries, particularly when users wish to exclude specific namespaces from their results. The goal of this PR is to expand support to include the '==' and '!=' operators for metadata.namespace, aligning our capabilities with native Kubernetes functionality. This enhancement allows users to perform exclusion queries (e.g., "list all workflows except those in the 'test' namespace"), improving overall system usability.

Modifications

  • ListOptions Expansion:
    • Extended the ListOptions struct in server/utils to include a new NamespaceFilter field to store the operator type.
  • BuildListOptions Enhancement:
    • Modified the BuildListOptions function to parse metadata.namespace== and metadata.namespace!=.
    • Logic added to ensure != sets the correct filter type and == behaves consistently with =.
  • Database Selector Update:
    • Updated BuildArchivedWorkflowSelector and BuildWorkflowSelector in persist/sqldb to handle the NamespaceFilter.
    • Implemented SQL generation for namespace exclusion (namespace != ?) to support the NotEquals filter in the archive.
  • Workflow Server Authorization:
    • Updated ListWorkflows in server/workflow/workflow_server.go to handle authorization for namespace exclusion.
    • Implemented strict security logic: If metadata.namespace!= is used, the user must have cluster-wide list permissions. If they do not, the request is denied immediately. This mirrors kubectl behavior and prevents potential security issues where excluding a namespace might imply access to all others.

Verification

  • Unit Testing:
    • Added comprehensive unit tests in server/utils/list_options_test.go to cover parsing of the new operators and conflict detection.
    • Updated server/workflowarchive/archived_workflow_server_test.go to verify that the new options are correctly passed to the repository layer.
  • E2E Testing:
    • Added end-to-end tests in test/e2e/argo_server_test.go.
    • Validated that argo list --field-selector metadata.namespace!=<ns> returns the correct workflows for authorized users.
    • Validated that unauthorized users (lacking cluster-wide permissions) receive a 403 Forbidden error when attempting to use the exclusion operator.

Example audit log from local testing:

{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Metadata",
    "auditID": "f8a139b4-9201-4dee-b57b-15e095887f79",
    "stage": "ResponseComplete",
    "requestURI": "/apis/argoproj.io/v1alpha1/workflows?fieldSelector=metadata.namespace%21%3Dargo-test-2\u0026labelSelector=%21workflows.argoproj.io%2Fcontroller-instanceid",
    "verb": "list",
    "user": {
        "username": "system:admin",
        "groups": [
            "system:masters",
            "system:authenticated"
        ]
    },
    "sourceIPs": [
        "192.168.107.3"
    ],
    "userAgent": "argo/v0.0.0 (darwin/amd64) kubernetes/$Format/argo-workflows/latest+6fb2b9f.dirty argo-api-client",
    "objectRef": {
        "resource": "workflows",
        "apiGroup": "argoproj.io",
        "apiVersion": "v1alpha1"
    },
    "responseStatus": {
        "metadata": {},
        "code": 200
    },
    "requestReceivedTimestamp": "2025-12-03T10:34:35.475997Z",
    "stageTimestamp": "2025-12-03T10:34:35.483591Z",
    "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": ""
    }
}
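
The operator parsing and the fail-closed authorization rule described in the PR above, as an added Go sketch that is not the PR's or the project's code. `ParseNamespaceTerm`, `AuthorizeList`, `ErrForbidden` and the `canListAll` input are hypothetical names, and rejecting empty values is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrForbidden = errors.New("namespace exclusion requires cluster-wide list permission")

// ParseNamespaceTerm finds the metadata.namespace term of a comma-separated field selector.
// Assumptions of this sketch: empty values and disagreeing duplicate terms are errors.
func ParseNamespaceTerm(selector string) (ns string, exclude bool, err error) {
	const key = "metadata.namespace"
	for _, term := range strings.Split(selector, ",") {
		if !strings.HasPrefix(term, key) {
			continue
		}
		rest, val, neg := term[len(key):], "", false
		switch { // two-byte operators first: "=" alone would also match "=="
		case strings.HasPrefix(rest, "!="):
			val, neg = rest[2:], true
		case strings.HasPrefix(rest, "=="):
			val = rest[2:]
		case strings.HasPrefix(rest, "="):
			val = rest[1:]
		default:
			continue // another field that only shares the prefix
		}
		if val == "" || (ns != "" && (ns != val || exclude != neg)) {
			return "", false, fmt.Errorf("invalid or conflicting term %q", term)
		}
		ns, exclude = val, neg
	}
	return ns, exclude, nil
}

// AuthorizeList fails closed before any query is built: "!=" spans every other namespace,
// so it is refused unless canListAll (assumed cluster-wide "list" access review) is true.
func AuthorizeList(selector string, canListAll bool) error {
	if _, exclude, err := ParseNamespaceTerm(selector); err != nil {
		return err
	} else if exclude && !canListAll {
		return ErrForbidden
	}
	return nil
}

func main() { fmt.Println(AuthorizeList("metadata.namespace!=argo-test-2", false)) }
```
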

@miltalex miltalex force-pushed the fix/add-namespace-operators branch 3 times, most recently from 8874b3c to d79bf8d Compare December 3, 2025 11:03
@miltalex miltalex marked this pull request as draft December 3, 2025 11:18
@miltalex miltalex force-pushed the fix/add-namespace-operators branch from d79bf8d to 25bd9d2 Compare December 3, 2025 13:02
@miltalex miltalex force-pushed the fix/add-namespace-operators branch from 25bd9d2 to 03388db Compare December 3, 2025 13:03
@miltalex miltalex marked this pull request as ready for review December 3, 2025 13:26

Development

Successfully merging this pull request may close these issues.

Field selectors should support all native k8s operators
