OCPBUGS-78480: add watchlist new semantic support to project watcher

[dusk125]

support watch list by handling sendInitialEvents option, which sends initial state followed by a bookmark with initial-events-end annotation when enabled.

Summary by CodeRabbit

• New Features

  • Initial watch requests can now include a bookmark event, improving support for watchers that need a clear “start here” signal.
  • Watches now better handle initial event delivery, including cases where all existing projects are sent first or only the bookmark is returned.

• Bug Fixes

  • Improved consistency of watch behavior when initial events are enabled, including correct annotation on the bookmark event.
  • Ensured bookmark delivery works correctly even when filters are applied.

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[dusk125]

/jira refresh

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 01487419-c3f8-4ab8-98d5-63c874c4bfb8

📥 Commits

Reviewing files that changed from the base of the PR and between 2a7784b and 2ce34b3.

📒 Files selected for processing (2)

• pkg/project/auth/watch.go
• pkg/project/auth/watch_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/project/auth/watch_test.go

---

Walkthrough

Adds a sendBookmark bool parameter to NewUserProjectWatcher and a corresponding field on userProjectWatcher. When set, Watch() emits a watch.Bookmark event annotated with metav1.InitialEventsAnnotationKey: "true" before entering the main loop. The proxy Watch handler derives this flag from options.SendInitialEvents.

Bookmark support for project watch-list

Layer / File(s)	Summary
sendBookmark field, constructor, and Watch emission pkg/project/auth/watch.go	Adds sendBookmark bool to userProjectWatcher and NewUserProjectWatcher signature, assigns it during construction, and conditionally emits a watch.Bookmark with InitialEventsAnnotationKey: "true" in Watch().
Proxy wiring pkg/project/apiserver/registry/project/proxy/proxy.go	Watch derives sendBookmark from options.SendInitialEvents and forwards it into NewUserProjectWatcher.
Test updates and new bookmark tests pkg/project/auth/watch_test.go	Updates newTestWatcher to accept includeAllExistingProjects; adjusts all existing call sites; adds TestSendInitialEventsBookmark covering Added+Bookmark sequences, bookmark-only mode, and field-selector bypass.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the PR’s main change: adding watchlist/sendInitialEvents support to the project watcher.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The added subtest titles are static string literals; none embed generated names, timestamps, or other dynamic data.
Test Structure And Quality	✅ Passed	The added tests are plain unit subtests, use deferred cleanup and bounded waits, and introduce no cluster ops or Ginkgo-pattern issues.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e specs were added; the changed tests are plain testing.T unit tests, so MicroShift-only skip/tag rules don’t apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Added tests are plain testing.T unit tests, not Ginkgo e2e, and they only validate watcher bookmarks/annotations without multi-node or HA assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	PASS: The PR only changes project watch/event handling and tests; no manifests, replicas, affinity, node selectors, or topology constraints were added.
Ote Binary Stdout Contract	✅ Passed	Touched files only add watch logic/tests; no main/init/TestMain or stdout print calls were added. The only logging is klog.Infof in library code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo/e2e tests were added; the touched tests are unit tests and contain no IPv4-only or external connectivity assumptions.
No-Weak-Crypto	✅ Passed	No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or non-constant-time secret comparisons appear in the changed watcher code.
Container-Privileges	✅ Passed	The PR only changes project watch logic/tests; scans of touched files and the repo found no privileged/hostPID/hostNetwork/hostIPC/allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs	✅ Passed	Touched files add bookmark watch logic only; no logs expose passwords, tokens, PII, or host/customer data. Existing klog line logs only queue depth.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci-robot]

@dusk125: This pull request references Jira Issue OCPBUGS-78480, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gangwgr

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@dusk125: This pull request references Jira Issue OCPBUGS-78480, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gangwgr

Details

In response to this:

support watch list by handling sendInitialEvents option, which sends initial state followed by a bookmark with initial-events-end annotation when enabled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/project/auth/watch.go (1)

77-82: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Handle authCache.List errors instead of discarding them.

Line 78 drops the error from authCache.List, and Line 80 can panic if namespaces is nil. Please return/propagate an error from constructor setup rather than proceeding with unknown state.

Suggested direction

-func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool, predicate kstorage.SelectionPredicate, sendBookmark bool) *userProjectWatcher {
-	namespaces, _ := authCache.List(user, labels.Everything())
+func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool, predicate kstorage.SelectionPredicate, sendBookmark bool) (*userProjectWatcher, error) {
+	namespaces, err := authCache.List(user, labels.Everything())
+	if err != nil {
+		return nil, err
+	}
+	if namespaces == nil {
+		return nil, errors.New("auth cache returned nil namespace list")
+	}
@@
-	return w
+	return w, nil
 }

As per coding guidelines, "**/*.go: Go security (prodsec-skills) - Never ignore error returns".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/project/auth/watch.go` around lines 77 - 82, In the NewUserProjectWatcher
constructor function, the error returned by authCache.List on line 78 is being
ignored with a blank identifier, and line 80 can panic if namespaces is nil.
Instead of discarding the error, you must check the return value from
authCache.List and propagate any error to the caller. This requires updating the
function signature to return both *userProjectWatcher and an error (changing
from returning only *userProjectWatcher), then checking if the error from
authCache.List is non-nil and returning it early if so, rather than proceeding
with potentially nil or invalid state.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/project/auth/watch.go`:
- Around line 229-236: The bookmark event emitted in the w.emit() call at this
location includes only the InitialEventsAnnotationKey annotation in the
ObjectMeta but is missing the ResourceVersion field. Update the
projectapi.Project object's ObjectMeta to include both the ResourceVersion and
the InitialEventsAnnotationKey annotation to match upstream watch-list semantics
as documented in KEP-3157. The ResourceVersion should reflect the current watch
state at the point the bookmark is being emitted.

---

Outside diff comments:
In `@pkg/project/auth/watch.go`:
- Around line 77-82: In the NewUserProjectWatcher constructor function, the
error returned by authCache.List on line 78 is being ignored with a blank
identifier, and line 80 can panic if namespaces is nil. Instead of discarding
the error, you must check the return value from authCache.List and propagate any
error to the caller. This requires updating the function signature to return
both *userProjectWatcher and an error (changing from returning only
*userProjectWatcher), then checking if the error from authCache.List is non-nil
and returning it early if so, rather than proceeding with potentially nil or
invalid state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0e0a97fc-bfa0-4801-b272-0789eef3b06c

📥 Commits

Reviewing files that changed from the base of the PR and between 831ab1b and 8eb0697.

📒 Files selected for processing (3)

• pkg/project/apiserver/registry/project/proxy/proxy.go
• pkg/project/auth/watch.go
• pkg/project/auth/watch_test.go

[dusk125]

/testwith ?

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[openshift-ci]

@dusk125: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	2a7784b	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31313

[ricardomaraschini]

Have you implemented a "resume" watching here ? My understanding is that the ResourceVersion is completely ignored (except when it is "zero"). Can you elaborate a little over this one ?

[dusk125]

This was a Claude-ism, It was concerned that having a blank ResourceVersion would break RetryWatchers, so it tried to give a "meaningful" value here.

I've reverted this for now and will run the updated origin tests to see if it was necessary or not.

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31313

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/project/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment