OCPBUGS-78480: add new watchlist semantic support to project watcher

[ricardomaraschini]

Support WatchList by handling sendInitialEvents option, which sends initial state followed by a bookmark with initial-events-end annotation when enabled.

Summary by CodeRabbit

• New Features

  • Watch API can optionally emit initial project events followed by a bookmark to mark end-of-initial-state when initial-events delivery is requested.

• Tests

  • Added tests covering both initial-events-with-bookmark and non-initial modes to validate watch behavior and bookmark emission.

[openshift-ci-robot]

@ricardomaraschini: This pull request references Jira Issue OCPBUGS-78480, which is invalid:

• expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.23.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

support watch list by handling sendInitialEvents option, which sends initial state followed by a bookmark with initial-events-end annotation when enabled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Watch now propagates an explicit sendInitialEvents flag from REST into the user project watcher; when enabled the watcher emits initial project Add events and then a Bookmark event annotated with metav1.InitialEventsAnnotationKey before normal streaming resumes.

Changes

Cohort / File(s)	Summary
Watch flag threading & watcher behavior pkg/project/apiserver/registry/project/proxy/proxy.go, pkg/project/auth/watch.go, pkg/project/auth/watch_test.go	REST.Watch computes and forwards sendInitialEvents (in addition to existing includeAllExistingProjects) into NewUserProjectWatcher. Watcher now conditionally emits a watch.Bookmark annotated with metav1.InitialEventsAnnotationKey="true" immediately after initial watch.Added events. Tests added/updated to validate both rv=0 and rv!=0 behaviors.

Sequence Diagram(s)

sequenceDiagram
    actor Client
    participant REST as REST.Watch
    participant Watcher as UserProjectWatcher
    participant Cache as AuthCache
    participant Stream as EventStream

    Client->>REST: Watch(options { ResourceVersion, SendInitialEvents })
    REST->>Watcher: NewUserProjectWatcher(includeAllExistingProjects?, sendBookmark?)
    Watcher->>Cache: enumerate existing projects (if includeAllExistingProjects)
    alt includeAllExistingProjects true
        Watcher->>Stream: emit watch.Added events (initial projects)
        alt sendBookmark true
            Watcher->>Stream: emit watch.Bookmark (InitialEventsAnnotationKey="true")
        end
    else includeAllExistingProjects false
        alt sendBookmark true
            Watcher->>Stream: emit watch.Bookmark (InitialEventsAnnotationKey="true")
        end
    end
    Watcher->>Stream: enter main event loop -> emit subsequent events
    Client->>Stream: receive events

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	The test violates setup and cleanup principles by manually mutating watcher.sendBookmark instead of using the helper function.	Update newTestWatcher helper to accept sendBookmark parameter and pass it to NewUserProjectWatcher instead of manual mutation.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding watchlist semantic support (specifically initial-events-end bookmark handling) to the project watcher.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in watch_test.go are static, deterministic strings with no dynamic information. Test data is properly contained in test bodies following Go testing best practices.
Microshift Test Compatibility	✅ Passed	This PR adds unit tests to watch_test.go, not Ginkgo e2e tests. The test function TestSendInitialEventsBookmark follows standard Go naming (func TestXxx) and is not a Ginkgo test using Describe/Context/It patterns.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The pull request does not add any new Ginkgo e2e tests. Changes are limited to standard Go unit tests in pkg/project/auth/watch_test.go.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only API server watcher logic without introducing deployment manifests, operator code, pod specifications, or scheduling constraints that would affect different OpenShift topologies.
Ote Binary Stdout Contract	✅ Passed	No stdout writes found in process-level code; fmt.Errorf() used only for error creation, klog writes to stderr by default, test output intercepted by framework.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The pull request does not include any Ginkgo e2e tests. The changes consist of modifications to production code in proxy.go and watch.go, plus a new unit test TestSendInitialEventsBookmark in watch_test.go that uses Go's standard testing package, not Ginkgo. Since the custom check explicitly targets Ginkgo e2e tests (with patterns like It(), Describe(), Context(), When()), and this PR contains only standard Go unit tests with no external connectivity or IPv4 assumptions, the check does not apply to this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 8/10 reviews remaining, refill in 11 minutes and 27 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/project/auth/watch_test.go (1)

278-308: Good test coverage for the happy path.

The test correctly validates:

• Initial Added events are emitted for existing namespaces
• A Bookmark event with InitialEventsAnnotationKey annotation follows

Consider adding edge case tests for completeness (optional):

• Empty namespace list: verify only the bookmark is emitted
• Single namespace: verify one Added event plus bookmark

,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/project/auth/watch_test.go` around lines 278 - 308, Add two edge-case
tests alongside TestSendInitialEventsBookmark: one that calls newTestWatcher
with no namespaces to assert only a Bookmark event with the
metav1.InitialEventsAnnotationKey annotation is emitted and no Added events are
received, and another that calls newTestWatcher with a single namespace to
assert exactly one Added event followed by the Bookmark; reuse the same test
pattern (newTestWatcher(..., matchAllPredicate(), true, newNamespaces(...)),
watcher.Watch(), and reading from watcher.ResultChan()) and include the same
timeout checks and annotation assertions against
project.Annotations[metav1.InitialEventsAnnotationKey].

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/project/auth/watch.go`:
- Around line 229-238: The bookmark event emitted when w.sendInitialEvents is
true lacks a ResourceVersion; update the watch.Bookmark event created in the
sendInitialEvents block (the emit call creating a watch.Event with
projectapi.Project) to set ObjectMeta.ResourceVersion to the latest known
resource version tracked by this watcher (from the knownProjects structure
initialized earlier). Locate the knownProjects store (referenced as
knownProjects) and use its latest ResourceVersion value when constructing the
projectapi.Project.ObjectMeta (e.g., set ObjectMeta.ResourceVersion = <latest
from knownProjects>) before calling w.emit so the bookmark complies with
WatchList/KEP-3157.

---

Nitpick comments:
In `@pkg/project/auth/watch_test.go`:
- Around line 278-308: Add two edge-case tests alongside
TestSendInitialEventsBookmark: one that calls newTestWatcher with no namespaces
to assert only a Bookmark event with the metav1.InitialEventsAnnotationKey
annotation is emitted and no Added events are received, and another that calls
newTestWatcher with a single namespace to assert exactly one Added event
followed by the Bookmark; reuse the same test pattern (newTestWatcher(...,
matchAllPredicate(), true, newNamespaces(...)), watcher.Watch(), and reading
from watcher.ResultChan()) and include the same timeout checks and annotation
assertions against project.Annotations[metav1.InitialEventsAnnotationKey].

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 324fb4c0-346b-4b3c-8817-33ca9b8db862

📥 Commits

Reviewing files that changed from the base of the PR and between 8afd81a and 08018d5.

📒 Files selected for processing (3)

• pkg/project/apiserver/registry/project/proxy/proxy.go
• pkg/project/auth/watch.go
• pkg/project/auth/watch_test.go

[ricardomaraschini]

/retest

[ricardomaraschini]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ricardomaraschini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/project/OWNERS [ricardomaraschini]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

pkg/project/auth/watch_test.go (1)

26-47: Thread the bookmark flag through the test helper instead of mutating internal state.

newTestWatcher always constructs NewUserProjectWatcher(..., false) and the new bookmark test flips watcher.sendBookmark afterward. That bypasses the constructor path used by production code and can hide regressions in the new plumbing.

Proposed helper update

-func newTestWatcher(username string, groups []string, predicate storage.SelectionPredicate, includeAllExistingProjects bool, namespaces ...*corev1.Namespace) (*userProjectWatcher, *fakeAuthCache, chan struct{}) {
+func newTestWatcher(username string, groups []string, predicate storage.SelectionPredicate, includeAllExistingProjects, sendBookmark bool, namespaces ...*corev1.Namespace) (*userProjectWatcher, *fakeAuthCache, chan struct{}) {
@@
-	return NewUserProjectWatcher(&user.DefaultInfo{Name: username, Groups: groups}, sets.NewString("*"), projectCache, fakeAuthCache, includeAllExistingProjects, predicate, false), fakeAuthCache, stopCh
+	return NewUserProjectWatcher(&user.DefaultInfo{Name: username, Groups: groups}, sets.NewString("*"), projectCache, fakeAuthCache, includeAllExistingProjects, predicate, sendBookmark), fakeAuthCache, stopCh
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/project/auth/watch_test.go` around lines 26 - 47, newTestWatcher
currently forces the bookmark flag false and tests mutate watcher.sendBookmark
directly; change newTestWatcher signature to accept a bookmark boolean (e.g.,
includeBookmark bool) and pass that value into NewUserProjectWatcher(...,
includeBookmark) so tests exercise the constructor path; update callers/tests to
pass true where the bookmark behavior is required and remove any direct
mutations of watcher.sendBookmark; reference newTestWatcher and
NewUserProjectWatcher to locate the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/project/auth/watch_test.go`:
- Around line 26-47: newTestWatcher currently forces the bookmark flag false and
tests mutate watcher.sendBookmark directly; change newTestWatcher signature to
accept a bookmark boolean (e.g., includeBookmark bool) and pass that value into
NewUserProjectWatcher(..., includeBookmark) so tests exercise the constructor
path; update callers/tests to pass true where the bookmark behavior is required
and remove any direct mutations of watcher.sendBookmark; reference
newTestWatcher and NewUserProjectWatcher to locate the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c19465da-674b-4f45-91d3-fc76e5b0119a

📥 Commits

Reviewing files that changed from the base of the PR and between 08018d5 and c9c3b8a.

📒 Files selected for processing (3)

• pkg/project/apiserver/registry/project/proxy/proxy.go
• pkg/project/auth/watch.go
• pkg/project/auth/watch_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/project/auth/watch.go

[ricardomaraschini]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681,openshift/origin#31095

[ricardomaraschini]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[ricardomaraschini]

/retest

[ricardomaraschini]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[openshift-ci]

@ricardomaraschini: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-upgrade	c9c3b8a	link	true	/test e2e-aws-ovn-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.