OCPBUGS-78480: add watchlist new semantic support to project watcher

[dusk125]

support watch list by handling sendInitialEvents option, which sends initial state followed by a bookmark with initial-events-end annotation when enabled.

Summary by CodeRabbit

• New Features
  • Project watch startup can now emit bookmark events alongside initial project events, improving client sync and signaling delivery completion.
  • Bookmark events include an initial-events annotation and use a deterministic resource version derived from namespace resource versions; behavior varies based on initial-event settings.
• Tests
  • Added/updated tests to verify bookmark event sequencing, annotations, and deterministic resource version behavior for both enabled/disabled initial-event modes.
  • Added tests covering image registry whitelisting defaults and denial behavior when the allow list is empty.

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[dusk125]

/jira refresh

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b6a641bb-8137-4234-8169-83a882934c85

📥 Commits

Reviewing files that changed from the base of the PR and between e4e3717 and 2a7784b.

📒 Files selected for processing (2)

• pkg/project/auth/watch.go
• pkg/project/auth/watch_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/project/auth/watch_test.go
• pkg/project/auth/watch.go

---

Walkthrough

Adds a sendBookmark boolean parameter to NewUserProjectWatcher. When enabled, the watcher's Watch() method emits a watch.Bookmark event annotated with metav1.InitialEventsAnnotationKey: "true" before the main event loop. The proxy Watch handler derives this flag from options.SendInitialEvents. Also adds test coverage for registry whitelist allow/deny behavior under default and empty configurations.

Changes

Project Watcher Bookmark Support

Layer / File(s)	Summary
Watcher struct fields and NewUserProjectWatcher initialization pkg/project/auth/watch.go	Adds strconv import for ResourceVersion parsing, extends userProjectWatcher with sendBookmark and bookmarkResourceVersion fields, updates NewUserProjectWatcher signature to accept sendBookmark bool, computes maximum numeric resource version from namespace list, and wires computed values into the watcher.
Bookmark event emission and design documentation pkg/project/auth/watch.go	Adds design-decision comment on initial-events and bookmark behavior relative to resourceVersion semantics and RBAC visibility, and conditionally emits watch.Bookmark event with metav1.InitialEventsAnnotationKey annotation and computed resource version in Watch().
Proxy flag derivation and wiring pkg/project/apiserver/registry/project/proxy/proxy.go	Derives sendBookmark flag from options.SendInitialEvents alongside includeAllExistingProjects, and forwards both flags into NewUserProjectWatcher call.
Test infrastructure updates and bookmark validation tests pkg/project/auth/watch_test.go	Adds fmt import, updates newTestWatcher to accept includeAllExistingProjects and conditionally seed auth cache, updates four existing test call sites, and adds TestSendInitialEventsBookmark with helpers validating bookmark annotation, resource version, event sequences, predicate bypass, and absence of spurious events.

Registry Whitelist Test Coverage

Layer / File(s)	Summary
Registry whitelist default and empty configuration tests pkg/image/apis/image/validation/whitelist/whitelister_test.go	Adds TestDefaultAllowedRegistries to verify allowed/denied hostnames under hard-coded defaults, and TestEmptyAllowedRegistriesDeniesAll to confirm empty configuration denies all tested registries using secure transport.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❌ Error	TestEmptyAllowedRegistriesDeniesAll uses dynamic hostname values in test names: t.Run(hostname, ...) where hostname comes from a slice. These values (quay.io, registry.redhat.io, docker.io, etc.) s...	Change TestEmptyAllowedRegistriesDeniesAll to use static subtest names like TestDefaultAllowedRegistries does: t.Run(tc.name, func(t *testing.T) {...}) using a struct with a name field instead of t.Run(hostname, ...).
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding watchlist new semantic support (specifically sendInitialEvents/bookmark handling) to the project watcher, which aligns with all file changes across proxy, watch, watch_test, and whitelister_test.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Test Structure And Quality	✅ Passed	All test quality requirements are met: (1) Single responsibility - TestSendInitialEventsBookmark uses t.Run() subtests for 3 distinct scenarios; (2) Setup/cleanup - all 3 subtests use defer close(s...
Microshift Test Compatibility	✅ Passed	PR adds only standard Go unit tests (not Ginkgo e2e tests), so the MicroShift compatibility check does not apply. No Ginkgo It()/Describe()/Context()/When() constructs found.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. New tests are standard Go unit tests in pkg/project/auth/watch_test.go and pkg/image/apis/image/validation/whitelist/whitelister_test.go, which are not su...
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only API server code (watch registry, auth validation) with no deployment manifests, operator code, controllers, or pod scheduling constraints. Check does not apply.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations found. The only logging statement in modified code (klog.V(2).Infof in Watch() method) is called as a goroutine during request handling, not in process-leve...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only standard Go unit tests, not Ginkgo e2e tests. No IPv4 assumptions, hardcoded IPs, or external connectivity requirements detected in new tests.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns detected in modified files: no MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto, or non-constant-time secret comparisons found.
Container-Privileges	✅ Passed	No Kubernetes manifests or container configurations present in PR. Changes are Go source files for watch list functionality, not container privilege settings.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains one debug-level logging statement that only logs a queue length (performance metric), containing no passwords, tokens, PII, session IDs, hostnames, or customer data.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@dusk125: This pull request references Jira Issue OCPBUGS-78480, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gangwgr

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@dusk125: This pull request references Jira Issue OCPBUGS-78480, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gangwgr

Details

In response to this:

support watch list by handling sendInitialEvents option, which sends initial state followed by a bookmark with initial-events-end annotation when enabled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/project/auth/watch.go (1)

77-82: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Handle authCache.List errors instead of discarding them.

Line 78 drops the error from authCache.List, and Line 80 can panic if namespaces is nil. Please return/propagate an error from constructor setup rather than proceeding with unknown state.

Suggested direction

-func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool, predicate kstorage.SelectionPredicate, sendBookmark bool) *userProjectWatcher {
-	namespaces, _ := authCache.List(user, labels.Everything())
+func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool, predicate kstorage.SelectionPredicate, sendBookmark bool) (*userProjectWatcher, error) {
+	namespaces, err := authCache.List(user, labels.Everything())
+	if err != nil {
+		return nil, err
+	}
+	if namespaces == nil {
+		return nil, errors.New("auth cache returned nil namespace list")
+	}
@@
-	return w
+	return w, nil
 }

As per coding guidelines, "**/*.go: Go security (prodsec-skills) - Never ignore error returns".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/project/auth/watch.go` around lines 77 - 82, In the NewUserProjectWatcher
constructor function, the error returned by authCache.List on line 78 is being
ignored with a blank identifier, and line 80 can panic if namespaces is nil.
Instead of discarding the error, you must check the return value from
authCache.List and propagate any error to the caller. This requires updating the
function signature to return both *userProjectWatcher and an error (changing
from returning only *userProjectWatcher), then checking if the error from
authCache.List is non-nil and returning it early if so, rather than proceeding
with potentially nil or invalid state.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/project/auth/watch.go`:
- Around line 229-236: The bookmark event emitted in the w.emit() call at this
location includes only the InitialEventsAnnotationKey annotation in the
ObjectMeta but is missing the ResourceVersion field. Update the
projectapi.Project object's ObjectMeta to include both the ResourceVersion and
the InitialEventsAnnotationKey annotation to match upstream watch-list semantics
as documented in KEP-3157. The ResourceVersion should reflect the current watch
state at the point the bookmark is being emitted.

---

Outside diff comments:
In `@pkg/project/auth/watch.go`:
- Around line 77-82: In the NewUserProjectWatcher constructor function, the
error returned by authCache.List on line 78 is being ignored with a blank
identifier, and line 80 can panic if namespaces is nil. Instead of discarding
the error, you must check the return value from authCache.List and propagate any
error to the caller. This requires updating the function signature to return
both *userProjectWatcher and an error (changing from returning only
*userProjectWatcher), then checking if the error from authCache.List is non-nil
and returning it early if so, rather than proceeding with potentially nil or
invalid state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0e0a97fc-bfa0-4801-b272-0789eef3b06c

📥 Commits

Reviewing files that changed from the base of the PR and between 831ab1b and 8eb0697.

📒 Files selected for processing (3)

• pkg/project/apiserver/registry/project/proxy/proxy.go
• pkg/project/auth/watch.go
• pkg/project/auth/watch_test.go

[dusk125]

/testwith ?

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k, ricardomaraschini for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/image/OWNERS
• pkg/project/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31095

[openshift-ci]

@dusk125: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	2a7784b	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[dusk125]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/cluster-openshift-apiserver-operator#681 openshift/origin#31313