vendor files

vendor/k8s.io/kubernetes/pkg/kubelet/secret/BUILD

@@ -0,0 +1,57 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["secret_manager_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/kubelet/secret",
+    library = ":go_default_library",
+    deps = [
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/fake:go_default_library",
+        "//vendor/k8s.io/client-go/testing:go_default_library",
+    ],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "fake_manager.go",
+        "secret_manager.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/kubelet/secret",
+    deps = [
+        "//pkg/api/v1/pod:go_default_library",
+        "//pkg/kubelet/util:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/storage/etcd:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/kubelet/secret/fake_manager.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secret
+
+import (
+	"k8s.io/api/core/v1"
+)
+
+// fakeManager implements Manager interface for testing purposes.
+// simple operations to apiserver.
+type fakeManager struct {
+}
+
+func NewFakeManager() Manager {
+	return &fakeManager{}
+}
+
+func (s *fakeManager) GetSecret(namespace, name string) (*v1.Secret, error) {
+	return nil, nil
+}
+
+func (s *fakeManager) RegisterPod(pod *v1.Pod) {
+}
+
+func (s *fakeManager) UnregisterPod(pod *v1.Pod) {
+}

vendor/k8s.io/kubernetes/pkg/kubelet/secret/secret_manager.go

@@ -0,0 +1,307 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secret
+
+import (
+	"fmt"
+	"strconv"
+	"sync"
+	"time"
+
+	"k8s.io/api/core/v1"
+	storageetcd "k8s.io/apiserver/pkg/storage/etcd"
+	clientset "k8s.io/client-go/kubernetes"
+	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/pkg/kubelet/util"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+const (
+	defaultTTL = time.Minute
+)
+
+type Manager interface {
+	// Get secret by secret namespace and name.
+	GetSecret(namespace, name string) (*v1.Secret, error)
+
+	// WARNING: Register/UnregisterPod functions should be efficient,
+	// i.e. should not block on network operations.
+
+	// RegisterPod registers all secrets from a given pod.
+	RegisterPod(pod *v1.Pod)
+
+	// UnregisterPod unregisters secrets from a given pod that are not
+	// used by any other registered pod.
+	UnregisterPod(pod *v1.Pod)
+}
+
+// simpleSecretManager implements SecretManager interfaces with
+// simple operations to apiserver.
+type simpleSecretManager struct {
+	kubeClient clientset.Interface
+}
+
+func NewSimpleSecretManager(kubeClient clientset.Interface) Manager {
+	return &simpleSecretManager{kubeClient: kubeClient}
+}
+
+func (s *simpleSecretManager) GetSecret(namespace, name string) (*v1.Secret, error) {
+	return s.kubeClient.CoreV1().Secrets(namespace).Get(name, metav1.GetOptions{})
+}
+
+func (s *simpleSecretManager) RegisterPod(pod *v1.Pod) {
+}
+
+func (s *simpleSecretManager) UnregisterPod(pod *v1.Pod) {
+}
+
+type GetObjectTTLFunc func() (time.Duration, bool)
+
+type objectKey struct {
+	namespace string
+	name      string
+}
+
+// secretStoreItems is a single item stored in secretStore.
+type secretStoreItem struct {
+	refCount int
+	secret   *secretData
+}
+
+type secretData struct {
+	sync.Mutex
+
+	secret         *v1.Secret
+	err            error
+	lastUpdateTime time.Time
+}
+
+// secretStore is a local cache of secrets.
+type secretStore struct {
+	kubeClient clientset.Interface
+	clock      clock.Clock
+
+	lock  sync.Mutex
+	items map[objectKey]*secretStoreItem
+
+	defaultTTL time.Duration
+	getTTL     GetObjectTTLFunc
+}
+
+func newSecretStore(kubeClient clientset.Interface, clock clock.Clock, getTTL GetObjectTTLFunc, ttl time.Duration) *secretStore {
+	return &secretStore{
+		kubeClient: kubeClient,
+		clock:      clock,
+		items:      make(map[objectKey]*secretStoreItem),
+		defaultTTL: ttl,
+		getTTL:     getTTL,
+	}
+}
+
+func isSecretOlder(newSecret, oldSecret *v1.Secret) bool {
+	if newSecret == nil || oldSecret == nil {
+		return false
+	}
+	newVersion, _ := storageetcd.Versioner.ObjectResourceVersion(newSecret)
+	oldVersion, _ := storageetcd.Versioner.ObjectResourceVersion(oldSecret)
+	return newVersion < oldVersion
+}
+
+func (s *secretStore) Add(namespace, name string) {
+	key := objectKey{namespace: namespace, name: name}
+
+	// Add is called from RegisterPod, thus it needs to be efficient.
+	// Thus Add() is only increasing refCount and generation of a given secret.
+	// Then Get() is responsible for fetching if needed.
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	item, exists := s.items[key]
+	if !exists {
+		item = &secretStoreItem{
+			refCount: 0,
+			secret:   &secretData{},
+		}
+		s.items[key] = item
+	}
+
+	item.refCount++
+	// This will trigger fetch on the next Get() operation.
+	item.secret = nil
+}
+
+func (s *secretStore) Delete(namespace, name string) {
+	key := objectKey{namespace: namespace, name: name}
+
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	if item, ok := s.items[key]; ok {
+		item.refCount--
+		if item.refCount == 0 {
+			delete(s.items, key)
+		}
+	}
+}
+
+func GetObjectTTLFromNodeFunc(getNode func() (*v1.Node, error)) GetObjectTTLFunc {
+	return func() (time.Duration, bool) {
+		node, err := getNode()
+		if err != nil {
+			return time.Duration(0), false
+		}
+		if node != nil && node.Annotations != nil {
+			if value, ok := node.Annotations[v1.ObjectTTLAnnotationKey]; ok {
+				if intValue, err := strconv.Atoi(value); err == nil {
+					return time.Duration(intValue) * time.Second, true
+				}
+			}
+		}
+		return time.Duration(0), false
+	}
+}
+
+func (s *secretStore) isSecretFresh(data *secretData) bool {
+	secretTTL := s.defaultTTL
+	if ttl, ok := s.getTTL(); ok {
+		secretTTL = ttl
+	}
+	return s.clock.Now().Before(data.lastUpdateTime.Add(secretTTL))
+}
+
+func (s *secretStore) Get(namespace, name string) (*v1.Secret, error) {
+	key := objectKey{namespace: namespace, name: name}
+
+	data := func() *secretData {
+		s.lock.Lock()
+		defer s.lock.Unlock()
+		item, exists := s.items[key]
+		if !exists {
+			return nil
+		}
+		if item.secret == nil {
+			item.secret = &secretData{}
+		}
+		return item.secret
+	}()
+	if data == nil {
+		return nil, fmt.Errorf("secret %q/%q not registered", namespace, name)
+	}
+
+	// After updating data in secretStore, lock the data, fetch secret if
+	// needed and return data.
+	data.Lock()
+	defer data.Unlock()
+	if data.err != nil || !s.isSecretFresh(data) {
+		opts := metav1.GetOptions{}
+		if data.secret != nil && data.err == nil {
+			// This is just a periodic refresh of a secret we successfully fetched previously.
+			// In this case, server data from apiserver cache to reduce the load on both
+			// etcd and apiserver (the cache is eventually consistent).
+			util.FromApiserverCache(&opts)
+		}
+		secret, err := s.kubeClient.CoreV1().Secrets(namespace).Get(name, opts)
+		if err != nil && !apierrors.IsNotFound(err) && data.secret == nil && data.err == nil {
+			// Couldn't fetch the latest secret, but there is no cached data to return.
+			// Return the fetch result instead.
+			return secret, err
+		}
+		if (err == nil && !isSecretOlder(secret, data.secret)) || apierrors.IsNotFound(err) {
+			// If the fetch succeeded with a newer version of the secret, or if the
+			// secret could not be found in the apiserver, update the cached data to
+			// reflect the current status.
+			data.secret = secret
+			data.err = err
+			data.lastUpdateTime = s.clock.Now()
+		}
+	}
+	return data.secret, data.err
+}
+
+// cachingSecretManager keeps a cache of all secrets necessary for registered pods.
+// It implements the following logic:
+// - whenever a pod is created or updated, the cached versions of all its secrets
+//   are invalidated
+// - every GetSecret() call tries to fetch the value from local cache; if it is
+//   not there, invalidated or too old, we fetch it from apiserver and refresh the
+//   value in cache; otherwise it is just fetched from cache
+type cachingSecretManager struct {
+	secretStore *secretStore
+
+	lock           sync.Mutex
+	registeredPods map[objectKey]*v1.Pod
+}
+
+func NewCachingSecretManager(kubeClient clientset.Interface, getTTL GetObjectTTLFunc) Manager {
+	csm := &cachingSecretManager{
+		secretStore:    newSecretStore(kubeClient, clock.RealClock{}, getTTL, defaultTTL),
+		registeredPods: make(map[objectKey]*v1.Pod),
+	}
+	return csm
+}
+
+func (c *cachingSecretManager) GetSecret(namespace, name string) (*v1.Secret, error) {
+	return c.secretStore.Get(namespace, name)
+}
+
+func getSecretNames(pod *v1.Pod) sets.String {
+	result := sets.NewString()
+	podutil.VisitPodSecretNames(pod, func(name string) bool {
+		result.Insert(name)
+		return true
+	})
+	return result
+}
+
+func (c *cachingSecretManager) RegisterPod(pod *v1.Pod) {
+	names := getSecretNames(pod)
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	for name := range names {
+		c.secretStore.Add(pod.Namespace, name)
+	}
+	var prev *v1.Pod
+	key := objectKey{namespace: pod.Namespace, name: pod.Name}
+	prev = c.registeredPods[key]
+	c.registeredPods[key] = pod
+	if prev != nil {
+		for name := range getSecretNames(prev) {
+			// On an update, the .Add() call above will have re-incremented the
+			// ref count of any existing secrets, so any secrets that are in both
+			// names and prev need to have their ref counts decremented. Any that
+			// are only in prev need to be completely removed. This unconditional
+			// call takes care of both cases.
+			c.secretStore.Delete(prev.Namespace, name)
+		}
+	}
+}
+
+func (c *cachingSecretManager) UnregisterPod(pod *v1.Pod) {
+	var prev *v1.Pod
+	key := objectKey{namespace: pod.Namespace, name: pod.Name}
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	prev = c.registeredPods[key]
+	delete(c.registeredPods, key)
+	if prev != nil {
+		for name := range getSecretNames(prev) {
+			c.secretStore.Delete(prev.Namespace, name)
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/kubelet/secret/secret_manager_test.go

@@ -0,0 +1,539 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secret
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"k8s.io/api/core/v1"
+	"k8s.io/client-go/kubernetes/fake"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/clock"
+	core "k8s.io/client-go/testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func checkSecret(t *testing.T, store *secretStore, ns, name string, shouldExist bool) {
+	_, err := store.Get(ns, name)
+	if shouldExist && err != nil {
+		t.Errorf("unexpected actions: %#v", err)
+	}
+	if !shouldExist && (err == nil || !strings.Contains(err.Error(), fmt.Sprintf("secret %q/%q not registered", ns, name))) {
+		t.Errorf("unexpected actions: %#v", err)
+	}
+}
+
+func noObjectTTL() (time.Duration, bool) {
+	return time.Duration(0), false
+}
+
+func TestSecretStore(t *testing.T) {
+	fakeClient := &fake.Clientset{}
+	store := newSecretStore(fakeClient, clock.RealClock{}, noObjectTTL, 0)
+	store.Add("ns1", "name1")
+	store.Add("ns2", "name2")
+	store.Add("ns1", "name1")
+	store.Add("ns1", "name1")
+	store.Delete("ns1", "name1")
+	store.Delete("ns2", "name2")
+	store.Add("ns3", "name3")
+
+	// Adds don't issue Get requests.
+	actions := fakeClient.Actions()
+	assert.Equal(t, 0, len(actions), "unexpected actions: %#v", actions)
+	// Should issue Get request
+	store.Get("ns1", "name1")
+	// Shouldn't issue Get request, as secret is not registered
+	store.Get("ns2", "name2")
+	// Should issue Get request
+	store.Get("ns3", "name3")
+
+	actions = fakeClient.Actions()
+	assert.Equal(t, 2, len(actions), "unexpected actions: %#v", actions)
+
+	for _, a := range actions {
+		assert.True(t, a.Matches("get", "secrets"), "unexpected actions: %#v", a)
+	}
+
+	checkSecret(t, store, "ns1", "name1", true)
+	checkSecret(t, store, "ns2", "name2", false)
+	checkSecret(t, store, "ns3", "name3", true)
+	checkSecret(t, store, "ns4", "name4", false)
+}
+
+func TestSecretStoreDeletingSecret(t *testing.T) {
+	fakeClient := &fake.Clientset{}
+	store := newSecretStore(fakeClient, clock.RealClock{}, noObjectTTL, 0)
+	store.Add("ns", "name")
+
+	result := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "name", ResourceVersion: "10"}}
+	fakeClient.AddReactor("get", "secrets", func(action core.Action) (bool, runtime.Object, error) {
+		return true, result, nil
+	})
+	secret, err := store.Get("ns", "name")
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	if !reflect.DeepEqual(secret, result) {
+		t.Errorf("Unexpected secret: %v", secret)
+	}
+
+	fakeClient.PrependReactor("get", "secrets", func(action core.Action) (bool, runtime.Object, error) {
+		return true, &v1.Secret{}, apierrors.NewNotFound(v1.Resource("secret"), "name")
+	})
+	secret, err = store.Get("ns", "name")
+	if err == nil || !apierrors.IsNotFound(err) {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	if !reflect.DeepEqual(secret, &v1.Secret{}) {
+		t.Errorf("Unexpected secret: %v", secret)
+	}
+}
+
+func TestSecretStoreGetAlwaysRefresh(t *testing.T) {
+	fakeClient := &fake.Clientset{}
+	fakeClock := clock.NewFakeClock(time.Now())
+	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, 0)
+
+	for i := 0; i < 10; i++ {
+		store.Add(fmt.Sprintf("ns-%d", i), fmt.Sprintf("name-%d", i))
+	}
+	fakeClient.ClearActions()
+
+	wg := sync.WaitGroup{}
+	wg.Add(100)
+	for i := 0; i < 100; i++ {
+		go func(i int) {
+			store.Get(fmt.Sprintf("ns-%d", i%10), fmt.Sprintf("name-%d", i%10))
+			wg.Done()
+		}(i)
+	}
+	wg.Wait()
+	actions := fakeClient.Actions()
+	assert.Equal(t, 100, len(actions), "unexpected actions: %#v", actions)
+
+	for _, a := range actions {
+		assert.True(t, a.Matches("get", "secrets"), "unexpected actions: %#v", a)
+	}
+}
+
+func TestSecretStoreGetNeverRefresh(t *testing.T) {
+	fakeClient := &fake.Clientset{}
+	fakeClock := clock.NewFakeClock(time.Now())
+	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, time.Minute)
+
+	for i := 0; i < 10; i++ {
+		store.Add(fmt.Sprintf("ns-%d", i), fmt.Sprintf("name-%d", i))
+	}
+	fakeClient.ClearActions()
+
+	wg := sync.WaitGroup{}
+	wg.Add(100)
+	for i := 0; i < 100; i++ {
+		go func(i int) {
+			store.Get(fmt.Sprintf("ns-%d", i%10), fmt.Sprintf("name-%d", i%10))
+			wg.Done()
+		}(i)
+	}
+	wg.Wait()
+	actions := fakeClient.Actions()
+	// Only first Get, should forward the Get request.
+	assert.Equal(t, 10, len(actions), "unexpected actions: %#v", actions)
+}
+
+func TestCustomTTL(t *testing.T) {
+	ttl := time.Duration(0)
+	ttlExists := false
+	customTTL := func() (time.Duration, bool) {
+		return ttl, ttlExists
+	}
+
+	fakeClient := &fake.Clientset{}
+	fakeClock := clock.NewFakeClock(time.Time{})
+	store := newSecretStore(fakeClient, fakeClock, customTTL, time.Minute)
+
+	store.Add("ns", "name")
+	store.Get("ns", "name")
+	fakeClient.ClearActions()
+
+	// Set 0-ttl and see if that works.
+	ttl = time.Duration(0)
+	ttlExists = true
+	store.Get("ns", "name")
+	actions := fakeClient.Actions()
+	assert.Equal(t, 1, len(actions), "unexpected actions: %#v", actions)
+	fakeClient.ClearActions()
+
+	// Set 5-minute ttl and see if this works.
+	ttl = time.Duration(5) * time.Minute
+	store.Get("ns", "name")
+	actions = fakeClient.Actions()
+	assert.Equal(t, 0, len(actions), "unexpected actions: %#v", actions)
+	// Still no effect after 4 minutes.
+	fakeClock.Step(4 * time.Minute)
+	store.Get("ns", "name")
+	actions = fakeClient.Actions()
+	assert.Equal(t, 0, len(actions), "unexpected actions: %#v", actions)
+	// Now it should have an effect.
+	fakeClock.Step(time.Minute)
+	store.Get("ns", "name")
+	actions = fakeClient.Actions()
+	assert.Equal(t, 1, len(actions), "unexpected actions: %#v", actions)
+	fakeClient.ClearActions()
+
+	// Now remove the custom ttl and see if that works.
+	ttlExists = false
+	fakeClock.Step(55 * time.Second)
+	store.Get("ns", "name")
+	actions = fakeClient.Actions()
+	assert.Equal(t, 0, len(actions), "unexpected actions: %#v", actions)
+	// Pass the minute and it should be triggered now.
+	fakeClock.Step(5 * time.Second)
+	store.Get("ns", "name")
+	actions = fakeClient.Actions()
+	assert.Equal(t, 1, len(actions), "unexpected actions: %#v", actions)
+}
+
+func TestParseNodeAnnotation(t *testing.T) {
+	testCases := []struct {
+		node   *v1.Node
+		err    error
+		exists bool
+		ttl    time.Duration
+	}{
+		{
+			node:   nil,
+			err:    fmt.Errorf("error"),
+			exists: false,
+		},
+		{
+			node: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "node",
+				},
+			},
+			exists: false,
+		},
+		{
+			node: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "node",
+					Annotations: map[string]string{},
+				},
+			},
+			exists: false,
+		},
+		{
+			node: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "node",
+					Annotations: map[string]string{v1.ObjectTTLAnnotationKey: "bad"},
+				},
+			},
+			exists: false,
+		},
+		{
+			node: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "node",
+					Annotations: map[string]string{v1.ObjectTTLAnnotationKey: "0"},
+				},
+			},
+			exists: true,
+			ttl:    time.Duration(0),
+		},
+		{
+			node: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "node",
+					Annotations: map[string]string{v1.ObjectTTLAnnotationKey: "60"},
+				},
+			},
+			exists: true,
+			ttl:    time.Minute,
+		},
+	}
+	for i, testCase := range testCases {
+		getNode := func() (*v1.Node, error) { return testCase.node, testCase.err }
+		ttl, exists := GetObjectTTLFromNodeFunc(getNode)()
+		if exists != testCase.exists {
+			t.Errorf("%d: incorrect parsing: %t", i, exists)
+			continue
+		}
+		if exists && ttl != testCase.ttl {
+			t.Errorf("%d: incorrect ttl: %v", i, ttl)
+		}
+	}
+}
+
+type envSecrets struct {
+	envVarNames  []string
+	envFromNames []string
+}
+
+type secretsToAttach struct {
+	imagePullSecretNames []string
+	containerEnvSecrets  []envSecrets
+}
+
+func podWithSecrets(ns, podName string, toAttach secretsToAttach) *v1.Pod {
+	pod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns,
+			Name:      podName,
+		},
+		Spec: v1.PodSpec{},
+	}
+	for _, name := range toAttach.imagePullSecretNames {
+		pod.Spec.ImagePullSecrets = append(
+			pod.Spec.ImagePullSecrets, v1.LocalObjectReference{Name: name})
+	}
+	for i, secrets := range toAttach.containerEnvSecrets {
+		container := v1.Container{
+			Name: fmt.Sprintf("container-%d", i),
+		}
+		for _, name := range secrets.envFromNames {
+			envFrom := v1.EnvFromSource{
+				SecretRef: &v1.SecretEnvSource{
+					LocalObjectReference: v1.LocalObjectReference{
+						Name: name,
+					},
+				},
+			}
+			container.EnvFrom = append(container.EnvFrom, envFrom)
+		}
+
+		for _, name := range secrets.envVarNames {
+			envSource := &v1.EnvVarSource{
+				SecretKeyRef: &v1.SecretKeySelector{
+					LocalObjectReference: v1.LocalObjectReference{
+						Name: name,
+					},
+				},
+			}
+			container.Env = append(container.Env, v1.EnvVar{ValueFrom: envSource})
+		}
+		pod.Spec.Containers = append(pod.Spec.Containers, container)
+	}
+	return pod
+}
+
+func TestCacheInvalidation(t *testing.T) {
+	fakeClient := &fake.Clientset{}
+	fakeClock := clock.NewFakeClock(time.Now())
+	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, time.Minute)
+	manager := &cachingSecretManager{
+		secretStore:    store,
+		registeredPods: make(map[objectKey]*v1.Pod),
+	}
+
+	// Create a pod with some secrets.
+	s1 := secretsToAttach{
+		imagePullSecretNames: []string{"s1"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s1"}, envFromNames: []string{"s10"}},
+			{envVarNames: []string{"s2"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns1", "name1", s1))
+	// Fetch both secrets - this should triggger get operations.
+	store.Get("ns1", "s1")
+	store.Get("ns1", "s10")
+	store.Get("ns1", "s2")
+	actions := fakeClient.Actions()
+	assert.Equal(t, 3, len(actions), "unexpected actions: %#v", actions)
+	fakeClient.ClearActions()
+
+	// Update a pod with a new secret.
+	s2 := secretsToAttach{
+		imagePullSecretNames: []string{"s1"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s1"}},
+			{envVarNames: []string{"s2"}, envFromNames: []string{"s20"}},
+			{envVarNames: []string{"s3"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns1", "name1", s2))
+	// All secrets should be invalidated - this should trigger get operations.
+	store.Get("ns1", "s1")
+	store.Get("ns1", "s2")
+	store.Get("ns1", "s20")
+	store.Get("ns1", "s3")
+	actions = fakeClient.Actions()
+	assert.Equal(t, 4, len(actions), "unexpected actions: %#v", actions)
+	fakeClient.ClearActions()
+
+	// Create a new pod that is refencing the first three secrets - those should
+	// be invalidated.
+	manager.RegisterPod(podWithSecrets("ns1", "name2", s1))
+	store.Get("ns1", "s1")
+	store.Get("ns1", "s10")
+	store.Get("ns1", "s2")
+	store.Get("ns1", "s20")
+	store.Get("ns1", "s3")
+	actions = fakeClient.Actions()
+	assert.Equal(t, 3, len(actions), "unexpected actions: %#v", actions)
+	fakeClient.ClearActions()
+}
+
+func TestCacheRefcounts(t *testing.T) {
+	fakeClient := &fake.Clientset{}
+	fakeClock := clock.NewFakeClock(time.Now())
+	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, time.Minute)
+	manager := &cachingSecretManager{
+		secretStore:    store,
+		registeredPods: make(map[objectKey]*v1.Pod),
+	}
+
+	s1 := secretsToAttach{
+		imagePullSecretNames: []string{"s1"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s1"}, envFromNames: []string{"s10"}},
+			{envVarNames: []string{"s2"}},
+			{envVarNames: []string{"s3"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns1", "name1", s1))
+	manager.RegisterPod(podWithSecrets("ns1", "name2", s1))
+	s2 := secretsToAttach{
+		imagePullSecretNames: []string{"s2"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s4"}},
+			{envVarNames: []string{"s5"}, envFromNames: []string{"s50"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns1", "name2", s2))
+	manager.RegisterPod(podWithSecrets("ns1", "name3", s2))
+	manager.RegisterPod(podWithSecrets("ns1", "name4", s2))
+	manager.UnregisterPod(podWithSecrets("ns1", "name3", s2))
+	s3 := secretsToAttach{
+		imagePullSecretNames: []string{"s1"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s3"}, envFromNames: []string{"s30"}},
+			{envVarNames: []string{"s5"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns1", "name5", s3))
+	manager.RegisterPod(podWithSecrets("ns1", "name6", s3))
+	s4 := secretsToAttach{
+		imagePullSecretNames: []string{"s3"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s6"}},
+			{envFromNames: []string{"s60"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns1", "name7", s4))
+	manager.UnregisterPod(podWithSecrets("ns1", "name7", s4))
+
+	// Also check the Add + Update + Remove scenario.
+	manager.RegisterPod(podWithSecrets("ns1", "other-name", s1))
+	manager.RegisterPod(podWithSecrets("ns1", "other-name", s2))
+	manager.UnregisterPod(podWithSecrets("ns1", "other-name", s2))
+
+	s5 := secretsToAttach{
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s7"}},
+			{envFromNames: []string{"s70"}},
+		},
+	}
+	// Check the no-op update scenario
+	manager.RegisterPod(podWithSecrets("ns1", "noop-pod", s5))
+	manager.RegisterPod(podWithSecrets("ns1", "noop-pod", s5))
+
+	// Now we have: 3 pods with s1, 2 pods with s2 and 2 pods with s3, 0 pods with s4.
+	refs := func(ns, name string) int {
+		store.lock.Lock()
+		defer store.lock.Unlock()
+		item, ok := store.items[objectKey{ns, name}]
+		if !ok {
+			return 0
+		}
+		return item.refCount
+	}
+	assert.Equal(t, 3, refs("ns1", "s1"))
+	assert.Equal(t, 1, refs("ns1", "s10"))
+	assert.Equal(t, 3, refs("ns1", "s2"))
+	assert.Equal(t, 3, refs("ns1", "s3"))
+	assert.Equal(t, 2, refs("ns1", "s30"))
+	assert.Equal(t, 2, refs("ns1", "s4"))
+	assert.Equal(t, 4, refs("ns1", "s5"))
+	assert.Equal(t, 2, refs("ns1", "s50"))
+	assert.Equal(t, 0, refs("ns1", "s6"))
+	assert.Equal(t, 0, refs("ns1", "s60"))
+	assert.Equal(t, 1, refs("ns1", "s7"))
+	assert.Equal(t, 1, refs("ns1", "s70"))
+}
+
+func TestCachingSecretManager(t *testing.T) {
+	fakeClient := &fake.Clientset{}
+	secretStore := newSecretStore(fakeClient, clock.RealClock{}, noObjectTTL, 0)
+	manager := &cachingSecretManager{
+		secretStore:    secretStore,
+		registeredPods: make(map[objectKey]*v1.Pod),
+	}
+
+	// Create a pod with some secrets.
+	s1 := secretsToAttach{
+		imagePullSecretNames: []string{"s1"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s1"}},
+			{envVarNames: []string{"s2"}},
+			{envFromNames: []string{"s20"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns1", "name1", s1))
+	// Update the pod with a different secrets.
+	s2 := secretsToAttach{
+		imagePullSecretNames: []string{"s1"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s3"}},
+			{envVarNames: []string{"s4"}},
+			{envFromNames: []string{"s40"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns1", "name1", s2))
+	// Create another pod, but with same secrets in different namespace.
+	manager.RegisterPod(podWithSecrets("ns2", "name2", s2))
+	// Create and delete a pod with some other secrets.
+	s3 := secretsToAttach{
+		imagePullSecretNames: []string{"s5"},
+		containerEnvSecrets: []envSecrets{
+			{envVarNames: []string{"s6"}},
+			{envFromNames: []string{"s60"}},
+		},
+	}
+	manager.RegisterPod(podWithSecrets("ns3", "name", s3))
+	manager.UnregisterPod(podWithSecrets("ns3", "name", s3))
+
+	// We should have only: s1, s3 and s4 secrets in namespaces: ns1 and ns2.
+	for _, ns := range []string{"ns1", "ns2", "ns3"} {
+		for _, secret := range []string{"s1", "s2", "s3", "s4", "s5", "s6", "s20", "s40", "s50"} {
+			shouldExist :=
+				(secret == "s1" || secret == "s3" || secret == "s4" || secret == "s40") && (ns == "ns1" || ns == "ns2")
+			checkSecret(t, secretStore, ns, secret, shouldExist)
+		}
+	}
+}