vendor files

vendor/k8s.io/kubernetes/pkg/volume/secret/BUILD

@@ -0,0 +1,60 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "secret.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/volume/secret",
+    deps = [
+        "//pkg/util/io:go_default_library",
+        "//pkg/util/mount:go_default_library",
+        "//pkg/util/strings:go_default_library",
+        "//pkg/volume:go_default_library",
+        "//pkg/volume/util:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["secret_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/volume/secret",
+    library = ":go_default_library",
+    deps = [
+        "//pkg/volume:go_default_library",
+        "//pkg/volume/empty_dir:go_default_library",
+        "//pkg/volume/testing:go_default_library",
+        "//pkg/volume/util:go_default_library",
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/fake:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/volume/secret/OWNERS

@@ -0,0 +1,14 @@
+approvers:
+- pmorie
+- saad-ali
+- thockin
+- matchstick
+reviewers:
+- ivan4th
+- rata
+- sjenning
+- saad-ali
+- jsafrane
+- rootfs
+- jingxu97
+- msau42

vendor/k8s.io/kubernetes/pkg/volume/secret/doc.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package secret contains the internal representation of secret volumes.
+package secret // import "k8s.io/kubernetes/pkg/volume/secret"

vendor/k8s.io/kubernetes/pkg/volume/secret/secret.go

@@ -0,0 +1,319 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secret
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ioutil "k8s.io/kubernetes/pkg/util/io"
+	"k8s.io/kubernetes/pkg/util/mount"
+	"k8s.io/kubernetes/pkg/util/strings"
+	"k8s.io/kubernetes/pkg/volume"
+	volumeutil "k8s.io/kubernetes/pkg/volume/util"
+)
+
+// ProbeVolumePlugin is the entry point for plugin detection in a package.
+func ProbeVolumePlugins() []volume.VolumePlugin {
+	return []volume.VolumePlugin{&secretPlugin{}}
+}
+
+const (
+	secretPluginName = "kubernetes.io/secret"
+)
+
+// secretPlugin implements the VolumePlugin interface.
+type secretPlugin struct {
+	host      volume.VolumeHost
+	getSecret func(namespace, name string) (*v1.Secret, error)
+}
+
+var _ volume.VolumePlugin = &secretPlugin{}
+
+func wrappedVolumeSpec() volume.Spec {
+	return volume.Spec{
+		Volume: &v1.Volume{VolumeSource: v1.VolumeSource{EmptyDir: &v1.EmptyDirVolumeSource{Medium: v1.StorageMediumMemory}}},
+	}
+}
+
+func getPath(uid types.UID, volName string, host volume.VolumeHost) string {
+	return host.GetPodVolumeDir(uid, strings.EscapeQualifiedNameForDisk(secretPluginName), volName)
+}
+
+func (plugin *secretPlugin) Init(host volume.VolumeHost) error {
+	plugin.host = host
+	plugin.getSecret = host.GetSecretFunc()
+	return nil
+}
+
+func (plugin *secretPlugin) GetPluginName() string {
+	return secretPluginName
+}
+
+func (plugin *secretPlugin) GetVolumeName(spec *volume.Spec) (string, error) {
+	volumeSource, _ := getVolumeSource(spec)
+	if volumeSource == nil {
+		return "", fmt.Errorf("Spec does not reference a Secret volume type")
+	}
+
+	return volumeSource.SecretName, nil
+}
+
+func (plugin *secretPlugin) CanSupport(spec *volume.Spec) bool {
+	return spec.Volume != nil && spec.Volume.Secret != nil
+}
+
+func (plugin *secretPlugin) RequiresRemount() bool {
+	return true
+}
+
+func (plugin *secretPlugin) SupportsMountOption() bool {
+	return false
+}
+
+func (plugin *secretPlugin) SupportsBulkVolumeVerification() bool {
+	return false
+}
+
+func (plugin *secretPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
+	return &secretVolumeMounter{
+		secretVolume: &secretVolume{
+			spec.Name(),
+			pod.UID,
+			plugin,
+			plugin.host.GetMounter(plugin.GetPluginName()),
+			plugin.host.GetWriter(),
+			volume.NewCachedMetrics(volume.NewMetricsDu(getPath(pod.UID, spec.Name(), plugin.host))),
+		},
+		source:    *spec.Volume.Secret,
+		pod:       *pod,
+		opts:      &opts,
+		getSecret: plugin.getSecret,
+	}, nil
+}
+
+func (plugin *secretPlugin) NewUnmounter(volName string, podUID types.UID) (volume.Unmounter, error) {
+	return &secretVolumeUnmounter{
+		&secretVolume{
+			volName,
+			podUID,
+			plugin,
+			plugin.host.GetMounter(plugin.GetPluginName()),
+			plugin.host.GetWriter(),
+			volume.NewCachedMetrics(volume.NewMetricsDu(getPath(podUID, volName, plugin.host))),
+		},
+	}, nil
+}
+
+func (plugin *secretPlugin) ConstructVolumeSpec(volName, mountPath string) (*volume.Spec, error) {
+	secretVolume := &v1.Volume{
+		Name: volName,
+		VolumeSource: v1.VolumeSource{
+			Secret: &v1.SecretVolumeSource{
+				SecretName: volName,
+			},
+		},
+	}
+	return volume.NewSpecFromVolume(secretVolume), nil
+}
+
+type secretVolume struct {
+	volName string
+	podUID  types.UID
+	plugin  *secretPlugin
+	mounter mount.Interface
+	writer  ioutil.Writer
+	volume.MetricsProvider
+}
+
+var _ volume.Volume = &secretVolume{}
+
+func (sv *secretVolume) GetPath() string {
+	return getPath(sv.podUID, sv.volName, sv.plugin.host)
+}
+
+// secretVolumeMounter handles retrieving secrets from the API server
+// and placing them into the volume on the host.
+type secretVolumeMounter struct {
+	*secretVolume
+
+	source    v1.SecretVolumeSource
+	pod       v1.Pod
+	opts      *volume.VolumeOptions
+	getSecret func(namespace, name string) (*v1.Secret, error)
+}
+
+var _ volume.Mounter = &secretVolumeMounter{}
+
+func (sv *secretVolume) GetAttributes() volume.Attributes {
+	return volume.Attributes{
+		ReadOnly:        true,
+		Managed:         true,
+		SupportsSELinux: true,
+	}
+}
+
+// Checks prior to mount operations to verify that the required components (binaries, etc.)
+// to mount the volume are available on the underlying node.
+// If not, it returns an error
+func (b *secretVolumeMounter) CanMount() error {
+	return nil
+}
+
+func (b *secretVolumeMounter) SetUp(fsGroup *int64) error {
+	return b.SetUpAt(b.GetPath(), fsGroup)
+}
+
+func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+	glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
+
+	// Wrap EmptyDir, let it do the setup.
+	wrapped, err := b.plugin.host.NewWrapperMounter(b.volName, wrappedVolumeSpec(), &b.pod, *b.opts)
+	if err != nil {
+		return err
+	}
+	if err := wrapped.SetUpAt(dir, fsGroup); err != nil {
+		return err
+	}
+
+	optional := b.source.Optional != nil && *b.source.Optional
+	secret, err := b.getSecret(b.pod.Namespace, b.source.SecretName)
+	if err != nil {
+		if !(errors.IsNotFound(err) && optional) {
+			glog.Errorf("Couldn't get secret %v/%v: %v", b.pod.Namespace, b.source.SecretName, err)
+			return err
+		}
+		secret = &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: b.pod.Namespace,
+				Name:      b.source.SecretName,
+			},
+		}
+	}
+
+	totalBytes := totalSecretBytes(secret)
+	glog.V(3).Infof("Received secret %v/%v containing (%v) pieces of data, %v total bytes",
+		b.pod.Namespace,
+		b.source.SecretName,
+		len(secret.Data),
+		totalBytes)
+
+	payload, err := MakePayload(b.source.Items, secret, b.source.DefaultMode, optional)
+	if err != nil {
+		return err
+	}
+
+	writerContext := fmt.Sprintf("pod %v/%v volume %v", b.pod.Namespace, b.pod.Name, b.volName)
+	writer, err := volumeutil.NewAtomicWriter(dir, writerContext)
+	if err != nil {
+		glog.Errorf("Error creating atomic writer: %v", err)
+		return err
+	}
+
+	err = writer.Write(payload)
+	if err != nil {
+		glog.Errorf("Error writing payload to dir: %v", err)
+		return err
+	}
+
+	err = volume.SetVolumeOwnership(b, fsGroup)
+	if err != nil {
+		glog.Errorf("Error applying volume ownership settings for group: %v", fsGroup)
+		return err
+	}
+
+	return nil
+}
+
+// Note: this function is exported so that it can be called from the projection volume driver
+func MakePayload(mappings []v1.KeyToPath, secret *v1.Secret, defaultMode *int32, optional bool) (map[string]volumeutil.FileProjection, error) {
+	if defaultMode == nil {
+		return nil, fmt.Errorf("No defaultMode used, not even the default value for it")
+	}
+
+	payload := make(map[string]volumeutil.FileProjection, len(secret.Data))
+	var fileProjection volumeutil.FileProjection
+
+	if len(mappings) == 0 {
+		for name, data := range secret.Data {
+			fileProjection.Data = []byte(data)
+			fileProjection.Mode = *defaultMode
+			payload[name] = fileProjection
+		}
+	} else {
+		for _, ktp := range mappings {
+			content, ok := secret.Data[ktp.Key]
+			if !ok {
+				if optional {
+					continue
+				}
+				err_msg := "references non-existent secret key"
+				glog.Errorf(err_msg)
+				return nil, fmt.Errorf(err_msg)
+			}
+
+			fileProjection.Data = []byte(content)
+			if ktp.Mode != nil {
+				fileProjection.Mode = *ktp.Mode
+			} else {
+				fileProjection.Mode = *defaultMode
+			}
+			payload[ktp.Path] = fileProjection
+		}
+	}
+	return payload, nil
+}
+
+func totalSecretBytes(secret *v1.Secret) int {
+	totalSize := 0
+	for _, bytes := range secret.Data {
+		totalSize += len(bytes)
+	}
+
+	return totalSize
+}
+
+// secretVolumeUnmounter handles cleaning up secret volumes.
+type secretVolumeUnmounter struct {
+	*secretVolume
+}
+
+var _ volume.Unmounter = &secretVolumeUnmounter{}
+
+func (c *secretVolumeUnmounter) TearDown() error {
+	return c.TearDownAt(c.GetPath())
+}
+
+func (c *secretVolumeUnmounter) TearDownAt(dir string) error {
+	return volume.UnmountViaEmptyDir(dir, c.plugin.host, c.volName, wrappedVolumeSpec(), c.podUID)
+}
+
+func getVolumeSource(spec *volume.Spec) (*v1.SecretVolumeSource, bool) {
+	var readOnly bool
+	var volumeSource *v1.SecretVolumeSource
+
+	if spec.Volume != nil && spec.Volume.Secret != nil {
+		volumeSource = spec.Volume.Secret
+		readOnly = spec.ReadOnly
+	}
+
+	return volumeSource, readOnly
+}

vendor/k8s.io/kubernetes/pkg/volume/secret/secret_test.go

@@ -0,0 +1,631 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secret
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"reflect"
+	"runtime"
+	"strings"
+	"testing"
+
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/kubernetes/pkg/volume"
+	"k8s.io/kubernetes/pkg/volume/empty_dir"
+	volumetest "k8s.io/kubernetes/pkg/volume/testing"
+	"k8s.io/kubernetes/pkg/volume/util"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMakePayload(t *testing.T) {
+	caseMappingMode := int32(0400)
+	cases := []struct {
+		name     string
+		mappings []v1.KeyToPath
+		secret   *v1.Secret
+		mode     int32
+		optional bool
+		payload  map[string]util.FileProjection
+		success  bool
+	}{
+		{
+			name: "no overrides",
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode: 0644,
+			payload: map[string]util.FileProjection{
+				"foo": {Data: []byte("foo"), Mode: 0644},
+				"bar": {Data: []byte("bar"), Mode: 0644},
+			},
+			success: true,
+		},
+		{
+			name: "basic 1",
+			mappings: []v1.KeyToPath{
+				{
+					Key:  "foo",
+					Path: "path/to/foo.txt",
+				},
+			},
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode: 0644,
+			payload: map[string]util.FileProjection{
+				"path/to/foo.txt": {Data: []byte("foo"), Mode: 0644},
+			},
+			success: true,
+		},
+		{
+			name: "subdirs",
+			mappings: []v1.KeyToPath{
+				{
+					Key:  "foo",
+					Path: "path/to/1/2/3/foo.txt",
+				},
+			},
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode: 0644,
+			payload: map[string]util.FileProjection{
+				"path/to/1/2/3/foo.txt": {Data: []byte("foo"), Mode: 0644},
+			},
+			success: true,
+		},
+		{
+			name: "subdirs 2",
+			mappings: []v1.KeyToPath{
+				{
+					Key:  "foo",
+					Path: "path/to/1/2/3/foo.txt",
+				},
+			},
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode: 0644,
+			payload: map[string]util.FileProjection{
+				"path/to/1/2/3/foo.txt": {Data: []byte("foo"), Mode: 0644},
+			},
+			success: true,
+		},
+		{
+			name: "subdirs 3",
+			mappings: []v1.KeyToPath{
+				{
+					Key:  "foo",
+					Path: "path/to/1/2/3/foo.txt",
+				},
+				{
+					Key:  "bar",
+					Path: "another/path/to/the/esteemed/bar.bin",
+				},
+			},
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode: 0644,
+			payload: map[string]util.FileProjection{
+				"path/to/1/2/3/foo.txt":                {Data: []byte("foo"), Mode: 0644},
+				"another/path/to/the/esteemed/bar.bin": {Data: []byte("bar"), Mode: 0644},
+			},
+			success: true,
+		},
+		{
+			name: "non existent key",
+			mappings: []v1.KeyToPath{
+				{
+					Key:  "zab",
+					Path: "path/to/foo.txt",
+				},
+			},
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode:    0644,
+			success: false,
+		},
+		{
+			name: "mapping with Mode",
+			mappings: []v1.KeyToPath{
+				{
+					Key:  "foo",
+					Path: "foo.txt",
+					Mode: &caseMappingMode,
+				},
+				{
+					Key:  "bar",
+					Path: "bar.bin",
+					Mode: &caseMappingMode,
+				},
+			},
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode: 0644,
+			payload: map[string]util.FileProjection{
+				"foo.txt": {Data: []byte("foo"), Mode: caseMappingMode},
+				"bar.bin": {Data: []byte("bar"), Mode: caseMappingMode},
+			},
+			success: true,
+		},
+		{
+			name: "mapping with defaultMode",
+			mappings: []v1.KeyToPath{
+				{
+					Key:  "foo",
+					Path: "foo.txt",
+				},
+				{
+					Key:  "bar",
+					Path: "bar.bin",
+				},
+			},
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode: 0644,
+			payload: map[string]util.FileProjection{
+				"foo.txt": {Data: []byte("foo"), Mode: 0644},
+				"bar.bin": {Data: []byte("bar"), Mode: 0644},
+			},
+			success: true,
+		},
+		{
+			name: "optional non existent key",
+			mappings: []v1.KeyToPath{
+				{
+					Key:  "zab",
+					Path: "path/to/foo.txt",
+				},
+			},
+			secret: &v1.Secret{
+				Data: map[string][]byte{
+					"foo": []byte("foo"),
+					"bar": []byte("bar"),
+				},
+			},
+			mode:     0644,
+			optional: true,
+			payload:  map[string]util.FileProjection{},
+			success:  true,
+		},
+	}
+
+	for _, tc := range cases {
+		actualPayload, err := MakePayload(tc.mappings, tc.secret, &tc.mode, tc.optional)
+		if err != nil && tc.success {
+			t.Errorf("%v: unexpected failure making payload: %v", tc.name, err)
+			continue
+		}
+
+		if err == nil && !tc.success {
+			t.Errorf("%v: unexpected success making payload", tc.name)
+			continue
+		}
+
+		if !tc.success {
+			continue
+		}
+
+		if e, a := tc.payload, actualPayload; !reflect.DeepEqual(e, a) {
+			t.Errorf("%v: expected and actual payload do not match", tc.name)
+		}
+	}
+}
+
+func newTestHost(t *testing.T, clientset clientset.Interface) (string, volume.VolumeHost) {
+	tempDir, err := ioutil.TempDir("/tmp", "secret_volume_test.")
+	if err != nil {
+		t.Fatalf("can't make a temp rootdir: %v", err)
+	}
+
+	return tempDir, volumetest.NewFakeVolumeHost(tempDir, clientset, empty_dir.ProbeVolumePlugins())
+}
+
+func TestCanSupport(t *testing.T) {
+	pluginMgr := volume.VolumePluginMgr{}
+	tempDir, host := newTestHost(t, nil)
+	defer os.RemoveAll(tempDir)
+	pluginMgr.InitPlugins(ProbeVolumePlugins(), nil /* prober */, host)
+
+	plugin, err := pluginMgr.FindPluginByName(secretPluginName)
+	if err != nil {
+		t.Errorf("Can't find the plugin by name")
+	}
+	if plugin.GetPluginName() != secretPluginName {
+		t.Errorf("Wrong name: %s", plugin.GetPluginName())
+	}
+	if !plugin.CanSupport(&volume.Spec{Volume: &v1.Volume{VolumeSource: v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: ""}}}}) {
+		t.Errorf("Expected true")
+	}
+	if plugin.CanSupport(&volume.Spec{}) {
+		t.Errorf("Expected false")
+	}
+}
+
+func TestPlugin(t *testing.T) {
+	var (
+		testPodUID     = types.UID("test_pod_uid")
+		testVolumeName = "test_volume_name"
+		testNamespace  = "test_secret_namespace"
+		testName       = "test_secret_name"
+
+		volumeSpec    = volumeSpec(testVolumeName, testName, 0644)
+		secret        = secret(testNamespace, testName)
+		client        = fake.NewSimpleClientset(&secret)
+		pluginMgr     = volume.VolumePluginMgr{}
+		rootDir, host = newTestHost(t, client)
+	)
+	defer os.RemoveAll(rootDir)
+	pluginMgr.InitPlugins(ProbeVolumePlugins(), nil /* prober */, host)
+
+	plugin, err := pluginMgr.FindPluginByName(secretPluginName)
+	if err != nil {
+		t.Errorf("Can't find the plugin by name")
+	}
+
+	pod := &v1.Pod{ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, UID: testPodUID}}
+	mounter, err := plugin.NewMounter(volume.NewSpecFromVolume(volumeSpec), pod, volume.VolumeOptions{})
+	if err != nil {
+		t.Errorf("Failed to make a new Mounter: %v", err)
+	}
+	if mounter == nil {
+		t.Fatalf("Got a nil Mounter")
+	}
+
+	volumePath := mounter.GetPath()
+	if !strings.HasSuffix(volumePath, fmt.Sprintf("pods/test_pod_uid/volumes/kubernetes.io~secret/test_volume_name")) {
+		t.Errorf("Got unexpected path: %s", volumePath)
+	}
+
+	err = mounter.SetUp(nil)
+	if err != nil {
+		t.Errorf("Failed to setup volume: %v", err)
+	}
+	if _, err := os.Stat(volumePath); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("SetUp() failed, volume path not created: %s", volumePath)
+		} else {
+			t.Errorf("SetUp() failed: %v", err)
+		}
+	}
+
+	// secret volume should create its own empty wrapper path
+	podWrapperMetadataDir := fmt.Sprintf("%v/pods/test_pod_uid/plugins/kubernetes.io~empty-dir/wrapped_test_volume_name", rootDir)
+
+	if _, err := os.Stat(podWrapperMetadataDir); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("SetUp() failed, empty-dir wrapper path is not created: %s", podWrapperMetadataDir)
+		} else {
+			t.Errorf("SetUp() failed: %v", err)
+		}
+	}
+	doTestSecretDataInVolume(volumePath, secret, t)
+	defer doTestCleanAndTeardown(plugin, testPodUID, testVolumeName, volumePath, t)
+
+	// Metrics only supported on linux
+	metrics, err := mounter.GetMetrics()
+	if runtime.GOOS == "linux" {
+		assert.NotEmpty(t, metrics)
+		assert.NoError(t, err)
+	} else {
+		t.Skipf("Volume metrics not supported on %s", runtime.GOOS)
+	}
+}
+
+// Test the case where the plugin's ready file exists, but the volume dir is not a
+// mountpoint, which is the state the system will be in after reboot.  The dir
+// should be mounter and the secret data written to it.
+func TestPluginReboot(t *testing.T) {
+	var (
+		testPodUID     = types.UID("test_pod_uid3")
+		testVolumeName = "test_volume_name"
+		testNamespace  = "test_secret_namespace"
+		testName       = "test_secret_name"
+
+		volumeSpec    = volumeSpec(testVolumeName, testName, 0644)
+		secret        = secret(testNamespace, testName)
+		client        = fake.NewSimpleClientset(&secret)
+		pluginMgr     = volume.VolumePluginMgr{}
+		rootDir, host = newTestHost(t, client)
+	)
+	defer os.RemoveAll(rootDir)
+	pluginMgr.InitPlugins(ProbeVolumePlugins(), nil /* prober */, host)
+
+	plugin, err := pluginMgr.FindPluginByName(secretPluginName)
+	if err != nil {
+		t.Errorf("Can't find the plugin by name")
+	}
+
+	pod := &v1.Pod{ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, UID: testPodUID}}
+	mounter, err := plugin.NewMounter(volume.NewSpecFromVolume(volumeSpec), pod, volume.VolumeOptions{})
+	if err != nil {
+		t.Errorf("Failed to make a new Mounter: %v", err)
+	}
+	if mounter == nil {
+		t.Fatalf("Got a nil Mounter")
+	}
+
+	podMetadataDir := fmt.Sprintf("%v/pods/test_pod_uid3/plugins/kubernetes.io~secret/test_volume_name", rootDir)
+	util.SetReady(podMetadataDir)
+	volumePath := mounter.GetPath()
+	if !strings.HasSuffix(volumePath, fmt.Sprintf("pods/test_pod_uid3/volumes/kubernetes.io~secret/test_volume_name")) {
+		t.Errorf("Got unexpected path: %s", volumePath)
+	}
+
+	err = mounter.SetUp(nil)
+	if err != nil {
+		t.Errorf("Failed to setup volume: %v", err)
+	}
+	if _, err := os.Stat(volumePath); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("SetUp() failed, volume path not created: %s", volumePath)
+		} else {
+			t.Errorf("SetUp() failed: %v", err)
+		}
+	}
+
+	doTestSecretDataInVolume(volumePath, secret, t)
+	doTestCleanAndTeardown(plugin, testPodUID, testVolumeName, volumePath, t)
+}
+
+func TestPluginOptional(t *testing.T) {
+	var (
+		testPodUID     = types.UID("test_pod_uid")
+		testVolumeName = "test_volume_name"
+		testNamespace  = "test_secret_namespace"
+		testName       = "test_secret_name"
+		trueVal        = true
+
+		volumeSpec    = volumeSpec(testVolumeName, testName, 0644)
+		client        = fake.NewSimpleClientset()
+		pluginMgr     = volume.VolumePluginMgr{}
+		rootDir, host = newTestHost(t, client)
+	)
+	volumeSpec.Secret.Optional = &trueVal
+	defer os.RemoveAll(rootDir)
+	pluginMgr.InitPlugins(ProbeVolumePlugins(), nil /* prober */, host)
+
+	plugin, err := pluginMgr.FindPluginByName(secretPluginName)
+	if err != nil {
+		t.Errorf("Can't find the plugin by name")
+	}
+
+	pod := &v1.Pod{ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, UID: testPodUID}}
+	mounter, err := plugin.NewMounter(volume.NewSpecFromVolume(volumeSpec), pod, volume.VolumeOptions{})
+	if err != nil {
+		t.Errorf("Failed to make a new Mounter: %v", err)
+	}
+	if mounter == nil {
+		t.Errorf("Got a nil Mounter")
+	}
+
+	volumePath := mounter.GetPath()
+	if !strings.HasSuffix(volumePath, fmt.Sprintf("pods/test_pod_uid/volumes/kubernetes.io~secret/test_volume_name")) {
+		t.Errorf("Got unexpected path: %s", volumePath)
+	}
+
+	err = mounter.SetUp(nil)
+	if err != nil {
+		t.Errorf("Failed to setup volume: %v", err)
+	}
+	if _, err := os.Stat(volumePath); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("SetUp() failed, volume path not created: %s", volumePath)
+		} else {
+			t.Errorf("SetUp() failed: %v", err)
+		}
+	}
+
+	// secret volume should create its own empty wrapper path
+	podWrapperMetadataDir := fmt.Sprintf("%v/pods/test_pod_uid/plugins/kubernetes.io~empty-dir/wrapped_test_volume_name", rootDir)
+
+	if _, err := os.Stat(podWrapperMetadataDir); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("SetUp() failed, empty-dir wrapper path is not created: %s", podWrapperMetadataDir)
+		} else {
+			t.Errorf("SetUp() failed: %v", err)
+		}
+	}
+
+	infos, err := ioutil.ReadDir(volumePath)
+	if err != nil {
+		t.Fatalf("couldn't find volume path, %s", volumePath)
+	}
+	if len(infos) != 0 {
+		t.Errorf("empty directory, %s, not found", volumePath)
+	}
+
+	defer doTestCleanAndTeardown(plugin, testPodUID, testVolumeName, volumePath, t)
+}
+
+func TestPluginOptionalKeys(t *testing.T) {
+	var (
+		testPodUID     = types.UID("test_pod_uid")
+		testVolumeName = "test_volume_name"
+		testNamespace  = "test_secret_namespace"
+		testName       = "test_secret_name"
+		trueVal        = true
+
+		volumeSpec    = volumeSpec(testVolumeName, testName, 0644)
+		secret        = secret(testNamespace, testName)
+		client        = fake.NewSimpleClientset(&secret)
+		pluginMgr     = volume.VolumePluginMgr{}
+		rootDir, host = newTestHost(t, client)
+	)
+	volumeSpec.VolumeSource.Secret.Items = []v1.KeyToPath{
+		{Key: "data-1", Path: "data-1"},
+		{Key: "data-2", Path: "data-2"},
+		{Key: "data-3", Path: "data-3"},
+		{Key: "missing", Path: "missing"},
+	}
+	volumeSpec.Secret.Optional = &trueVal
+	defer os.RemoveAll(rootDir)
+	pluginMgr.InitPlugins(ProbeVolumePlugins(), nil /* prober */, host)
+
+	plugin, err := pluginMgr.FindPluginByName(secretPluginName)
+	if err != nil {
+		t.Errorf("Can't find the plugin by name")
+	}
+
+	pod := &v1.Pod{ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, UID: testPodUID}}
+	mounter, err := plugin.NewMounter(volume.NewSpecFromVolume(volumeSpec), pod, volume.VolumeOptions{})
+	if err != nil {
+		t.Errorf("Failed to make a new Mounter: %v", err)
+	}
+	if mounter == nil {
+		t.Errorf("Got a nil Mounter")
+	}
+
+	volumePath := mounter.GetPath()
+	if !strings.HasSuffix(volumePath, fmt.Sprintf("pods/test_pod_uid/volumes/kubernetes.io~secret/test_volume_name")) {
+		t.Errorf("Got unexpected path: %s", volumePath)
+	}
+
+	err = mounter.SetUp(nil)
+	if err != nil {
+		t.Errorf("Failed to setup volume: %v", err)
+	}
+	if _, err := os.Stat(volumePath); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("SetUp() failed, volume path not created: %s", volumePath)
+		} else {
+			t.Errorf("SetUp() failed: %v", err)
+		}
+	}
+
+	// secret volume should create its own empty wrapper path
+	podWrapperMetadataDir := fmt.Sprintf("%v/pods/test_pod_uid/plugins/kubernetes.io~empty-dir/wrapped_test_volume_name", rootDir)
+
+	if _, err := os.Stat(podWrapperMetadataDir); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("SetUp() failed, empty-dir wrapper path is not created: %s", podWrapperMetadataDir)
+		} else {
+			t.Errorf("SetUp() failed: %v", err)
+		}
+	}
+	doTestSecretDataInVolume(volumePath, secret, t)
+	defer doTestCleanAndTeardown(plugin, testPodUID, testVolumeName, volumePath, t)
+
+	// Metrics only supported on linux
+	metrics, err := mounter.GetMetrics()
+	if runtime.GOOS == "linux" {
+		assert.NotEmpty(t, metrics)
+		assert.NoError(t, err)
+	} else {
+		t.Skipf("Volume metrics not supported on %s", runtime.GOOS)
+	}
+}
+
+func volumeSpec(volumeName, secretName string, defaultMode int32) *v1.Volume {
+	return &v1.Volume{
+		Name: volumeName,
+		VolumeSource: v1.VolumeSource{
+			Secret: &v1.SecretVolumeSource{
+				SecretName:  secretName,
+				DefaultMode: &defaultMode,
+			},
+		},
+	}
+}
+
+func secret(namespace, name string) v1.Secret {
+	return v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      name,
+		},
+		Data: map[string][]byte{
+			"data-1": []byte("value-1"),
+			"data-2": []byte("value-2"),
+			"data-3": []byte("value-3"),
+		},
+	}
+}
+
+func doTestSecretDataInVolume(volumePath string, secret v1.Secret, t *testing.T) {
+	for key, value := range secret.Data {
+		secretDataHostPath := path.Join(volumePath, key)
+		if _, err := os.Stat(secretDataHostPath); err != nil {
+			t.Fatalf("SetUp() failed, couldn't find secret data on disk: %v", secretDataHostPath)
+		} else {
+			actualSecretBytes, err := ioutil.ReadFile(secretDataHostPath)
+			if err != nil {
+				t.Fatalf("Couldn't read secret data from: %v", secretDataHostPath)
+			}
+
+			actualSecretValue := string(actualSecretBytes)
+			if string(value) != actualSecretValue {
+				t.Errorf("Unexpected value; expected %q, got %q", value, actualSecretValue)
+			}
+		}
+	}
+}
+
+func doTestCleanAndTeardown(plugin volume.VolumePlugin, podUID types.UID, testVolumeName, volumePath string, t *testing.T) {
+	unmounter, err := plugin.NewUnmounter(testVolumeName, podUID)
+	if err != nil {
+		t.Errorf("Failed to make a new Unmounter: %v", err)
+	}
+	if unmounter == nil {
+		t.Fatalf("Got a nil Unmounter")
+	}
+
+	if err := unmounter.TearDown(); err != nil {
+		t.Errorf("Expected success, got: %v", err)
+	}
+	if _, err := os.Stat(volumePath); err == nil {
+		t.Errorf("TearDown() failed, volume path still exists: %s", volumePath)
+	} else if !os.IsNotExist(err) {
+		t.Errorf("TearDown() failed: %v", err)
+	}
+}