Add glide.yaml and vendor deps

vendor/k8s.io/kubernetes/federation/pkg/federation-controller/secret/BUILD

@@ -0,0 +1,58 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["secret_controller.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//federation/apis/federation/v1beta1:go_default_library",
+        "//federation/client/clientset_generated/federation_release_1_5:go_default_library",
+        "//federation/pkg/federation-controller/util:go_default_library",
+        "//federation/pkg/federation-controller/util/deletionhelper:go_default_library",
+        "//federation/pkg/federation-controller/util/eventsink:go_default_library",
+        "//pkg/api:go_default_library",
+        "//pkg/api/errors:go_default_library",
+        "//pkg/api/v1:go_default_library",
+        "//pkg/client/cache:go_default_library",
+        "//pkg/client/clientset_generated/release_1_5:go_default_library",
+        "//pkg/client/record:go_default_library",
+        "//pkg/controller:go_default_library",
+        "//pkg/conversion:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/types:go_default_library",
+        "//pkg/util/flowcontrol:go_default_library",
+        "//pkg/watch:go_default_library",
+        "//vendor:github.com/golang/glog",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["secret_controller_test.go"],
+    library = "go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//federation/apis/federation/v1beta1:go_default_library",
+        "//federation/client/clientset_generated/federation_release_1_5/fake:go_default_library",
+        "//federation/pkg/federation-controller/util:go_default_library",
+        "//federation/pkg/federation-controller/util/deletionhelper:go_default_library",
+        "//federation/pkg/federation-controller/util/test:go_default_library",
+        "//pkg/api/v1:go_default_library",
+        "//pkg/client/clientset_generated/release_1_5:go_default_library",
+        "//pkg/client/clientset_generated/release_1_5/fake:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/types:go_default_library",
+        "//pkg/util/wait:go_default_library",
+        "//vendor:github.com/stretchr/testify/assert",
+    ],
+)

vendor/k8s.io/kubernetes/federation/pkg/federation-controller/secret/secret_controller.go

@@ -0,0 +1,436 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secret
+
+import (
+	"fmt"
+	"time"
+
+	federationapi "k8s.io/kubernetes/federation/apis/federation/v1beta1"
+	federationclientset "k8s.io/kubernetes/federation/client/clientset_generated/federation_release_1_5"
+	"k8s.io/kubernetes/federation/pkg/federation-controller/util"
+	"k8s.io/kubernetes/federation/pkg/federation-controller/util/deletionhelper"
+	"k8s.io/kubernetes/federation/pkg/federation-controller/util/eventsink"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/errors"
+	apiv1 "k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/kubernetes/pkg/client/cache"
+	kubeclientset "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5"
+	"k8s.io/kubernetes/pkg/client/record"
+	"k8s.io/kubernetes/pkg/controller"
+	"k8s.io/kubernetes/pkg/conversion"
+	pkgruntime "k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/types"
+	"k8s.io/kubernetes/pkg/util/flowcontrol"
+	"k8s.io/kubernetes/pkg/watch"
+
+	"github.com/golang/glog"
+)
+
+const (
+	allClustersKey = "ALL_CLUSTERS"
+)
+
+type SecretController struct {
+	// For triggering single secret reconciliation. This is used when there is an
+	// add/update/delete operation on a secret in either federated API server or
+	// in some member of the federation.
+	secretDeliverer *util.DelayingDeliverer
+
+	// For triggering all secrets reconciliation. This is used when
+	// a new cluster becomes available.
+	clusterDeliverer *util.DelayingDeliverer
+
+	// Contains secrets present in members of federation.
+	secretFederatedInformer util.FederatedInformer
+	// For updating members of federation.
+	federatedUpdater util.FederatedUpdater
+	// Definitions of secrets that should be federated.
+	secretInformerStore cache.Store
+	// Informer controller for secrets that should be federated.
+	secretInformerController cache.ControllerInterface
+
+	// Client to federated api server.
+	federatedApiClient federationclientset.Interface
+
+	// Backoff manager for secrets
+	secretBackoff *flowcontrol.Backoff
+
+	// For events
+	eventRecorder record.EventRecorder
+
+	deletionHelper *deletionhelper.DeletionHelper
+
+	secretReviewDelay     time.Duration
+	clusterAvailableDelay time.Duration
+	smallDelay            time.Duration
+	updateTimeout         time.Duration
+}
+
+// NewSecretController returns a new secret controller
+func NewSecretController(client federationclientset.Interface) *SecretController {
+	broadcaster := record.NewBroadcaster()
+	broadcaster.StartRecordingToSink(eventsink.NewFederatedEventSink(client))
+	recorder := broadcaster.NewRecorder(apiv1.EventSource{Component: "federated-secrets-controller"})
+
+	secretcontroller := &SecretController{
+		federatedApiClient:    client,
+		secretReviewDelay:     time.Second * 10,
+		clusterAvailableDelay: time.Second * 20,
+		smallDelay:            time.Second * 3,
+		updateTimeout:         time.Second * 30,
+		secretBackoff:         flowcontrol.NewBackOff(5*time.Second, time.Minute),
+		eventRecorder:         recorder,
+	}
+
+	// Build delivereres for triggering reconciliations.
+	secretcontroller.secretDeliverer = util.NewDelayingDeliverer()
+	secretcontroller.clusterDeliverer = util.NewDelayingDeliverer()
+
+	// Start informer in federated API servers on secrets that should be federated.
+	secretcontroller.secretInformerStore, secretcontroller.secretInformerController = cache.NewInformer(
+		&cache.ListWatch{
+			ListFunc: func(options apiv1.ListOptions) (pkgruntime.Object, error) {
+				return client.Core().Secrets(apiv1.NamespaceAll).List(options)
+			},
+			WatchFunc: func(options apiv1.ListOptions) (watch.Interface, error) {
+				return client.Core().Secrets(apiv1.NamespaceAll).Watch(options)
+			},
+		},
+		&apiv1.Secret{},
+		controller.NoResyncPeriodFunc(),
+		util.NewTriggerOnAllChanges(func(obj pkgruntime.Object) { secretcontroller.deliverSecretObj(obj, 0, false) }))
+
+	// Federated informer on secrets in members of federation.
+	secretcontroller.secretFederatedInformer = util.NewFederatedInformer(
+		client,
+		func(cluster *federationapi.Cluster, targetClient kubeclientset.Interface) (cache.Store, cache.ControllerInterface) {
+			return cache.NewInformer(
+				&cache.ListWatch{
+					ListFunc: func(options apiv1.ListOptions) (pkgruntime.Object, error) {
+						return targetClient.Core().Secrets(apiv1.NamespaceAll).List(options)
+					},
+					WatchFunc: func(options apiv1.ListOptions) (watch.Interface, error) {
+						return targetClient.Core().Secrets(apiv1.NamespaceAll).Watch(options)
+					},
+				},
+				&apiv1.Secret{},
+				controller.NoResyncPeriodFunc(),
+				// Trigger reconciliation whenever something in federated cluster is changed. In most cases it
+				// would be just confirmation that some secret opration succeeded.
+				util.NewTriggerOnAllChanges(
+					func(obj pkgruntime.Object) {
+						secretcontroller.deliverSecretObj(obj, secretcontroller.secretReviewDelay, false)
+					},
+				))
+		},
+
+		&util.ClusterLifecycleHandlerFuncs{
+			ClusterAvailable: func(cluster *federationapi.Cluster) {
+				// When new cluster becomes available process all the secrets again.
+				secretcontroller.clusterDeliverer.DeliverAt(allClustersKey, nil, time.Now().Add(secretcontroller.clusterAvailableDelay))
+			},
+		},
+	)
+
+	// Federated updeater along with Create/Update/Delete operations.
+	secretcontroller.federatedUpdater = util.NewFederatedUpdater(secretcontroller.secretFederatedInformer,
+		func(client kubeclientset.Interface, obj pkgruntime.Object) error {
+			secret := obj.(*apiv1.Secret)
+			_, err := client.Core().Secrets(secret.Namespace).Create(secret)
+			return err
+		},
+		func(client kubeclientset.Interface, obj pkgruntime.Object) error {
+			secret := obj.(*apiv1.Secret)
+			_, err := client.Core().Secrets(secret.Namespace).Update(secret)
+			return err
+		},
+		func(client kubeclientset.Interface, obj pkgruntime.Object) error {
+			secret := obj.(*apiv1.Secret)
+			err := client.Core().Secrets(secret.Namespace).Delete(secret.Name, &apiv1.DeleteOptions{})
+			return err
+		})
+
+	secretcontroller.deletionHelper = deletionhelper.NewDeletionHelper(
+		secretcontroller.hasFinalizerFunc,
+		secretcontroller.removeFinalizerFunc,
+		secretcontroller.addFinalizerFunc,
+		// objNameFunc
+		func(obj pkgruntime.Object) string {
+			secret := obj.(*apiv1.Secret)
+			return secret.Name
+		},
+		secretcontroller.updateTimeout,
+		secretcontroller.eventRecorder,
+		secretcontroller.secretFederatedInformer,
+		secretcontroller.federatedUpdater,
+	)
+
+	return secretcontroller
+}
+
+// Returns true if the given object has the given finalizer in its ObjectMeta.
+func (secretcontroller *SecretController) hasFinalizerFunc(obj pkgruntime.Object, finalizer string) bool {
+	secret := obj.(*apiv1.Secret)
+	for i := range secret.ObjectMeta.Finalizers {
+		if string(secret.ObjectMeta.Finalizers[i]) == finalizer {
+			return true
+		}
+	}
+	return false
+}
+
+// Removes the finalizer from the given objects ObjectMeta.
+// Assumes that the given object is a secret.
+func (secretcontroller *SecretController) removeFinalizerFunc(obj pkgruntime.Object, finalizer string) (pkgruntime.Object, error) {
+	secret := obj.(*apiv1.Secret)
+	newFinalizers := []string{}
+	hasFinalizer := false
+	for i := range secret.ObjectMeta.Finalizers {
+		if string(secret.ObjectMeta.Finalizers[i]) != finalizer {
+			newFinalizers = append(newFinalizers, secret.ObjectMeta.Finalizers[i])
+		} else {
+			hasFinalizer = true
+		}
+	}
+	if !hasFinalizer {
+		// Nothing to do.
+		return obj, nil
+	}
+	secret.ObjectMeta.Finalizers = newFinalizers
+	secret, err := secretcontroller.federatedApiClient.Core().Secrets(secret.Namespace).Update(secret)
+	if err != nil {
+		return nil, fmt.Errorf("failed to remove finalizer %s from secret %s: %v", finalizer, secret.Name, err)
+	}
+	return secret, nil
+}
+
+// Adds the given finalizer to the given objects ObjectMeta.
+// Assumes that the given object is a secret.
+func (secretcontroller *SecretController) addFinalizerFunc(obj pkgruntime.Object, finalizer string) (pkgruntime.Object, error) {
+	secret := obj.(*apiv1.Secret)
+	secret.ObjectMeta.Finalizers = append(secret.ObjectMeta.Finalizers, finalizer)
+	secret, err := secretcontroller.federatedApiClient.Core().Secrets(secret.Namespace).Update(secret)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add finalizer %s to secret %s: %v", finalizer, secret.Name, err)
+	}
+	return secret, nil
+}
+
+func (secretcontroller *SecretController) Run(stopChan <-chan struct{}) {
+	go secretcontroller.secretInformerController.Run(stopChan)
+	secretcontroller.secretFederatedInformer.Start()
+	go func() {
+		<-stopChan
+		secretcontroller.secretFederatedInformer.Stop()
+	}()
+	secretcontroller.secretDeliverer.StartWithHandler(func(item *util.DelayingDelivererItem) {
+		secret := item.Value.(*types.NamespacedName)
+		secretcontroller.reconcileSecret(*secret)
+	})
+	secretcontroller.clusterDeliverer.StartWithHandler(func(_ *util.DelayingDelivererItem) {
+		secretcontroller.reconcileSecretsOnClusterChange()
+	})
+	util.StartBackoffGC(secretcontroller.secretBackoff, stopChan)
+}
+
+func (secretcontroller *SecretController) deliverSecretObj(obj interface{}, delay time.Duration, failed bool) {
+	secret := obj.(*apiv1.Secret)
+	secretcontroller.deliverSecret(types.NamespacedName{Namespace: secret.Namespace, Name: secret.Name}, delay, failed)
+}
+
+// Adds backoff to delay if this delivery is related to some failure. Resets backoff if there was no failure.
+func (secretcontroller *SecretController) deliverSecret(secret types.NamespacedName, delay time.Duration, failed bool) {
+	key := secret.String()
+	if failed {
+		secretcontroller.secretBackoff.Next(key, time.Now())
+		delay = delay + secretcontroller.secretBackoff.Get(key)
+	} else {
+		secretcontroller.secretBackoff.Reset(key)
+	}
+	secretcontroller.secretDeliverer.DeliverAfter(key, &secret, delay)
+}
+
+// Check whether all data stores are in sync. False is returned if any of the informer/stores is not yet
+// synced with the corresponding api server.
+func (secretcontroller *SecretController) isSynced() bool {
+	if !secretcontroller.secretFederatedInformer.ClustersSynced() {
+		glog.V(2).Infof("Cluster list not synced")
+		return false
+	}
+	clusters, err := secretcontroller.secretFederatedInformer.GetReadyClusters()
+	if err != nil {
+		glog.Errorf("Failed to get ready clusters: %v", err)
+		return false
+	}
+	if !secretcontroller.secretFederatedInformer.GetTargetStore().ClustersSynced(clusters) {
+		return false
+	}
+	return true
+}
+
+// The function triggers reconciliation of all federated secrets.
+func (secretcontroller *SecretController) reconcileSecretsOnClusterChange() {
+	if !secretcontroller.isSynced() {
+		secretcontroller.clusterDeliverer.DeliverAt(allClustersKey, nil, time.Now().Add(secretcontroller.clusterAvailableDelay))
+	}
+	for _, obj := range secretcontroller.secretInformerStore.List() {
+		secret := obj.(*apiv1.Secret)
+		secretcontroller.deliverSecret(types.NamespacedName{Namespace: secret.Namespace, Name: secret.Name}, secretcontroller.smallDelay, false)
+	}
+}
+
+func (secretcontroller *SecretController) reconcileSecret(secret types.NamespacedName) {
+	if !secretcontroller.isSynced() {
+		secretcontroller.deliverSecret(secret, secretcontroller.clusterAvailableDelay, false)
+		return
+	}
+
+	key := secret.String()
+	baseSecretObjFromStore, exist, err := secretcontroller.secretInformerStore.GetByKey(key)
+	if err != nil {
+		glog.Errorf("Failed to query main secret store for %v: %v", key, err)
+		secretcontroller.deliverSecret(secret, 0, true)
+		return
+	}
+
+	if !exist {
+		// Not federated secret, ignoring.
+		return
+	}
+
+	// Create a copy before modifying the obj to prevent race condition with
+	// other readers of obj from store.
+	baseSecretObj, err := conversion.NewCloner().DeepCopy(baseSecretObjFromStore)
+	baseSecret, ok := baseSecretObj.(*apiv1.Secret)
+	if err != nil || !ok {
+		glog.Errorf("Error in retrieving obj from store: %v, %v", ok, err)
+		secretcontroller.deliverSecret(secret, 0, true)
+		return
+	}
+	if baseSecret.DeletionTimestamp != nil {
+		if err := secretcontroller.delete(baseSecret); err != nil {
+			glog.Errorf("Failed to delete %s: %v", secret, err)
+			secretcontroller.eventRecorder.Eventf(baseSecret, api.EventTypeNormal, "DeleteFailed",
+				"Secret delete failed: %v", err)
+			secretcontroller.deliverSecret(secret, 0, true)
+		}
+		return
+	}
+
+	glog.V(3).Infof("Ensuring delete object from underlying clusters finalizer for secret: %s",
+		baseSecret.Name)
+	// Add the required finalizers before creating a secret in underlying clusters.
+	updatedSecretObj, err := secretcontroller.deletionHelper.EnsureFinalizers(baseSecret)
+	if err != nil {
+		glog.Errorf("Failed to ensure delete object from underlying clusters finalizer in secret %s: %v",
+			baseSecret.Name, err)
+		secretcontroller.deliverSecret(secret, 0, false)
+		return
+	}
+	baseSecret = updatedSecretObj.(*apiv1.Secret)
+
+	glog.V(3).Infof("Syncing secret %s in underlying clusters", baseSecret.Name)
+
+	clusters, err := secretcontroller.secretFederatedInformer.GetReadyClusters()
+	if err != nil {
+		glog.Errorf("Failed to get cluster list: %v", err)
+		secretcontroller.deliverSecret(secret, secretcontroller.clusterAvailableDelay, false)
+		return
+	}
+
+	operations := make([]util.FederatedOperation, 0)
+	for _, cluster := range clusters {
+		clusterSecretObj, found, err := secretcontroller.secretFederatedInformer.GetTargetStore().GetByKey(cluster.Name, key)
+		if err != nil {
+			glog.Errorf("Failed to get %s from %s: %v", key, cluster.Name, err)
+			secretcontroller.deliverSecret(secret, 0, true)
+			return
+		}
+
+		// The data should not be modified.
+		desiredSecret := &apiv1.Secret{
+			ObjectMeta: util.DeepCopyRelevantObjectMeta(baseSecret.ObjectMeta),
+			Data:       baseSecret.Data,
+			Type:       baseSecret.Type,
+		}
+
+		if !found {
+			secretcontroller.eventRecorder.Eventf(baseSecret, api.EventTypeNormal, "CreateInCluster",
+				"Creating secret in cluster %s", cluster.Name)
+
+			operations = append(operations, util.FederatedOperation{
+				Type:        util.OperationTypeAdd,
+				Obj:         desiredSecret,
+				ClusterName: cluster.Name,
+			})
+		} else {
+			clusterSecret := clusterSecretObj.(*apiv1.Secret)
+
+			// Update existing secret, if needed.
+			if !util.SecretEquivalent(*desiredSecret, *clusterSecret) {
+
+				secretcontroller.eventRecorder.Eventf(baseSecret, api.EventTypeNormal, "UpdateInCluster",
+					"Updating secret in cluster %s", cluster.Name)
+				operations = append(operations, util.FederatedOperation{
+					Type:        util.OperationTypeUpdate,
+					Obj:         desiredSecret,
+					ClusterName: cluster.Name,
+				})
+			}
+		}
+	}
+
+	if len(operations) == 0 {
+		// Everything is in order
+		return
+	}
+	err = secretcontroller.federatedUpdater.UpdateWithOnError(operations, secretcontroller.updateTimeout,
+		func(op util.FederatedOperation, operror error) {
+			secretcontroller.eventRecorder.Eventf(baseSecret, api.EventTypeNormal, "UpdateInClusterFailed",
+				"Secret update in cluster %s failed: %v", op.ClusterName, operror)
+		})
+
+	if err != nil {
+		glog.Errorf("Failed to execute updates for %s: %v", key, err)
+		secretcontroller.deliverSecret(secret, 0, true)
+		return
+	}
+
+	// Evertyhing is in order but lets be double sure
+	secretcontroller.deliverSecret(secret, secretcontroller.secretReviewDelay, false)
+}
+
+// delete deletes the given secret or returns error if the deletion was not complete.
+func (secretcontroller *SecretController) delete(secret *apiv1.Secret) error {
+	glog.V(3).Infof("Handling deletion of secret: %v", *secret)
+	_, err := secretcontroller.deletionHelper.HandleObjectInUnderlyingClusters(secret)
+	if err != nil {
+		return err
+	}
+
+	err = secretcontroller.federatedApiClient.Core().Secrets(secret.Namespace).Delete(secret.Name, nil)
+	if err != nil {
+		// Its all good if the error is not found error. That means it is deleted already and we do not have to do anything.
+		// This is expected when we are processing an update as a result of secret finalizer deletion.
+		// The process that deleted the last finalizer is also going to delete the secret and we do not have to do anything.
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("failed to delete secret: %v", err)
+		}
+	}
+	return nil
+}

vendor/k8s.io/kubernetes/federation/pkg/federation-controller/secret/secret_controller_test.go

@@ -0,0 +1,196 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secret
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+	"time"
+
+	federationapi "k8s.io/kubernetes/federation/apis/federation/v1beta1"
+	fakefedclientset "k8s.io/kubernetes/federation/client/clientset_generated/federation_release_1_5/fake"
+	"k8s.io/kubernetes/federation/pkg/federation-controller/util"
+	"k8s.io/kubernetes/federation/pkg/federation-controller/util/deletionhelper"
+	. "k8s.io/kubernetes/federation/pkg/federation-controller/util/test"
+	apiv1 "k8s.io/kubernetes/pkg/api/v1"
+	kubeclientset "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5"
+	fakekubeclientset "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/fake"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/types"
+	"k8s.io/kubernetes/pkg/util/wait"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSecretController(t *testing.T) {
+	cluster1 := NewCluster("cluster1", apiv1.ConditionTrue)
+	cluster2 := NewCluster("cluster2", apiv1.ConditionTrue)
+
+	fakeClient := &fakefedclientset.Clientset{}
+	RegisterFakeList("clusters", &fakeClient.Fake, &federationapi.ClusterList{Items: []federationapi.Cluster{*cluster1}})
+	RegisterFakeList("secrets", &fakeClient.Fake, &apiv1.SecretList{Items: []apiv1.Secret{}})
+	secretWatch := RegisterFakeWatch("secrets", &fakeClient.Fake)
+	secretUpdateChan := RegisterFakeCopyOnUpdate("secrets", &fakeClient.Fake, secretWatch)
+	clusterWatch := RegisterFakeWatch("clusters", &fakeClient.Fake)
+
+	cluster1Client := &fakekubeclientset.Clientset{}
+	cluster1Watch := RegisterFakeWatch("secrets", &cluster1Client.Fake)
+	RegisterFakeList("secrets", &cluster1Client.Fake, &apiv1.SecretList{Items: []apiv1.Secret{}})
+	cluster1CreateChan := RegisterFakeCopyOnCreate("secrets", &cluster1Client.Fake, cluster1Watch)
+	//	cluster1UpdateChan := RegisterFakeCopyOnUpdate("secrets", &cluster1Client.Fake, cluster1Watch)
+
+	cluster2Client := &fakekubeclientset.Clientset{}
+	cluster2Watch := RegisterFakeWatch("secrets", &cluster2Client.Fake)
+	RegisterFakeList("secrets", &cluster2Client.Fake, &apiv1.SecretList{Items: []apiv1.Secret{}})
+	cluster2CreateChan := RegisterFakeCopyOnCreate("secrets", &cluster2Client.Fake, cluster2Watch)
+
+	secretController := NewSecretController(fakeClient)
+	informerClientFactory := func(cluster *federationapi.Cluster) (kubeclientset.Interface, error) {
+		switch cluster.Name {
+		case cluster1.Name:
+			return cluster1Client, nil
+		case cluster2.Name:
+			return cluster2Client, nil
+		default:
+			return nil, fmt.Errorf("Unknown cluster")
+		}
+	}
+	setClientFactory(secretController.secretFederatedInformer, informerClientFactory)
+
+	secretController.clusterAvailableDelay = time.Second
+	secretController.secretReviewDelay = 50 * time.Millisecond
+	secretController.smallDelay = 20 * time.Millisecond
+	secretController.updateTimeout = 5 * time.Second
+
+	stop := make(chan struct{})
+	secretController.Run(stop)
+
+	secret1 := apiv1.Secret{
+		ObjectMeta: apiv1.ObjectMeta{
+			Name:      "test-secret",
+			Namespace: "ns",
+			SelfLink:  "/api/v1/namespaces/ns/secrets/test-secret",
+		},
+		Data: map[string][]byte{
+			"A": []byte("ala ma kota"),
+			"B": []byte("quick brown fox"),
+		},
+		Type: apiv1.SecretTypeOpaque,
+	}
+
+	// Test add federated secret.
+	secretWatch.Add(&secret1)
+	// There should be 2 updates to add both the finalizers.
+	updatedSecret := GetSecretFromChan(secretUpdateChan)
+	assert.True(t, secretController.hasFinalizerFunc(updatedSecret, deletionhelper.FinalizerDeleteFromUnderlyingClusters))
+	updatedSecret = GetSecretFromChan(secretUpdateChan)
+	assert.True(t, secretController.hasFinalizerFunc(updatedSecret, apiv1.FinalizerOrphan))
+	secret1 = *updatedSecret
+
+	// Verify that the secret is created in underlying cluster1.
+	createdSecret := GetSecretFromChan(cluster1CreateChan)
+	assert.NotNil(t, createdSecret)
+	assert.Equal(t, secret1.Namespace, createdSecret.Namespace)
+	assert.Equal(t, secret1.Name, createdSecret.Name)
+	assert.True(t, secretsEqual(secret1, *createdSecret),
+		fmt.Sprintf("expected: %v, actual: %v", secret1, *createdSecret))
+
+	// Wait for the secret to appear in the informer store
+	err := WaitForStoreUpdate(
+		secretController.secretFederatedInformer.GetTargetStore(),
+		cluster1.Name, types.NamespacedName{Namespace: secret1.Namespace, Name: secret1.Name}.String(), wait.ForeverTestTimeout)
+	assert.Nil(t, err, "secret should have appeared in the informer store")
+
+	/*
+		        // TODO: Uncomment this once we have figured out why this is flaky.
+			// Test update federated secret.
+			secret1.Annotations = map[string]string{
+				"A": "B",
+			}
+			secretWatch.Modify(&secret1)
+			updatedSecret = GetSecretFromChan(cluster1UpdateChan)
+			assert.NotNil(t, updatedSecret)
+			assert.Equal(t, secret1.Name, updatedSecret.Name)
+			assert.Equal(t, secret1.Namespace, updatedSecret.Namespace)
+			assert.True(t, secretsEqual(secret1, *updatedSecret),
+				fmt.Sprintf("expected: %v, actual: %v", secret1, *updatedSecret))
+			// Wait for the secret to be updated in the informer store.
+			err = WaitForSecretStoreUpdate(
+				secretController.secretFederatedInformer.GetTargetStore(),
+				cluster1.Name, types.NamespacedName{Namespace: secret1.Namespace, Name: secret1.Name}.String(),
+				updatedSecret, wait.ForeverTestTimeout)
+			assert.Nil(t, err, "secret should have been updated in the informer store")
+
+				// Test update federated secret.
+				secret1.Data = map[string][]byte{
+					"config": []byte("myconfigurationfile"),
+				}
+				secretWatch.Modify(&secret1)
+				updatedSecret2 := GetSecretFromChan(cluster1UpdateChan)
+				assert.NotNil(t, updatedSecret2)
+				assert.Equal(t, secret1.Name, updatedSecret2.Name)
+				assert.Equal(t, secret1.Namespace, updatedSecret.Namespace)
+				assert.True(t, secretsEqual(secret1, *updatedSecret2),
+					fmt.Sprintf("expected: %v, actual: %v", secret1, *updatedSecret2))
+	*/
+
+	// Test add cluster
+	clusterWatch.Add(cluster2)
+	createdSecret2 := GetSecretFromChan(cluster2CreateChan)
+	assert.NotNil(t, createdSecret2)
+	assert.Equal(t, secret1.Name, createdSecret2.Name)
+	assert.Equal(t, secret1.Namespace, createdSecret2.Namespace)
+	assert.True(t, secretsEqual(secret1, *createdSecret2),
+		fmt.Sprintf("expected: %v, actual: %v", secret1, *createdSecret2))
+
+	close(stop)
+}
+
+func setClientFactory(informer util.FederatedInformer, informerClientFactory func(*federationapi.Cluster) (kubeclientset.Interface, error)) {
+	testInformer := ToFederatedInformerForTestOnly(informer)
+	testInformer.SetClientFactory(informerClientFactory)
+}
+
+func secretsEqual(a, b apiv1.Secret) bool {
+	// Clear the SelfLink and ObjectMeta.Finalizers since they will be different
+	// in resoure in federation control plane and resource in underlying cluster.
+	a.SelfLink = ""
+	b.SelfLink = ""
+	a.ObjectMeta.Finalizers = []string{}
+	b.ObjectMeta.Finalizers = []string{}
+	return reflect.DeepEqual(a, b)
+}
+
+func GetSecretFromChan(c chan runtime.Object) *apiv1.Secret {
+	secret := GetObjectFromChan(c).(*apiv1.Secret)
+	return secret
+}
+
+// Wait till the store is updated with latest secret.
+func WaitForSecretStoreUpdate(store util.FederatedReadOnlyStore, clusterName, key string, desiredSecret *apiv1.Secret, timeout time.Duration) error {
+	retryInterval := 100 * time.Millisecond
+	err := wait.PollImmediate(retryInterval, timeout, func() (bool, error) {
+		obj, found, err := store.GetByKey(clusterName, key)
+		if !found || err != nil {
+			return false, err
+		}
+		equal := secretsEqual(*obj.(*apiv1.Secret), *desiredSecret)
+		return equal, err
+	})
+	return err
+}