From 220cfdff913da71e7dcdda5736eadef0fd3a5d6b Mon Sep 17 00:00:00 2001
From: Wojciech Tyczynski <wojtekt@google.com>
Date: Tue, 24 Jan 2017 15:24:24 +0100
Subject: [PATCH] Optimize secret manager to refresh secrets from apiserver
 cache

---
 pkg/kubelet/secret/BUILD             |  1 +
 pkg/kubelet/secret/secret_manager.go | 10 +++++++++-
 pkg/kubelet/util/BUILD               |  6 +++++-
 pkg/kubelet/util/util.go             | 27 +++++++++++++++++++++++++++
 4 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 pkg/kubelet/util/util.go

diff --git a/pkg/kubelet/secret/BUILD b/pkg/kubelet/secret/BUILD
index 0f5ee43320e..3dd7ee097e1 100644
--- a/pkg/kubelet/secret/BUILD
+++ b/pkg/kubelet/secret/BUILD
@@ -32,6 +32,7 @@ go_library(
     deps = [
         "//pkg/api/v1:go_default_library",
         "//pkg/client/clientset_generated/clientset:go_default_library",
+        "//pkg/kubelet/util:go_default_library",
         "//pkg/storage/etcd:go_default_library",
         "//vendor:k8s.io/apimachinery/pkg/api/errors",
         "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
diff --git a/pkg/kubelet/secret/secret_manager.go b/pkg/kubelet/secret/secret_manager.go
index be84d6f4f1a..2fb933da76b 100644
--- a/pkg/kubelet/secret/secret_manager.go
+++ b/pkg/kubelet/secret/secret_manager.go
@@ -23,6 +23,7 @@ import (
 
 	"k8s.io/kubernetes/pkg/api/v1"
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
+	"k8s.io/kubernetes/pkg/kubelet/util"
 	storageetcd "k8s.io/kubernetes/pkg/storage/etcd"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -169,7 +170,14 @@ func (s *secretStore) Get(namespace, name string) (*v1.Secret, error) {
 	data.Lock()
 	defer data.Unlock()
 	if data.err != nil || !s.clock.Now().Before(data.lastUpdateTime.Add(s.ttl)) {
-		secret, err := s.kubeClient.Core().Secrets(namespace).Get(name, metav1.GetOptions{})
+		opts := metav1.GetOptions{}
+		if data.secret != nil && data.err == nil {
+			// This is just a periodic refresh of a secret we successfully fetched previously.
+			// In this case, server data from apiserver cache to reduce the load on both
+			// etcd and apiserver (the cache is eventually consistent).
+			util.FromApiserverCache(&opts)
+		}
+		secret, err := s.kubeClient.Core().Secrets(namespace).Get(name, opts)
 		// Update state, unless we got error different than "not-found".
 		if err == nil || apierrors.IsNotFound(err) {
 			// Ignore the update to the older version of a secret.
diff --git a/pkg/kubelet/util/BUILD b/pkg/kubelet/util/BUILD
index 45afd212aa4..9bb03c34afe 100644
--- a/pkg/kubelet/util/BUILD
+++ b/pkg/kubelet/util/BUILD
@@ -9,8 +9,12 @@ load(
 
 go_library(
     name = "go_default_library",
-    srcs = ["doc.go"],
+    srcs = [
+        "doc.go",
+        "util.go",
+    ],
     tags = ["automanaged"],
+    deps = ["//vendor:k8s.io/apimachinery/pkg/apis/meta/v1"],
 )
 
 filegroup(
diff --git a/pkg/kubelet/util/util.go b/pkg/kubelet/util/util.go
new file mode 100644
index 00000000000..ba52058a10b
--- /dev/null
+++ b/pkg/kubelet/util/util.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// FromApiserverCache modifies <opts> so that the GET request will
+// be served from apiserver cache instead of from etcd.
+func FromApiserverCache(opts *metav1.GetOptions) {
+	opts.ResourceVersion = "0"
+}