steps: []step{
				{"add", "ns1", "secret1", "pod1"},
				{"add", "ns1", "secret1", "pod1"},
				{"delete", "ns1", "secret1", "pod1"},
				{"delete", "ns1", "secret1", "pod1"},
			},
			expects: []expect{
				{"ns1", "secret1", "pod1", 1},
				{"ns1", "secret1", "pod1", 2},
				{"ns1", "secret1", "pod1", 1},
				{"ns1", "secret1", "pod1", 0},
			},
		},
		{

	fakeClient.PrependReactor("get", "secrets", func(action core.Action) (bool, runtime.Object, error) {
		return true, &v1.Secret{}, apierrors.NewNotFound(v1.Resource("secret"), "name")
	})
	secret, err = store.Get("ns", "name")
	if err == nil || !apierrors.IsNotFound(err) {
		t.Errorf("Unexpected error: %v", err)
	}
	if !reflect.DeepEqual(secret, &v1.Secret{}) {
		t.Errorf("Unexpected secret: %v", secret)
	}
}

		// only set one of these per step. The others should be nil.
		add    *v1.Secret
		update *v1.Secret
		delete *v1.Secret

		want []result
	}{
		{
			name: "Create secret s0 and add kubeconfig for cluster c0, which will add remote cluster c0",
			add:  secret0,
			want: []result{{"config", 1}, {"c0", 2}},
		},
		{
			name:   "Update secret s0 and update the kubeconfig of cluster c0, which will update remote cluster c0",

	}
	pod := &api.Pod{
		Spec: api.PodSpec{
			HostAliases: []api.HostAlias{
				{IP: "1.1.1.1"},
				{IP: "1.1.1.1"},
			},
			ImagePullSecrets: []api.LocalObjectReference{
				{Name: "secret1"},
				{Name: "secret1"},
				{Name: ""},
			},
			InitContainers: []api.Container{
				{Name: "init1", Env: env, Resources: api.ResourceRequirements{Requests: resources, Limits: resources}},

				Data: map[string][]byte{
					"token": []byte("secret data"),
				},
			},
			// Columns: Name, Type, Data, Age
			expected: []metav1.TableRow{{Cells: []interface{}{"secret1", "kubernetes.io/service-account-token", int64(1), "0s"}}},
		},
		// Basic namespace with type and age; no data.
		{
			secret: api.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name:              "secret1",

	secrets := kclient.NewFiltered[*v1.Secret](kc, kclient.Filter{
		FieldSelector: fieldSelector,
	})

	for _, h := range handlers {
		h := h
		// register handler before informer starts
		secrets.AddEventHandler(controllers.ObjectHandler(func(o controllers.Object) {
			h(o.GetName(), o.GetNamespace())
		}))
	}

	return &CredentialsController{
		secrets:            secrets,

			if cn == "" {
				continue
			}

			secret := ctx.Find(gvk.Secret, resource.NewShortOrFullName(gwNs, cn))
			if secret == nil {
				m := msg.NewReferencedResourceNotFound(r, "credentialName", cn)

				if line, ok := util.ErrorLine(r, fmt.Sprintf(util.CredentialName, i)); ok {
					m.Line = line
				}

				ctx.Report(gvk.Gateway, m)
				continue
			}
			if !isValidSecret(secret) {

}

// GetRootCAFromSecretConfigDump retrieves root CA from a secret config dump wrapper
func (w *Wrapper) GetRootCAFromSecretConfigDump(anySec *anypb.Any) (string, error) {
	var secret extapi.Secret
	if err := anySec.UnmarshalTo(&secret); err != nil {
		return "", fmt.Errorf("failed to unmarshall ROOTCA secret: %v", err)
	}
	var returnStr string
	var returnErr error
	rCASecret := secret.GetValidationContext()
	if rCASecret != nil {

See the License for the specific language governing permissions and
limitations under the License.
*/

package secrets

import (
	"encoding/json"

	v1 "k8s.io/api/core/v1"
	"k8s.io/kubernetes/pkg/credentialprovider"
)

// MakeDockerKeyring inspects the passedSecrets to see if they contain any DockerConfig secrets.  If they do,
// then a DockerKeyring is built based on every hit and unioned with the defaultKeyring.

		return err
	}

	optional := b.source.Optional != nil && *b.source.Optional
	secret, err := b.getSecret(b.pod.Namespace, b.source.SecretName)
	if err != nil {
		if !(errors.IsNotFound(err) && optional) {
			klog.Errorf("Couldn't get secret %v/%v: %v", b.pod.Namespace, b.source.SecretName, err)
			return err
		}
		secret = &v1.Secret{
			ObjectMeta: metav1.ObjectMeta{
				Namespace: b.pod.Namespace,