sbueringer
diff --git a/‎bootstrap/kubeadm/controllers/alias.go‎
Lines changed: 7 additions & 5 deletions b/‎bootstrap/kubeadm/controllers/alias.go‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go‎
Lines changed: 13 additions & 8 deletions b/‎bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go‎
Lines changed: 13 additions & 8 deletions
diff --git a/‎bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_reconciler_test.go‎
Lines changed: 2 additions & 1 deletion b/‎bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_reconciler_test.go‎
Lines changed: 2 additions & 1 deletion
@@ -38,7 +38,8 @@ const (
 
 // KubeadmConfigReconciler reconciles a KubeadmConfig object.
 type KubeadmConfigReconciler struct {
-	Client client.Client
+	Client              client.Client
+	SecretCachingClient client.Client
 
 	Tracker *remote.ClusterCacheTracker
 
@@ -52,9 +53,10 @@ type KubeadmConfigReconciler struct {
 // SetupWithManager sets up the reconciler with the Manager.
 func (r *KubeadmConfigReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, options controller.Options) error {
 	return (&kubeadmbootstrapcontrollers.KubeadmConfigReconciler{
-		Client:           r.Client,
-		Tracker:          r.Tracker,
-		WatchFilterValue: r.WatchFilterValue,
-		TokenTTL:         r.TokenTTL,
+		Client:              r.Client,
+		SecretCachingClient: r.SecretCachingClient,
+		Tracker:             r.Tracker,
+		WatchFilterValue:    r.WatchFilterValue,
+		TokenTTL:            r.TokenTTL,
 	}).SetupWithManager(ctx, mgr, options)
 }
@@ -76,9 +76,10 @@ type InitLocker interface {
 
 // KubeadmConfigReconciler reconciles a KubeadmConfig object.
 type KubeadmConfigReconciler struct {
-	Client          client.Client
-	Tracker         *remote.ClusterCacheTracker
-	KubeadmInitLock InitLocker
+	Client              client.Client
+	SecretCachingClient client.Client
+	Tracker             *remote.ClusterCacheTracker
+	KubeadmInitLock     InitLocker
 
 	// WatchFilterValue is the label value used to filter events prior to reconciliation.
 	WatchFilterValue string
@@ -453,13 +454,15 @@ func (r *KubeadmConfigReconciler) handleClusterNotInitialized(ctx context.Contex
 	// Otherwise rely on certificates generated by the ControlPlane controller.
 	// Note: A cluster does not have a ControlPlane reference when using standalone CP machines.
 	if scope.Cluster.Spec.ControlPlaneRef == nil {
-		err = certificates.LookupOrGenerate(
+		err = certificates.LookupOrGenerateCached(
 			ctx,
+			r.SecretCachingClient,
 			r.Client,
 			util.ObjectKey(scope.Cluster),
 			*metav1.NewControllerRef(scope.Config, bootstrapv1.GroupVersion.WithKind("KubeadmConfig")))
 	} else {
-		err = certificates.Lookup(ctx,
+		err = certificates.LookupCached(ctx,
+			r.SecretCachingClient,
 			r.Client,
 			util.ObjectKey(scope.Cluster))
 	}
@@ -531,8 +534,9 @@ func (r *KubeadmConfigReconciler) joinWorker(ctx context.Context, scope *Scope)
 	scope.Info("Creating BootstrapData for the worker node")
 
 	certificates := secret.NewCertificatesForWorker(scope.Config.Spec.JoinConfiguration.CACertPath)
-	err := certificates.Lookup(
+	err := certificates.LookupCached(
 		ctx,
+		r.SecretCachingClient,
 		r.Client,
 		util.ObjectKey(scope.Cluster),
 	)
@@ -645,8 +649,9 @@ func (r *KubeadmConfigReconciler) joinControlplane(ctx context.Context, scope *S
 	}
 
 	certificates := secret.NewControlPlaneJoinCerts(scope.Config.Spec.ClusterConfiguration)
-	err := certificates.Lookup(
+	err := certificates.LookupCached(
 		ctx,
+		r.SecretCachingClient,
 		r.Client,
 		util.ObjectKey(scope.Cluster),
 	)
@@ -1055,7 +1060,7 @@ func (r *KubeadmConfigReconciler) storeBootstrapData(ctx context.Context, scope
 // Ensure the bootstrap secret has the KubeadmConfig as a controller OwnerReference.
 func (r *KubeadmConfigReconciler) ensureBootstrapSecretOwnersRef(ctx context.Context, scope *Scope) error {
 	secret := &corev1.Secret{}
-	err := r.Client.Get(ctx, client.ObjectKey{Namespace: scope.Config.Namespace, Name: scope.Config.Name}, secret)
+	err := r.SecretCachingClient.Get(ctx, client.ObjectKey{Namespace: scope.Config.Namespace, Name: scope.Config.Name}, secret)
 	if err != nil {
 		// If the secret has not been created yet return early.
 		if apierrors.IsNotFound(err) {
 
@@ -47,7 +47,8 @@ func TestKubeadmConfigReconciler(t *testing.T) {
 			}(cluster, machine, config, ns)
 
 			reconciler := KubeadmConfigReconciler{
-				Client: env,
+				Client:              env,
+				SecretCachingClient: secretCachingClient,
 			}
 			t.Log("Calling reconcile should requeue")
 			result, err := reconciler.Reconcile(ctx, ctrl.Request{
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,8 @@ func TestKubeadmConfigReconciler(t *testing.T) {`
`47`	`47`	`}(cluster, machine, config, ns)`
`48`	`48`
`49`	`49`	`reconciler := KubeadmConfigReconciler{`
`50`		`- Client: env,`
	`50`	`+ Client: env,`
	`51`	`+ SecretCachingClient: secretCachingClient,`
`51`	`52`	`}`
`52`	`53`	`t.Log("Calling reconcile should requeue")`
`53`	`54`	`result, err := reconciler.Reconcile(ctx, ctrl.Request{`