addressed review comments. 11/8/2019

Signed-off-by: Chao Li <chaol@vmware.com>
2019-11-08 13:53:02 +08:00 · 2019-11-08 13:53:02 +08:00 · a26aa3a417
parent 8bf02125f9
commit a26aa3a417
18 changed files with 109 additions and 91 deletions
--- a/atc/api/resourceserver/check_webhook.go
+++ b/atc/api/resourceserver/check_webhook.go
@ -39,8 +39,7 @@ func (s *Server) CheckResourceWebHook(dbPipeline db.Pipeline) http.Handler {
 			return
 		}

-		globalVariables := creds.NewVariables(s.secretManager, dbPipeline.TeamName(), dbPipeline.Name(), false)
-		variables, err := dbPipeline.Variables(logger, globalVariables, s.varSourcePool)
+		variables, err := dbPipeline.Variables(logger, s.secretManager, s.varSourcePool)
 		if err != nil {
 			logger.Error("failed-to-create-var-sources", err)
 			w.WriteHeader(http.StatusInternalServerError)
--- a/atc/atccmd/command.go
+++ b/atc/atccmd/command.go
@ -86,7 +86,8 @@ type ATCCommand struct {

 type RunCommand struct {
 	Logger flag.Lager
-	VarSourcePool creds.VarSourcePool
+
+	varSourcePool creds.VarSourcePool

 	BindIP   flag.IP `long:"bind-ip"   default:"0.0.0.0" description:"IP address on which to listen for web traffic."`
 	BindPort uint16  `long:"bind-port" default:"8080"    description:"Port on which to listen for HTTP traffic."`
@ -451,7 +452,7 @@ func (cmd *RunCommand) Runner(positionalArguments []string) (ifrit.Runner, error
 		return nil, err
 	}

-	cmd.VarSourcePool = creds.NewVarSourcePool(5 * time.Minute)
+	cmd.varSourcePool = creds.NewVarSourcePool(5 * time.Minute, clock.NewClock())

 	members, err := cmd.constructMembers(logger, reconfigurableSink, apiConn, backendConn, gcConn, storage, lockFactory, secretManager)
 	if err != nil {
@ -613,7 +614,7 @@ func (cmd *RunCommand) constructAPIMembers(
 	dbContainerRepository := db.NewContainerRepository(dbConn)
 	gcContainerDestroyer := gc.NewDestroyer(logger, dbContainerRepository, dbVolumeRepository)
 	dbBuildFactory := db.NewBuildFactory(dbConn, lockFactory, cmd.GC.OneOffBuildGracePeriod)
-	dbCheckFactory := db.NewCheckFactory(dbConn, lockFactory, secretManager, cmd.VarSourcePool, cmd.GlobalResourceCheckTimeout)
+	dbCheckFactory := db.NewCheckFactory(dbConn, lockFactory, secretManager, cmd.varSourcePool, cmd.GlobalResourceCheckTimeout)

 	accessFactory := accessor.NewAccessFactory(authHandler.PublicKey())
 	customActionRoleMap := accessor.CustomActionRoleMap{}
@ -818,7 +819,7 @@ func (cmd *RunCommand) constructBackendMembers(
 	)

 	dbBuildFactory := db.NewBuildFactory(dbConn, lockFactory, cmd.GC.OneOffBuildGracePeriod)
-	dbCheckFactory := db.NewCheckFactory(dbConn, lockFactory, secretManager, cmd.VarSourcePool, cmd.GlobalResourceCheckTimeout)
+	dbCheckFactory := db.NewCheckFactory(dbConn, lockFactory, secretManager, cmd.varSourcePool, cmd.GlobalResourceCheckTimeout)
 	dbPipelineFactory := db.NewPipelineFactory(dbConn, lockFactory)
 	componentFactory := db.NewComponentFactory(dbConn)

@ -1018,7 +1019,7 @@ func (cmd *RunCommand) constructGCMember(
 		atc.ComponentCollectorVolumes:           gc.NewVolumeCollector(dbVolumeRepository, cmd.GC.MissingGracePeriod),
 		atc.ComponentCollectorContainers:        gc.NewContainerCollector(dbContainerRepository, jobRunner, cmd.GC.MissingGracePeriod),
 		atc.ComponentCollectorCheckSessions:     gc.NewResourceConfigCheckSessionCollector(resourceConfigCheckSessionLifecycle),
-		atc.ComponentCollectorVarSources:        gc.NewCollectorTask(cmd.VarSourcePool.(gc.Collector)),
+		atc.ComponentCollectorVarSources:        gc.NewCollectorTask(cmd.varSourcePool.(gc.Collector)),
 	}

 	for collectorName, collector := range collectors {
@ -1478,7 +1479,7 @@ func (cmd *RunCommand) constructEngine(
 		builder.NewDelegateFactory(),
 		cmd.ExternalURL.String(),
 		secretManager,
-		cmd.VarSourcePool,
+		cmd.varSourcePool,
 		cmd.EnableRedactSecrets,
 	)

@ -1598,7 +1599,7 @@ func (cmd *RunCommand) constructAPIHandler(
 		concourse.Version,
 		concourse.WorkerVersion,
 		secretManager,
-		cmd.VarSourcePool,
+		cmd.varSourcePool,
 		credsManagers,
 		containerserver.NewInterceptTimeoutFactory(cmd.InterceptIdleTimeout),
 	)
@ -1638,7 +1639,6 @@ func (cmd *RunCommand) constructPipelineSyncer(
 		pipelineFactory,
 		componentFactory,
 		func(pipeline db.Pipeline) ifrit.Runner {
-			variables := creds.NewVariables(secretManager, pipeline.TeamName(), pipeline.Name(), false)
 			return grouper.NewParallel(os.Interrupt, grouper.Members{
 				{
 					Name: fmt.Sprintf("radar:%d", pipeline.ID()),
@ -1648,7 +1648,7 @@ func (cmd *RunCommand) constructPipelineSyncer(
 							"pipeline": pipeline.Name(),
 						}),
 						(cmd.Developer.Noop || cmd.EnableLidar),
-						radarSchedulerFactory.BuildScanRunnerFactory(pipeline, cmd.ExternalURL.String(), variables, cmd.VarSourcePool, bus),
+						radarSchedulerFactory.BuildScanRunnerFactory(pipeline, cmd.ExternalURL.String(), secretManager, cmd.varSourcePool, bus),
 						pipeline,
 						1*time.Minute,
 					),
--- a/atc/creds/pool.go
+++ b/atc/creds/pool.go
@ -4,6 +4,7 @@ import (
 	"sync"
 	"time"

+	"code.cloudfoundry.org/clock"
 	"code.cloudfoundry.org/lager"
 	"encoding/json"
 )
@ -19,6 +20,7 @@ type inPoolManager struct {
 	manager        Manager
 	secretsFactory SecretsFactory
 	lastUseTime    time.Time
+	clock          clock.Clock
 }

 func (m *inPoolManager) Close(logger lager.Logger) {
@ -26,14 +28,15 @@ func (m *inPoolManager) Close(logger lager.Logger) {
 }

 func (m *inPoolManager) NewSecrets() Secrets {
-	m.lastUseTime = time.Now()
+	m.lastUseTime = m.clock.Now()
 	return m.secretsFactory.NewSecrets()
 }

 type varSourcePool struct {
-	pool map[string]*inPoolManager
-	lock sync.Mutex
-	ttl  time.Duration
+	pool  map[string]*inPoolManager
+	lock  sync.Mutex
+	ttl   time.Duration
+	clock clock.Clock
 }

 func (pool *varSourcePool) Size() int {
@ -66,6 +69,7 @@ func (pool *varSourcePool) FindOrCreate(logger lager.Logger, config map[string]i
 		}

 		pool.pool[key] = &inPoolManager{
+			clock:          pool.clock,
 			manager:        manager,
 			secretsFactory: secretsFactory,
 		}
@ -84,7 +88,7 @@ func (pool *varSourcePool) Collect(logger lager.Logger) error {

 	toDeleteKeys := []string{}
 	for key, manager := range pool.pool {
-		if manager.lastUseTime.Add(pool.ttl).Before(time.Now()) {
+		if manager.lastUseTime.Add(pool.ttl).Before(pool.clock.Now()) {
 			toDeleteKeys = append(toDeleteKeys, key)
 			manager.Close(logger)
 		}
@ -99,10 +103,11 @@ func (pool *varSourcePool) Collect(logger lager.Logger) error {
 	return nil
 }

-func NewVarSourcePool(ttl time.Duration) VarSourcePool {
+func NewVarSourcePool(ttl time.Duration, clock clock.Clock) VarSourcePool {
 	return &varSourcePool{
-		pool: map[string]*inPoolManager{},
-		lock: sync.Mutex{},
-		ttl:  ttl,
+		pool:  map[string]*inPoolManager{},
+		lock:  sync.Mutex{},
+		ttl:   ttl,
+		clock: clock,
 	}
 }
--- a/atc/creds/pool_test.go
+++ b/atc/creds/pool_test.go
@ -1,6 +1,7 @@
 package creds_test

 import (
+	"code.cloudfoundry.org/clock/fakeclock"
 	"code.cloudfoundry.org/lager"
 	"code.cloudfoundry.org/lager/lagertest"
 	"github.com/concourse/concourse/atc/creds"
@ -20,6 +21,7 @@ var _ = Context("pool", func() {
 		factory          creds.ManagerFactory
 		varSourcePool    creds.VarSourcePool
 		config1, config2 map[string]interface{}
+		fakeClock        *fakeclock.FakeClock
 	)

 	BeforeEach(func() {
@ -33,17 +35,19 @@ var _ = Context("pool", func() {
 		config2 = map[string]interface{}{
 			"vars": map[string]interface{}{"k2": "v2"},
 		}
+
+		fakeClock = fakeclock.NewFakeClock(time.Now())
 	})

 	Context("FindOrCreate", func() {
 		BeforeEach(func() {
-			varSourcePool = creds.NewVarSourcePool(5 * time.Minute)
+			varSourcePool = creds.NewVarSourcePool(5*time.Minute, fakeClock)
 		})

 		Context("add 1 config", func() {
 			var (
 				secrets creds.Secrets
-				err error
+				err     error
 			)

 			JustBeforeEach(func() {
@ -72,7 +76,7 @@ var _ = Context("pool", func() {
 		Context("add 2 configs", func() {
 			var (
 				secrets1, secrets2 creds.Secrets
-				err error
+				err                error
 			)
 			JustBeforeEach(func() {
 				secrets1, err = varSourcePool.FindOrCreate(logger, config1, factory)
@ -113,7 +117,7 @@ var _ = Context("pool", func() {
 		Context("add same config for multiple times", func() {
 			var (
 				secrets1, secrets2 creds.Secrets
-				err error
+				err                error
 			)
 			JustBeforeEach(func() {
 				secrets1, err = varSourcePool.FindOrCreate(logger, config1, factory)
@ -164,24 +168,24 @@ var _ = Context("pool", func() {
 		var err error

 		BeforeEach(func() {
-			varSourcePool = creds.NewVarSourcePool(4 * time.Second)
+			varSourcePool = creds.NewVarSourcePool(7*time.Second, fakeClock)
 		})
 		It("should clean up once ttl expires", func() {
 			_, err = varSourcePool.FindOrCreate(logger, config1, factory)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(varSourcePool.Size()).To(Equal(1))

-			time.Sleep(2*time.Second)
+			fakeClock.IncrementBySeconds(4)
 			_, err = varSourcePool.FindOrCreate(logger, config2, factory)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(varSourcePool.Size()).To(Equal(2))

-			time.Sleep(2*time.Second)
+			fakeClock.IncrementBySeconds(4)
 			err = varSourcePool.(gc.Collector).Collect(logger)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(varSourcePool.Size()).To(Equal(1))

-			time.Sleep(2*time.Second)
+			fakeClock.IncrementBySeconds(4)
 			err = varSourcePool.(gc.Collector).Collect(logger)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(varSourcePool.Size()).To(Equal(0))
--- a/atc/db/check_factory.go
+++ b/atc/db/check_factory.go
@ -151,13 +151,6 @@ func (c *checkFactory) TryCreateCheck(logger lager.Logger, checkable Checkable,
 		}
 	}

-	globalVars := creds.NewVariables(
-		c.secrets,
-		checkable.TeamName(),
-		checkable.PipelineName(),
-		false,
-	)
-
 	pp, found, err := checkable.Pipeline()
 	if err != nil {
 		return nil, false, fmt.Errorf("failed to reload pipeline: %s", err.Error())
@ -166,7 +159,7 @@ func (c *checkFactory) TryCreateCheck(logger lager.Logger, checkable Checkable,
 		return nil, false, fmt.Errorf("pipeline not found")
 	}

-	varss, err := pp.Variables(logger, globalVars, c.varSourcePool)
+	varss, err := pp.Variables(logger, c.secrets, c.varSourcePool)
 	if err != nil {
 		return nil, false, err
 	}
--- a/atc/db/dbfakes/fake_pipeline.go
+++ b/atc/db/dbfakes/fake_pipeline.go
@ -475,11 +475,11 @@ type FakePipeline struct {
 	varSourcesReturnsOnCall map[int]struct {
 		result1 atc.VarSourceConfigs
 	}
-	VariablesStub        func(lager.Logger, vars.Variables, creds.VarSourcePool) (vars.Variables, error)
+	VariablesStub        func(lager.Logger, creds.Secrets, creds.VarSourcePool) (vars.Variables, error)
 	variablesMutex       sync.RWMutex
 	variablesArgsForCall []struct {
 		arg1 lager.Logger
-		arg2 vars.Variables
+		arg2 creds.Secrets
 		arg3 creds.VarSourcePool
 	}
 	variablesReturns struct {
@ -2691,12 +2691,12 @@ func (fake *FakePipeline) VarSourcesReturnsOnCall(i int, result1 atc.VarSourceCo
 	}{result1}
 }

-func (fake *FakePipeline) Variables(arg1 lager.Logger, arg2 vars.Variables, arg3 creds.VarSourcePool) (vars.Variables, error) {
+func (fake *FakePipeline) Variables(arg1 lager.Logger, arg2 creds.Secrets, arg3 creds.VarSourcePool) (vars.Variables, error) {
 	fake.variablesMutex.Lock()
 	ret, specificReturn := fake.variablesReturnsOnCall[len(fake.variablesArgsForCall)]
 	fake.variablesArgsForCall = append(fake.variablesArgsForCall, struct {
 		arg1 lager.Logger
-		arg2 vars.Variables
+		arg2 creds.Secrets
 		arg3 creds.VarSourcePool
 	}{arg1, arg2, arg3})
 	fake.recordInvocation("Variables", []interface{}{arg1, arg2, arg3})
@ -2717,13 +2717,13 @@ func (fake *FakePipeline) VariablesCallCount() int {
 	return len(fake.variablesArgsForCall)
 }

-func (fake *FakePipeline) VariablesCalls(stub func(lager.Logger, vars.Variables, creds.VarSourcePool) (vars.Variables, error)) {
+func (fake *FakePipeline) VariablesCalls(stub func(lager.Logger, creds.Secrets, creds.VarSourcePool) (vars.Variables, error)) {
 	fake.variablesMutex.Lock()
 	defer fake.variablesMutex.Unlock()
 	fake.VariablesStub = stub
 }

-func (fake *FakePipeline) VariablesArgsForCall(i int) (lager.Logger, vars.Variables, creds.VarSourcePool) {
+func (fake *FakePipeline) VariablesArgsForCall(i int) (lager.Logger, creds.Secrets, creds.VarSourcePool) {
 	fake.variablesMutex.RLock()
 	defer fake.variablesMutex.RUnlock()
 	argsForCall := fake.variablesArgsForCall[i]
--- a/atc/db/pipeline.go
+++ b/atc/db/pipeline.go
@ -87,7 +87,7 @@ type Pipeline interface {
 	Destroy() error
 	Rename(string) error

-	Variables(lager.Logger, vars.Variables, creds.VarSourcePool) (vars.Variables, error)
+	Variables(lager.Logger, creds.Secrets, creds.VarSourcePool) (vars.Variables, error)
 }

 type pipeline struct {
@ -1106,7 +1106,8 @@ func (p *pipeline) getBuildsFrom(tx Tx, col string) (map[string]Build, error) {
 // Variables creates variables for this pipeline. If this pipeline has its own
 // var_sources, a vars.MultiVars containing all pipeline specific var_sources
 // plug the global variables, otherwise just return the global variables.
-func (p *pipeline) Variables(logger lager.Logger, globalVars vars.Variables, varSourcePool creds.VarSourcePool) (vars.Variables, error) {
+func (p *pipeline) Variables(logger lager.Logger, globalSecrets creds.Secrets, varSourcePool creds.VarSourcePool) (vars.Variables, error) {
+	globalVars := creds.NewVariables(globalSecrets, p.TeamName(), p.Name(), false)
 	varss := []vars.Variables{}
 	for _, cm := range p.varSources {
 		factory := creds.ManagerFactories()[cm.Type]
--- a/atc/db/pipeline_test.go
+++ b/atc/db/pipeline_test.go
@ -1,7 +1,9 @@
 package db_test

 import (
+	"code.cloudfoundry.org/clock"
 	"github.com/concourse/concourse/atc/creds"
+	"github.com/concourse/concourse/atc/creds/credsfakes"
 	"github.com/concourse/concourse/vars"
 	"strconv"
 	"time"
@ -2272,9 +2274,15 @@ var _ = Describe("Pipeline", func() {
 			err error
 		)
 		BeforeEach(func() {
-			globalVars := vars.StaticVariables{"gk": "gv"}
-			varSourcePool := creds.NewVarSourcePool(1*time.Minute)
-			pvars, err = pipeline.Variables(logger, globalVars, varSourcePool)
+			fakeSecrets = new(credsfakes.FakeSecrets)
+			fakeSecrets.GetStub = func(key string)(interface{}, *time.Time, bool, error) {
+				if key == "gk" {
+					return "gv", nil, true, nil
+				}
+				return nil, nil, false, nil
+			}
+			varSourcePool := creds.NewVarSourcePool(1*time.Minute, clock.NewClock())
+			pvars, err = pipeline.Variables(logger, fakeSecrets, varSourcePool)
 			Expect(err).NotTo(HaveOccurred())
 		})

--- a/atc/db/team.go
+++ b/atc/db/team.go
@ -800,8 +800,7 @@ func (t *team) FindCheckContainers(logger lager.Logger, pipelineName string, res
 		return nil, nil, err
 	}

-	globalVariables := creds.NewVariables(secretManager, t.name, pipeline.Name(), false)
-	variables, err := pipeline.Variables(logger, globalVariables, varSourcePool)
+	variables, err := pipeline.Variables(logger, secretManager, varSourcePool)
 	if err != nil {
 		return nil, nil, err
 	}
--- a/atc/engine/builder/builder.go
+++ b/atc/engine/builder/builder.go
@ -75,9 +75,9 @@ func (builder *stepBuilder) BuildStep(logger lager.Logger, build db.Build) (exec

 	var credVarsTracker vars.CredVarsTracker

-	globalVars := creds.NewVariables(builder.globalSecrets, build.TeamName(), build.PipelineName(), false)
 	// "fly execute" generated build will have no pipeline.
 	if build.PipelineID() == 0 {
+		globalVars := creds.NewVariables(builder.globalSecrets, build.TeamName(), build.PipelineName(), false)
 		credVarsTracker = vars.NewCredVarsTracker(globalVars, builder.redactSecrets)
 	} else {
 		pipeline, found, err := build.Pipeline()
@ -88,7 +88,7 @@ func (builder *stepBuilder) BuildStep(logger lager.Logger, build db.Build) (exec
 			return exec.IdentityStep{}, errors.New("pipeline not found")
 		}

-		varss, err := pipeline.Variables(logger, globalVars, builder.varSourcePool)
+		varss, err := pipeline.Variables(logger, builder.globalSecrets, builder.varSourcePool)
 		if err != nil {
 			return exec.IdentityStep{}, err
 		}
@ -120,8 +120,7 @@ func (builder *stepBuilder) CheckStep(logger lager.Logger, check db.Check) (exec
 		return exec.IdentityStep{}, errors.New("pipeline not found")
 	}

-	globalVars := creds.NewVariables(builder.globalSecrets, check.TeamName(), check.PipelineName(), false)
-	varss, err := pipeline.Variables(logger, globalVars, builder.varSourcePool)
+	varss, err := pipeline.Variables(logger, builder.globalSecrets, builder.varSourcePool)
 	if err != nil {
 		return exec.IdentityStep{}, fmt.Errorf("failed to create pipeline variables: %s", err.Error())
 	}
--- a/atc/pipelines/pipelinesfakes/fake_radar_scheduler_factory.go
+++ b/atc/pipelines/pipelinesfakes/fake_radar_scheduler_factory.go
@ -9,16 +9,15 @@ import (
 	"github.com/concourse/concourse/atc/pipelines"
 	"github.com/concourse/concourse/atc/radar"
 	"github.com/concourse/concourse/atc/scheduler"
-	"github.com/concourse/concourse/vars"
 )

 type FakeRadarSchedulerFactory struct {
-	BuildScanRunnerFactoryStub        func(db.Pipeline, string, vars.Variables, creds.VarSourcePool, radar.Notifications) radar.ScanRunnerFactory
+	BuildScanRunnerFactoryStub        func(db.Pipeline, string, creds.Secrets, creds.VarSourcePool, radar.Notifications) radar.ScanRunnerFactory
 	buildScanRunnerFactoryMutex       sync.RWMutex
 	buildScanRunnerFactoryArgsForCall []struct {
 		arg1 db.Pipeline
 		arg2 string
-		arg3 vars.Variables
+		arg3 creds.Secrets
 		arg4 creds.VarSourcePool
 		arg5 radar.Notifications
 	}
@ -43,13 +42,13 @@ type FakeRadarSchedulerFactory struct {
 	invocationsMutex sync.RWMutex
 }

-func (fake *FakeRadarSchedulerFactory) BuildScanRunnerFactory(arg1 db.Pipeline, arg2 string, arg3 vars.Variables, arg4 creds.VarSourcePool, arg5 radar.Notifications) radar.ScanRunnerFactory {
+func (fake *FakeRadarSchedulerFactory) BuildScanRunnerFactory(arg1 db.Pipeline, arg2 string, arg3 creds.Secrets, arg4 creds.VarSourcePool, arg5 radar.Notifications) radar.ScanRunnerFactory {
 	fake.buildScanRunnerFactoryMutex.Lock()
 	ret, specificReturn := fake.buildScanRunnerFactoryReturnsOnCall[len(fake.buildScanRunnerFactoryArgsForCall)]
 	fake.buildScanRunnerFactoryArgsForCall = append(fake.buildScanRunnerFactoryArgsForCall, struct {
 		arg1 db.Pipeline
 		arg2 string
-		arg3 vars.Variables
+		arg3 creds.Secrets
 		arg4 creds.VarSourcePool
 		arg5 radar.Notifications
 	}{arg1, arg2, arg3, arg4, arg5})
@ -71,13 +70,13 @@ func (fake *FakeRadarSchedulerFactory) BuildScanRunnerFactoryCallCount() int {
 	return len(fake.buildScanRunnerFactoryArgsForCall)
 }

-func (fake *FakeRadarSchedulerFactory) BuildScanRunnerFactoryCalls(stub func(db.Pipeline, string, vars.Variables, creds.VarSourcePool, radar.Notifications) radar.ScanRunnerFactory) {
+func (fake *FakeRadarSchedulerFactory) BuildScanRunnerFactoryCalls(stub func(db.Pipeline, string, creds.Secrets, creds.VarSourcePool, radar.Notifications) radar.ScanRunnerFactory) {
 	fake.buildScanRunnerFactoryMutex.Lock()
 	defer fake.buildScanRunnerFactoryMutex.Unlock()
 	fake.BuildScanRunnerFactoryStub = stub
 }

-func (fake *FakeRadarSchedulerFactory) BuildScanRunnerFactoryArgsForCall(i int) (db.Pipeline, string, vars.Variables, creds.VarSourcePool, radar.Notifications) {
+func (fake *FakeRadarSchedulerFactory) BuildScanRunnerFactoryArgsForCall(i int) (db.Pipeline, string, creds.Secrets, creds.VarSourcePool, radar.Notifications) {
 	fake.buildScanRunnerFactoryMutex.RLock()
 	defer fake.buildScanRunnerFactoryMutex.RUnlock()
 	argsForCall := fake.buildScanRunnerFactoryArgsForCall[i]
--- a/atc/pipelines/radar_scheduler_factory.go
+++ b/atc/pipelines/radar_scheduler_factory.go
@ -15,14 +15,13 @@ import (
 	"github.com/concourse/concourse/atc/scheduler/inputmapper/inputconfig"
 	"github.com/concourse/concourse/atc/scheduler/maxinflight"
 	"github.com/concourse/concourse/atc/worker"
-	"github.com/concourse/concourse/vars"
 )

 //go:generate counterfeiter . RadarSchedulerFactory

 type RadarSchedulerFactory interface {
-	BuildScanRunnerFactory(dbPipeline db.Pipeline, externalURL string, variables vars.Variables, pool creds.VarSourcePool, notifications radar.Notifications) radar.ScanRunnerFactory
-	BuildScheduler(pipeline db.Pipeline) scheduler.BuildScheduler
+	BuildScanRunnerFactory(db.Pipeline, string, creds.Secrets, creds.VarSourcePool, radar.Notifications) radar.ScanRunnerFactory
+	BuildScheduler(db.Pipeline) scheduler.BuildScheduler
 }

 type radarSchedulerFactory struct {
@ -52,7 +51,7 @@ func NewRadarSchedulerFactory(
 	}
 }

-func (rsf *radarSchedulerFactory) BuildScanRunnerFactory(dbPipeline db.Pipeline, externalURL string, variables vars.Variables, varSourcePool creds.VarSourcePool, notifications radar.Notifications) radar.ScanRunnerFactory {
+func (rsf *radarSchedulerFactory) BuildScanRunnerFactory(dbPipeline db.Pipeline, externalURL string, secrets creds.Secrets, varSourcePool creds.VarSourcePool, notifications radar.Notifications) radar.ScanRunnerFactory {
 	return radar.NewScanRunnerFactory(
 		rsf.pool,
 		rsf.resourceFactory,
@ -62,7 +61,7 @@ func (rsf *radarSchedulerFactory) BuildScanRunnerFactory(dbPipeline db.Pipeline,
 		dbPipeline,
 		clock.NewClock(),
 		externalURL,
-		variables,
+		secrets,
 		varSourcePool,
 		rsf.strategy,
 		notifications,
--- a/atc/radar/resource_scanner.go
+++ b/atc/radar/resource_scanner.go
@ -15,7 +15,6 @@ import (
 	"github.com/concourse/concourse/atc/metric"
 	"github.com/concourse/concourse/atc/resource"
 	"github.com/concourse/concourse/atc/worker"
-	"github.com/concourse/concourse/vars"
 )

 var GlobalResourceCheckTimeout time.Duration
@ -28,7 +27,7 @@ type resourceScanner struct {
 	defaultInterval       time.Duration
 	dbPipeline            db.Pipeline
 	externalURL           string
-	variables             vars.Variables
+	secrets               creds.Secrets
 	varSourcePool         creds.VarSourcePool
 	strategy              worker.ContainerPlacementStrategy
 }
@ -41,7 +40,7 @@ func NewResourceScanner(
 	defaultInterval time.Duration,
 	dbPipeline db.Pipeline,
 	externalURL string,
-	variables vars.Variables,
+	secrets creds.Secrets,
 	varSourcePool creds.VarSourcePool,
 	strategy worker.ContainerPlacementStrategy,
 ) Scanner {
@ -53,7 +52,7 @@ func NewResourceScanner(
 		defaultInterval:       defaultInterval,
 		dbPipeline:            dbPipeline,
 		externalURL:           externalURL,
-		variables:             variables,
+		secrets:               secrets,
 		varSourcePool:         varSourcePool,
 		strategy:              strategy,
 	}
@ -167,7 +166,7 @@ func (scanner *resourceScanner) scan(logger lager.Logger, resourceID int, fromVe
 	}

 	// Combine pipeline specific var_sources with the global credential manager.
-	varss, err := scanner.dbPipeline.Variables(logger, scanner.variables, scanner.varSourcePool)
+	varss, err := scanner.dbPipeline.Variables(logger, scanner.secrets, scanner.varSourcePool)
 	if err != nil {
 		return 0, err
 	}
--- a/atc/radar/resource_scanner_test.go
+++ b/atc/radar/resource_scanner_test.go
@ -40,6 +40,7 @@ var _ = Describe("ResourceScanner", func() {
 		fakeDBPipeline            *dbfakes.FakePipeline
 		fakeClock                 *fakeclock.FakeClock
 		fakeVarSourcePool         *credsfakes.FakeVarSourcePool
+		fakeSecrets               *credsfakes.FakeSecrets
 		interval                  time.Duration
 		variables                 vars.Variables

@ -63,6 +64,15 @@ var _ = Describe("ResourceScanner", func() {
 		fakeLock = &lockfakes.FakeLock{}
 		interval = 1 * time.Minute
 		GlobalResourceCheckTimeout = 1 * time.Hour
+
+		fakeSecrets = new(credsfakes.FakeSecrets)
+		fakeSecrets.GetStub = func(key string) (interface{}, *time.Time, bool, error) {
+			if key == "source-params" {
+				return "some-secret-sauce", nil, true, nil
+			}
+			return nil, nil, false, nil
+		}
+
 		variables = vars.StaticVariables{
 			"source-params": "some-secret-sauce",
 		}
@ -134,7 +144,7 @@ var _ = Describe("ResourceScanner", func() {
 			interval,
 			fakeDBPipeline,
 			"https://www.example.com",
-			variables,
+			fakeSecrets,
 			fakeVarSourcePool,
 			fakeStrategy,
 		)
--- a/atc/radar/resource_type_scanner.go
+++ b/atc/radar/resource_type_scanner.go
@ -13,7 +13,6 @@ import (
 	"github.com/concourse/concourse/atc/db"
 	"github.com/concourse/concourse/atc/resource"
 	"github.com/concourse/concourse/atc/worker"
-	"github.com/concourse/concourse/vars"
 )

 type resourceTypeScanner struct {
@ -24,7 +23,7 @@ type resourceTypeScanner struct {
 	defaultInterval       time.Duration
 	dbPipeline            db.Pipeline
 	externalURL           string
-	variables             vars.Variables
+	secrets               creds.Secrets
 	varSourcePool         creds.VarSourcePool
 	strategy              worker.ContainerPlacementStrategy
 }
@ -37,7 +36,7 @@ func NewResourceTypeScanner(
 	defaultInterval time.Duration,
 	dbPipeline db.Pipeline,
 	externalURL string,
-	variables vars.Variables,
+	secrets creds.Secrets,
 	varSourcePool creds.VarSourcePool,
 	strategy worker.ContainerPlacementStrategy,
 ) Scanner {
@ -49,7 +48,7 @@ func NewResourceTypeScanner(
 		defaultInterval:       defaultInterval,
 		dbPipeline:            dbPipeline,
 		externalURL:           externalURL,
-		variables:             variables,
+		secrets:               secrets,
 		varSourcePool:         varSourcePool,
 		strategy:              strategy,
 	}
@ -128,7 +127,7 @@ func (scanner *resourceTypeScanner) scan(logger lager.Logger, resourceTypeID int
 		return 0, err
 	}

-	varss, err := scanner.dbPipeline.Variables(logger, scanner.variables, scanner.varSourcePool)
+	varss, err := scanner.dbPipeline.Variables(logger, scanner.secrets, scanner.varSourcePool)
 	if err != nil {
 		return 0, err
 	}
@ -143,7 +142,7 @@ func (scanner *resourceTypeScanner) scan(logger lager.Logger, resourceTypeID int
 		return 0, err
 	}

-	source, err := creds.NewSource(scanner.variables, savedResourceType.Source()).Evaluate()
+	source, err := creds.NewSource(varss, savedResourceType.Source()).Evaluate()
 	if err != nil {
 		logger.Error("failed-to-evaluate-resource-type-source", err)
 		scanner.setCheckError(logger, savedResourceType, err)
--- a/atc/radar/resource_type_scanner_test.go
+++ b/atc/radar/resource_type_scanner_test.go
@ -40,6 +40,7 @@ var _ = Describe("ResourceTypeScanner", func() {
 		fakeResourceConfigScope   *dbfakes.FakeResourceConfigScope
 		fakeClock                 *fakeclock.FakeClock
 		fakeVarSourcePool         *credsfakes.FakeVarSourcePool
+		fakeSecrets               *credsfakes.FakeSecrets
 		interval                  time.Duration
 		variables                 vars.Variables
 		metadata                  db.ContainerMetadata
@ -56,6 +57,15 @@ var _ = Describe("ResourceTypeScanner", func() {
 	BeforeEach(func() {
 		fakeLock = &lockfakes.FakeLock{}
 		interval = 1 * time.Minute
+
+		fakeSecrets = new(credsfakes.FakeSecrets)
+		fakeSecrets.GetStub = func(key string) (interface{}, *time.Time, bool, error) {
+			if key == "source-params" {
+				return "some-secret-sauce", nil, true, nil
+			}
+			return nil, nil, false, nil
+		}
+
 		variables = vars.StaticVariables{
 			"source-params": "some-secret-sauce",
 		}
@ -113,7 +123,7 @@ var _ = Describe("ResourceTypeScanner", func() {
 			interval,
 			fakeDBPipeline,
 			"https://www.example.com",
-			variables,
+			fakeSecrets,
 			fakeVarSourcePool,
 			fakeStrategy,
 		)
--- a/atc/radar/scan_runner_factory.go
+++ b/atc/radar/scan_runner_factory.go
@ -4,13 +4,11 @@ import (
 	"github.com/concourse/concourse/atc/creds"
 	"time"

+	"code.cloudfoundry.org/clock"
+	"code.cloudfoundry.org/lager"
 	"github.com/concourse/concourse/atc/db"
 	"github.com/concourse/concourse/atc/resource"
 	"github.com/concourse/concourse/atc/worker"
-	"github.com/concourse/concourse/vars"
-
-	"code.cloudfoundry.org/clock"
-	"code.cloudfoundry.org/lager"
 )

 //go:generate counterfeiter . ScanRunnerFactory
@ -36,7 +34,7 @@ func NewScanRunnerFactory(
 	dbPipeline db.Pipeline,
 	clock clock.Clock,
 	externalURL string,
-	variables vars.Variables,
+	secrets creds.Secrets,
 	varSourcePool creds.VarSourcePool,
 	strategy worker.ContainerPlacementStrategy,
 	notifications Notifications,
@ -49,7 +47,7 @@ func NewScanRunnerFactory(
 		resourceTypeCheckingInterval,
 		dbPipeline,
 		externalURL,
-		variables,
+		secrets,
 		varSourcePool,
 		strategy,
 	)
@ -62,7 +60,7 @@ func NewScanRunnerFactory(
 		resourceCheckingInterval,
 		dbPipeline,
 		externalURL,
-		variables,
+		secrets,
 		varSourcePool,
 		strategy,
 	)
--- a/atc/radar/scanner_factory.go
+++ b/atc/radar/scanner_factory.go
@ -62,8 +62,6 @@ func NewScannerFactory(
 }

 func (f *scannerFactory) NewResourceScanner(logger lager.Logger, dbPipeline db.Pipeline) Scanner {
-	globalVariables := creds.NewVariables(f.secretManager, dbPipeline.TeamName(), dbPipeline.Name(), false)
-
 	return NewResourceScanner(
 		clock.NewClock(),
 		f.pool,
@ -72,15 +70,13 @@ func (f *scannerFactory) NewResourceScanner(logger lager.Logger, dbPipeline db.P
 		f.resourceCheckingInterval,
 		dbPipeline,
 		f.externalURL,
-		globalVariables,
+		f.secretManager,
 		f.varSourcePool,
 		f.strategy,
 	)
 }

 func (f *scannerFactory) NewResourceTypeScanner(logger lager.Logger, dbPipeline db.Pipeline) Scanner {
-	globalVariables := creds.NewVariables(f.secretManager, dbPipeline.TeamName(), dbPipeline.Name(), false)
-
 	return NewResourceTypeScanner(
 		clock.NewClock(),
 		f.pool,
@ -89,7 +85,7 @@ func (f *scannerFactory) NewResourceTypeScanner(logger lager.Logger, dbPipeline
 		f.resourceTypeCheckingInterval,
 		dbPipeline,
 		f.externalURL,
-		globalVariables,
+		f.secretManager,
 		f.varSourcePool,
 		f.strategy,
 	)