Remove cache-based short-circuit of token cleanup

pkg/controller/serviceaccount/tokens_controller.go

@@ -415,11 +415,6 @@ func (e *TokensController) deleteSecret(secret *api.Secret) error {
 // removeSecretReferenceIfNeeded updates the given ServiceAccount to remove a reference to the given secretName if needed.
 // Returns whether an update was performed, and any error that occurred
 func (e *TokensController) removeSecretReferenceIfNeeded(serviceAccount *api.ServiceAccount, secretName string) error {
-	// See if the account even referenced the secret
-	if !getSecretReferences(serviceAccount).Has(secretName) {
-		return nil
-	}
-
 	// We don't want to update the cache's copy of the service account
 	// so remove the secret from a freshly retrieved copy of the service account
 	serviceAccounts := e.client.Core().ServiceAccounts(serviceAccount.Namespace)

pkg/controller/serviceaccount/tokens_controller_test.go

@@ -492,8 +492,10 @@ func TestTokenCreation(t *testing.T) {
 		"deleted secret with serviceaccount without reference": {
 			ExistingServiceAccount: serviceAccount(emptySecretReferences()),
 
-			DeletedSecret:   serviceAccountTokenSecret(),
-			ExpectedActions: []core.Action{},
+			DeletedSecret: serviceAccountTokenSecret(),
+			ExpectedActions: []core.Action{
+				core.NewGetAction("serviceaccounts", api.NamespaceDefault, "default"),
+			},
 		},
 	}