From d64941ece90e29317b7a9527841e9314116bda8b Mon Sep 17 00:00:00 2001 From: Alberto Llamas Date: Tue, 7 Jun 2022 10:25:30 +0200 Subject: [PATCH 1/8] Once the AWS session is created first time, it can be reused --- pkg/provider/aws/auth/auth.go | 55 ++++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 17 deletions(-) diff --git a/pkg/provider/aws/auth/auth.go b/pkg/provider/aws/auth/auth.go index 436b2b031..0a9c04414 100644 --- a/pkg/provider/aws/auth/auth.go +++ b/pkg/provider/aws/auth/auth.go @@ -44,7 +44,11 @@ type Config struct { APIRetries int } -var log = ctrl.Log.WithName("provider").WithName("aws") +var ( + log = ctrl.Log.WithName("provider").WithName("aws") + sess *session.Session + savedSession *session.Session +) const ( roleARNAnnotation = "eks.amazonaws.com/role-arn" @@ -95,16 +99,24 @@ func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, if prov.Region != "" { config.WithRegion(prov.Region) } - handlers := defaults.Handlers() - handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) - sess, err := session.NewSessionWithOptions(session.Options{ - Config: *config, - Handlers: handlers, - SharedConfigState: session.SharedConfigDisable, - }) - if err != nil { - return nil, err + + if savedSession != nil { + sess = savedSession + } else { + + handlers := defaults.Handlers() + handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) + sess, err = session.NewSessionWithOptions(session.Options{ + Config: *config, + Handlers: handlers, + SharedConfigState: session.SharedConfigDisable, + }) + if err != nil { + return nil, err + } + savedSession = sess } + if prov.Role != "" { stsclient := assumeRoler(sess) sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, prov.Role)) 
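Review bot: `savedSession` is a single package-level session reused for every store, so a session that `New` built from one store's credentials and region is handed back to every other store, and the `DefaultJWTProvider` hunk on the next line returns that same session on the IRSA/JWT path; a cache needs a key covering the store identity and its credential source, not one global slot. Assigning the package-level `sess` from inside `New` is also a data race if reconciles run concurrently (the chart exposes a `--concurrent` flag), and the context line `sess.Config.WithCredentials(...)` now mutates the shared session's config on every call with `prov.Role` set. Both `New` and `DefaultJWTProvider` continue outside their hunks.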
@@ -209,14 +221,23 @@ func DefaultJWTProvider(name, namespace, roleArn, region string) (credentials.Pr if region != "" { awscfg.WithRegion(region) } - sess, err := session.NewSessionWithOptions(session.Options{ - Config: *awscfg, - SharedConfigState: session.SharedConfigDisable, - Handlers: handlers, - }) - if err != nil { - return nil, err + + if savedSession != nil { + sess = savedSession + } else { + + sess, err = session.NewSessionWithOptions(session.Options{ + Config: *awscfg, + SharedConfigState: session.SharedConfigDisable, + Handlers: handlers, + }) + + if err != nil { + return nil, err + } + savedSession = sess } + tokenFetcher := &authTokenFetcher{ Namespace: namespace, ServiceAccount: name, From cb6f66b5ac7a2b9c803dff99d3cc0a0f9898d010 Mon Sep 17 00:00:00 2001 From: Alberto Llamas Date: Mon, 13 Jun 2022 20:24:25 +0200 Subject: [PATCH 2/8] Fix aws session logic --- pkg/provider/aws/auth/auth.go | 52 +++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 21 deletions(-) diff --git a/pkg/provider/aws/auth/auth.go b/pkg/provider/aws/auth/auth.go index 0a9c04414..6f52d6101 100644 --- a/pkg/provider/aws/auth/auth.go +++ b/pkg/provider/aws/auth/auth.go @@ -44,10 +44,16 @@ type Config struct { APIRetries int } +type SessionCache struct { + Name string + Namespace string + Kind string + ResourceVersion string +} + var ( - log = ctrl.Log.WithName("provider").WithName("aws") - sess *session.Session - savedSession *session.Session + log = ctrl.Log.WithName("provider").WithName("aws") + sessions = make(map[SessionCache]*session.Session) ) const ( 
@@ -100,10 +106,21 @@ func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, config.WithRegion(prov.Region) } - if savedSession != nil { - sess = savedSession - } else { + var sess *session.Session + // check if session can be reused + tmpSession := SessionCache{ + Name: store.GetObjectMeta().Name, + Namespace: namespace, + Kind: store.GetTypeMeta().Kind, + ResourceVersion: store.GetObjectMeta().ResourceVersion, + } + + _, ok := sessions[tmpSession] + if ok { + log.Info("reusing aws session", "SecretStore", tmpSession.Name, "namespace", tmpSession.Namespace, "kind", tmpSession.Kind, "resourceversion", tmpSession.ResourceVersion) + sess = sessions[tmpSession] + } else { handlers := defaults.Handlers() handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) sess, err = session.NewSessionWithOptions(session.Options{ @@ -114,7 +131,7 @@ func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, if err != nil { return nil, err } - savedSession = sess + sessions[tmpSession] = sess } if prov.Role != "" { @@ -221,21 +238,14 @@ func DefaultJWTProvider(name, namespace, roleArn, region string) (credentials.Pr if region != "" { awscfg.WithRegion(region) } + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *awscfg, + SharedConfigState: session.SharedConfigDisable, + Handlers: handlers, + }) - if savedSession != nil { - sess = savedSession - } else { - - sess, err = session.NewSessionWithOptions(session.Options{ - Config: *awscfg, - SharedConfigState: session.SharedConfigDisable, - Handlers: handlers, - }) - - if err != nil { - return nil, err - } - savedSession = sess + if err != nil { + return nil, err } tokenFetcher := &authTokenFetcher{ From 909d137a83cd47eea4cac8c9a16ad52459276f6d Mon Sep 17 00:00:00 2001 From: Alberto Llamas Date: Mon, 13 Jun 2022 20:36:58 +0200 Subject: [PATCH 3/8] Removing newlines --- pkg/provider/aws/auth/auth.go | 2 -- 1 file changed, 2 deletions(-) 
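Review bot: `sessions` is a plain package-level map that this hunk reads (`_, ok := sessions[tmpSession]`) and writes (`sessions[tmpSession] = sess`) with no lock, which with more than one reconcile worker is a data race the Go runtime can abort with "concurrent map read and map write". Declare `sessionsMu sync.RWMutex` next to the map and hold it across the lookup and the insert (the `sync` import lives outside this hunk). Because the key includes `ResourceVersion`, every update to a store adds a new entry and nothing is ever deleted, so the map grows without bound and each stale entry keeps a session, and the credentials inside it, alive; when inserting, drop the entries with the same Name, Namespace and Kind. The key also does not cover the referenced credentials Secret, so rotating that Secret without touching the store keeps the old credentials in use until the store's own ResourceVersion changes. The same three points apply unchanged to the final `getAWSSession` in PATCH 8.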
diff --git a/pkg/provider/aws/auth/auth.go b/pkg/provider/aws/auth/auth.go index 6f52d6101..5bebcb0c5 100644 --- a/pkg/provider/aws/auth/auth.go +++ b/pkg/provider/aws/auth/auth.go @@ -243,11 +243,9 @@ func DefaultJWTProvider(name, namespace, roleArn, region string) (credentials.Pr SharedConfigState: session.SharedConfigDisable, Handlers: handlers, }) - if err != nil { return nil, err } - tokenFetcher := &authTokenFetcher{ Namespace: namespace, ServiceAccount: name, From ad63b74c9f3ab712fe80ca6843416f888af1dcdc Mon Sep 17 00:00:00 2001 From: Alberto Llamas Date: Sat, 18 Jun 2022 10:54:47 +0200 Subject: [PATCH 4/8] Reuse AWS session as feature gate that a user has to opt-in in order to use it --- .../v1beta1/secretstore_aws_types.go | 5 ++ ...ternal-secrets.io_clustersecretstores.yaml | 5 ++ .../external-secrets.io_secretstores.yaml | 5 ++ deploy/crds/bundle.yaml | 6 ++ pkg/provider/aws/auth/auth.go | 81 +++++++++++++------ 5 files changed, 76 insertions(+), 26 deletions(-) diff --git a/apis/externalsecrets/v1beta1/secretstore_aws_types.go b/apis/externalsecrets/v1beta1/secretstore_aws_types.go index 5acefda69..b00a497e3 100644 --- a/apis/externalsecrets/v1beta1/secretstore_aws_types.go +++ b/apis/externalsecrets/v1beta1/secretstore_aws_types.go @@ -73,4 +73,9 @@ type AWSProvider struct { // AWS Region to be used for the provider Region string `json:"region"` + + // SessionCache defines if the AWS session should be reused, + // if not set the operator will issues a fresh session for each request. + // +optional + SessionCache bool `json:"sessionCache,omitempty"` } diff --git a/config/crds/bases/external-secrets.io_clustersecretstores.yaml b/config/crds/bases/external-secrets.io_clustersecretstores.yaml index c2b2b8e40..30c1ce143 100644 --- a/config/crds/bases/external-secrets.io_clustersecretstores.yaml +++ b/config/crds/bases/external-secrets.io_clustersecretstores.yaml 
@@ -1665,6 +1665,11 @@ spec: - SecretsManager - ParameterStore type: string + sessionCache: + description: SessionCache defines if the AWS session should + be reused, if not set the operator will issues a fresh session + for each request. + type: boolean required: - region - service diff --git a/config/crds/bases/external-secrets.io_secretstores.yaml b/config/crds/bases/external-secrets.io_secretstores.yaml index 1dedf26a0..c6c805019 100644 --- a/config/crds/bases/external-secrets.io_secretstores.yaml +++ b/config/crds/bases/external-secrets.io_secretstores.yaml @@ -1668,6 +1668,11 @@ spec: - SecretsManager - ParameterStore type: string + sessionCache: + description: SessionCache defines if the AWS session should + be reused, if not set the operator will issues a fresh session + for each request. + type: boolean required: - region - service diff --git a/deploy/crds/bundle.yaml b/deploy/crds/bundle.yaml index be1bd4c19..f95422a56 100644 --- a/deploy/crds/bundle.yaml +++ b/deploy/crds/bundle.yaml @@ -1557,6 +1557,9 @@ spec: - SecretsManager - ParameterStore type: string + sessionCache: + description: SessionCache defines if the AWS session should be reused, if not set the operator will issues a fresh session for each request. + type: boolean required: - region - service @@ -4229,6 +4232,9 @@ spec: - SecretsManager - ParameterStore type: string + sessionCache: + description: SessionCache defines if the AWS session should be reused, if not set the operator will issues a fresh session for each request. + type: boolean required: - region - service diff --git a/pkg/provider/aws/auth/auth.go b/pkg/provider/aws/auth/auth.go index 5bebcb0c5..0ebf152f3 100644 --- a/pkg/provider/aws/auth/auth.go +++ b/pkg/provider/aws/auth/auth.go 
@@ -106,32 +106,9 @@ func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, config.WithRegion(prov.Region) } - var sess *session.Session - - // check if session can be reused - tmpSession := SessionCache{ - Name: store.GetObjectMeta().Name, - Namespace: namespace, - Kind: store.GetTypeMeta().Kind, - ResourceVersion: store.GetObjectMeta().ResourceVersion, - } - - _, ok := sessions[tmpSession] - if ok { - log.Info("reusing aws session", "SecretStore", tmpSession.Name, "namespace", tmpSession.Namespace, "kind", tmpSession.Kind, "resourceversion", tmpSession.ResourceVersion) - sess = sessions[tmpSession] - } else { - handlers := defaults.Handlers() - handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) - sess, err = session.NewSessionWithOptions(session.Options{ - Config: *config, - Handlers: handlers, - SharedConfigState: session.SharedConfigDisable, - }) - if err != nil { - return nil, err - } - sessions[tmpSession] = sess + sess, err := getAWSSession(config, prov, store, namespace) + if err != nil { + return nil, err } if prov.Role != "" { 
@@ -261,3 +238,55 @@ type STSProvider func(*session.Session) stsiface.STSAPI func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI { return sts.New(sess) } + +// getAWSSession check if an AWS session should be reused +// it returns the aws session or an error. +func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, namespace string) (*session.Session, error) { + + sessionCache := prov.SessionCache + + if sessionCache { + + tmpSession := SessionCache{ + Name: store.GetObjectMeta().Name, + Namespace: namespace, + Kind: store.GetTypeMeta().Kind, + ResourceVersion: store.GetObjectMeta().ResourceVersion, + } + + _, ok := sessions[tmpSession] + + if ok { + log.Info("reusing aws session", "SecretStore", tmpSession.Name, "namespace", tmpSession.Namespace, "kind", tmpSession.Kind, "resourceversion", tmpSession.ResourceVersion) + return sessions[tmpSession], nil + } else { + handlers := defaults.Handlers() + handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *config, + Handlers: handlers, + SharedConfigState: session.SharedConfigDisable, + }) + + if err != nil { + return nil, err + } + sessions[tmpSession] = sess + return sess, nil + } + + } else { + handlers := defaults.Handlers() + handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *config, + Handlers: handlers, + SharedConfigState: session.SharedConfigDisable, + }) + + if err != nil { + return nil, err + } + return sess, nil + } +} From c3335907ac191ce2e12f73d616a5e0f6df5bd5a4 Mon Sep 17 00:00:00 2001 From: Alberto Llamas Date: Sat, 18 Jun 2022 13:05:47 +0200 Subject: [PATCH 5/8] Fix recommendations from go-lint --- pkg/provider/aws/auth/auth.go | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) 
diff --git a/pkg/provider/aws/auth/auth.go b/pkg/provider/aws/auth/auth.go index 0ebf152f3..7608c8f21 100644 --- a/pkg/provider/aws/auth/auth.go +++ b/pkg/provider/aws/auth/auth.go @@ -242,11 +242,9 @@ func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI { // getAWSSession check if an AWS session should be reused // it returns the aws session or an error. func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, namespace string) (*session.Session, error) { - sessionCache := prov.SessionCache if sessionCache { - tmpSession := SessionCache{ Name: store.GetObjectMeta().Name, Namespace: namespace, @@ -258,24 +256,9 @@ func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1be if ok { log.Info("reusing aws session", "SecretStore", tmpSession.Name, "namespace", tmpSession.Namespace, "kind", tmpSession.Kind, "resourceversion", tmpSession.ResourceVersion) - return sessions[tmpSession], nil - } else { - handlers := defaults.Handlers() - handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) - sess, err := session.NewSessionWithOptions(session.Options{ - Config: *config, - Handlers: handlers, - SharedConfigState: session.SharedConfigDisable, - }) - - if err != nil { - return nil, err - } - sessions[tmpSession] = sess + sess := sessions[tmpSession] return sess, nil } - - } else { handlers := defaults.Handlers() handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) sess, err := session.NewSessionWithOptions(session.Options{ 
@@ -283,10 +266,21 @@ func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1be Handlers: handlers, SharedConfigState: session.SharedConfigDisable, }) - if err != nil { return nil, err } + sessions[tmpSession] = sess return sess, nil } + handlers := defaults.Handlers() + handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *config, + Handlers: handlers, + SharedConfigState: session.SharedConfigDisable, + }) + if err != nil { + return nil, err + } + return sess, nil } From 5ec222dfd0d3fc55a155c6fe2e817f0033840a96 Mon Sep 17 00:00:00 2001 From: Alberto Llamas Date: Tue, 21 Jun 2022 11:52:01 +0200 Subject: [PATCH 6/8] update --- apis/externalsecrets/v1beta1/secretstore_aws_types.go | 5 ----- cmd/root.go | 6 ++++++ .../bases/external-secrets.io_clustersecretstores.yaml | 5 ----- config/crds/bases/external-secrets.io_secretstores.yaml | 5 ----- deploy/charts/external-secrets/templates/deployment.yaml | 3 +++ deploy/charts/external-secrets/values.yaml | 3 +++ deploy/crds/bundle.yaml | 6 ------ pkg/provider/aws/auth/auth.go | 9 ++++----- 8 files changed, 16 insertions(+), 26 deletions(-) diff --git a/apis/externalsecrets/v1beta1/secretstore_aws_types.go b/apis/externalsecrets/v1beta1/secretstore_aws_types.go index b00a497e3..5acefda69 100644 --- a/apis/externalsecrets/v1beta1/secretstore_aws_types.go +++ b/apis/externalsecrets/v1beta1/secretstore_aws_types.go @@ -73,9 +73,4 @@ type AWSProvider struct { // AWS Region to be used for the provider Region string `json:"region"` - - // SessionCache defines if the AWS session should be reused, - // if not set the operator will issues a fresh session for each request. - // +optional - SessionCache bool `json:"sessionCache,omitempty"` } diff --git a/cmd/root.go b/cmd/root.go index fbbaede7b..71186416e 100644 --- a/cmd/root.go +++ b/cmd/root.go 
@@ -38,6 +38,7 @@ import ( "github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret" "github.com/external-secrets/external-secrets/pkg/controllers/externalsecret" "github.com/external-secrets/external-secrets/pkg/controllers/secretstore" + awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth" ) var ( @@ -61,6 +62,7 @@ var ( secretName, secretNamespace string crdRequeueInterval time.Duration certCheckInterval time.Duration + enableAWSSession bool ) const ( @@ -159,6 +161,9 @@ var rootCmd = &cobra.Command{ os.Exit(1) } } + if enableAWSSession { + awsauth.EnableCache = true + } setupLog.Info("starting manager") if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { setupLog.Error(err, "problem running manager") @@ -185,4 +190,5 @@ func init() { rootCmd.Flags().BoolVar(&enableClusterExternalSecretReconciler, "enable-cluster-external-secret-reconciler", true, "Enable cluster external secret reconciler.") rootCmd.Flags().DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Default Time duration between reconciling (Cluster)SecretStores") rootCmd.Flags().BoolVar(&enableFloodGate, "enable-flood-gate", true, "Enable flood gate. External secret will be reconciled only if the ClusterStore or Store have an healthy or unknown state.") + rootCmd.Flags().BoolVar(&enableAWSSession, "experimental-enable-aws-session-cache", false, "Enable experimental AWS session cache. External secret will reuse the AWS session without creating a new one on each request.") } diff --git a/config/crds/bases/external-secrets.io_clustersecretstores.yaml b/config/crds/bases/external-secrets.io_clustersecretstores.yaml index 30c1ce143..c2b2b8e40 100644 --- a/config/crds/bases/external-secrets.io_clustersecretstores.yaml +++ b/config/crds/bases/external-secrets.io_clustersecretstores.yaml 
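Review bot: `if enableAWSSession { awsauth.EnableCache = true }` can be the plain assignment `awsauth.EnableCache = enableAWSSession`, which keeps the flag and the package setting from drifting apart. Writing an exported package-level bool from the command is acceptable only because it happens before `mgr.Start`, as it does here; since reconcilers then read `EnableCache` without any synchronization, that ordering is a requirement worth stating in the flag's help text or on the variable itself.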
@@ -1665,11 +1665,6 @@ spec: - SecretsManager - ParameterStore type: string - sessionCache: - description: SessionCache defines if the AWS session should - be reused, if not set the operator will issues a fresh session - for each request. - type: boolean required: - region - service diff --git a/config/crds/bases/external-secrets.io_secretstores.yaml b/config/crds/bases/external-secrets.io_secretstores.yaml index c6c805019..1dedf26a0 100644 --- a/config/crds/bases/external-secrets.io_secretstores.yaml +++ b/config/crds/bases/external-secrets.io_secretstores.yaml @@ -1668,11 +1668,6 @@ spec: - SecretsManager - ParameterStore type: string - sessionCache: - description: SessionCache defines if the AWS session should - be reused, if not set the operator will issues a fresh session - for each request. - type: boolean required: - region - service diff --git a/deploy/charts/external-secrets/templates/deployment.yaml b/deploy/charts/external-secrets/templates/deployment.yaml index 4ee8eaaac..432958ae6 100644 --- a/deploy/charts/external-secrets/templates/deployment.yaml +++ b/deploy/charts/external-secrets/templates/deployment.yaml @@ -69,6 +69,9 @@ spec: {{- if .Values.concurrent }} - --concurrent={{ .Values.concurrent }} {{- end }} + {{- if .Values.enableAWSSession }} + - --experimental-enable-aws-session-cache={{ .Values.enableAWSSession }} + {{- end }} {{- range $key, $value := .Values.extraArgs }} {{- if $value }} - --{{ $key }}={{ $value }} diff --git a/deploy/charts/external-secrets/values.yaml b/deploy/charts/external-secrets/values.yaml index 455551b6e..1be5db1d3 100644 --- a/deploy/charts/external-secrets/values.yaml +++ b/deploy/charts/external-secrets/values.yaml @@ -48,6 +48,9 @@ createOperator: true # a time. concurrent: 1 +# -- If set External secret will reuse the AWS session without creating a new one on each request. +enableAWSSession: false + serviceAccount: # -- Specifies whether a service account should be created. create: true 
diff --git a/deploy/crds/bundle.yaml b/deploy/crds/bundle.yaml index f95422a56..be1bd4c19 100644 --- a/deploy/crds/bundle.yaml +++ b/deploy/crds/bundle.yaml @@ -1557,9 +1557,6 @@ spec: - SecretsManager - ParameterStore type: string - sessionCache: - description: SessionCache defines if the AWS session should be reused, if not set the operator will issues a fresh session for each request. - type: boolean required: - region - service @@ -4232,9 +4229,6 @@ spec: - SecretsManager - ParameterStore type: string - sessionCache: - description: SessionCache defines if the AWS session should be reused, if not set the operator will issues a fresh session for each request. - type: boolean required: - region - service diff --git a/pkg/provider/aws/auth/auth.go b/pkg/provider/aws/auth/auth.go index 7608c8f21..58d42d9ee 100644 --- a/pkg/provider/aws/auth/auth.go +++ b/pkg/provider/aws/auth/auth.go @@ -52,8 +52,9 @@ type SessionCache struct { } var ( - log = ctrl.Log.WithName("provider").WithName("aws") - sessions = make(map[SessionCache]*session.Session) + log = ctrl.Log.WithName("provider").WithName("aws") + sessions = make(map[SessionCache]*session.Session) + EnableCache bool ) const ( @@ -242,9 +243,7 @@ func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI { // getAWSSession check if an AWS session should be reused // it returns the aws session or an error. func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, namespace string) (*session.Session, error) { - sessionCache := prov.SessionCache - - if sessionCache { + if EnableCache { tmpSession := SessionCache{ Name: store.GetObjectMeta().Name, Namespace: namespace, From 629d2f391ccb5701f2d9a7843af6f9f6a99c9426 Mon Sep 17 00:00:00 2001 From: Alberto Llamas Date: Tue, 21 Jun 2022 12:14:36 +0200 Subject: [PATCH 7/8] fix --- pkg/provider/aws/auth/auth.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
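Review bot: The exported `EnableCache` added to the var block has no doc comment, and the exported `SessionCache` type it relies on never received one either. Suggested: `// EnableCache enables reuse of AWS sessions across calls to New, keyed by SessionCache. It is read without synchronization and must be set before the manager starts.` and `// SessionCache identifies the (Cluster)SecretStore revision a cached AWS session was built for.` Since nothing outside the package needs to construct a `SessionCache`, consider unexporting it and keeping only `EnableCache` as the public knob.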
diff --git a/pkg/provider/aws/auth/auth.go b/pkg/provider/aws/auth/auth.go index 58d42d9ee..ca0fe2b9d 100644 --- a/pkg/provider/aws/auth/auth.go +++ b/pkg/provider/aws/auth/auth.go @@ -107,7 +107,7 @@ func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, config.WithRegion(prov.Region) } - sess, err := getAWSSession(config, prov, store, namespace) + sess, err := getAWSSession(config, store, namespace) if err != nil { return nil, err } @@ -242,7 +242,7 @@ func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI { // getAWSSession check if an AWS session should be reused // it returns the aws session or an error. -func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, namespace string) (*session.Session, error) { +func getAWSSession(config *aws.Config, store esv1beta1.GenericStore, namespace string) (*session.Session, error) { if EnableCache { tmpSession := SessionCache{ Name: store.GetObjectMeta().Name, From e31a408e1d1b7ab94bc53f0aa185fd52017e1630 Mon Sep 17 00:00:00 2001 From: Alberto Llamas Date: Wed, 22 Jun 2022 07:24:26 +0200 Subject: [PATCH 8/8] update --- .../templates/deployment.yaml | 3 -- deploy/charts/external-secrets/values.yaml | 3 -- pkg/provider/aws/auth/auth.go | 35 +++++++------------ 3 files changed, 13 insertions(+), 28 deletions(-) diff --git a/deploy/charts/external-secrets/templates/deployment.yaml b/deploy/charts/external-secrets/templates/deployment.yaml index 432958ae6..4ee8eaaac 100644 --- a/deploy/charts/external-secrets/templates/deployment.yaml +++ b/deploy/charts/external-secrets/templates/deployment.yaml @@ -69,9 +69,6 @@ spec: {{- if .Values.concurrent }} - --concurrent={{ .Values.concurrent }} {{- end }} - {{- if .Values.enableAWSSession }} - - --experimental-enable-aws-session-cache={{ .Values.enableAWSSession }} - {{- end }} {{- range $key, $value := .Values.extraArgs }} {{- if $value }} - --{{ $key }}={{ $value }} 
diff --git a/deploy/charts/external-secrets/values.yaml b/deploy/charts/external-secrets/values.yaml index 1be5db1d3..455551b6e 100644 --- a/deploy/charts/external-secrets/values.yaml +++ b/deploy/charts/external-secrets/values.yaml @@ -48,9 +48,6 @@ createOperator: true # a time. concurrent: 1 -# -- If set External secret will reuse the AWS session without creating a new one on each request. -enableAWSSession: false - serviceAccount: # -- Specifies whether a service account should be created. create: true diff --git a/pkg/provider/aws/auth/auth.go b/pkg/provider/aws/auth/auth.go index ca0fe2b9d..d3c8a2472 100644 --- a/pkg/provider/aws/auth/auth.go +++ b/pkg/provider/aws/auth/auth.go 
@@ -243,34 +243,21 @@ func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI { // getAWSSession check if an AWS session should be reused // it returns the aws session or an error. func getAWSSession(config *aws.Config, store esv1beta1.GenericStore, namespace string) (*session.Session, error) { + tmpSession := SessionCache{ + Name: store.GetObjectMeta().Name, + Namespace: namespace, + Kind: store.GetTypeMeta().Kind, + ResourceVersion: store.GetObjectMeta().ResourceVersion, + } + if EnableCache { - tmpSession := SessionCache{ - Name: store.GetObjectMeta().Name, - Namespace: namespace, - Kind: store.GetTypeMeta().Kind, - ResourceVersion: store.GetObjectMeta().ResourceVersion, - } - - _, ok := sessions[tmpSession] - + sess, ok := sessions[tmpSession] if ok { log.Info("reusing aws session", "SecretStore", tmpSession.Name, "namespace", tmpSession.Namespace, "kind", tmpSession.Kind, "resourceversion", tmpSession.ResourceVersion) - sess := sessions[tmpSession] return sess, nil } - handlers := defaults.Handlers() - handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) - sess, err := session.NewSessionWithOptions(session.Options{ - Config: *config, - Handlers: handlers, - SharedConfigState: session.SharedConfigDisable, - }) - if err != nil { - return nil, err - } - sessions[tmpSession] = sess - return sess, nil } + handlers := defaults.Handlers() handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets")) sess, err := session.NewSessionWithOptions(session.Options{ @@ -281,5 +268,9 @@ func getAWSSession(config *aws.Config, store esv1beta1.GenericStore, namespace s if err != nil { return nil, err } + + if EnableCache { + sessions[tmpSession] = sess + } return sess, nil }
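Review bot: `New` (outside this hunk) still calls `sess.Config.WithCredentials(...)` when `prov.Role` is set, and with `EnableCache` on that now mutates the session stored in `sessions`: each caller swaps the cached session's credentials provider in place, and two concurrent callers race on the same `sess.Config`. Hand callers a per-call copy instead, `return sess.Copy(), nil`, on the cache-hit path (and `sess.Copy()` after the insert), so the cached session's config is never modified. `tmpSession` is built, with four metadata calls, even when `EnableCache` is false; moving it under the first `if EnableCache` and reusing it at the insert keeps the no-cache path free of it. The doc comment should read `// getAWSSession returns a fresh AWS session built from config or, when EnableCache is set, the session cached for this store's name, namespace, kind and resource version.`; the function's body is split across this hunk and the next.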