Alberto Llamas 3 years ago
parent
commit
5ec222dfd0

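--- a/apis/externalsecrets/v1beta1/secretstore_aws_types.go
+++ b/apis/externalsecrets/v1beta1/secretstore_aws_types.go
@@ -73,9 +73,4 @@ type AWSProvider struct {
 
 	// AWS Region to be used for the provider
 	Region string `json:"region"`
-
-	// SessionCache defines if the AWS session should be reused,
-	// if not set the operator will issues a fresh session for each request.
-	// +optional
-	SessionCache bool `json:"sessionCache,omitempty"`
 }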

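--- a/cmd/root.go
+++ b/cmd/root.go
@@ -38,6 +38,7 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret"
 	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
+	awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
 )
 
 var (
@@ -61,6 +62,7 @@ var (
 	secretName, secretNamespace           string
 	crdRequeueInterval                    time.Duration
 	certCheckInterval                     time.Duration
+	enableAWSSession                      bool
 )
 
 const (
@@ -159,6 +161,9 @@ var rootCmd = &cobra.Command{
 				os.Exit(1)
 			}
 		}
+		if enableAWSSession {
+			awsauth.EnableCache = true
+		}
 		setupLog.Info("starting manager")
 		if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 			setupLog.Error(err, "problem running manager")
@@ -185,4 +190,5 @@ func init() {
 	rootCmd.Flags().BoolVar(&enableClusterExternalSecretReconciler, "enable-cluster-external-secret-reconciler", true, "Enable cluster external secret reconciler.")
 	rootCmd.Flags().DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Default Time duration between reconciling (Cluster)SecretStores")
 	rootCmd.Flags().BoolVar(&enableFloodGate, "enable-flood-gate", true, "Enable flood gate. External secret will be reconciled only if the ClusterStore or Store have an healthy or unknown state.")
+	rootCmd.Flags().BoolVar(&enableAWSSession, "experimental-enable-aws-session-cache", false, "Enable experimental AWS session cache. External secret will reuse the AWS session without creating a new one on each request.")
 }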
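Review bot: The help text of the new `--experimental-enable-aws-session-cache` flag does not tell operators that it replaces the per-store `spec.provider.aws.sessionCache` field this same commit removes from the CRD, nor that it is an operator-wide switch covering every AWS SecretStore/ClusterSecretStore; manifests that still set `sessionCache: true` will presumably have that field pruned by the API server, so an upgrade silently turns caching off unless the flag is set. Suggested text: `"Enable experimental AWS session cache for all AWS stores (replaces the removed per-store spec.provider.aws.sessionCache field). External secret will reuse the AWS session without creating a new one on each request."`. As a point of style, the `if enableAWSSession { awsauth.EnableCache = true }` block reduces to `awsauth.EnableCache = enableAWSSession`, and naming the variable `enableAWSSessionCache` would match the flag. The enclosing Run function starts and ends outside the shown hunks.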

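--- a/config/crds/bases/external-secrets.io_clustersecretstores.yaml
+++ b/config/crds/bases/external-secrets.io_clustersecretstores.yaml
@@ -1665,11 +1665,6 @@ spec:
                         - SecretsManager
                         - ParameterStore
                         type: string
-                      sessionCache:
-                        description: SessionCache defines if the AWS session should
-                          be reused, if not set the operator will issues a fresh session
-                          for each request.
-                        type: boolean
                     required:
                     - region
                     - service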

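--- a/config/crds/bases/external-secrets.io_secretstores.yaml
+++ b/config/crds/bases/external-secrets.io_secretstores.yaml
@@ -1668,11 +1668,6 @@ spec:
                         - SecretsManager
                         - ParameterStore
                         type: string
-                      sessionCache:
-                        description: SessionCache defines if the AWS session should
-                          be reused, if not set the operator will issues a fresh session
-                          for each request.
-                        type: boolean
                     required:
                     - region
                     - service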

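--- a/deploy/charts/external-secrets/templates/deployment.yaml
+++ b/deploy/charts/external-secrets/templates/deployment.yaml
@@ -69,6 +69,9 @@ spec:
           {{- if .Values.concurrent }}
           - --concurrent={{ .Values.concurrent }}
           {{- end }}
+          {{- if .Values.enableAWSSession }}
+          - --experimental-enable-aws-session-cache={{ .Values.enableAWSSession }}
+          {{- end }}
           {{- range $key, $value := .Values.extraArgs }}
             {{- if $value }}
           - --{{ $key }}={{ $value }}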
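Review bot: Inside `{{- if .Values.enableAWSSession }}` the interpolated `={{ .Values.enableAWSSession }}` can only ever render a truthy value, so the guard and the interpolation are redundant with each other; either write the literal `- --experimental-enable-aws-session-cache=true` under the guard, or drop the guard and always render the flag so that the value in `values.yaml` is what the binary sees. Note that a quoted string such as `"false"` is truthy to the `if` and would render `=false`, which the current shape silently tolerates.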

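--- a/deploy/charts/external-secrets/values.yaml
+++ b/deploy/charts/external-secrets/values.yaml
@@ -48,6 +48,9 @@ createOperator: true
 # a time.
 concurrent: 1
 
+# -- If set External secret will reuse the AWS session without creating a new one on each request.
+enableAWSSession: false
+
 serviceAccount:
   # -- Specifies whether a service account should be created.
   create: true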
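Review bot: The comment on `enableAWSSession` omits the two caveats the CLI flag carries: the feature is marked experimental, and it is an operator-wide switch that affects every AWS (Cluster)SecretStore served by this release rather than the per-store opt-in it replaces. Suggested wording: `# -- If set, the operator reuses AWS sessions for all AWS (Cluster)SecretStores instead of creating a new one per request. Experimental; maps to --experimental-enable-aws-session-cache.`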

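--- a/deploy/crds/bundle.yaml
+++ b/deploy/crds/bundle.yaml
@@ -1557,9 +1557,6 @@ spec:
                           - SecretsManager
                           - ParameterStore
                           type: string
-                        sessionCache:
-                          description: SessionCache defines if the AWS session should be reused, if not set the operator will issues a fresh session for each request.
-                          type: boolean
                       required:
                         - region
                         - service
@@ -4232,9 +4229,6 @@ spec:
                           - SecretsManager
                           - ParameterStore
                           type: string
-                        sessionCache:
-                          description: SessionCache defines if the AWS session should be reused, if not set the operator will issues a fresh session for each request.
-                          type: boolean
                       required:
                         - region
                         - service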

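--- a/pkg/provider/aws/auth/auth.go
+++ b/pkg/provider/aws/auth/auth.go
@@ -52,8 +52,9 @@ type SessionCache struct {
 }
 
 var (
-	log      = ctrl.Log.WithName("provider").WithName("aws")
-	sessions = make(map[SessionCache]*session.Session)
+	log         = ctrl.Log.WithName("provider").WithName("aws")
+	sessions    = make(map[SessionCache]*session.Session)
+	EnableCache bool
 )
 
 const (
@@ -242,9 +243,7 @@ func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI {
 // getAWSSession check if an AWS session should be reused
 // it returns the aws session or an error.
 func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, namespace string) (*session.Session, error) {
-	sessionCache := prov.SessionCache
-
-	if sessionCache {
+	if EnableCache {
 		tmpSession := SessionCache{
 			Name:            store.GetObjectMeta().Name,
 			Namespace:       namespace,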
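Review bot: `EnableCache` is a new exported, mutable package-level variable with no doc comment, written from `cmd/root.go` and read on every `getAWSSession` call with no synchronization, so its contract should be stated where it is declared, e.g. `// EnableCache turns on process-wide reuse of AWS sessions for all stores. It must be set once before the controllers start; reads are not synchronized.`. A caveat worth recording alongside it: now that caching is a global switch rather than a per-store choice, a reused session can outlive rotation of the credentials the store references unless the `SessionCache` key also covers the credential material — the key's remaining fields fall outside this hunk, so confirm and document which case applies, because if it does not, the operator would keep presenting rotated-out keys until the entry is evicted. The body of `getAWSSession` continues past the hunk.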