
Reuse AWS session as feature gate that a user has to opt-in in order to use it

Alberto Llamas 3 years ago
parent
commit
ad63b74c9f

+ 5 - 0
apis/externalsecrets/v1beta1/secretstore_aws_types.go

@@ -73,4 +73,9 @@ type AWSProvider struct {
 
 	// AWS Region to be used for the provider
 	Region string `json:"region"`
+
+	// SessionCache defines if the AWS session should be reused,
+	// if not set the operator will issues a fresh session for each request.
+	// +optional
+	SessionCache bool `json:"sessionCache,omitempty"`
 }
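Review bot: The new field comment has a grammar slip ("will issues a fresh session") and does not tell the user what "reused" is keyed on, which matters for deciding whether to opt in; I would write it as `// SessionCache defines if the AWS session should be reused. If not set the operator issues a fresh session for each request; when set, a session is cached per SecretStore name, namespace, kind and resourceVersion.` The same text is copied into the generated CRD manifests in this commit, so regenerating them after fixing the source comment keeps all four copies consistent. Because the cache key includes the store's resourceVersion, credentials that change without an update to the store object itself would presumably keep being served from the cached session until the store is touched — if that is the case it belongs in this doc comment too.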

+ 5 - 0
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -1665,6 +1665,11 @@ spec:
                         - SecretsManager
                         - ParameterStore
                         type: string
+                      sessionCache:
+                        description: SessionCache defines if the AWS session should
+                          be reused, if not set the operator will issues a fresh session
+                          for each request.
+                        type: boolean
                     required:
                     - region
                     - service

+ 5 - 0
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -1668,6 +1668,11 @@ spec:
                         - SecretsManager
                         - ParameterStore
                         type: string
+                      sessionCache:
+                        description: SessionCache defines if the AWS session should
+                          be reused, if not set the operator will issues a fresh session
+                          for each request.
+                        type: boolean
                     required:
                     - region
                     - service

+ 6 - 0
deploy/crds/bundle.yaml

@@ -1557,6 +1557,9 @@ spec:
                             - SecretsManager
                             - ParameterStore
                           type: string
+                        sessionCache:
+                          description: SessionCache defines if the AWS session should be reused, if not set the operator will issues a fresh session for each request.
+                          type: boolean
                       required:
                         - region
                         - service
@@ -4229,6 +4232,9 @@ spec:
                             - SecretsManager
                             - ParameterStore
                           type: string
+                        sessionCache:
+                          description: SessionCache defines if the AWS session should be reused, if not set the operator will issues a fresh session for each request.
+                          type: boolean
                       required:
                         - region
                         - service

+ 55 - 26
pkg/provider/aws/auth/auth.go

@@ -106,32 +106,9 @@ func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client,
 		config.WithRegion(prov.Region)
 	}
 
-	var sess *session.Session
-
-	// check if session can be reused
-	tmpSession := SessionCache{
-		Name:            store.GetObjectMeta().Name,
-		Namespace:       namespace,
-		Kind:            store.GetTypeMeta().Kind,
-		ResourceVersion: store.GetObjectMeta().ResourceVersion,
-	}
-
-	_, ok := sessions[tmpSession]
-	if ok {
-		log.Info("reusing aws session", "SecretStore", tmpSession.Name, "namespace", tmpSession.Namespace, "kind", tmpSession.Kind, "resourceversion", tmpSession.ResourceVersion)
-		sess = sessions[tmpSession]
-	} else {
-		handlers := defaults.Handlers()
-		handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets"))
-		sess, err = session.NewSessionWithOptions(session.Options{
-			Config:            *config,
-			Handlers:          handlers,
-			SharedConfigState: session.SharedConfigDisable,
-		})
-		if err != nil {
-			return nil, err
-		}
-		sessions[tmpSession] = sess
+	sess, err := getAWSSession(config, prov, store, namespace)
+	if err != nil {
+		return nil, err
 	}
 
 	if prov.Role != "" {
@@ -261,3 +238,55 @@ type STSProvider func(*session.Session) stsiface.STSAPI
 func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI {
 	return sts.New(sess)
 }
+
+// getAWSSession check if an AWS session should be reused
+// it returns the aws session or an error.
+func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, namespace string) (*session.Session, error) {
+
+	sessionCache := prov.SessionCache
+
+	if sessionCache {
+
+		tmpSession := SessionCache{
+			Name:            store.GetObjectMeta().Name,
+			Namespace:       namespace,
+			Kind:            store.GetTypeMeta().Kind,
+			ResourceVersion: store.GetObjectMeta().ResourceVersion,
+		}
+
+		_, ok := sessions[tmpSession]
+
+		if ok {
+			log.Info("reusing aws session", "SecretStore", tmpSession.Name, "namespace", tmpSession.Namespace, "kind", tmpSession.Kind, "resourceversion", tmpSession.ResourceVersion)
+			return sessions[tmpSession], nil
+		} else {
+			handlers := defaults.Handlers()
+			handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets"))
+			sess, err := session.NewSessionWithOptions(session.Options{
+				Config:            *config,
+				Handlers:          handlers,
+				SharedConfigState: session.SharedConfigDisable,
+			})
+
+			if err != nil {
+				return nil, err
+			}
+			sessions[tmpSession] = sess
+			return sess, nil
+		}
+
+	} else {
+		handlers := defaults.Handlers()
+		handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets"))
+		sess, err := session.NewSessionWithOptions(session.Options{
+			Config:            *config,
+			Handlers:          handlers,
+			SharedConfigState: session.SharedConfigDisable,
+		})
+
+		if err != nil {
+			return nil, err
+		}
+		return sess, nil
+	}
+}
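Review bot: The session-construction code (defaults.Handlers, the user-agent handler, session.NewSessionWithOptions) is written out twice in getAWSSession, once in the cache-miss branch and once in the disabled branch, and the function also uses `else` after a `return` and looks up `sessions[tmpSession]` twice; a guard clause for `!prov.SessionCache` plus a small helper removes the duplication. Two behaviours of the enabled path are worth a comment or a follow-up: the key includes ResourceVersion, so every edit to a store adds a new entry and nothing in the hunk ever deletes one, so the package-level map only grows; and `sessions` is read and written here without any lock visible in the hunk, which is a data race if New can be called from concurrent reconciles (I cannot see the map's declaration from here). The doc comment `// getAWSSession check if an AWS session should be reused` should also say that with SessionCache unset a fresh session is issued on every call.
```go
// getAWSSession returns the cached session for this store when
// prov.SessionCache is set (creating and caching it on a miss); when
// unset, a fresh session is issued on every call.
func getAWSSession(config *aws.Config, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, namespace string) (*session.Session, error) {
	if !prov.SessionCache {
		return newSession(config)
	}
	key := SessionCache{
		Name:            store.GetObjectMeta().Name,
		Namespace:       namespace,
		Kind:            store.GetTypeMeta().Kind,
		ResourceVersion: store.GetObjectMeta().ResourceVersion,
	}
	// NOTE(review): entries are never evicted and the map is not guarded
	// here; confirm callers are serialized or add a mutex around the map.
	if sess, ok := sessions[key]; ok {
		log.Info("reusing aws session", "SecretStore", key.Name, "namespace", key.Namespace, "kind", key.Kind, "resourceversion", key.ResourceVersion)
		return sess, nil
	}
	sess, err := newSession(config)
	if err != nil {
		return nil, err
	}
	sessions[key] = sess
	return sess, nil
}

// newSession builds a session from config with shared config disabled and
// the external-secrets user agent appended.
func newSession(config *aws.Config) (*session.Session, error) {
	handlers := defaults.Handlers()
	handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets"))
	return session.NewSessionWithOptions(session.Options{
		Config:            *config,
		Handlers:          handlers,
		SharedConfigState: session.SharedConfigDisable,
	})
}
```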