Remove deprecated proxy fields from Provider API

cappyzawa · cappyzawa · commit bc217dc7c18b · 2025-10-07T01:04:06.000+09:00
The spec.proxy field and 'proxy' key in secrets are no longer
supported. These fields were deprecated in v2.7 with the introduction
of spec.proxySecretRef as the recommended approach.

Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/api/v1beta3/provider_types.go b/api/v1beta3/provider_types.go
@@ -98,14 +98,6 @@ type ProviderSpec struct {
 	// +optional
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 
-	// Proxy the HTTP/S address of the proxy server.
-	// Deprecated: Use ProxySecretRef instead. Will be removed in v1.
-	// +kubebuilder:validation:Pattern="^(http|https)://.*$"
-	// +kubebuilder:validation:MaxLength:=2048
-	// +kubebuilder:validation:Optional
-	// +optional
-	Proxy string `json:"proxy,omitempty"`
-
 	// ProxySecretRef specifies the Secret containing the proxy configuration
 	// for this Provider. The Secret should contain an 'address' key with the
 	// HTTP/S address of the proxy server. Optional 'username' and 'password'
diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
@@ -297,13 +297,6 @@ spec:
                   Deprecated and not used in v1beta3.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                 type: string
-              proxy:
-                description: |-
-                  Proxy the HTTP/S address of the proxy server.
-                  Deprecated: Use ProxySecretRef instead. Will be removed in v1.
-                maxLength: 2048
-                pattern: ^(http|https)://.*$
-                type: string
               proxySecretRef:
                 description: |-
                   ProxySecretRef specifies the Secret containing the proxy configuration
diff --git a/docs/api/v1beta3/notification.md b/docs/api/v1beta3/notification.md
@@ -323,19 +323,6 @@ Kubernetes meta/v1.Duration
 </tr>
 <tr>
 <td>
-<code>proxy</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Proxy the HTTP/S address of the proxy server.
-Deprecated: Use ProxySecretRef instead. Will be removed in v1.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>proxySecretRef</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
@@ -671,19 +658,6 @@ Kubernetes meta/v1.Duration
 </tr>
 <tr>
 <td>
-<code>proxy</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Proxy the HTTP/S address of the proxy server.
-Deprecated: Use ProxySecretRef instead. Will be removed in v1.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>proxySecretRef</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
diff --git a/docs/spec/v1beta3/providers.md b/docs/spec/v1beta3/providers.md
@@ -1253,7 +1253,6 @@ credentials for the provider API.
 The Kubernetes secret can have any of the following keys:
 
 - `address` - overrides `.spec.address`
-- `proxy` - overrides `.spec.proxy` (deprecated, use `.spec.proxySecretRef` instead. **Support for this key will be removed in v1**)
 - `token` - used for authentication
 - `username` - overrides `.spec.username`
 - `password` - used for authentication, often in combination with `username` (or `.spec.username`)
@@ -1312,7 +1311,7 @@ stringData:
 #### Proxy auth example
 
 Some networks need to use an authenticated proxy to access external services.
-The recommended approach is to use `.spec.proxySecretRef` with a dedicated Secret:
+Use `.spec.proxySecretRef` with a dedicated Secret:
 
 ```yaml
 ---
@@ -1327,20 +1326,6 @@ stringData:
   password: "proxy_password"
 ```
 
-**Legacy approach (deprecated):**
-The proxy address can also be stored in the main secret to hide parameters like the username and password:
-
-```yaml
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: my-provider-proxy-legacy
-  namespace: default
-stringData:
-  proxy: "http://username:password@proxy_url:proxy_port"
-```
-
 ### Certificate secret reference
 
 `.spec.certSecretRef` is an optional field to specify a name reference to a
@@ -1466,19 +1451,11 @@ the controller will log a deprecation warning.
 
 ### HTTP/S proxy
 
-`.spec.proxy` is an optional field to specify an HTTP/S proxy address.
-**Warning:** This field is deprecated, use `.spec.proxySecretRef` instead. **Support for this field will be removed in v1.**
-
 `.spec.proxySecretRef` is an optional field to specify a name reference to a
 Secret in the same namespace as the Provider, containing the proxy configuration.
 The Secret should contain an `address` key with the HTTP/S address of the proxy server.
 Optional `username` and `password` keys can be provided for proxy authentication.
 
-If the proxy address contains sensitive information such as basic auth credentials, it is
-recommended to use `.spec.proxySecretRef` instead of `.spec.proxy`.
-When `.spec.proxySecretRef` is specified, both `.spec.proxy` and the `proxy` key from
-`.spec.secretRef` are ignored.
-
 ### Timeout
 
 `.spec.timeout` is an optional field to specify the timeout for the
diff --git a/internal/server/event_handlers.go b/internal/server/event_handlers.go
@@ -22,7 +22,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"net/url"
 	"regexp"
 	"slices"
 	"strings"
@@ -317,13 +316,10 @@ func extractAuthFromSecret(ctx context.Context, secret *corev1.Secret) ([]notifi
 		}
 	}
 
-	if val, ok := secret.Data["proxy"]; ok {
-		deprecatedProxy := strings.TrimSpace(string(val))
-		if _, err := url.Parse(deprecatedProxy); err != nil {
-			return nil, nil, fmt.Errorf("invalid 'proxy' in secret '%s/%s'", secret.Namespace, secret.Name)
-		}
-		log.FromContext(ctx).Error(nil, "warning: specifying proxy with 'proxy' key in the referenced secret is deprecated, use spec.proxySecretRef with 'address' key instead. Support for the 'proxy' key will be removed in v1.")
-		options = append(options, notifier.WithProxyURL(deprecatedProxy))
+	if _, ok := secret.Data["proxy"]; ok {
+		err := errors.New("specifying proxy with 'proxy' key in the referenced secret is deprecated, use spec.proxySecretRef with 'address' key instead. Support for the 'proxy' key is removed in v1")
+		log.FromContext(ctx).Error(err, "no longer supported.")
+		return nil, nil, err
 	}
 
 	if h, ok := secret.Data["headers"]; ok {
@@ -380,12 +376,6 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
 		options = append(options, notifier.WithTokenCache(tokenCache))
 	}
 
-	// TODO: Remove deprecated proxy handling when Provider v1 is released.
-	if provider.Spec.Proxy != "" {
-		log.FromContext(ctx).Error(nil, "warning: spec.proxy is deprecated, please use spec.proxySecretRef instead. Support for this field will be removed in v1.")
-		options = append(options, notifier.WithProxyURL(provider.Spec.Proxy))
-	}
-
 	webhook := provider.Spec.Address
 	var token string
 	var secretData map[string][]byte
diff --git a/internal/server/event_handlers_test.go b/internal/server/event_handlers_test.go
@@ -600,7 +600,6 @@ func TestCreateNotifier(t *testing.T) {
 			},
 			wantErr: true,
 		},
-		// TODO: Remove deprecated secret proxy key tests when Provider v1 is released.
 		{
 			name: "reference to secret with valid address, proxy, headers",
 			providerSpec: &apiv1beta3.ProviderSpec{
@@ -612,17 +611,6 @@ func TestCreateNotifier(t *testing.T) {
 				"proxy":   []byte("https://exampleproxy.com"),
 				"headers": []byte(`foo: bar`),
 			},
-		},
-		{
-			name: "reference to secret with invalid proxy",
-			providerSpec: &apiv1beta3.ProviderSpec{
-				Type:      "slack",
-				SecretRef: &meta.LocalObjectReference{Name: secretName},
-			},
-			secretData: map[string][]byte{
-				"address": []byte("https://example.com"),
-				"proxy":   []byte("https://exampleproxy.com|"),
-			},
 			wantErr: true,
 		},
 		{
@@ -648,19 +636,6 @@ func TestCreateNotifier(t *testing.T) {
 				"address": []byte("https://example.com"),
 			},
 		},
-		// TODO: Remove deprecated spec.proxy field tests when Provider v1 is released.
-		{
-			name: "invalid spec proxy overridden by valid secret ref proxy",
-			providerSpec: &apiv1beta3.ProviderSpec{
-				Type:      "slack",
-				SecretRef: &meta.LocalObjectReference{Name: secretName},
-				Proxy:     "https://example.com|",
-			},
-			secretData: map[string][]byte{
-				"address": []byte("https://example.com"),
-				"proxy":   []byte("https://example.com"),
-			},
-		},
 		{
 			name: "reference to unsupported cert secret type",
 			providerSpec: &apiv1beta3.ProviderSpec{
@@ -870,15 +845,6 @@ Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
 			},
 			wantErr: true,
 		},
-		// TODO: Remove deprecated spec.proxy field tests when Provider v1 is released.
-		{
-			name: "deprecated spec.proxy field",
-			providerSpec: &apiv1beta3.ProviderSpec{
-				Type:    "generic",
-				Address: "https://example.com",
-				Proxy:   "http://proxy.example.com:8080",
-			},
-		},
 		{
 			name: "provider type that does not require address field",
 			providerSpec: &apiv1beta3.ProviderSpec{
