diff --git a/api/v1beta3/provider_types.go b/api/v1beta3/provider_types.go
index 7a83896db..0504e8ea7 100644
--- a/api/v1beta3/provider_types.go
+++ b/api/v1beta3/provider_types.go
@@ -98,14 +98,6 @@ type ProviderSpec struct {
// +optional
Timeout *metav1.Duration `json:"timeout,omitempty"`
- // Proxy the HTTP/S address of the proxy server.
- // Deprecated: Use ProxySecretRef instead. Will be removed in v1.
- // +kubebuilder:validation:Pattern="^(http|https)://.*$"
- // +kubebuilder:validation:MaxLength:=2048
- // +kubebuilder:validation:Optional
- // +optional
- Proxy string `json:"proxy,omitempty"`
-
// ProxySecretRef specifies the Secret containing the proxy configuration
// for this Provider. The Secret should contain an 'address' key with the
// HTTP/S address of the proxy server. Optional 'username' and 'password'
diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
index 00a581dda..b75eec649 100644
--- a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
+++ b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
@@ -297,13 +297,6 @@ spec:
Deprecated and not used in v1beta3.
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
type: string
- proxy:
- description: |-
- Proxy the HTTP/S address of the proxy server.
- Deprecated: Use ProxySecretRef instead. Will be removed in v1.
- maxLength: 2048
- pattern: ^(http|https)://.*$
- type: string
proxySecretRef:
description: |-
ProxySecretRef specifies the Secret containing the proxy configuration
diff --git a/docs/api/v1beta3/notification.md b/docs/api/v1beta3/notification.md
index d26ccefc4..22243ac66 100644
--- a/docs/api/v1beta3/notification.md
+++ b/docs/api/v1beta3/notification.md
@@ -323,19 +323,6 @@ Kubernetes meta/v1.Duration
-proxy
-
-string
-
- |
-
-(Optional)
- Proxy the HTTP/S address of the proxy server.
-Deprecated: Use ProxySecretRef instead. Will be removed in v1.
- |
-
-
-
proxySecretRef
@@ -671,19 +658,6 @@ Kubernetes meta/v1.Duration
|
-proxy
-
-string
-
- |
-
-(Optional)
- Proxy the HTTP/S address of the proxy server.
-Deprecated: Use ProxySecretRef instead. Will be removed in v1.
- |
-
-
-
proxySecretRef
diff --git a/docs/spec/v1beta3/providers.md b/docs/spec/v1beta3/providers.md
index 99f01f814..a0feecd61 100644
--- a/docs/spec/v1beta3/providers.md
+++ b/docs/spec/v1beta3/providers.md
@@ -1253,7 +1253,6 @@ credentials for the provider API.
The Kubernetes secret can have any of the following keys:
- `address` - overrides `.spec.address`
-- `proxy` - overrides `.spec.proxy` (deprecated, use `.spec.proxySecretRef` instead. **Support for this key will be removed in v1**)
- `token` - used for authentication
- `username` - overrides `.spec.username`
- `password` - used for authentication, often in combination with `username` (or `.spec.username`)
@@ -1312,7 +1311,7 @@ stringData:
#### Proxy auth example
Some networks need to use an authenticated proxy to access external services.
-The recommended approach is to use `.spec.proxySecretRef` with a dedicated Secret:
+Use `.spec.proxySecretRef` with a dedicated Secret:
```yaml
---
@@ -1327,20 +1326,6 @@ stringData:
password: "proxy_password"
```
-**Legacy approach (deprecated):**
-The proxy address can also be stored in the main secret to hide parameters like the username and password:
-
-```yaml
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: my-provider-proxy-legacy
- namespace: default
-stringData:
- proxy: "http://username:password@proxy_url:proxy_port"
-```
-
### Certificate secret reference
`.spec.certSecretRef` is an optional field to specify a name reference to a
@@ -1466,19 +1451,11 @@ the controller will log a deprecation warning.
### HTTP/S proxy
-`.spec.proxy` is an optional field to specify an HTTP/S proxy address.
-**Warning:** This field is deprecated, use `.spec.proxySecretRef` instead. **Support for this field will be removed in v1.**
-
`.spec.proxySecretRef` is an optional field to specify a name reference to a
Secret in the same namespace as the Provider, containing the proxy configuration.
The Secret should contain an `address` key with the HTTP/S address of the proxy server.
Optional `username` and `password` keys can be provided for proxy authentication.
-If the proxy address contains sensitive information such as basic auth credentials, it is
-recommended to use `.spec.proxySecretRef` instead of `.spec.proxy`.
-When `.spec.proxySecretRef` is specified, both `.spec.proxy` and the `proxy` key from
-`.spec.secretRef` are ignored.
-
### Timeout
`.spec.timeout` is an optional field to specify the timeout for the
diff --git a/go.mod b/go.mod
index a4a35c5a2..1cd6d9c26 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
github.com/fluxcd/pkg/cache v0.11.0
github.com/fluxcd/pkg/git v0.36.0
github.com/fluxcd/pkg/masktoken v0.8.0
- github.com/fluxcd/pkg/runtime v0.86.0
+ github.com/fluxcd/pkg/runtime v0.87.0
github.com/fluxcd/pkg/ssa v0.56.0
github.com/fluxcd/pkg/ssh v0.21.0
github.com/getsentry/sentry-go v0.35.3
diff --git a/go.sum b/go.sum
index fb36534cc..26ea1f6b0 100644
--- a/go.sum
+++ b/go.sum
@@ -148,8 +148,8 @@ github.com/fluxcd/pkg/git v0.36.0 h1:oakFKxTX5yiLcFzCS1SaV+mMXaODaF1Ic6/oCLfIe7I
github.com/fluxcd/pkg/git v0.36.0/go.mod h1:4TgfjcoM3B2sGsO5VbfBSwJQYzNCONGihcTOW8P3Jxw=
github.com/fluxcd/pkg/masktoken v0.8.0 h1:Dm5xIVNbg0s6zNttjDvimaG38bKsXwxBVo5b+D7ThVU=
github.com/fluxcd/pkg/masktoken v0.8.0/go.mod h1:Gc73ALOqIe+5Gj2V3JggMNiYcBiZ9bNNDYBE9R5XTTg=
-github.com/fluxcd/pkg/runtime v0.86.0 h1:q7aBSerJwt0N9hpurPVElG+HWpVhZcs6t96bcNQj43w=
-github.com/fluxcd/pkg/runtime v0.86.0/go.mod h1:Wt9mUzQgMPQMu2D/wKl5pG4zh5vu/tfF5wq9pPobxOQ=
+github.com/fluxcd/pkg/runtime v0.87.0 h1:Zxr657m2V012WmFUWW0Zh+axO87UHxtL3o7XfyBet4Y=
+github.com/fluxcd/pkg/runtime v0.87.0/go.mod h1:Wt9mUzQgMPQMu2D/wKl5pG4zh5vu/tfF5wq9pPobxOQ=
github.com/fluxcd/pkg/ssa v0.56.0 h1:OuWTPr0kI0alQYX1B3byJmUQol4BrpnrsXOoBmaTCPY=
github.com/fluxcd/pkg/ssa v0.56.0/go.mod h1:iN/QDMqdJaVXKkqwbXqGa4PyWQwtyIy2WkeM2+9kfXA=
github.com/fluxcd/pkg/ssh v0.21.0 h1:ZmyF0n9je0cTTkOpvFVgIhmdx9qtswnVE60TK4IzJh0=
diff --git a/internal/server/event_handlers.go b/internal/server/event_handlers.go
index d41b291eb..565951d36 100644
--- a/internal/server/event_handlers.go
+++ b/internal/server/event_handlers.go
@@ -22,7 +22,6 @@ import (
"errors"
"fmt"
"net/http"
- "net/url"
"regexp"
"slices"
"strings"
@@ -317,13 +316,10 @@ func extractAuthFromSecret(ctx context.Context, secret *corev1.Secret) ([]notifi
}
}
- if val, ok := secret.Data["proxy"]; ok {
- deprecatedProxy := strings.TrimSpace(string(val))
- if _, err := url.Parse(deprecatedProxy); err != nil {
- return nil, nil, fmt.Errorf("invalid 'proxy' in secret '%s/%s'", secret.Namespace, secret.Name)
- }
- log.FromContext(ctx).Error(nil, "warning: specifying proxy with 'proxy' key in the referenced secret is deprecated, use spec.proxySecretRef with 'address' key instead. Support for the 'proxy' key will be removed in v1.")
- options = append(options, notifier.WithProxyURL(deprecatedProxy))
+ if _, ok := secret.Data["proxy"]; ok {
+ err := errors.New("specifying proxy with 'proxy' key in the referenced secret is deprecated, use spec.proxySecretRef with 'address' key instead. Support for the 'proxy' key is removed in v1")
+ log.FromContext(ctx).Error(err, "no longer supported.")
+ return nil, nil, err
}
if h, ok := secret.Data["headers"]; ok {
@@ -380,12 +376,6 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
options = append(options, notifier.WithTokenCache(tokenCache))
}
- // TODO: Remove deprecated proxy handling when Provider v1 is released.
- if provider.Spec.Proxy != "" {
- log.FromContext(ctx).Error(nil, "warning: spec.proxy is deprecated, please use spec.proxySecretRef instead. Support for this field will be removed in v1.")
- options = append(options, notifier.WithProxyURL(provider.Spec.Proxy))
- }
-
webhook := provider.Spec.Address
var token string
var secretData map[string][]byte
diff --git a/internal/server/event_handlers_test.go b/internal/server/event_handlers_test.go
index c57f12760..ea684eefb 100644
--- a/internal/server/event_handlers_test.go
+++ b/internal/server/event_handlers_test.go
@@ -600,7 +600,6 @@ func TestCreateNotifier(t *testing.T) {
},
wantErr: true,
},
- // TODO: Remove deprecated secret proxy key tests when Provider v1 is released.
{
name: "reference to secret with valid address, proxy, headers",
providerSpec: &apiv1beta3.ProviderSpec{
@@ -612,17 +611,6 @@ func TestCreateNotifier(t *testing.T) {
"proxy": []byte("https://exampleproxy.com"),
"headers": []byte(`foo: bar`),
},
- },
- {
- name: "reference to secret with invalid proxy",
- providerSpec: &apiv1beta3.ProviderSpec{
- Type: "slack",
- SecretRef: &meta.LocalObjectReference{Name: secretName},
- },
- secretData: map[string][]byte{
- "address": []byte("https://example.com"),
- "proxy": []byte("https://exampleproxy.com|"),
- },
wantErr: true,
},
{
@@ -648,19 +636,6 @@ func TestCreateNotifier(t *testing.T) {
"address": []byte("https://example.com"),
},
},
- // TODO: Remove deprecated spec.proxy field tests when Provider v1 is released.
- {
- name: "invalid spec proxy overridden by valid secret ref proxy",
- providerSpec: &apiv1beta3.ProviderSpec{
- Type: "slack",
- SecretRef: &meta.LocalObjectReference{Name: secretName},
- Proxy: "https://example.com|",
- },
- secretData: map[string][]byte{
- "address": []byte("https://example.com"),
- "proxy": []byte("https://example.com"),
- },
- },
{
name: "reference to unsupported cert secret type",
providerSpec: &apiv1beta3.ProviderSpec{
@@ -870,15 +845,6 @@ Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
},
wantErr: true,
},
- // TODO: Remove deprecated spec.proxy field tests when Provider v1 is released.
- {
- name: "deprecated spec.proxy field",
- providerSpec: &apiv1beta3.ProviderSpec{
- Type: "generic",
- Address: "https://example.com",
- Proxy: "http://proxy.example.com:8080",
- },
- },
{
name: "provider type that does not require address field",
providerSpec: &apiv1beta3.ProviderSpec{
|