From 59f2038f66ac4b9f7f24e0dc13c1d7ad853bd017 Mon Sep 17 00:00:00 2001
From: cappyzawa <cappyzawa@gmail.com>
Date: Tue, 7 Oct 2025 01:04:06 +0900
Subject: [PATCH] Remove deprecated proxy fields from Provider API

The spec.proxy field and 'proxy' key in secrets are no longer
supported. These fields were deprecated in v2.7 with the introduction
of spec.proxySecretRef as the recommended approach.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>
---
 api/v1beta3/provider_types.go                 |  8 -----
 ...ification.toolkit.fluxcd.io_providers.yaml |  7 ----
 docs/api/v1beta3/notification.md              | 26 --------------
 docs/spec/v1beta3/providers.md                | 25 +-------------
 go.mod                                        |  2 +-
 go.sum                                        |  4 +--
 internal/server/event_handlers.go             | 18 +++-------
 internal/server/event_handlers_test.go        | 34 -------------------
 8 files changed, 8 insertions(+), 116 deletions(-)

diff --git a/api/v1beta3/provider_types.go b/api/v1beta3/provider_types.go
index 7a83896db..0504e8ea7 100644
--- a/api/v1beta3/provider_types.go
+++ b/api/v1beta3/provider_types.go
@@ -98,14 +98,6 @@ type ProviderSpec struct {
 	// +optional
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 
-	// Proxy the HTTP/S address of the proxy server.
-	// Deprecated: Use ProxySecretRef instead. Will be removed in v1.
-	// +kubebuilder:validation:Pattern="^(http|https)://.*$"
-	// +kubebuilder:validation:MaxLength:=2048
-	// +kubebuilder:validation:Optional
-	// +optional
-	Proxy string `json:"proxy,omitempty"`
-
 	// ProxySecretRef specifies the Secret containing the proxy configuration
 	// for this Provider. The Secret should contain an 'address' key with the
 	// HTTP/S address of the proxy server. Optional 'username' and 'password'
diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
index 00a581dda..b75eec649 100644
--- a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
+++ b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
@@ -297,13 +297,6 @@ spec:
                   Deprecated and not used in v1beta3.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                 type: string
-              proxy:
-                description: |-
-                  Proxy the HTTP/S address of the proxy server.
-                  Deprecated: Use ProxySecretRef instead. Will be removed in v1.
-                maxLength: 2048
-                pattern: ^(http|https)://.*$
-                type: string
               proxySecretRef:
                 description: |-
                   ProxySecretRef specifies the Secret containing the proxy configuration
diff --git a/docs/api/v1beta3/notification.md b/docs/api/v1beta3/notification.md
index d26ccefc4..22243ac66 100644
--- a/docs/api/v1beta3/notification.md
+++ b/docs/api/v1beta3/notification.md
@@ -323,19 +323,6 @@ Kubernetes meta/v1.Duration
 </tr>
 <tr>
 <td>
-<code>proxy</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Proxy the HTTP/S address of the proxy server.
-Deprecated: Use ProxySecretRef instead. Will be removed in v1.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>proxySecretRef</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
@@ -671,19 +658,6 @@ Kubernetes meta/v1.Duration
 </tr>
 <tr>
 <td>
-<code>proxy</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Proxy the HTTP/S address of the proxy server.
-Deprecated: Use ProxySecretRef instead. Will be removed in v1.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>proxySecretRef</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
diff --git a/docs/spec/v1beta3/providers.md b/docs/spec/v1beta3/providers.md
index 99f01f814..a0feecd61 100644
--- a/docs/spec/v1beta3/providers.md
+++ b/docs/spec/v1beta3/providers.md
@@ -1253,7 +1253,6 @@ credentials for the provider API.
 The Kubernetes secret can have any of the following keys:
 
 - `address` - overrides `.spec.address`
-- `proxy` - overrides `.spec.proxy` (deprecated, use `.spec.proxySecretRef` instead. **Support for this key will be removed in v1**)
 - `token` - used for authentication
 - `username` - overrides `.spec.username`
 - `password` - used for authentication, often in combination with `username` (or `.spec.username`)
@@ -1312,7 +1311,7 @@ stringData:
 #### Proxy auth example
 
 Some networks need to use an authenticated proxy to access external services.
-The recommended approach is to use `.spec.proxySecretRef` with a dedicated Secret:
+Use `.spec.proxySecretRef` with a dedicated Secret:
 
 ```yaml
 ---
@@ -1327,20 +1326,6 @@ stringData:
   password: "proxy_password"
 ```
 
-**Legacy approach (deprecated):**
-The proxy address can also be stored in the main secret to hide parameters like the username and password:
-
-```yaml
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: my-provider-proxy-legacy
-  namespace: default
-stringData:
-  proxy: "http://username:password@proxy_url:proxy_port"
-```
-
 ### Certificate secret reference
 
 `.spec.certSecretRef` is an optional field to specify a name reference to a
@@ -1466,19 +1451,11 @@ the controller will log a deprecation warning.
 
 ### HTTP/S proxy
 
-`.spec.proxy` is an optional field to specify an HTTP/S proxy address.
-**Warning:** This field is deprecated, use `.spec.proxySecretRef` instead. **Support for this field will be removed in v1.**
-
 `.spec.proxySecretRef` is an optional field to specify a name reference to a
 Secret in the same namespace as the Provider, containing the proxy configuration.
 The Secret should contain an `address` key with the HTTP/S address of the proxy server.
 Optional `username` and `password` keys can be provided for proxy authentication.
 
-If the proxy address contains sensitive information such as basic auth credentials, it is
-recommended to use `.spec.proxySecretRef` instead of `.spec.proxy`.
-When `.spec.proxySecretRef` is specified, both `.spec.proxy` and the `proxy` key from
-`.spec.secretRef` are ignored.
-
 ### Timeout
 
 `.spec.timeout` is an optional field to specify the timeout for the
diff --git a/go.mod b/go.mod
index a4a35c5a2..1cd6d9c26 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/fluxcd/pkg/cache v0.11.0
 	github.com/fluxcd/pkg/git v0.36.0
 	github.com/fluxcd/pkg/masktoken v0.8.0
-	github.com/fluxcd/pkg/runtime v0.86.0
+	github.com/fluxcd/pkg/runtime v0.87.0
 	github.com/fluxcd/pkg/ssa v0.56.0
 	github.com/fluxcd/pkg/ssh v0.21.0
 	github.com/getsentry/sentry-go v0.35.3
diff --git a/go.sum b/go.sum
index fb36534cc..26ea1f6b0 100644
--- a/go.sum
+++ b/go.sum
@@ -148,8 +148,8 @@ github.com/fluxcd/pkg/git v0.36.0 h1:oakFKxTX5yiLcFzCS1SaV+mMXaODaF1Ic6/oCLfIe7I
 github.com/fluxcd/pkg/git v0.36.0/go.mod h1:4TgfjcoM3B2sGsO5VbfBSwJQYzNCONGihcTOW8P3Jxw=
 github.com/fluxcd/pkg/masktoken v0.8.0 h1:Dm5xIVNbg0s6zNttjDvimaG38bKsXwxBVo5b+D7ThVU=
 github.com/fluxcd/pkg/masktoken v0.8.0/go.mod h1:Gc73ALOqIe+5Gj2V3JggMNiYcBiZ9bNNDYBE9R5XTTg=
-github.com/fluxcd/pkg/runtime v0.86.0 h1:q7aBSerJwt0N9hpurPVElG+HWpVhZcs6t96bcNQj43w=
-github.com/fluxcd/pkg/runtime v0.86.0/go.mod h1:Wt9mUzQgMPQMu2D/wKl5pG4zh5vu/tfF5wq9pPobxOQ=
+github.com/fluxcd/pkg/runtime v0.87.0 h1:Zxr657m2V012WmFUWW0Zh+axO87UHxtL3o7XfyBet4Y=
+github.com/fluxcd/pkg/runtime v0.87.0/go.mod h1:Wt9mUzQgMPQMu2D/wKl5pG4zh5vu/tfF5wq9pPobxOQ=
 github.com/fluxcd/pkg/ssa v0.56.0 h1:OuWTPr0kI0alQYX1B3byJmUQol4BrpnrsXOoBmaTCPY=
 github.com/fluxcd/pkg/ssa v0.56.0/go.mod h1:iN/QDMqdJaVXKkqwbXqGa4PyWQwtyIy2WkeM2+9kfXA=
 github.com/fluxcd/pkg/ssh v0.21.0 h1:ZmyF0n9je0cTTkOpvFVgIhmdx9qtswnVE60TK4IzJh0=
diff --git a/internal/server/event_handlers.go b/internal/server/event_handlers.go
index d41b291eb..565951d36 100644
--- a/internal/server/event_handlers.go
+++ b/internal/server/event_handlers.go
@@ -22,7 +22,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"net/url"
 	"regexp"
 	"slices"
 	"strings"
@@ -317,13 +316,10 @@ func extractAuthFromSecret(ctx context.Context, secret *corev1.Secret) ([]notifi
 		}
 	}
 
-	if val, ok := secret.Data["proxy"]; ok {
-		deprecatedProxy := strings.TrimSpace(string(val))
-		if _, err := url.Parse(deprecatedProxy); err != nil {
-			return nil, nil, fmt.Errorf("invalid 'proxy' in secret '%s/%s'", secret.Namespace, secret.Name)
-		}
-		log.FromContext(ctx).Error(nil, "warning: specifying proxy with 'proxy' key in the referenced secret is deprecated, use spec.proxySecretRef with 'address' key instead. Support for the 'proxy' key will be removed in v1.")
-		options = append(options, notifier.WithProxyURL(deprecatedProxy))
+	if _, ok := secret.Data["proxy"]; ok {
+		err := errors.New("specifying proxy with 'proxy' key in the referenced secret is deprecated, use spec.proxySecretRef with 'address' key instead. Support for the 'proxy' key is removed in v1")
+		log.FromContext(ctx).Error(err, "no longer supported.")
+		return nil, nil, err
 	}
 
 	if h, ok := secret.Data["headers"]; ok {
@@ -380,12 +376,6 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
 		options = append(options, notifier.WithTokenCache(tokenCache))
 	}
 
-	// TODO: Remove deprecated proxy handling when Provider v1 is released.
-	if provider.Spec.Proxy != "" {
-		log.FromContext(ctx).Error(nil, "warning: spec.proxy is deprecated, please use spec.proxySecretRef instead. Support for this field will be removed in v1.")
-		options = append(options, notifier.WithProxyURL(provider.Spec.Proxy))
-	}
-
 	webhook := provider.Spec.Address
 	var token string
 	var secretData map[string][]byte
diff --git a/internal/server/event_handlers_test.go b/internal/server/event_handlers_test.go
index c57f12760..ea684eefb 100644
--- a/internal/server/event_handlers_test.go
+++ b/internal/server/event_handlers_test.go
@@ -600,7 +600,6 @@ func TestCreateNotifier(t *testing.T) {
 			},
 			wantErr: true,
 		},
-		// TODO: Remove deprecated secret proxy key tests when Provider v1 is released.
 		{
 			name: "reference to secret with valid address, proxy, headers",
 			providerSpec: &apiv1beta3.ProviderSpec{
@@ -612,17 +611,6 @@ func TestCreateNotifier(t *testing.T) {
 				"proxy":   []byte("https://exampleproxy.com"),
 				"headers": []byte(`foo: bar`),
 			},
-		},
-		{
-			name: "reference to secret with invalid proxy",
-			providerSpec: &apiv1beta3.ProviderSpec{
-				Type:      "slack",
-				SecretRef: &meta.LocalObjectReference{Name: secretName},
-			},
-			secretData: map[string][]byte{
-				"address": []byte("https://example.com"),
-				"proxy":   []byte("https://exampleproxy.com|"),
-			},
 			wantErr: true,
 		},
 		{
@@ -648,19 +636,6 @@ func TestCreateNotifier(t *testing.T) {
 				"address": []byte("https://example.com"),
 			},
 		},
-		// TODO: Remove deprecated spec.proxy field tests when Provider v1 is released.
-		{
-			name: "invalid spec proxy overridden by valid secret ref proxy",
-			providerSpec: &apiv1beta3.ProviderSpec{
-				Type:      "slack",
-				SecretRef: &meta.LocalObjectReference{Name: secretName},
-				Proxy:     "https://example.com|",
-			},
-			secretData: map[string][]byte{
-				"address": []byte("https://example.com"),
-				"proxy":   []byte("https://example.com"),
-			},
-		},
 		{
 			name: "reference to unsupported cert secret type",
 			providerSpec: &apiv1beta3.ProviderSpec{
@@ -870,15 +845,6 @@ Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
 			},
 			wantErr: true,
 		},
-		// TODO: Remove deprecated spec.proxy field tests when Provider v1 is released.
-		{
-			name: "deprecated spec.proxy field",
-			providerSpec: &apiv1beta3.ProviderSpec{
-				Type:    "generic",
-				Address: "https://example.com",
-				Proxy:   "http://proxy.example.com:8080",
-			},
-		},
 		{
 			name: "provider type that does not require address field",
 			providerSpec: &apiv1beta3.ProviderSpec{