fluxcd
diff --git a/‎api/v1beta3/provider_types.go‎
Lines changed: 10 additions & 5 deletions b/‎api/v1beta3/provider_types.go‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml‎
Lines changed: 8 additions & 4 deletions b/‎config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎docs/api/v1beta3/notification.md‎
Lines changed: 14 additions & 8 deletions b/‎docs/api/v1beta3/notification.md‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎docs/spec/v1beta3/providers.md‎
Lines changed: 41 additions & 16 deletions b/‎docs/spec/v1beta3/providers.md‎
Lines changed: 41 additions & 16 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/notifier/alertmanager.go‎
Lines changed: 12 additions & 12 deletions b/‎internal/notifier/alertmanager.go‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎internal/notifier/alertmanager_fuzz_test.go‎
Lines changed: 4 additions & 4 deletions b/‎internal/notifier/alertmanager_fuzz_test.go‎
Lines changed: 4 additions & 4 deletions
@@ -123,12 +123,17 @@ type ProviderSpec struct {
 	// +optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
-	// CertSecretRef specifies the Secret containing
-	// a PEM-encoded CA certificate (in the `ca.crt` key).
-	// +optional
+	// CertSecretRef specifies the Secret containing TLS certificates
+	// for secure communication.
+	//
+	// Supported configurations:
+	// - CA-only: Server authentication (provide ca.crt only)
+	// - mTLS: Mutual authentication (provide ca.crt + tls.crt + tls.key)
+	// - Client-only: Client authentication with system CA (provide tls.crt + tls.key only)
 	//
-	// Note: Support for the `caFile` key has
-	// been deprecated.
+	// Legacy keys "caFile", "certFile", "keyFile" are supported but deprecated. Use "ca.crt", "tls.crt", "tls.key" instead.
+	//
+	// +optional
 	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
 
 	// Suspend tells the controller to suspend subsequent
 
@@ -443,11 +443,15 @@ spec:
                 type: string
               certSecretRef:
                 description: |-
-                  CertSecretRef specifies the Secret containing
-                  a PEM-encoded CA certificate (in the `ca.crt` key).
+                  CertSecretRef specifies the Secret containing TLS certificates
+                  for secure communication.
 
-                  Note: Support for the `caFile` key has
-                  been deprecated.
+                  Supported configurations:
+                  - CA-only: Server authentication (provide ca.crt only)
+                  - mTLS: Mutual authentication (provide ca.crt + tls.crt + tls.key)
+                  - Client-only: Client authentication with system CA (provide tls.crt + tls.key only)
+
+                  Legacy keys "caFile", "certFile", "keyFile" are supported but deprecated. Use "ca.crt", "tls.crt", "tls.key" instead.
                 properties:
                   name:
                     description: Name of the referent.
 
@@ -392,10 +392,13 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 </td>
 <td>
 <em>(Optional)</em>
-<p>CertSecretRef specifies the Secret containing
-a PEM-encoded CA certificate (in the <code>ca.crt</code> key).</p>
-<p>Note: Support for the <code>caFile</code> key has
-been deprecated.</p>
+<p>CertSecretRef specifies the Secret containing TLS certificates
+for secure communication.</p>
+<p>Supported configurations:
+- CA-only: Server authentication (provide ca.crt only)
+- mTLS: Mutual authentication (provide ca.crt + tls.crt + tls.key)
+- Client-only: Client authentication with system CA (provide tls.crt + tls.key only)</p>
+<p>Legacy keys &ldquo;caFile&rdquo;, &ldquo;certFile&rdquo;, &ldquo;keyFile&rdquo; are supported but deprecated. Use &ldquo;ca.crt&rdquo;, &ldquo;tls.crt&rdquo;, &ldquo;tls.key&rdquo; instead.</p>
 </td>
 </tr>
 <tr>
@@ -730,10 +733,13 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 </td>
 <td>
 <em>(Optional)</em>
-<p>CertSecretRef specifies the Secret containing
-a PEM-encoded CA certificate (in the <code>ca.crt</code> key).</p>
-<p>Note: Support for the <code>caFile</code> key has
-been deprecated.</p>
+<p>CertSecretRef specifies the Secret containing TLS certificates
+for secure communication.</p>
+<p>Supported configurations:
+- CA-only: Server authentication (provide ca.crt only)
+- mTLS: Mutual authentication (provide ca.crt + tls.crt + tls.key)
+- Client-only: Client authentication with system CA (provide tls.crt + tls.key only)</p>
+<p>Legacy keys &ldquo;caFile&rdquo;, &ldquo;certFile&rdquo;, &ldquo;keyFile&rdquo; are supported but deprecated. Use &ldquo;ca.crt&rdquo;, &ldquo;tls.crt&rdquo;, &ldquo;tls.key&rdquo; instead.</p>
 </td>
 </tr>
 <tr>
 
@@ -284,7 +284,7 @@ field](https://api.slack.com/methods/chat.postMessage#arg_username) to the
 payload, defaulting to the name of the reporting controller.
 
 This Provider type supports the configuration of a [proxy URL](#https-proxy)
-and/or [TLS certificates](#tls-certificates).
+and/or [certificate secret reference](#certificate-secret-reference).
 
 ###### Slack example
 
@@ -363,7 +363,7 @@ In both cases the Event metadata is attached as facts, and the involved object a
 The severity of the Event is used to set the color of the message.
 
 This Provider type supports the configuration of a [proxy URL](#https-proxy)
-and/or [TLS certificates](#tls-certificates), but lacks support for
+and/or [certificate secret reference](#certificate-secret-reference), but lacks support for
 configuring a [Channel](#channel). This can be configured during the
 creation of the Incoming Webhook Workflow in Microsoft Teams.
 
@@ -403,7 +403,7 @@ The Event will be formatted into a [DataDog Event](https://docs.datadoghq.com/ap
 API endpoint of the provided DataDog [Address](#address).
 
 This Provider type supports the configuration of a [proxy URL](#https-proxy)
-and/or [TLS certificates](#tls-certificates).
+and/or [certificate secret reference](#certificate-secret-reference).
 
 The metadata of the Event is included in the DataDog event as extra tags.
 
@@ -459,7 +459,7 @@ The Event will be formatted into a [Slack message](#slack) and send to the
 `/slack` endpoint of the provided Discord [Address](#address).
 
 This Provider type supports the configuration of a [proxy URL](#https-proxy)
-and/or [TLS certificates](#tls-certificates), but lacks support for
+and/or [certificate secret reference](#certificate-secret-reference), but lacks support for
 configuring a [Channel](#channel). This can be configured [during the creation
 of the address](https://discord.com/developers/docs/resources/webhook#create-webhook)
 
@@ -507,7 +507,7 @@ The Provider's [Channel](#channel) is used to set the `environment` on the
 Sentry client.
 
 This Provider type supports the configuration of
-[TLS certificates](#tls-certificates).
+[certificate secret reference](#certificate-secret-reference).
 
 ###### Sentry example
 
@@ -555,7 +555,7 @@ a unique identifier with the topic identifier (`-1234567890:1`) for the forum ch
 or the username (`@username`) of the target channel.
 
 This Provider type does not support the configuration of a [proxy URL](#https-proxy)
-or [TLS certificates](#tls-certificates).
+or [certificate secret reference](#certificate-secret-reference).
 
 ###### Telegram example
 
@@ -623,7 +623,7 @@ The Event will be formatted into a [Lark Message card](https://open.larksuite.co
 with the metadata written to the message string.
 
 This Provider type does not support the configuration of a [proxy URL](#https-proxy)
-or [TLS certificates](#tls-certificates).
+or [certificate secret reference](#certificate-secret-reference).
 
 ###### Lark example
 
@@ -660,7 +660,7 @@ The Event will be formatted into a [Slack message](#slack) and send as a
 payload the provided Rocket [Address](#address).
 
 This Provider type does support the configuration of a [proxy URL](#https-proxy)
-and [TLS certificates](#tls-certificates).
+and [certificate secret reference](#certificate-secret-reference).
 
 ###### Rocket example
 
@@ -742,7 +742,7 @@ You can optionally add [attributes](https://cloud.google.com/pubsub/docs/samples
 to the Pub/Sub message using a [`headers` key in the referenced Secret](#http-headers-example).
 
 This Provider type does not support the configuration of a [proxy URL](#https-proxy)
-or [TLS certificates](#tls-certificates).
+or [certificate secret reference](#certificate-secret-reference).
 
 ###### Google Pub/Sub with JSON Credentials and Custom Headers Example
 
@@ -788,7 +788,7 @@ with the metadata added to the [`details` field](https://docs.opsgenie.com/docs/
 as a list of key-value pairs.
 
 This Provider type does support the configuration of a [proxy URL](#https-proxy)
-and [TLS certificates](#tls-certificates).
+and [certificate secret reference](#certificate-secret-reference).
 
 ###### Opsgenie example
 
@@ -831,7 +831,7 @@ The provider will also send [Change Events](https://developer.pagerduty.com/api-
 for `info` level `Severity`, which will be displayed in the PagerDuty service's timeline to track changes.
 
 This Provider type supports the configuration of a [proxy URL](#https-proxy)
-and [TLS certificates](#tls-certificates).
+and [certificate secret reference](#certificate-secret-reference).
 
 The [Channel](#channel) is used to set the routing key to send the event to the appropriate integration.
 
@@ -916,7 +916,7 @@ global:
 ```
 
 This Provider type does support the configuration of a [proxy URL](#https-proxy)
-and [TLS certificates](#tls-certificates).
+and [certificate secret reference](#certificate-secret-reference).
 
 ###### Prometheus Alertmanager example
 
@@ -988,7 +988,7 @@ The [Channel](#channel) is used to set the ID of the room to send the message
 to.
 
 This Provider type does support the configuration of a [proxy URL](#https-proxy)
-and [TLS certificates](#tls-certificates).
+and [certificate secret reference](#certificate-secret-reference).
 
 ###### Webex example
 
@@ -1184,11 +1184,36 @@ stringData:
   proxy: "http://username:password@proxy_url:proxy_port"
 ```
 
-### TLS certificates
+### Certificate secret reference
 
 `.spec.certSecretRef` is an optional field to specify a name reference to a
-Secret in the same namespace as the Provider, containing the TLS CA certificate.
-The secret must be of type `kubernetes.io/tls` or `Opaque`.
+Secret in the same namespace as the Provider, containing TLS certificates for
+secure communication. The secret must be of type `kubernetes.io/tls` or `Opaque`.
+
+#### Supported configurations
+
+- **CA-only**: Server authentication (provide `ca.crt` only)
+- **mTLS**: Client certificate authentication (provide `tls.crt` + `tls.key`, optionally with `ca.crt`)
+
+#### Providers supporting client certificate authentication
+
+The following webhook-based providers support client certificate authentication:
+
+| Provider Type        | Description                    |
+|---------------------|--------------------------------|
+| `alertmanager`      | Prometheus Alertmanager        |
+| `discord`           | Discord webhooks               |
+| `forwarder`         | Generic forwarder              |
+| `grafana`           | Grafana annotations API        |
+| `matrix`            | Matrix rooms                   |
+| `msteams`           | Microsoft Teams                |
+| `opsgenie`          | Opsgenie alerts                |
+| `pagerduty`         | PagerDuty events               |
+| `rocket`            | Rocket.Chat                    |
+| `slack`             | Slack API                      |
+| `webex`             | Webex messages                 |
+
+Support for client certificate authentication is being expanded to additional providers over time.
 
 #### Example
 
 
@@ -24,7 +24,7 @@ require (
 	github.com/fluxcd/pkg/cache v0.9.0
 	github.com/fluxcd/pkg/git v0.31.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
-	github.com/fluxcd/pkg/runtime v0.61.0
+	github.com/fluxcd/pkg/runtime v0.63.0
 	github.com/fluxcd/pkg/ssa v0.48.0
 	github.com/fluxcd/pkg/ssh v0.18.0
 	github.com/getsentry/sentry-go v0.32.0
 
@@ -168,8 +168,8 @@ github.com/fluxcd/pkg/git v0.31.0 h1:hVUJcRujNa+GA5zrjrMpuVcgHbCBjfq0CZIZJqJl22I
 github.com/fluxcd/pkg/git v0.31.0/go.mod h1:rUgLXVQGBkBggHOLVMhHMHaweQ8Oc6HwZiN2Zm08Zxs=
 github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3sz6bM=
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
-github.com/fluxcd/pkg/runtime v0.61.0 h1:63OCvVoJd3RbmAl7UBUzOeNtaY5V1iVL+SaaqiNMM74=
-github.com/fluxcd/pkg/runtime v0.61.0/go.mod h1:UeU0/eZLErYC/1bTmgzBfNXhiHy9fuQzjfLK0HxRgxY=
+github.com/fluxcd/pkg/runtime v0.63.0 h1:55J7ascGmXyTXWGwhD21N9fU7jC1l5rhdzjgNXs6aZg=
+github.com/fluxcd/pkg/runtime v0.63.0/go.mod h1:7pxGvaU0Yy1cDIUhiHAHhCx2yCLnkcVsplbYZG6j4JY=
 github.com/fluxcd/pkg/ssa v0.48.0 h1:DW+4DG8L/yZEi30UltOEXPB1d/ZFn4HfVhpJQp5oc2o=
 github.com/fluxcd/pkg/ssa v0.48.0/go.mod h1:T50TO0U2obLodZnrFgOrxollfBEy4V673OkM2aTUF1c=
 github.com/fluxcd/pkg/ssh v0.18.0 h1:SB0RrZ/YZIla3chTUulsfVmiCzJv5pEWfHM3dHMC8AU=
 
@@ -18,7 +18,7 @@ package notifier
 
 import (
 	"context"
-	"crypto/x509"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/url"
@@ -32,10 +32,10 @@ import (
 )
 
 type Alertmanager struct {
-	URL      string
-	ProxyURL string
-	CertPool *x509.CertPool
-	Token    string
+	URL       string
+	ProxyURL  string
+	TLSConfig *tls.Config
+	Token     string
 }
 
 type AlertManagerAlert struct {
@@ -74,17 +74,17 @@ func (a *AlertManagerTime) UnmarshalJSON(jsonRepr []byte) error {
 	return nil
 }
 
-func NewAlertmanager(hookURL string, proxyURL string, certPool *x509.CertPool, token string) (*Alertmanager, error) {
+func NewAlertmanager(hookURL string, proxyURL string, tlsConfig *tls.Config, token string) (*Alertmanager, error) {
 	_, err := url.ParseRequestURI(hookURL)
 	if err != nil {
 		return nil, fmt.Errorf("invalid Alertmanager URL %s: '%w'", hookURL, err)
 	}
 
 	return &Alertmanager{
-		URL:      hookURL,
-		ProxyURL: proxyURL,
-		CertPool: certPool,
-		Token:    token,
+		URL:       hookURL,
+		ProxyURL:  proxyURL,
+		Token:     token,
+		TLSConfig: tlsConfig,
 	}, nil
 }
 
@@ -141,8 +141,8 @@ func (s *Alertmanager) Post(ctx context.Context, event eventv1.Event) error {
 	if s.ProxyURL != "" {
 		opts = append(opts, withProxy(s.ProxyURL))
 	}
-	if s.CertPool != nil {
-		opts = append(opts, withCertPool(s.CertPool))
+	if s.TLSConfig != nil {
+		opts = append(opts, withTLSConfig(s.TLSConfig))
 	}
 	if s.Token != "" {
 		opts = append(opts, withRequestModifier(func(request *retryablehttp.Request) {
 
@@ -18,7 +18,7 @@ package notifier
 
 import (
 	"context"
-	"crypto/x509"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"net/http"
@@ -43,10 +43,10 @@ func Fuzz_AlertManager(f *testing.F) {
 		}))
 		defer ts.Close()
 
-		var cert x509.CertPool
-		_ = fuzz.NewConsumer(seed).GenerateStruct(&cert)
+		var tlsConfig tls.Config
+		_ = fuzz.NewConsumer(seed).GenerateStruct(&tlsConfig)
 
-		alertmanager, err := NewAlertmanager(fmt.Sprintf("%s/%s", ts.URL, urlSuffix), "", &cert, "")
+		alertmanager, err := NewAlertmanager(fmt.Sprintf("%s/%s", ts.URL, urlSuffix), "", &tlsConfig, "")
 		if err != nil {
 			return
 		}