Add ProxySecretRef field to Provider API

Introduce spec.proxySecretRef to enable secure proxy configuration
through dedicated Secrets. This provides a more secure alternative
to the deprecated spec.proxy field and secret proxy key.

The new field integrates with runtime/secrets for unified proxy
handling and maintains backward compatibility. Deprecation warnings
are implemented for existing proxy configuration methods.

Proxy priority: ProxySecretRef > secret proxy key > spec.proxy

Signed-off-by: cappyzawa <[email protected]>

Author: cappyzawa

api/v1beta3/provider_types.go

@@ -97,12 +97,20 @@ type ProviderSpec struct {
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 
 	// Proxy the HTTP/S address of the proxy server.
+	// Deprecated: Use ProxySecretRef instead. Will be removed in v1.
 	// +kubebuilder:validation:Pattern="^(http|https)://.*$"
 	// +kubebuilder:validation:MaxLength:=2048
 	// +kubebuilder:validation:Optional
 	// +optional
 	Proxy string `json:"proxy,omitempty"`
 
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// for this Provider. The Secret should contain an 'address' key with the
+	// HTTP/S address of the proxy server. Optional 'username' and 'password'
+	// keys can be provided for proxy authentication.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
 	// SecretRef specifies the Secret containing the authentication
 	// credentials for this Provider.
 	// +optional

api/v1beta3/zz_generated.deepcopy.go

@@ -475,10 +475,25 @@ spec:
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                 type: string
               proxy:
-                description: Proxy the HTTP/S address of the proxy server.
+                description: |-
+                  Proxy the HTTP/S address of the proxy server.
+                  Deprecated: Use ProxySecretRef instead. Will be removed in v1.
                 maxLength: 2048
                 pattern: ^(http|https)://.*$
                 type: string
+              proxySecretRef:
+                description: |-
+                  ProxySecretRef specifies the Secret containing the proxy configuration
+                  for this Provider. The Secret should contain an 'address' key with the
+                  HTTP/S address of the proxy server. Optional 'username' and 'password'
+                  keys can be provided for proxy authentication.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
               secretRef:
                 description: |-
                   SecretRef specifies the Secret containing the authentication

config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml

@@ -330,7 +330,25 @@ string
 </td>
 <td>
 <em>(Optional)</em>
-<p>Proxy the HTTP/S address of the proxy server.</p>
+<p>Proxy the HTTP/S address of the proxy server.
+Deprecated: Use ProxySecretRef instead. Will be removed in v1.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>proxySecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ProxySecretRef specifies the Secret containing the proxy configuration
+for this Provider. The Secret should contain an &lsquo;address&rsquo; key with the
+HTTP/S address of the proxy server. Optional &lsquo;username&rsquo; and &lsquo;password&rsquo;
+keys can be provided for proxy authentication.</p>
 </td>
 </tr>
 <tr>
@@ -650,7 +668,25 @@ string
 </td>
 <td>
 <em>(Optional)</em>
-<p>Proxy the HTTP/S address of the proxy server.</p>
+<p>Proxy the HTTP/S address of the proxy server.
+Deprecated: Use ProxySecretRef instead. Will be removed in v1.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>proxySecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ProxySecretRef specifies the Secret containing the proxy configuration
+for this Provider. The Secret should contain an &lsquo;address&rsquo; key with the
+HTTP/S address of the proxy server. Optional &lsquo;username&rsquo; and &lsquo;password&rsquo;
+keys can be provided for proxy authentication.</p>
 </td>
 </tr>
 <tr>

docs/api/v1beta3/notification.md

@@ -1097,7 +1097,7 @@ credentials for the provider API.
 The Kubernetes secret can have any of the following keys:
 
 - `address` - overrides `.spec.address`
-- `proxy` - overrides `.spec.proxy`
+- `proxy` - overrides `.spec.proxy` (deprecated, use `.spec.proxySecretRef` instead. **Support for this key will be removed in v1**)
 - `token` - used for authentication
 - `username` - overrides `.spec.username`
 - `headers` - HTTP headers values included in the POST request
@@ -1155,7 +1155,7 @@ stringData:
 #### Proxy auth example
 
 Some networks need to use an authenticated proxy to access external services.
-Therefore, the proxy address can be stored as a secret to hide parameters like the username and password:
+The recommended approach is to use `.spec.proxySecretRef` with a dedicated Secret:
 
 ```yaml
 ---
@@ -1164,6 +1164,22 @@ kind: Secret
 metadata:
   name: my-provider-proxy
   namespace: default
+stringData:
+  address: "http://proxy_url:proxy_port"
+  username: "proxy_username"
+  password: "proxy_password"
+```
+
+**Legacy approach (deprecated):**
+The proxy address can also be stored in the main secret to hide parameters like the username and password:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-provider-proxy-legacy
+  namespace: default
 stringData:
   proxy: "http://username:password@proxy_url:proxy_port"
 ```
@@ -1210,10 +1226,17 @@ the controller will log a deprecation warning.
 ### HTTP/S proxy
 
 `.spec.proxy` is an optional field to specify an HTTP/S proxy address.
+**Warning:** This field is deprecated, use `.spec.proxySecretRef` instead. **Support for this field will be removed in v1.**
+
+`.spec.proxySecretRef` is an optional field to specify a name reference to a
+Secret in the same namespace as the Provider, containing the proxy configuration.
+The Secret should contain an `address` key with the HTTP/S address of the proxy server.
+Optional `username` and `password` keys can be provided for proxy authentication.
 
 If the proxy address contains sensitive information such as basic auth credentials, it is
-recommended to store the proxy in the Kubernetes secret referenced by `.spec.secretRef.name`.
-When the referenced Secret contains a `proxy` key, the `.spec.proxy` value is ignored.
+recommended to use `.spec.proxySecretRef` instead of `.spec.proxy`.
+When `.spec.proxySecretRef` is specified, both `.spec.proxy` and the `proxy` key from
+`.spec.secretRef` are ignored.
 
 ### Timeout
 

docs/spec/v1beta3/providers.md

@@ -24,7 +24,7 @@ require (
 	github.com/fluxcd/pkg/cache v0.9.0
 	github.com/fluxcd/pkg/git v0.31.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
-	github.com/fluxcd/pkg/runtime v0.60.0
+	github.com/fluxcd/pkg/runtime v0.61.0
 	github.com/fluxcd/pkg/ssa v0.48.0
 	github.com/fluxcd/pkg/ssh v0.18.0
 	github.com/getsentry/sentry-go v0.32.0

go.mod

@@ -168,8 +168,8 @@ github.com/fluxcd/pkg/git v0.31.0 h1:hVUJcRujNa+GA5zrjrMpuVcgHbCBjfq0CZIZJqJl22I
 github.com/fluxcd/pkg/git v0.31.0/go.mod h1:rUgLXVQGBkBggHOLVMhHMHaweQ8Oc6HwZiN2Zm08Zxs=
 github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3sz6bM=
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
-github.com/fluxcd/pkg/runtime v0.60.0 h1:d++EkV3FlycB+bzakB5NumwY4J8xts8i7lbvD6jBLeU=
-github.com/fluxcd/pkg/runtime v0.60.0/go.mod h1:UeU0/eZLErYC/1bTmgzBfNXhiHy9fuQzjfLK0HxRgxY=
+github.com/fluxcd/pkg/runtime v0.61.0 h1:63OCvVoJd3RbmAl7UBUzOeNtaY5V1iVL+SaaqiNMM74=
+github.com/fluxcd/pkg/runtime v0.61.0/go.mod h1:UeU0/eZLErYC/1bTmgzBfNXhiHy9fuQzjfLK0HxRgxY=
 github.com/fluxcd/pkg/ssa v0.48.0 h1:DW+4DG8L/yZEi30UltOEXPB1d/ZFn4HfVhpJQp5oc2o=
 github.com/fluxcd/pkg/ssa v0.48.0/go.mod h1:T50TO0U2obLodZnrFgOrxollfBEy4V673OkM2aTUF1c=
 github.com/fluxcd/pkg/ssh v0.18.0 h1:SB0RrZ/YZIla3chTUulsfVmiCzJv5pEWfHM3dHMC8AU=

go.sum

@@ -40,6 +40,7 @@ import (
 	"github.com/fluxcd/pkg/auth"
 	pkgcache "github.com/fluxcd/pkg/cache"
 	"github.com/fluxcd/pkg/masktoken"
+	"github.com/fluxcd/pkg/runtime/secrets"
 
 	apiv1 "github.com/fluxcd/notification-controller/api/v1"
 	apiv1beta3 "github.com/fluxcd/notification-controller/api/v1beta3"
@@ -311,7 +312,11 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
 
 	webhook := provider.Spec.Address
 	username := provider.Spec.Username
-	proxy := provider.Spec.Proxy
+	// TODO: Remove deprecated proxy handling when Provider v1 is released.
+	deprecatedProxy := provider.Spec.Proxy
+	if deprecatedProxy != "" {
+		log.FromContext(ctx).Error(nil, "warning: spec.proxy is deprecated, please use spec.proxySecretRef instead. Support for this field will be removed in v1.")
+	}
 	token := ""
 	password := ""
 	headers := make(map[string]string)
@@ -336,11 +341,12 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
 		}
 
 		if val, ok := secret.Data["proxy"]; ok {
-			proxy = strings.TrimSpace(string(val))
-			_, err := url.Parse(proxy)
+			deprecatedProxy = strings.TrimSpace(string(val))
+			_, err := url.Parse(deprecatedProxy)
 			if err != nil {
 				return nil, "", fmt.Errorf("invalid 'proxy' in secret '%s/%s'", secret.Namespace, secret.Name)
 			}
+			log.FromContext(ctx).Error(nil, "warning: specifying proxy with 'proxy' key in the referenced secret is deprecated, use spec.proxySecretRef with 'address' key instead. Support for the 'proxy' key will be removed in v1.")
 		}
 
 		if val, ok := secret.Data["token"]; ok {
@@ -359,6 +365,17 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
 		}
 	}
 
+	var proxy string
+	if provider.Spec.ProxySecretRef != nil {
+		proxyURL, err := secrets.ProxyURLFromSecret(ctx, kubeClient, provider.Spec.ProxySecretRef.Name, provider.Namespace)
+		if err != nil {
+			return nil, "", fmt.Errorf("failed to get proxy URL from secret: %w", err)
+		}
+		proxy = proxyURL.String()
+	} else {
+		proxy = deprecatedProxy
+	}
+
 	var certPool *x509.CertPool
 	if provider.Spec.CertSecretRef != nil {
 		var secret corev1.Secret

internal/server/event_handlers.go

@@ -548,13 +548,15 @@ func TestGetNotificationParams(t *testing.T) {
 func TestCreateNotifier(t *testing.T) {
 	secretName := "foo-secret"
 	certSecretName := "cert-secret"
+	proxySecretName := "proxy-secret"
 	tests := []struct {
-		name           string
-		providerSpec   *apiv1beta3.ProviderSpec
-		secretType     corev1.SecretType
-		secretData     map[string][]byte
-		certSecretData map[string][]byte
-		wantErr        bool
+		name            string
+		providerSpec    *apiv1beta3.ProviderSpec
+		secretType      corev1.SecretType
+		secretData      map[string][]byte
+		certSecretData  map[string][]byte
+		proxySecretData map[string][]byte
+		wantErr         bool
 	}{
 		{
 			name: "no address, no secret ref",
@@ -578,6 +580,7 @@ func TestCreateNotifier(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		// TODO: Remove deprecated secret proxy key tests when Provider v1 is released.
 		{
 			name: "reference to secret with valid address, proxy, headers",
 			providerSpec: &apiv1beta3.ProviderSpec{
@@ -625,6 +628,7 @@ func TestCreateNotifier(t *testing.T) {
 				"address": []byte("https://example.com"),
 			},
 		},
+		// TODO: Remove deprecated spec.proxy field tests when Provider v1 is released.
 		{
 			name: "invalid spec proxy overridden by valid secret ref proxy",
 			providerSpec: &apiv1beta3.ProviderSpec{
@@ -780,6 +784,60 @@ Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
 			},
 			wantErr: false,
 		},
+		{
+			name: "proxy from ProxySecretRef",
+			providerSpec: &apiv1beta3.ProviderSpec{
+				Type:           "generic",
+				Address:        "https://example.com",
+				ProxySecretRef: &meta.LocalObjectReference{Name: proxySecretName},
+			},
+			proxySecretData: map[string][]byte{
+				"address": []byte("http://proxy.example.com:8080"),
+			},
+		},
+		{
+			name: "proxy from ProxySecretRef with authentication",
+			providerSpec: &apiv1beta3.ProviderSpec{
+				Type:           "generic",
+				Address:        "https://example.com",
+				ProxySecretRef: &meta.LocalObjectReference{Name: proxySecretName},
+			},
+			proxySecretData: map[string][]byte{
+				"address":  []byte("http://proxy.example.com:8080"),
+				"username": []byte("proxyuser"),
+				"password": []byte("proxypass"),
+			},
+		},
+		{
+			name: "ProxySecretRef reference to non-existing secret",
+			providerSpec: &apiv1beta3.ProviderSpec{
+				Type:           "generic",
+				Address:        "https://example.com",
+				ProxySecretRef: &meta.LocalObjectReference{Name: "non-existing"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "ProxySecretRef missing address field",
+			providerSpec: &apiv1beta3.ProviderSpec{
+				Type:           "generic",
+				Address:        "https://example.com",
+				ProxySecretRef: &meta.LocalObjectReference{Name: proxySecretName},
+			},
+			proxySecretData: map[string][]byte{
+				"username": []byte("proxyuser"),
+			},
+			wantErr: true,
+		},
+		// TODO: Remove deprecated spec.proxy field tests when Provider v1 is released.
+		{
+			name: "deprecated spec.proxy field",
+			providerSpec: &apiv1beta3.ProviderSpec{
+				Type:    "generic",
+				Address: "https://example.com",
+				Proxy:   "http://proxy.example.com:8080",
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -806,6 +864,13 @@ Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
 				}
 				builder.WithObjects(secret)
 			}
+			if tt.proxySecretData != nil {
+				secret := &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{Name: proxySecretName},
+					Data:       tt.proxySecretData,
+				}
+				builder.WithObjects(secret)
+			}
 			provider := apiv1beta3.Provider{Spec: *tt.providerSpec}
 
 			_, _, err := createNotifier(context.TODO(), builder.Build(), &provider, "", nil)