Merge branch 'main' into chore/remove_v1alpha1_of_observability_api

Author: tataruty

.github/workflows/build.yml

@@ -64,7 +64,7 @@ jobs:
           driver-opts: network=host
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
         with:
           platforms: arm64
 
@@ -119,7 +119,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           context: ${{ inputs.tag != '' && 'git' || 'workflow' }}
           images: |

.github/workflows/conformance.yml

@@ -78,7 +78,7 @@ jobs:
 
       - name: NGF Docker meta
         id: ngf-meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric
@@ -92,7 +92,7 @@ jobs:
 
       - name: NGINX Docker meta
         id: nginx-meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}

.github/workflows/functional.yml

@@ -60,7 +60,7 @@ jobs:
 
       - name: NGF Docker meta
         id: ngf-meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric
@@ -73,7 +73,7 @@ jobs:
 
       - name: NGINX Docker meta
         id: nginx-meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}

.github/workflows/helm.yml

@@ -39,7 +39,7 @@ jobs:
 
       - name: NGF Docker meta
         id: ngf-meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric
@@ -52,7 +52,7 @@ jobs:
 
       - name: NGINX Docker meta
         id: nginx-meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
@@ -119,7 +119,7 @@ jobs:
           check-latest: true
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
 
       - name: Install Chart
         run: |
@@ -172,7 +172,7 @@ jobs:
           check-latest: true
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
 
       - name: Install Chart
         run: |

.github/workflows/lint.yml

@@ -122,7 +122,7 @@ jobs:
           check-latest: true
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
         with:
           version: 3.14.0 # renovate: datasource=github-tags depName=helm/chart-testing
           # v6.0.0 resolved the compatibility issue with Python > 3.13. may be removed after the action itself is updated

build/ubi/Dockerfile.nginx

@@ -6,7 +6,7 @@ ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signi
 ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo
 ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo
 
-FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:7ec723b1189ae6f1b9f25451800dbd6d5c046a0b7b020b4f2bcc90e83a640d4b AS ubi9-packages
+FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:68964f6fa5ddd8e736139e9301cebb59e4c44fc1c4df71cb308599352bdc17da AS ubi9-packages
 
 FROM redhat/ubi9-minimal:9.6 AS ubi-nginx
 

build/ubi/Dockerfile.nginxplus

@@ -6,7 +6,7 @@ ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx-
 ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key
 ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo
 
-FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:7ec723b1189ae6f1b9f25451800dbd6d5c046a0b7b020b4f2bcc90e83a640d4b AS ubi9-packages
+FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:68964f6fa5ddd8e736139e9301cebb59e4c44fc1c4df71cb308599352bdc17da AS ubi9-packages
 
 FROM redhat/ubi9-minimal:9.6 AS ubi-nginx-plus
 

internal/controller/provisioner/objects.go

@@ -686,33 +686,69 @@ func (p *NginxProvisioner) buildNginxDeployment(
 		}
 	}
 
-	var replicas *int32
-	if deploymentCfg.Replicas != nil {
-		replicas = deploymentCfg.Replicas
-	}
-
-	if isAutoscalingEnabled(&deploymentCfg) {
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-
-		hpa := &autoscalingv2.HorizontalPodAutoscaler{}
-		err := p.k8sClient.Get(ctx, types.NamespacedName{
-			Namespace: objectMeta.Namespace,
-			Name:      objectMeta.Name,
-		}, hpa)
-		if err == nil && hpa.Status.DesiredReplicas > 0 {
-			// overwrite with HPA's desiredReplicas
-			replicas = helpers.GetPointer(hpa.Status.DesiredReplicas)
-		}
-	}
-
+	// Determine replica count based on HPA status
+	replicas := p.determineReplicas(objectMeta, deploymentCfg)
 	if replicas != nil {
 		deployment.Spec.Replicas = replicas
 	}
 
 	return deployment, nil
 }
 
+// determineReplicas determines the appropriate replica count for a deployment based on HPA status.
+//
+// HPA Replicas Management Strategy:
+//
+// When an HPA is managing a deployment, we must read the current deployment's replicas
+// from the cluster and use that value, rather than trying to set our own value or read
+// from HPA.Status.DesiredReplicas (which is eventually consistent and stale).
+//
+// Why we can't use HPA.Status.DesiredReplicas:
+// - HPA.Status updates lag behind Deployment.Spec.Replicas changes
+// - When HPA scales down: HPA writes Deployment.Spec → then updates its own Status
+// - If we read Status during this window, we get the OLD value and overwrite HPA's new value
+// - This creates a race condition causing pod churn
+//
+// Our approach:
+// - When HPA exists: Read current deployment replicas from cluster and use that
+// - When HPA doesn't exist yet: Set replicas for initial deployment creation
+// - When HPA exists but Deployment doesn't exist yet: Set replicas for initial deployment creation
+// - When HPA is disabled: Set replicas normally.
+func (p *NginxProvisioner) determineReplicas(
+	objectMeta metav1.ObjectMeta,
+	deploymentCfg ngfAPIv1alpha2.DeploymentSpec,
+) *int32 {
+	replicas := deploymentCfg.Replicas
+
+	if !isAutoscalingEnabled(&deploymentCfg) {
+		return replicas
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	hpa := &autoscalingv2.HorizontalPodAutoscaler{}
+	err := p.k8sClient.Get(ctx, types.NamespacedName{
+		Namespace: objectMeta.Namespace,
+		Name:      objectMeta.Name,
+	}, hpa)
+	if err != nil {
+		return replicas
+	}
+
+	existingDeployment := &appsv1.Deployment{}
+	err = p.k8sClient.Get(ctx, types.NamespacedName{
+		Namespace: objectMeta.Namespace,
+		Name:      objectMeta.Name,
+	}, existingDeployment)
+
+	if err == nil && existingDeployment.Spec.Replicas != nil {
+		replicas = existingDeployment.Spec.Replicas
+	}
+
+	return replicas
+}
+
 // applyPatches applies the provided patches to the given object.
 func applyPatches(obj client.Object, patches []ngfAPIv1alpha2.Patch) error {
 	if len(patches) == 0 {