control-plane/api-gateway/controllers/gateway_controller.go seems to be reconciling Gateways with Gateway Class other than consul

[vorbidan]

Question

control-plane/api-gateway/controllers/gateway_controller.go seems to be trying to reconcile gateways with a GatewayClass other than "consul", and in the process deleting the Service Account, which is associated with that Gtateway, should this be happening?

2025-10-13T22:05:35.661Z    DEBUG    Reconciling Gateway    {"gateway": {"name":"http","namespace":"kgateway-system"}}                                                                                                                             
2025-10-13T22:05:35.965Z    DEBUG    controllers.GatewayClass    Reconciling GatewayClass    {"gatewayClass": "kgateway"}                                                                                                                          
2025-10-13T22:05:36.062Z    DEBUG    controllers.GatewayClass    Reconciling GatewayClass    {"gatewayClass": "kgateway"}                                                                                                                          
2025-10-13T22:05:36.161Z    DEBUG    controllers.GatewayClass    Reconciling GatewayClass    {"gatewayClass": "kgateway"}                                                                                                                          
2025-10-13T22:05:36.162Z    DEBUG    deleting from Consul    {"gateway": {"name":"http","namespace":"kgateway-system"}, "kind": "api-gateway", "namespace": "", "name": "http"}

CLI Commands (consul-k8s, consul-k8s-control-plane, helm)

Helm Configuration

Chart Version: 1.8.3

Relevant part:

connectInject:
  enabled: true
  default: false
  # Enable central config to allow auth method creation
  centralConfig:
    enabled: true
  # Enable webhook to ensure proper initialization
  webhook:
    failurePolicy: "Ignore"
  apiGateway:
    # Disable the Gateway API CRDs since we are managing them externally via gwapi.
    manageExternalCRDs: false
  k8sDenyNamespaces: ['kgateway-system']
  namespaceSelector: |
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: "NotIn"
        values: ["kube-system","local-path-storage","openebs","gmp-system","gke-managed-cim", "argocd","kgateway-system"]
  logLevel: "DEBUG"

Logs

From consul-connect-injector

2025-10-13T22:05:35.661Z    DEBUG    Reconciling Gateway    {"gateway": {"name":"http","namespace":"kgateway-system"}}                                                                                                                             
2025-10-13T22:05:35.965Z    DEBUG    controllers.GatewayClass    Reconciling GatewayClass    {"gatewayClass": "kgateway"}                                                                                                                          
2025-10-13T22:05:36.062Z    DEBUG    controllers.GatewayClass    Reconciling GatewayClass    {"gatewayClass": "kgateway"}                                                                                                                          
2025-10-13T22:05:36.161Z    DEBUG    controllers.GatewayClass    Reconciling GatewayClass    {"gatewayClass": "kgateway"}                                                                                                                          
2025-10-13T22:05:36.162Z    DEBUG    deleting from Consul    {"gateway": {"name":"http","namespace":"kgateway-system"}, "kind": "api-gateway", "namespace": "", "name": "http"}

From kgateway controller:

│ {"time":"2025-10-13T22:21:09.171329607Z","level":"info","msg":"reconciling gateway","component":"controller-runtime","controller":"gateway","controllerGroup":"gateway.networking.k8s.io","controllerKind":"Gateway","Gateway":{"name":"http","nam │
│ espace":"kgateway-system"},"namespace":"kgateway-system","name":"http","reconcileID":"79e9a3aa-caef-4de8-94de-4caca8ac62c4","gw":{"Namespace":"kgateway-system","Name":"http"}}                                                                    │
│ {"time":"2025-10-13T22:21:09.176487206Z","level":"info","msg":"deploying object","component":"deployer","kind":{"kind":"ServiceAccount","apiVersion":"v1"},"namespace":"kgateway-system","name":"http"}                                            │
│ {"time":"2025-10-13T22:21:09.182659598Z","level":"info","msg":"deploying object","component":"deployer","kind":{"kind":"Service","apiVersion":"v1"},"namespace":"kgateway-system","name":"http"}                                                   │
│ {"time":"2025-10-13T22:21:09.18792777Z","level":"info","msg":"deploying object","component":"deployer","kind":{"kind":"Deployment","apiVersion":"apps/v1"},"namespace":"kgateway-system","name":"http"}  

Indirect evidence that the ServiceAccount is being deleted by something:

kubectl get serviceaccount http -n kgateway-system --show-managed-fields -ojsonpath='{.metadata.managedFields[*].manager}{","}{.metadata.managedFields[*].operation}{","}{.metadata.managedFields[*].time}{"\n"}' --watch

kgateway.dev/kgateway,Apply,2025-10-13T22:15:20Z
kgateway.dev/kgateway,Apply,2025-10-13T22:15:20Z
kgateway.dev/kgateway,Apply,2025-10-13T22:15:21Z
kgateway.dev/kgateway,Apply,2025-10-13T22:15:21Z
...

Current understanding and Expected behavior

My understanding is that Consul Gateway API Controller should not be doing anything to gateways, with a GatewayClass different from consul.

Environment details

• Kubernetes version: v1.32.6
• Cloud Provider: self-hosted VMWare
• Networking CNI plugin in use: Cilium

Additional information

Stopping consul-connect-injector results in http gateway pod starting.
Restarting consul-connect-injector results in http gateway Service account being deleted and pod cycling.

[vorbidan]

It is intentionally reconciling gateways which do not belong to consul. Not only does it reconcile - it adds them to the "deleted" queue, and garbage collects gateways and related resources, even when they are created by different controllers. This is a serious bug.