Preserve annotations on service; ignore replicas on HPA

ciarams87 · ciarams87 · commit ca25b1058b4f · 2025-10-28T15:23:45.000Z
diff --git a/internal/controller/provisioner/objects.go b/internal/controller/provisioner/objects.go
@@ -691,6 +691,9 @@ func (p *NginxProvisioner) buildNginxDeployment(
 		replicas = deploymentCfg.Replicas
 	}
 
+	// When HPA is enabled, we should not set the replicas field to allow HPA exclusive control.
+	// Setting replicas causes a race condition where NGF and HPA fight over the replica count.
+	// See: https://github.com/nginx/nginx-gateway-fabric/issues/4007
 	if isAutoscalingEnabled(&deploymentCfg) {
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
@@ -700,9 +703,14 @@ func (p *NginxProvisioner) buildNginxDeployment(
 			Namespace: objectMeta.Namespace,
 			Name:      objectMeta.Name,
 		}, hpa)
-		if err == nil && hpa.Status.DesiredReplicas > 0 {
-			// overwrite with HPA's desiredReplicas
-			replicas = helpers.GetPointer(hpa.Status.DesiredReplicas)
+		if err == nil {
+			// HPA exists - do not set replicas field, let HPA manage it
+			replicas = nil
+		} else if replicas == nil && deploymentCfg.Autoscaling.MinReplicas != nil {
+			// HPA doesn't exist yet - set initial replicas
+			// This handles the initial deployment before HPA takes over
+			// Use minReplicas as the initial value
+			replicas = deploymentCfg.Autoscaling.MinReplicas
 		}
 	}
 
diff --git a/internal/controller/provisioner/objects_test.go b/internal/controller/provisioner/objects_test.go
@@ -462,8 +462,8 @@ func TestBuildNginxResourceObjects_DeploymentReplicasFromHPA(t *testing.T) {
 		}
 	}
 	g.Expect(deployment).ToNot(BeNil())
-	g.Expect(deployment.Spec.Replicas).ToNot(BeNil())
-	g.Expect(*deployment.Spec.Replicas).To(Equal(int32(7)))
+	g.Expect(deployment.Spec.Replicas).To(BeNil(),
+		"Deployment replicas should be nil when HPA exists to allow HPA exclusive control")
 }
 
 func TestBuildNginxResourceObjects_Plus(t *testing.T) {
diff --git a/internal/controller/provisioner/setter.go b/internal/controller/provisioner/setter.go
@@ -83,8 +83,23 @@ func serviceSpecSetter(
 	objectMeta metav1.ObjectMeta,
 ) controllerutil.MutateFn {
 	return func() error {
+		// Preserve all existing annotations from the service, then overwrite with NGF-managed ones
+		// This allows external controllers (MetalLB, external-dns, cloud providers) to add
+		// annotations without NGF removing them during reconciliation.
+		// See: https://github.com/nginx/nginx-gateway-fabric/issues/4012
+		mergedAnnotations := make(map[string]string)
+
+		// Start with all existing annotations
+		if service.Annotations != nil {
+			maps.Copy(mergedAnnotations, service.Annotations)
+		}
+
+		// Overwrite with NGF-managed annotations (from Gateway Infrastructure or NginxProxy)
+		// NGF-managed annotations take precedence
+		maps.Copy(mergedAnnotations, objectMeta.Annotations)
+
 		service.Labels = objectMeta.Labels
-		service.Annotations = objectMeta.Annotations
+		service.Annotations = mergedAnnotations
 		service.Spec = spec
 		return nil
 	}
diff --git a/internal/controller/provisioner/setter_test.go b/internal/controller/provisioner/setter_test.go
@@ -0,0 +1,121 @@
+package provisioner
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestServiceSpecSetter_PreservesExistingAnnotations(t *testing.T) {
+	tests := []struct {
+		existingAnnotations   map[string]string
+		ngfManagedAnnotations map[string]string
+		expectedAnnotations   map[string]string
+		name                  string
+	}{
+		{
+			name: "preserves external annotations and adds NGF annotations",
+			existingAnnotations: map[string]string{
+				"metallb.universe.tf/address-pool":          "production-public-ips",
+				"external-dns.alpha.kubernetes.io/hostname": "example.com",
+			},
+			ngfManagedAnnotations: map[string]string{
+				"gateway.nginx.org/managed": "true",
+			},
+			expectedAnnotations: map[string]string{
+				"metallb.universe.tf/address-pool":          "production-public-ips",
+				"external-dns.alpha.kubernetes.io/hostname": "example.com",
+				"gateway.nginx.org/managed":                 "true",
+			},
+		},
+		{
+			name: "NGF annotations take precedence",
+			existingAnnotations: map[string]string{
+				"custom.annotation":                "old-value",
+				"metallb.universe.tf/address-pool": "staging",
+			},
+			ngfManagedAnnotations: map[string]string{
+				"custom.annotation": "new-value",
+			},
+			expectedAnnotations: map[string]string{
+				"custom.annotation":                "new-value",
+				"metallb.universe.tf/address-pool": "staging",
+			},
+		},
+		{
+			name:                "new service with no existing annotations",
+			existingAnnotations: nil,
+			ngfManagedAnnotations: map[string]string{
+				"gateway.nginx.org/managed": "true",
+			},
+			expectedAnnotations: map[string]string{
+				"gateway.nginx.org/managed": "true",
+			},
+		},
+		{
+			name: "preserves external annotations with patched annotations",
+			existingAnnotations: map[string]string{
+				"metallb.universe.tf/ip-allocated-from-pool": "production",
+				"metallb.universe.tf/loadBalancerIPs":        "192.168.1.100",
+			},
+			ngfManagedAnnotations: map[string]string{
+				"gateway.nginx.org/managed":                         "true",
+				"custom.patched.io/example":                         "patched-value",
+				"service.beta.kubernetes.io/aws-load-balancer-type": "nlb",
+			},
+			expectedAnnotations: map[string]string{
+				"metallb.universe.tf/ip-allocated-from-pool":        "production",
+				"metallb.universe.tf/loadBalancerIPs":               "192.168.1.100",
+				"gateway.nginx.org/managed":                         "true",
+				"custom.patched.io/example":                         "patched-value",
+				"service.beta.kubernetes.io/aws-load-balancer-type": "nlb",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			// Create existing service with annotations
+			existingService := &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "test-service",
+					Namespace:   "default",
+					Annotations: tt.existingAnnotations,
+				},
+			}
+
+			// Create desired object metadata with NGF-managed annotations
+			desiredMeta := metav1.ObjectMeta{
+				Labels: map[string]string{
+					"app": "nginx-gateway",
+				},
+				Annotations: tt.ngfManagedAnnotations,
+			}
+
+			// Create desired spec
+			desiredSpec := corev1.ServiceSpec{
+				Type: corev1.ServiceTypeLoadBalancer,
+				Ports: []corev1.ServicePort{
+					{
+						Name:     "http",
+						Port:     80,
+						Protocol: corev1.ProtocolTCP,
+					},
+				},
+			}
+
+			// Execute the setter
+			setter := serviceSpecSetter(existingService, desiredSpec, desiredMeta)
+			err := setter()
+
+			g.Expect(err).ToNot(HaveOccurred())
+			g.Expect(existingService.Annotations).To(Equal(tt.expectedAnnotations))
+			g.Expect(existingService.Labels).To(Equal(desiredMeta.Labels))
+			g.Expect(existingService.Spec).To(Equal(desiredSpec))
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -462,8 +462,8 @@ func TestBuildNginxResourceObjects_DeploymentReplicasFromHPA(t *testing.T) {`
`462`	`462`	`}`
`463`	`463`	`}`
`464`	`464`	`g.Expect(deployment).ToNot(BeNil())`
`465`		`- g.Expect(deployment.Spec.Replicas).ToNot(BeNil())`
`466`		`- g.Expect(*deployment.Spec.Replicas).To(Equal(int32(7)))`
	`465`	`+ g.Expect(deployment.Spec.Replicas).To(BeNil(),`
	`466`	`+ "Deployment replicas should be nil when HPA exists to allow HPA exclusive control")`
`467`	`467`	`}`
`468`	`468`
`469`	`469`	`func TestBuildNginxResourceObjects_Plus(t *testing.T) {`