Describe the bug
I've installed NGINX Gateway Fabric in a (pretty much) standard configuration and I've noticed that the generation and resourceVersion of the deployment handling my gateway are skyrocketing. Rancher is constantly detecting it as updating and it's going up by hundreds of versions each second.
After < 24 hours of runtime I'm at generation: 735956 and resourceVersion: 2363035. I'm worried this constant updating would affect availability in a production environment. (This is currently just a testing environment).
To Reproduce
Steps to reproduce the behavior:
1. Install certs for the NGF using this guide followed by NGF using Helm with this guide. Specifically I used:
helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway --set nginxGateway.productTelemetry.enable=false --set config.proxyProtocol.enabled=true --set "config.proxyProtocol.trustedCIDRs[0]=89.41.168.0/26" --set controller.service.annotations."service\.beta\.kubernetes\.io/transip-loadbalancer-protocol"=proxy \
  --set controller.service.externalTrafficPolicy=Local
Those should be the same settings as I used to use for nginx ingress-operator according to this guide: https://www.transip.nl/knowledgebase/7207-nginx-ingress-controller-configureren-kubernetes
2. Deploy a gateway using:
kind: Gateway
metadata:
  name: gateway
  namespace: platform
spec:
  gatewayClassName: nginx
  listeners:
    - allowedRoutes:
        namespaces:
          from: All
      name: http
      port: 80
      protocol: HTTP
    - allowedRoutes:
        namespaces:
          from: All
      hostname: '*.example.com'
      name: https
      port: 443
      protocol: HTTPS
      tls:
        certificateRefs:
          - group: ""
            kind: Secret
            name: example-com-tls
        mode: Terminate
3. I've connected my cluster to a Rancher instance to manage it, that's when I started noticing the gateway-nginx deployment consistently blinking between active and updating. Upon closer observation of the yaml I noticed (ip-addresses changed):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway-nginx
  annotations:
    deployment.kubernetes.io/revision: '2'
    field.cattle.io/publicEndpoints: '[{"addresses":["12-345-456-789.haip.transip.net"],"port":80,"protocol":"TCP","serviceName":"platform:gateway-nginx","allNodes":false},{"addresses":["12-345-456-789.haip.transip.net"],"port":443,"protocol":"TCP","serviceName":"platform:gateway-nginx","allNodes":false}]'
  creationTimestamp: '2025-12-09T17:55:45Z'
  generation: 735956
  labels:
    app.kubernetes.io/instance: ngf
    app.kubernetes.io/managed-by: ngf-nginx
    app.kubernetes.io/name: gateway-nginx
    gateway.networking.k8s.io/gateway-name: gateway
  namespace: platform
  resourceVersion: '2363035'
  uid: d5c2a665-7776-4080-b436-0229fc86beaa
  fields:
    - gateway-nginx
    - 1/1
    - 1
    - 1
    - 41h
    - nginx
    - ghcr.io/nginx/nginx-gateway-fabric/nginx:2.2.1
    - >-
      app.kubernetes.io/instance=ngf,app.kubernetes.io/managed-by=ngf-nginx,app.kubernetes.io/name=gateway-nginx,gateway.networking.k8s.io/gateway-name=gateway
spec:
  ... removed for brevity
When checking the logs of this pod I see:
Expected behavior
I would expect this to be a stable deployment that just remains active rather than updating all the time. Should I be worried?
Your environment
- Version of the NGINX Gateway Fabric: v2.2.1
- Version of Kubernetes: v1.32.8
- Kubernetes platform (e.g. Mini-kube or GCP): TransIP
- Details on how you expose the NGINX Gateway Fabric Pod: Service of type loadbalancer
- Logs of NGINX container:
{"level":"info","ts":"2025-12-11T15:01:53Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:53Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:53Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:54Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:54Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:55Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:55Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:56Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:56Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:57Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:57Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:58Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:58Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:59Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:59Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
{"level":"info","ts":"2025-12-11T15:01:59Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"platform","nginx resource name":"gateway-nginx","resource names":["gateway-nginx"]}
- NGINX Configuration:
# configuration file /etc/nginx/nginx.conf:
load_module modules/ngx_http_js_module.so;
include /etc/nginx/main-includes/*.conf;
worker_processes auto;
pid /var/run/nginx/nginx.pid;
events {
include /etc/nginx/events-includes/*.conf;
}
http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/mime.types;
js_import modules/njs/httpmatches.js;
js_import modules/njs/epp.js;
default_type application/octet-stream;
proxy_headers_hash_bucket_size 512;
proxy_headers_hash_max_size 1024;
server_names_hash_bucket_size 256;
server_names_hash_max_size 1024;
variables_hash_bucket_size 512;
variables_hash_max_size 1024;
sendfile on;
tcp_nopush on;
server_tokens off;
server {
listen unix:/var/run/nginx/nginx-status.sock;
access_log off;
location /stub_status {
stub_status;
}
}
}
stream {
variables_hash_bucket_size 512;
variables_hash_max_size 1024;
map_hash_max_size 2048;
map_hash_bucket_size 256;
log_format stream-main '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$ssl_preread_server_name"';
access_log /dev/stdout stream-main;
include /etc/nginx/stream-conf.d/*.conf;
}
# configuration file /etc/nginx/main-includes/main.conf:
error_log stderr info;
# configuration file /etc/nginx/events-includes/events.conf:
worker_connections 1024;
# configuration file /etc/nginx/conf.d/http.conf:
http2 on;
# Set $gw_api_compliant_host variable to the value of $http_host unless $http_host is empty, then set it to the value
# of $host. We prefer $http_host because it contains the original value of the host header, which is required by the
# Gateway API. However, in an HTTP/1.0 request, it's possible that $http_host can be empty. In this case, we will use
# the value of $host. See http://nginx.org/en/docs/http/ngx_http_core_module.html#var_host.
map $http_host $gw_api_compliant_host {
'' $host;
default $http_host;
}
# Set $connection_header variable to upgrade when the $http_upgrade header is set, otherwise, set it to close. This
# allows support for websocket connections. See https://nginx.org/en/docs/http/websocket.html.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
## Returns just the path from the original request URI.
map $request_uri $request_uri_path {
"~^(?P<path>[^?]*)(\?.*)?$" $path;
}
# NGINX health check server block.
server {
listen 8081;
listen [::]:8081;
location = /readyz {
access_log off;
return 200;
}
}
js_preload_object matches from /etc/nginx/conf.d/matches.json;
server {
listen 80 default_server;
listen [::]:80 default_server;
default_type text/html;
return 404;
}
server {
listen 80;
listen [::]:80;
server_name *.example.com;
include /etc/nginx/includes/ClientSettingsPolicy_platform_large-body-gateway-client-settings.conf;
location ^~ / {
return 302 "https://$host$request_uri";
proxy_http_version 1.1;
}
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/secrets/ssl_keypair_platform_example-com-tls.pem;
ssl_certificate_key /etc/nginx/secrets/ssl_keypair_platform_example-com-tls.pem;
if ($ssl_server_name != $host) {
return 421;
}
server_name admin.example.com;
include /etc/nginx/includes/ClientSettingsPolicy_platform_large-body-gateway-client-settings.conf;
location ^~ / {
proxy_http_version 1.1;
proxy_set_header Host "$gw_api_compliant_host";
proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
proxy_set_header X-Real-IP "$remote_addr";
proxy_set_header X-Forwarded-Proto "$scheme";
proxy_set_header X-Forwarded-Host "$host";
proxy_set_header X-Forwarded-Port "$server_port";
proxy_set_header Upgrade "$http_upgrade";
proxy_set_header Connection "$connection_upgrade";
proxy_pass http://example-cms_admin-example-service_3000$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/secrets/ssl_keypair_platform_example-com-tls.pem;
ssl_certificate_key /etc/nginx/secrets/ssl_keypair_platform_example-com-tls.pem;
if ($ssl_server_name != $host) {
return 421;
}
server_name kids.example.com;
include /etc/nginx/includes/ClientSettingsPolicy_platform_large-body-gateway-client-settings.conf;
location ^~ / {
proxy_http_version 1.1;
proxy_set_header Host "$gw_api_compliant_host";
proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
proxy_set_header X-Real-IP "$remote_addr";
proxy_set_header X-Forwarded-Proto "$scheme";
proxy_set_header X-Forwarded-Host "$host";
proxy_set_header X-Forwarded-Port "$server_port";
proxy_set_header Upgrade "$http_upgrade";
proxy_set_header Connection "$connection_upgrade";
proxy_pass http://example-cms_mijn-example-service_3000$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/secrets/ssl_keypair_platform_example-com-tls.pem;
ssl_certificate_key /etc/nginx/secrets/ssl_keypair_platform_example-com-tls.pem;
if ($ssl_server_name != $host) {
return 421;
}
server_name mijn.example.com;
include /etc/nginx/includes/ClientSettingsPolicy_platform_large-body-gateway-client-settings.conf;
location ^~ / {
proxy_http_version 1.1;
proxy_set_header Host "$gw_api_compliant_host";
proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
proxy_set_header X-Real-IP "$remote_addr";
proxy_set_header X-Forwarded-Proto "$scheme";
proxy_set_header X-Forwarded-Host "$host";
proxy_set_header X-Forwarded-Port "$server_port";
proxy_set_header Upgrade "$http_upgrade";
proxy_set_header Connection "$connection_upgrade";
proxy_pass http://example-cms_mijn-example-service_3000$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/secrets/ssl_keypair_platform_example-com-tls.pem;
ssl_certificate_key /etc/nginx/secrets/ssl_keypair_platform_example-com-tls.pem;
if ($ssl_server_name != $host) {
return 421;
}
server_name search.example.com;
include /etc/nginx/includes/ClientSettingsPolicy_platform_large-body-gateway-client-settings.conf;
location ^~ / {
proxy_http_version 1.1;
proxy_set_header Host "$gw_api_compliant_host";
proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
proxy_set_header X-Real-IP "$remote_addr";
proxy_set_header X-Forwarded-Proto "$scheme";
proxy_set_header X-Forwarded-Host "$host";
proxy_set_header X-Forwarded-Port "$server_port";
proxy_set_header Upgrade "$http_upgrade";
proxy_set_header Connection "$connection_upgrade";
proxy_pass http://example-cms_meilisearch_7700$request_uri;
}
}
server {
listen unix:/var/run/nginx/nginx-503-server.sock;
access_log off;
return 503;
}
server {
listen unix:/var/run/nginx/nginx-500-server.sock;
access_log off;
return 500;
}
upstream example-cms_admin-example-service_3000 {
random two least_conn;
zone example-cms_admin-example-service_3000 512k;
server 10.12.38.55:3000;
}
upstream example-cms_meilisearch_7700 {
random two least_conn;
zone example-cms_meilisearch_7700 512k;
server 10.12.38.50:7700;
}
upstream example-cms_mijn-example-service_3000 {
random two least_conn;
zone example-cms_mijn-example-service_3000 512k;
server 10.12.38.55:3000;
}
upstream invalid-backend-ref {
random two least_conn;
server unix:/var/run/nginx/nginx-500-server.sock;
}
# configuration file /etc/nginx/includes/ClientSettingsPolicy_platform_large-body-gateway-client-settings.conf:
client_max_body_size 500m;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/stream-conf.d/stream.conf:
server {
listen unix:/var/run/nginx/connection-closed-server.sock;
return "";
}
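Added example, not part of the original issue or of the NGINX Gateway Fabric code: a small detector that reads provisioner log lines in the JSON shape quoted in the report and flags resources that are being re-applied in a tight loop. The sample log is constructed, and the function names and the thresholds (`min_events`, `max_rate`) are assumptions to tune per cluster.

```python
import json
from collections import defaultdict
from datetime import datetime

MSG = "Creating/Updating nginx resources"  # message text quoted in the issue

def _line(ts, name):
    return json.dumps({"level": "info", "ts": ts, "logger": "provisioner",
                       "msg": MSG, "namespace": "platform",
                       "nginx resource name": name})

# Constructed sample: gateway-nginx re-applied twice a second for six seconds,
# one unrelated resource applied once, and one non-JSON line.
SAMPLE_LOG = "\n".join(
    [_line(f"2025-12-11T15:01:{53 + i // 2:02d}Z", "gateway-nginx") for i in range(12)]
    + [_line("2025-12-11T15:01:55Z", "other-nginx"), "not json: container restarted"]
)

def reconcile_rates(log_text, msg=MSG):
    """Return {(namespace, resource): (events, span_seconds, events_per_second)}."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines mixed into container output
        if not isinstance(rec, dict) or rec.get("msg") != msg or "ts" not in rec:
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        stamps[(rec.get("namespace"), rec.get("nginx resource name"))].append(ts)
    rates = {}
    for key, seen in stamps.items():
        # Timestamps have one-second resolution, so count whole seconds inclusively.
        span = (max(seen) - min(seen)).total_seconds() + 1
        rates[key] = (len(seen), span, len(seen) / span)
    return rates

def hot_loops(log_text, min_events=10, max_rate=0.5):
    """Resources applied more than max_rate times/s across at least min_events events."""
    return sorted(key for key, (n, _, rate) in reconcile_rates(log_text).items()
                  if n >= min_events and rate > max_rate)

if __name__ == "__main__":
    for key, (n, span, rate) in reconcile_rates(SAMPLE_LOG).items():
        print(key, f"{n} events in {span:.0f}s = {rate:.2f}/s")
    print("hot loops:", hot_loops(SAMPLE_LOG))
```

A steady-state controller should apply a resource only when its inputs change, so a sustained non-zero rate for the same resource is the signal to alert on.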