Add control and data plane HPA

[nowjean]

Proposed changes

Write a clear and concise description that helps reviewers understand the purpose and impact of your changes. Use the
following format:

Problem: I want NGF to work with a HorizontalPodAutoscaler

Solution: Add HPA for deployement

Testing: Describe any testing that you did.
I've deployed my AKS cluster and checked hpa working correctly.

Closes #3447

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Add HPA for control and data plane deployment. The Data plane HPA using NginxProxy CRD resource.

[nginx-bot]

Hi @nowjean! Welcome to the project! 🎉

Thanks for opening this pull request!
Be sure to check out our Contributing Guidelines while you wait for someone on the team to review this.

[github-actions]

✅ All required contributors have signed the F5 CLA for this PR. Thank you!
_{Posted by the CLA Assistant Lite bot.}

[nowjean]

I have hereby read the F5 CLA and agree to its terms

[salonichf5]

Thank you for you contribution to the project. Please run make generate-all from root directory to auto generate schema files.

[nowjean]

Thank you for you contribution to the project. Please run make generate-all from root directory to auto generate schema files.

I’ve completed 'make generate-all'. Could you please review my PR?

[sjberman]

So this only affects the control plane, correct? We probably want to support this for the nginx data plane as well (seems like that would be the more beneficial use case).

In order to configure deployment options for the data plane, it requires a bit more work, specifically in our APIs and the code itself. The NginxProxy CRD holds the deployment configuration for the nginx data plane, which the control plane uses to configure the data plane when deploying it.

Here is a simple example of how we add a new field to the API to allow for configuring these types of deployment fields: #3319.

[sjberman]

I'd also love a more descriptive PR title, as well as a release note in the description so we can include this feature in our release notes :)

[nowjean]

@sjberman Yes, this PR only affects the control plane. Can we also implement HPA for the data plane?

AFAIK, the data plane Deployment is created by the NginxProxy CRD, and its name depends on the Gateway's name parameter. This means we can't assume a fixed name in values.yaml.

HPA only applies to Deployments with a fixed name, like:

scaleTargetRef:
  apiVersion: apps/v1
  kind: Deployment
  name: my-app

So, I think we can't implement HPA via the Helm chart, especially since data plane and control plane pods are now separated in 2.0.
Do you have any suggestions or recommended approaches for enabling HPA on the data plane?

[sjberman]

@nowjean I updated my comment with a description on how it can be implemented on the data plane side. Glad we're on the same page :)

[salonichf5]

Thank you for you contribution to the project. Please run make generate-all from root directory to auto generate schema files.

I’ve completed 'make generate-all'. Could you please review my PR?

Will manual test this PR for both control plane and data plane when we have all the changes :)

[nowjean]

@sjberman @salonichf5 I've pushed my changes to this PR.
This is my first time working with Golang and creating CRDs, so I’d appreciate your review.

From my testing, the code correctly applies HPA to both the control plane and data plane.
To enable this, please set nginx.autoscaling.enabled: true and configure nginx.container.resources accordingly.

[salonichf5]

Testing applying these HPA for control plane and data plane pods

1. Control plane pod

values.yaml

  autoscaling:
    # Enable or disable Horizontal Pod Autoscaler
    enabled: true
    annotations: {
       example.com/test: "true" 
    }
    minReplicas: 2
    maxReplicas: 4
    targetCPUUtilizationPercentage: 60
    targetMemoryUtilizationPercentage: 70
    behavior: 
      scaleUp:
        stabilizationWindowSeconds: 100
        policies:
        - type: Pods
          value: 2
          periodSeconds: 20
      scaleDown:
        stabilizationWindowSeconds: 200
        policies:
        - type: Pods
          value: 1
          periodSeconds: 20
  autoscalingTemplate: 
  - type: Pods
    pods:
      metric:
        name: nginx_gateway_fabric_nginx_process_requests_total
      target:
        type: AverageValue
        averageValue: 10000m

HPA details

k describe horizontalpodautoscalers.autoscaling -n nginx-gateway ngf-nginx-gateway-fabric
Name:                                                     ngf-nginx-gateway-fabric
Namespace:                                                nginx-gateway
Labels:                                                   app.kubernetes.io/instance=ngf
                                                          app.kubernetes.io/managed-by=Helm
                                                          app.kubernetes.io/name=nginx-gateway-fabric
                                                          app.kubernetes.io/version=edge
                                                          helm.sh/chart=nginx-gateway-fabric-2.0.1
Annotations:                                              example.com/test: true
                                                          meta.helm.sh/release-name: ngf
                                                          meta.helm.sh/release-namespace: nginx-gateway
CreationTimestamp:                                        Fri, 20 Jun 2025 14:16:18 -0600
Reference:                                                Deployment/ngf-nginx-gateway-fabric
Metrics:                                                  ( current / target )
  resource memory on pods  (as a percentage of request):  <unknown> / 70%
  resource cpu on pods  (as a percentage of request):     <unknown> / 60%
Min replicas:                                             2
Max replicas:                                             4
Behavior:
  Scale Up:
    Stabilization Window: 100 seconds
    Select Policy: Max
    Policies:
      - Type: Pods  Value: 2  Period: 20 seconds
  Scale Down:
    Stabilization Window: 200 seconds
    Select Policy: Max
    Policies:
      - Type: Pods  Value: 1  Period: 20 seconds
Deployment pods:    2 current / 2 desired
Conditions:
  Type           Status  Reason                   Message
  ----           ------  ------                   -------
  AbleToScale    True    SucceededGetScale        the HPA controller was able to get the target's current scale
  ScalingActive  False   FailedGetResourceMetric  the HPA was unable to compute the replica count: failed to get memory utilization: unable to get metrics for resource memory: unable to fetch metrics from resource metrics API: the server could not find the requested resource (get pods.metrics.k8s.io)
Events:
  Type     Reason                        Age                 From                       Message
  ----     ------                        ----                ----                       -------
  Normal   SuccessfulRescale             11m                 horizontal-pod-autoscaler  New size: 2; reason: Current number of replicas below Spec.MinReplicas
  Warning  FailedGetResourceMetric       9m5s (x8 over 10m)  horizontal-pod-autoscaler  failed to get cpu utilization: unable to get metrics for resource cpu: unable to fetch metrics from resource metrics API: the server could not find the requested resource (get pods.metrics.k8s.io)
  Warning  FailedComputeMetricsReplicas  9m5s (x8 over 10m)  horizontal-pod-autoscaler  invalid metrics (2 invalid out of 2), first error is: failed to get memory resource metric value: failed to get memory utilization: unable to get metrics for resource memory: unable to fetch metrics from resource metrics API: the server could not find the requested resource (get pods.metrics.k8s.io)
  Warning  FailedGetResourceMetric       50s (x41 over 10m)  horizontal-pod-autoscaler  failed to get memory utilization: unable to get metrics for resource memory: unable to fetch metrics from resource metrics API: the server could not find the requested resource (get pods.metrics.k8s.io)

Needed to install the metrics server (enabling insecure TLS) to get metrics for resource memory and ScalingActive is false since i did not set memory request.

should this be communicated to end user about setting additional fields if we want scaling to be active

2. Auto scaling set for both control plane and data plane pods

values.yaml

# NGINX Gateway Fabric

  resources:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"

  autoscaling:
    # Enable or disable Horizontal Pod Autoscaler
    enabled: true
    annotations: {
       example.com/test: "true" 
    }
    minReplicas: 2
    maxReplicas: 4
    targetCPUUtilizationPercentage: 60
    targetMemoryUtilizationPercentage: 70
    behavior: 
      scaleUp:
        stabilizationWindowSeconds: 100
        policies:
        - type: Pods
          value: 2
          periodSeconds: 20
      scaleDown:
        stabilizationWindowSeconds: 200
        policies:
        - type: Pods
          value: 1
          periodSeconds: 20
  autoscalingTemplate: 
  - type: Pods
    pods:
      metric:
        name: nginx_gateway_fabric_nginx_process_requests_total
      target:
        type: AverageValue
        averageValue: 10000m
        


#  NGINX Deployment
  autoscaling:
    # Enable or disable Horizontal Pod Autoscaler
    enabled: true
    hpaAnnotations: {
        cafe.example.com/test: "true"
    }
    minReplicas: 2
    maxReplicas: 4
    targetCPUUtilizationPercentage: 40
    targetMemoryUtilizationPercentage: 30
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 100
        policies:
        - type: Pods
          value: 3
          periodSeconds: 20
      scaleUp:
        stabilizationWindowSeconds: 50
        policies:
        - type: Pods
          value: 1
          periodSeconds: 20



  container:
    # -- The resource requirements of the NGINX container. You should be set this value, If you want to use dataplane Autoscaling(HPA).
    resources:
      requests:
        cpu: 500m
        memory: 2Gi

k describe horizontalpodautoscalers.autoscaling -n nginx-gateway ngf-nginx-gateway-fabric
Name:                                                     ngf-nginx-gateway-fabric
Namespace:                                                nginx-gateway
Labels:                                                   app.kubernetes.io/instance=ngf
                                                          app.kubernetes.io/managed-by=Helm
                                                          app.kubernetes.io/name=nginx-gateway-fabric
                                                          app.kubernetes.io/version=edge
                                                          helm.sh/chart=nginx-gateway-fabric-2.0.1
Annotations:                                              example.com/test: true
                                                          meta.helm.sh/release-name: ngf
                                                          meta.helm.sh/release-namespace: nginx-gateway
CreationTimestamp:                                        Fri, 20 Jun 2025 14:56:42 -0600
Reference:                                                Deployment/ngf-nginx-gateway-fabric
Metrics:                                                  ( current / target )
  resource memory on pods  (as a percentage of request):  21% (29343744) / 70%
  resource cpu on pods  (as a percentage of request):     7% (7m) / 60%
Min replicas:                                             2
Max replicas:                                             4
Behavior:
  Scale Up:
    Stabilization Window: 100 seconds
    Select Policy: Max
    Policies:
      - Type: Pods  Value: 2  Period: 20 seconds
  Scale Down:
    Stabilization Window: 200 seconds
    Select Policy: Max
    Policies:
      - Type: Pods  Value: 1  Period: 20 seconds
Deployment pods:    2 current / 2 desired
Conditions:
  Type            Status  Reason            Message
  ----            ------  ------            -------
  AbleToScale     True    ReadyForNewScale  recommended size matches current size
  ScalingActive   True    ValidMetricFound  the HPA was able to successfully calculate a replica count from memory resource utilization (percentage of request)
  ScalingLimited  True    TooFewReplicas    the desired replica count is less than the minimum replica count
Events:
  Type     Reason                   Age    From                       Message
  ----     ------                   ----   ----                       -------
  Normal   SuccessfulRescale        5m40s  horizontal-pod-autoscaler  New size: 2; reason: Current number of replicas below Spec.MinReplicas
  Warning  FailedGetResourceMetric  5m25s  horizontal-pod-autoscaler  failed to get cpu utilization: did not receive metrics for targeted pods (pods might be unready)

I saw HPA get configured for control plane pod but i couldn't see one configured for data plane pod.

Events from the nginx deployment and logs could normal.

helm template ngf ./charts/nginx-gateway-fabric -f ./charts/nginx-gateway-fabric/values.yaml
# Source: nginx-gateway-fabric/templates/hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  annotations: 
    example.com/test: "true"
  labels:
    helm.sh/chart: nginx-gateway-fabric-2.0.1
    app.kubernetes.io/name: nginx-gateway-fabric
    app.kubernetes.io/instance: ngf
    app.kubernetes.io/version: "edge"
    app.kubernetes.io/managed-by: Helm
  name: ngf-nginx-gateway-fabric
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: ngf-nginx-gateway-fabric
  minReplicas: 2
  maxReplicas: 4
  metrics:
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 60
  behavior:
    scaleDown:
      policies:
      - periodSeconds: 20
        type: Pods
        value: 1
      stabilizationWindowSeconds: 200
    scaleUp:
      policies:
      - periodSeconds: 20
        type: Pods
        value: 2
      stabilizationWindowSeconds: 100

The NginxProxy resource reflects resources value but not autoscaling fields

k describe nginxproxies.gateway.nginx.org -n nginx-gateway ngf-proxy-config
Name:         ngf-proxy-config
Namespace:    nginx-gateway
Labels:       app.kubernetes.io/instance=ngf
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=nginx-gateway-fabric
              app.kubernetes.io/version=edge
              helm.sh/chart=nginx-gateway-fabric-2.0.1
Annotations:  meta.helm.sh/release-name: ngf
              meta.helm.sh/release-namespace: nginx-gateway
API Version:  gateway.nginx.org/v1alpha2
Kind:         NginxProxy
Metadata:
  Creation Timestamp:  2025-06-20T20:56:42Z
  Generation:          1
  Resource Version:    481755
  UID:                 6140ca30-cd48-4b13-b53f-a7e382f842db
Spec:
  Ip Family:  dual
  Kubernetes:
    Deployment:
      Container:
        Image:
          Pull Policy:  Never
          Repository:   nginx-gateway-fabric/nginx
          Tag:          sa.choudhary
        Resources:
          Requests:
            Cpu:     500m
            Memory:  2Gi
      Replicas:      1
    Service:
      External Traffic Policy:  Local
      Type:                     LoadBalancer
Events:                         <none>

So a couple of observations

• you are not specifying scaleTargetRef in NGINXProxy resource
• also, during helm install i am running into error that unknown field "spec.kubernetes.deployment.autoscaling" from the NginxProxy template. So API has been updated but maybe something up with how yaml is nested.
• I think this could be a possible issue. I did spend some time debugging and adding target refs but that failed too

W0620 15:33:11.844029   43067 warnings.go:70] unknown field "spec.kubernetes.deployment.autoscaling"
W0620 15:33:11.844075   43067 warnings.go:70] unknown field "spec.scaleTargetRef"

What am I doing wrong in terms of testing ? @sjberman @nowjean

[nowjean]

@salonichf5 @sjberman Thanks for testing!

Please refer to below guide and review my PR again.

I've patched Makefile generate-crds

crd:maxDescLen=0

This option off the description of CRDs. Because, new nginxProxy manifest file occurs

The CustomResourceDefinition "nginxproxies.gateway.nginx.org" is invalid: metadata.annotations: Too long: must have at most 262144 byte

1. Rebuild the image
   I’ve updated the CRDs, so please rebuild the NGF Docker image:
   make generate-all.
   make build-ngf-image.
   (You’ll find this target in the Makefile.)

2. Apply new NginxProxy CRD.

kubectl apply -f gateway.nginx.org_nginxproxies.yaml

3. Point Helm to the new image
   Edit values.yaml so the Helm chart uses the image you just built:

 image:
   # -- The NGINX Gateway Fabric image to use
   repository: ghcr.io/nginx/nginx-gateway-fabric  # → replace with your new image
   tag: edge  # → replace with your new tag

(In my case, I had to upgrade my runc version to build ngf docker images.)

4. Deploy the Helm chart

• The control-plane HPA is created automatically by the Helm template.

• The data-plane HPA is created by each Gateway resource, because every NginxProxy manages its own control-plane Deployment, Service, and so on. After you apply a Gateway, you’ll see an HPA for its Deployment.

End-users can create multiple Gateways, and each one needs its own HPA, so the logic now lives in the Gateway resource.

Plus, I'm not sure about this part:

Needed to install the metrics server (enabling insecure TLS) to get metrics for resource memory and ScalingActive is false >since i did not set memory request.
should this be communicated to end user about setting additional fields if we want scaling to be active

Normally, we assume that end users already have the Metrics Server running if they're using HPA or similar features. But maybe it's worth adding a note in the docs to avoid confusion.

[sjberman]

@nowjean We'll squash when we merge, so no need to do it now. Just a couple of outstanding comments from me that haven't been addressed yet.

[nowjean]

@sjberman Do I need to something more?

[sjberman]

@nowjean There were still a couple of my comments that haven't been answered/addressed yet.

[nowjean]

@nowjean There were still a couple of my comments that haven't been answered/addressed yet.

Thanks, I've replied all of your comments before, Please let me know any needed action.

[sjberman]

@nowjean I don't see any response to the following:

#3492 (comment)
#3492 (comment)
#3492 (comment)
#3492 (comment)

[nowjean]

@nowjean I don't see any response to the following:

#3492 (comment) #3492 (comment) #3492 (comment) #3492 (comment)

@sjberman I also replied to all four comments two weeks ago. Can’t you see that?

[sjberman]

@nowjean They're pending, which likely means you responded as a review and didn't submit it. Otherwise I can't see them.

[nowjean]

@nowjean They're pending, which likely means you responded as a review and didn't submit it. Otherwise I can't see them.

@sjberman So Sorry for that. I've submitted my reviews. Thanks!

[mpstefan]

Hey @nowjean, we looked at this issue during our community meeting. Did you get a chance to review the comments left on this PR? We're excited to get this in the next release.

[nowjean]

@mpstefan Sure! I will push today.

[sjberman]

@nowjean If you could rebase as well and fix conflicts, that would be great. I'll test this soon.

[nowjean]

@sjberman I rebased upstream main branch and resolved conflicts.

git rebase upstream/main
[resolve conflicts..]
git add .
git rebase --continue

and then,

make generate-all
make unit-test

git add .
git commit -m "blah blah blah~~"

It was super complicated task for me. Anyway, I think hpa branch rebased successfully and resolved all conflicts.
Please check this! Thanks.

[sjberman]

This doesn't need to use CEL validation. You can just set minimum and maximum directly on the field. See other int values as examples in here.

[sjberman]

This still needs to be fixed (and the comment below).

[sjberman]

Same comment

[sjberman]

Where does this metric come from?

[nowjean]

It's kind of premetheus custom metric or something. User should set the metric indivisually, It is a just example of custom metric.

[sjberman]

Ok, I don't believe we export a metric with this name, so I just don't want to confuse any users into thinking that it's an example of a real metric. Maybe we can use something more generic sounding.

[sjberman]

This comment is phrased strangely to me. Is it's intention to say that this value should NOT be set if using autoscaling?

[nowjean]

This means the value of resources should be be set for using dataplane HPA. For example, HPA needs cpu or memory metric for autoscaling..

[sjberman]

Okay, then just a nitpick on the formatting/grammar:

You should set this value if you want to use dataplane Autoscaling(HPA).

[sjberman]

Looks like we have an issue with the current way our controller handles external resource updates. We don't allow anyone but our own controller to make changes to the nginx resources. But that's a problem if the HPA wants to scale it and change the number of replicas. Are there other fields that the HPA updates besides replicas?

I'm going to need to think about how we handle this...

[sjberman]

A workaround solution for now could be that where we set the Replicas value in objects.go for the Deployment, we first check to see if HPA is enabled, and then see if the HPA object already exists (using the k8s client) and get its status.desiredReplicas field and set that as the Replicas. Then at least our controller will ensure they are the same value.

I'm hoping I can figure out something better in the long term.

[sjberman]

If this works, then in the API and helm values where Replicas is defined, we should update comments to say that the value is ignored if HPA is enabled.

[sarthyparty]

I think the adding a scale sub resource to the NginxProxy is a better long term solution. I think it's standard Kubernetes practice to do this when trying to scale custom setups.

[sjberman]

One issue I can think of that could be problematic is that if our controller is down for any reason, and the HPA sets the /scale on the NginxProxy CRD, our controller can't act on it and nginx won't be scaled.

[sjberman]

Actually, I think the scaling on the NginxProxy resource isn't going to work. The NginxProxy resource can be attached to the GatewayClass, and its settings apply to all Gateways for that class. So if you have X amount of Gateways (and therefore X amount of nginx Deployments and HPAs), they may all have different requirements for scaling. They can't all update the same replica field at the GatewayClass level. They'll just be fighting with each other.

[sarthyparty]

Oh yeah that is true, I guess you'd need one nginx proxy per gateway

[sjberman]

@nowjean So all that to say I think the solution in my earlier comment using status.desiredReplicas is probably our option.

[nowjean]

@sjberman Oh.. okay it's little bit complicated but I will try status.desiredReplicas feature. But, can it resolve this issue? So if you have X amount of Gateways (and therefore X amount of nginx Deployments and HPAs), they may all have different requirements for scaling.

[sjberman]

But, can it resolve this issue?

Yes, this shouldn't be a problem with your changes.

[sjberman]

You removed the validation:XValidation portion of the syntax, which is still needed.

[sjberman]

@nowjean We're looking at doing a release in the next couple of weeks, and would love to include these changes. If you're schedule is too busy to focus on this, that's totally okay. Let us know, and we can also look into taking over the remaining pieces of this work.