Skip to content

Kong chart: scope IngressClass and Gateway API controller name by ingress class #1519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vkobets wants to merge 1 commit into
base: main
Choose a base branch
from
+10 −1
Open

Kong chart: scope IngressClass and Gateway API controller name by ingress class #1519

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions charts/kong/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
# Changelog

## Unreleased

### Changes

* Align `IngressClass.spec.controller` and Gateway API
`CONTROLLER_GATEWAY_API_CONTROLLER_NAME` with `ingressController.ingressClass`
when using multiple controllers or a non-default ingress class.
Copy link

Copilot AI Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This changelog entry describes the alignment change, but it doesn’t call out the operational upgrade impact: IngressClass.spec.controller is immutable, so users with an existing chart-managed IngressClass and a non-default ingressController.ingressClass will need to delete/recreate the IngressClass before upgrading. Similarly, changing the Gateway API controller name may require updating existing GatewayClass controllerName values. Please add explicit upgrade notes here (and ideally in UPGRADE.md) to prevent failed upgrades / unexpected controller non-reconciliation.

Suggested change
when using multiple controllers or a non-default ingress class.
when using multiple controllers or a non-default ingress class.
Upgrade note: `IngressClass.spec.controller` is immutable. If you have an
existing chart-managed `IngressClass` and use a non-default
`ingressController.ingressClass`, you may need to delete and recreate the
`IngressClass` before upgrading. If you use Gateway API resources, you may
also need to update existing `GatewayClass.spec.controllerName` values to
match the new controller name after upgrade, otherwise the controller may
not reconcile those resources.

Copilot uses AI. Check for mistakes.

## 3.2.0

### Changes
Expand Down
1 change: 1 addition & 0 deletions charts/kong/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -502,6 +502,7 @@ The name of the Service which will be used by the controller to update the Ingre
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_GATEWAY_API_CONTROLLER_NAME" (printf "ingress-controllers.konghq.com/-%s" .Values.ingressController.ingressClass) -}}
Copy link
Copy Markdown
Member

@pmalek pmalek Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would not connect these 2 concepts. IngressClass and Gateway API controller name are 2 disjoint configuration aspects.

Comment on lines 502 to +505
Copy link

Copilot AI Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting CONTROLLER_GATEWAY_API_CONTROLLER_NAME to ingress-controllers.konghq.com/-%s changes the controller identity for Gateway API reconciliation and can break existing GatewayClass objects that use the long-standing default konghq.com/kic-gateway-controller (the chart’s own helm-test GatewayClass uses that value in templates/tests/test-resources.yaml). Unless the KIC default has changed, this is a breaking behavior change on upgrade. Consider preserving the default when ingressController.ingressClass is the default class (or only setting this env var when the user explicitly opts in / when ingressClass != "kong"), and/or using the konghq.com/kic-gateway-controller[-<class>] naming scheme to stay compatible with existing manifests.

Suggested change
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_GATEWAY_API_CONTROLLER_NAME" (printf "ingress-controllers.konghq.com/-%s" .Values.ingressController.ingressClass) -}}
{{- $gatewayAPIControllerName := "konghq.com/kic-gateway-controller" -}}
{{- if ne .Values.ingressController.ingressClass "kong" -}}
{{- $gatewayAPIControllerName = printf "konghq.com/kic-gateway-controller-%s" .Values.ingressController.ingressClass -}}
{{- end -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
{{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
{{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
{{- $_ := set $autoEnv "CONTROLLER_GATEWAY_API_CONTROLLER_NAME" $gatewayAPIControllerName -}}

Copilot uses AI. Check for mistakes.
{{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}

{{- if .Values.ingressController.admissionWebhook.enabled }}
Expand Down
2 changes: 1 addition & 1 deletion charts/kong/templates/ingress-class.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,5 +29,5 @@ metadata:
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
spec:
controller: ingress-controllers.konghq.com/kong
controller: ingress-controllers.konghq.com/{{ .Values.ingressController.ingressClass }}
Copy link
Copy Markdown
Member

@pmalek pmalek Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is ok 👍

Comment on lines 31 to +32
Copy link

Copilot AI Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IngressClass.spec.controller is immutable. For any existing chart-managed IngressClass created with the old fixed controller value (ingress-controllers.konghq.com/kong), upgrading with a non-default ingressController.ingressClass will make Helm try to patch this field and the upgrade will fail unless the IngressClass is deleted/recreated. Consider adding template logic to detect an existing IngressClass with a different .spec.controller and fail with a clear message (or otherwise document/handle the required delete-and-recreate flow).

Copilot uses AI. Check for mistakes.
{{- end -}}