provisioner-Service controller creates infinite reconciliation loop causing excessive nginx reloads

[swisscat]

Describe the bug
The provisioner-Service controller creates an infinite reconciliation feedback loop where it continuously reconciles the nginx-gateway-nginx Service, triggering excessive NGINX reloads (2-3 times per second).

To Reproduce

1. Deploy nginx-gateway-fabric v2.2.0 with cert-manager
2. Create multiple HTTPRoutes with SnippetsFilters
3. Enable debug logging: kubectl patch nginxgateway nginx-gateway-config -n nginx-gateway --type='merge' -p='{"spec":{"logging":{"level":"debug"}}}'
4. Observe logs showing continuous Service reconciliation

Expected behavior
The nginx-gateway-nginx Service should only be reconciled when there are actual changes to Gateway resources, HTTPRoutes, or endpoints.

Actual behavior
The provisioner-Service controller continuously reconciles the nginx-gateway-nginx Service even when nothing changes, creating a feedback loop:

{"level":"debug","ts":"2025-10-26T21:57:24Z","msg":"Reconciling the resource","controller":"provisioner-Service","Service":{"name":"nginx-gateway-nginx","namespace":"nginx-gateway"}}
{"level":"debug","ts":"2025-10-26T21:57:24Z","msg":"Upserted the resource","controller":"provisioner-Service","Service":{"name":"nginx-gateway-nginx","namespace":"nginx-gateway"}}
{"level":"debug","ts":"2025-10-26T21:57:24Z","logger":"provisioner.eventLoop","msg":"added an event to the next batch","type":"*events.UpsertEvent"}
{"level":"info","ts":"2025-10-26T21:57:24Z","logger":"provisioner","msg":"Creating/Updating nginx resources","namespace":"nginx-gateway","name":"nginx-gateway-nginx"}
  // ... repeats 2-3 times per second

Your environment

• nginx-gateway-fabric: v2.2.0
• Kubernetes: 1.33.4
• Platform: Scaleway Kubernetes
• Exposed through LoadBalancer

Additional context

• Issue occurs on clusters with cert-manager and cilium (100% correlation)
• Issue does not occur on docker-desktop (no cert-manager, no cilium)
• Frequent pod updates (deployments) amplify the issue but don't cause it
• Debug logs show no other controller besides provisioner-Service reconciling at this rate

[nginx-bot]

Hi @swisscat! Welcome to the project! 🎉

Thanks for opening this issue!
Be sure to check out our Contributing Guidelines and the Issue Lifecycle while you wait for someone on the team to take a look at this.

[salonichf5]

Thanks for reporting this! We’ve been able to reproduce the continuous reconciliation behavior and confirmed that the issue exists.
It appears to be caused by annotation changes on managed objects, which trigger repeated reconciliations. I’ve suggested modifying the NGINX deployment as a temporary workaround, and we’re actively working toward a resolution.