Kong
diff --git a/‎CHANGELOG.md‎
Lines changed: 7 additions & 8 deletions b/‎CHANGELOG.md‎
Lines changed: 7 additions & 8 deletions
diff --git a/‎Makefile‎
Lines changed: 4 additions & 2 deletions b/‎Makefile‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎config/crd/incubator/kustomization.yaml‎
Lines changed: 1 addition & 1 deletion b/‎config/crd/incubator/kustomization.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/crd/kustomization.yaml‎
Lines changed: 1 addition & 1 deletion b/‎config/crd/kustomization.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 4 deletions b/‎go.sum‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎internal/dataplane/kongstate/kongupstreampolicy.go‎
Lines changed: 30 additions & 9 deletions b/‎internal/dataplane/kongstate/kongupstreampolicy.go‎
Lines changed: 30 additions & 9 deletions
diff --git a/‎internal/dataplane/kongstate/kongupstreampolicy_test.go‎
Lines changed: 103 additions & 0 deletions b/‎internal/dataplane/kongstate/kongupstreampolicy_test.go‎
Lines changed: 103 additions & 0 deletions
@@ -106,19 +106,19 @@ Adding a new version? You'll need three changes:
  - [0.0.5](#005)
  - [0.0.4 and prior](#004-and-prior)
 
- ## Unreleased
+## Unreleased
 
 ### Fixed
 
 - Count the `attachedRoutes` of a `Gateway` in the correct way in case of `HTTPRoute`s
   with multiple parent references.
   [#7517](https://github.com/Kong/kubernetes-ingress-controller/pull/7517)
 
- ## [3.4.6]
+## [3.4.6]
 
- > Release date: 2025-06-06
+> Release date: 2025-06-06
 
- ### Fixed
+### Fixed
 
  - Keep the plugin's ID unchanged if there is already the same plugin exists
    when working with DB backed Kong gateways. "Same" plugin is identified by the
@@ -465,7 +465,7 @@ Please use [3.4.1] or later instead.
 - It is now possible to disable synchronization of consumers to Konnect through the
   flag `--konnect-disable-consumers-sync`.
   [#6313](https://github.com/Kong/kubernetes-ingress-controller/pull/6313)
-- Allow `KongCustomEntity` to refer to plugins in another namespace via 
+- Allow `KongCustomEntity` to refer to plugins in another namespace via
   `spec.parentRef.namespace`. The reference is allowed only when there is a
   `ReferenceGrant` in the namespace of the `KongPlugin` to grant permissions
   to `KongCustomEntity` of referring to `KongPlugin`.
@@ -726,7 +726,7 @@ Please use [3.4.1] or later instead.
 - Do not generate invalid duplicate upstream targets when routes use multiple
   Services with the same endpoints.
   [#5817](https://github.com/Kong/kubernetes-ingress-controller/pull/5817)
-- Remove the constraint of items of `parentRefs` can only be empty or 
+- Remove the constraint of items of `parentRefs` can only be empty or
   `gateway.network.k8s.io/Gateway` in validating `HTTPRoute`s. If an item in
   `parentRefs`'s group/kind is not `gateway.network.k8s.io/Gateway`, the item
   is seen as a parent other than the controller and ignored in parentRef check.
@@ -772,7 +772,6 @@ Please use [3.4.1] or later instead.
   attached to the route or service only.
   [#6132](https://github.com/Kong/kubernetes-ingress-controller/pull/6132)
 
-
 ## [3.1.5]
 
 > Release date: 2024-05-17
@@ -937,7 +936,7 @@ Please use [3.4.1] or later instead.
   [#5312](https://github.com/Kong/kubernetes-ingress-controller/pull/5312)
 - Added functionality to the `KongUpstreamPolicy` controller to properly set and
   enforce `KongUpstreamPolicy` status. 
-  The controller will set an ancestor status in `KongUpstreamPolicy` status for 
+  The controller will set an ancestor status in `KongUpstreamPolicy` status for
   each of its ancestors (i.e. `Service` or `KongServiceFacade`) with the `Accepted`
   and `Programmed` condition.
   [#5185](https://github.com/Kong/kubernetes-ingress-controller/pull/5185)
 
@@ -792,9 +792,11 @@ uninstall-gateway-api-crds: go-mod-download-gateway-api kustomize
 	$(KUSTOMIZE) build $(GATEWAY_API_CRDS_LOCAL_PATH) | kubectl delete -f -
 	$(KUSTOMIZE) build $(GATEWAY_API_CRDS_LOCAL_PATH)/experimental | kubectl delete -f -
 
-# Install CRDs into the K8s cluster specified in $KUBECONFIG.
 .PHONY: install
-install: manifests install-gateway-api-crds
+install: manifests install-gateway-api-crds install.crds.kubernetes-configuration
+
+.PHONY: install.crds.kubernetes-configuration
+install.crds.kubernetes-configuration: kustomize
 	$(KUSTOMIZE) build config/crd | kubectl apply -f -
 
 # Uninstall CRDs from the K8s cluster specified in $KUBECONFIG.
 
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://github.com/kong/kubernetes-configuration/config/crd/ingress-controller-incubator?ref=v1.3.1 # Version is auto-updated by the generating script.
+  - https://github.com/kong/kubernetes-configuration/config/crd/ingress-controller-incubator?ref=v1.3.3 # Version is auto-updated by the generating script.
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://github.com/kong/kubernetes-configuration/config/crd/ingress-controller?ref=v1.3.1 # Version is auto-updated by the generating script.
+  - https://github.com/kong/kubernetes-configuration/config/crd/ingress-controller?ref=v1.3.3 # Version is auto-updated by the generating script.
@@ -17,7 +17,7 @@ go 1.24.3
 
 require (
 	cloud.google.com/go/container v1.43.0
-	github.com/Kong/sdk-konnect-go v0.2.22
+	github.com/Kong/sdk-konnect-go v0.2.26
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/avast/retry-go/v4 v4.6.1
 	github.com/blang/semver/v4 v4.0.0
@@ -31,7 +31,7 @@ require (
 	github.com/jpillora/backoff v1.0.0
 	github.com/kong/go-database-reconciler v1.23.0
 	github.com/kong/go-kong v0.66.1
-	github.com/kong/kubernetes-configuration v1.3.1
+	github.com/kong/kubernetes-configuration v1.3.3
 	github.com/kong/kubernetes-telemetry v0.1.9
 	github.com/kong/kubernetes-testing-framework v0.47.2
 	github.com/lithammer/dedent v1.1.0
 
@@ -20,8 +20,8 @@ github.com/Kong/go-diff v1.2.2 h1:KKKaqHc8IxuguFVIZMNt3bi6YuC/t9r7BGD8bOOpSgM=
 github.com/Kong/go-diff v1.2.2/go.mod h1:nlvdwVZQk3Rm+tbI0cDmKFrOjghtcZTrZBp+UruvvA8=
 github.com/Kong/gojsondiff v1.3.2 h1:qIOVq2mUXt+NXy8Be5gRUee9TP3Ve0MbQSafg9bXKZE=
 github.com/Kong/gojsondiff v1.3.2/go.mod h1:DiIxtU59q4alK7ecP+7k56C5UjgOviJ5gQVR2esEhYw=
-github.com/Kong/sdk-konnect-go v0.2.22 h1:7Jm+LdqqDaypg30DIVeg9QiNS9Eg80dmsDw8Fz2v96U=
-github.com/Kong/sdk-konnect-go v0.2.22/go.mod h1:xsmTIkBbmVyUh1nRFjQMOhxYIPDl+sMfmRmPuZHtwLE=
+github.com/Kong/sdk-konnect-go v0.2.26 h1:39zLa4oExkvY4GS/TIU1i40tUjSxoe+EyH9SuWECKP8=
+github.com/Kong/sdk-konnect-go v0.2.26/go.mod h1:xsmTIkBbmVyUh1nRFjQMOhxYIPDl+sMfmRmPuZHtwLE=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
@@ -228,8 +228,8 @@ github.com/kong/go-database-reconciler v1.23.0 h1:Hwk1DAz546DDGuOj65tnMvDEhLHg2s
 github.com/kong/go-database-reconciler v1.23.0/go.mod h1:FhP9xPcigtDyq7jHS0EGRpwlVwx5+27caTeg2Yqf0Fs=
 github.com/kong/go-kong v0.66.1 h1:UVdemzcCpfXEl6O/VHdf0rT2bXdIO5ykuJbf2z1JTko=
 github.com/kong/go-kong v0.66.1/go.mod h1:wRMPAXGOB3kn53TF6zN4l2JhIWPUfXDFKNHkMHBB3iQ=
-github.com/kong/kubernetes-configuration v1.3.1 h1:mA36ROsWLA1/1PDPYC0mbTMB3D8sLG6FbsXBoq2LNog=
-github.com/kong/kubernetes-configuration v1.3.1/go.mod h1:wakGUhvbgYjrE9n0y9lXvNFcP2JTDOIoIoxJTTWw4oQ=
+github.com/kong/kubernetes-configuration v1.3.3 h1:UpEm6S85H3eJKD/OlfxoJ3tRHAaSEY5+7fbfR0q+SPw=
+github.com/kong/kubernetes-configuration v1.3.3/go.mod h1:+HRrz0eeoy7d5YJYiCkk736xaSq3y9fbV5SvucYo/tY=
 github.com/kong/kubernetes-telemetry v0.1.9 h1:XbDMZjZZclHO4oyJGW1mmZ6bzbTnANjcRAYsBg+jpno=
 github.com/kong/kubernetes-telemetry v0.1.9/go.mod h1:lBSbaQdJkoMMO0d+cJWopoJiJ+QHFBttbhCp5VRibJ8=
 github.com/kong/kubernetes-testing-framework v0.47.2 h1:+2Z9anTpbV/hwNeN+NFQz53BMU+g3QJydkweBp3tULo=
 
@@ -75,8 +75,8 @@ func TranslateKongUpstreamPolicy(policy configurationv1beta1.KongUpstreamPolicyS
 		HashOn:           translateHashOn(policy.HashOn),
 		HashOnHeader:     translateHashOnHeader(policy.HashOn),
 		HashOnURICapture: translateHashOnURICapture(policy.HashOn),
-		HashOnCookie:     translateHashOnCookie(policy.HashOn),
-		HashOnCookiePath: translateHashOnCookiePath(policy.HashOn),
+		HashOnCookie:     translateHashOnCookie(policy.HashOn, policy.HashOnFallback),
+		HashOnCookiePath: translateHashOnCookiePath(policy.HashOn, policy.HashOnFallback),
 		HashOnQueryArg:   translateHashOnQueryArg(policy.HashOn),
 
 		HashFallback:           translateHashOn(policy.HashOnFallback),
@@ -90,7 +90,10 @@ func translateHashOn(hashOn *configurationv1beta1.KongUpstreamHash) *string {
 	if hashOn == nil {
 		return nil
 	}
-	// CRD validations will ensure only one of hashOn fields can be set, therefore the order doesn't matter.
+
+	// CRD validations will ensure only one of hashOn fields can be set, therefore
+	// the order in which we check these doesn't matter.
+
 	switch {
 	case hashOn.Input != nil:
 		return lo.ToPtr(string(*hashOn.Input))
@@ -114,11 +117,20 @@ func translateHashOnHeader(hashOn *configurationv1beta1.KongUpstreamHash) *strin
 	return hashOn.Header
 }
 
-func translateHashOnCookie(hashOn *configurationv1beta1.KongUpstreamHash) *string {
-	if hashOn == nil {
+func translateHashOnCookie(hashOn, hashOnFallback *configurationv1beta1.KongUpstreamHash) *string {
+	if hashOn == nil && hashOnFallback == nil {
 		return nil
 	}
-	return hashOn.Cookie
+
+	if hashOn != nil && hashOn.Cookie != nil {
+		return hashOn.Cookie
+	}
+	if hashOnFallback != nil && hashOnFallback.Cookie != nil {
+		return hashOnFallback.Cookie
+	}
+
+	// This should not happen as this should be prevented by the CRD validation.
+	return nil
 }
 
 func translateHashOnQueryArg(hashOn *configurationv1beta1.KongUpstreamHash) *string {
@@ -135,11 +147,20 @@ func translateHashOnURICapture(hashOn *configurationv1beta1.KongUpstreamHash) *s
 	return hashOn.URICapture
 }
 
-func translateHashOnCookiePath(hashOn *configurationv1beta1.KongUpstreamHash) *string {
-	if hashOn == nil {
+func translateHashOnCookiePath(hashOn, hashOnFallback *configurationv1beta1.KongUpstreamHash) *string {
+	if hashOn == nil && hashOnFallback == nil {
 		return nil
 	}
-	return hashOn.CookiePath
+
+	if hashOn != nil && hashOn.CookiePath != nil {
+		return hashOn.CookiePath
+	}
+	if hashOnFallback != nil && hashOnFallback.CookiePath != nil {
+		return hashOnFallback.CookiePath
+	}
+
+	// This should not happen as this should be prevented by the CRD validation.
+	return nil
 }
 
 func translateHealthchecks(healthchecks *configurationv1beta1.KongUpstreamHealthcheck) *kong.Healthcheck {
 
@@ -193,6 +193,109 @@ func TestTranslateKongUpstreamPolicy(t *testing.T) {
 				HashFallbackHeader: lo.ToPtr("bar"),
 			},
 		},
+		{
+			name: "KongUpstreamPolicySpec with hash-on header and hash-on fallback cookie",
+			policySpec: configurationv1beta1.KongUpstreamPolicySpec{
+				HashOn: &configurationv1beta1.KongUpstreamHash{
+					Header: lo.ToPtr("foo"),
+				},
+				HashOnFallback: &configurationv1beta1.KongUpstreamHash{
+					Cookie:     lo.ToPtr("cookie-name"),
+					CookiePath: lo.ToPtr("/cookie-path"),
+				},
+			},
+			expectedUpstream: &kong.Upstream{
+				HashOn:           lo.ToPtr("header"),
+				HashOnHeader:     lo.ToPtr("foo"),
+				HashFallback:     lo.ToPtr("cookie"),
+				HashOnCookie:     lo.ToPtr("cookie-name"),
+				HashOnCookiePath: lo.ToPtr("/cookie-path"),
+			},
+		},
+		{
+			name: "KongUpstreamPolicySpec with hash-on query-arg and hash-on fallback cookie",
+			policySpec: configurationv1beta1.KongUpstreamPolicySpec{
+				HashOn: &configurationv1beta1.KongUpstreamHash{
+					QueryArg: lo.ToPtr("foo"),
+				},
+				HashOnFallback: &configurationv1beta1.KongUpstreamHash{
+					Cookie:     lo.ToPtr("cookie-name"),
+					CookiePath: lo.ToPtr("/cookie-path"),
+				},
+			},
+			expectedUpstream: &kong.Upstream{
+				HashOn:           lo.ToPtr("query_arg"),
+				HashOnQueryArg:   lo.ToPtr("foo"),
+				HashFallback:     lo.ToPtr("cookie"),
+				HashOnCookie:     lo.ToPtr("cookie-name"),
+				HashOnCookiePath: lo.ToPtr("/cookie-path"),
+			},
+		},
+		{
+			name: "KongUpstreamPolicySpec with hash-on uri-capture and hash-on fallback cookie",
+			policySpec: configurationv1beta1.KongUpstreamPolicySpec{
+				HashOn: &configurationv1beta1.KongUpstreamHash{
+					URICapture: lo.ToPtr("foo"),
+				},
+				HashOnFallback: &configurationv1beta1.KongUpstreamHash{
+					Cookie:     lo.ToPtr("cookie-name"),
+					CookiePath: lo.ToPtr("/cookie-path"),
+				},
+			},
+			expectedUpstream: &kong.Upstream{
+				HashOn:           lo.ToPtr("uri_capture"),
+				HashOnURICapture: lo.ToPtr("foo"),
+				HashFallback:     lo.ToPtr("cookie"),
+				HashOnCookie:     lo.ToPtr("cookie-name"),
+				HashOnCookiePath: lo.ToPtr("/cookie-path"),
+			},
+		},
+		{
+			// This will be blocked by CRD validation rules because according to
+			// https://developer.konghq.com/gateway/entities/upstream/#consistent-hashing
+			// if the primary hash_on is set to cookie, the hash_fallback is invalid
+			// and cannot be used.
+			name: "KongUpstreamPolicySpec with hash-on cookie and hash-on fallback cookie is incorrect and should not happen",
+			policySpec: configurationv1beta1.KongUpstreamPolicySpec{
+				HashOn: &configurationv1beta1.KongUpstreamHash{
+					Cookie:     lo.ToPtr("cookie-name"),
+					CookiePath: lo.ToPtr("/cookie-path"),
+				},
+				HashOnFallback: &configurationv1beta1.KongUpstreamHash{
+					Cookie:     lo.ToPtr("cookie-name-2"),
+					CookiePath: lo.ToPtr("/cookie-path-2"),
+				},
+			},
+			expectedUpstream: &kong.Upstream{
+				HashOn:           lo.ToPtr("cookie"),
+				HashOnCookie:     lo.ToPtr("cookie-name"),
+				HashOnCookiePath: lo.ToPtr("/cookie-path"),
+				HashFallback:     lo.ToPtr("cookie"),
+			},
+		},
+		{
+			// This will be blocked by CRD validation rules because according to
+			// https://developer.konghq.com/gateway/entities/upstream/#consistent-hashing
+			// if the primary hash_on is set to cookie, the hash_fallback is invalid
+			// and cannot be used.
+			name: "KongUpstreamPolicySpec with hash-on cookie and hash-on fallback header is incorrect and should not happen",
+			policySpec: configurationv1beta1.KongUpstreamPolicySpec{
+				HashOn: &configurationv1beta1.KongUpstreamHash{
+					Cookie:     lo.ToPtr("cookie-name"),
+					CookiePath: lo.ToPtr("/cookie-path"),
+				},
+				HashOnFallback: &configurationv1beta1.KongUpstreamHash{
+					Header: lo.ToPtr("header-name"),
+				},
+			},
+			expectedUpstream: &kong.Upstream{
+				HashOn:             lo.ToPtr("cookie"),
+				HashOnCookie:       lo.ToPtr("cookie-name"),
+				HashOnCookiePath:   lo.ToPtr("/cookie-path"),
+				HashFallback:       lo.ToPtr("header"),
+				HashFallbackHeader: lo.ToPtr("header-name"),
+			},
+		},
 		{
 			name: "KongUpstreamPolicySpec with hash-on cookie",
 			policySpec: configurationv1beta1.KongUpstreamPolicySpec{