/config?check_hash=1 400 error

I only updated version of kong and ingress-controller .
I used same chart.
I met the 400 error at “/config?check_hash=1”.
I already checked release history of kong and ingress-controller but there is no clue of check_hash.

Do I need to update some configuration for new version?

[before]
kong:1.4.2
kong-ingress-controller:0.6.0

[after]
kong:1.5.0
kong-ingress-controller:0.7.1

The “/config?check_hash=1” result is different
[before]
2020/02/26 10:01:14 [notice] 61#0: *8020 [lua] cache.lua:321: purge(): [DB cache] purging (local) cache, client: 127.0.0.1, server: kong_admin, request: “POST /config?check_hash=1 HTTP/1.1”, host: “localhost:8444”
127.0.0.1 - - [26/Feb/2020:10:01:14 +0000] “POST /config?check_hash=1 HTTP/1.1” 201 2612 “-” “Go-http-client/1.1”

[after]
127.0.0.1 - - [26/Feb/2020:09:43:29 +0000] “POST /config?check_hash=1 HTTP/1.1” 400 288 “-” "Go-http-client/1.1

Can you share the logs of the controller? That will show us the root cause.

How to change secret-based credentials? Is there document or guide?
How to fix “/config: 400 Bad Request”?

This is controller logs

[New Version]
W0226 23:33:17.608394 1 parser.go:339] Deprecated KongCredential in use, please use secret-based credentials. KongCredential resource will be removed in future.
E0226 23:33:17.713311 1 controller.go:119] unexpected failure updating Kong configuration:
posting new config to /config: 400 Bad Request {“fields”:{“plugins”:[null,null,null,{“config”:{“headers”:[null,null,null,null,null,null,null,“required field missing”]}}]},“name”:“invalid declarative configuration”,“code”:14,“message”:“declarative config is invalid: {plugins={[4]={config={headers={[8]=“required field missing”}}}}}”}

[Old Version]
I0226 23:20:55.580871 1 controller.go:135] successfully synced configuration to Kong
I0226 23:21:04.932947 1 controller.go:135] successfully synced configuration to Kong

I use kongcredential for jwt

apiVersion: configuration.konghq.com/v1
config:
  algorithm: RS256
  key: AAA
  rsa_public_key: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjA 
	...
    kwIDAQAB
    -----END PUBLIC KEY-----
consumerRef: global-consumer
kind: KongCredential
metadata:
  annotations:
    kubernetes.io/ingress.class: aaa-kong
  creationTimestamp: "2020-02-26T23:32:07Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: kong
  name: global-consumer-credentials
  namespace: default
type: jwt

This is kongplugin

apiVersion: configuration.konghq.com/v1
enabled: true
kind: KongPlugin
metadata:
  creationTimestamp: "2020-02-26T23:32:07Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: kong
    global: "false"
  name: jwt
  namespace: default
  resourceVersion: "1918758"
  selfLink: /apis/configuration.konghq.com/v1/namespaces/nms/kongplugins/jwt
  uid: ec55345a-b18f-4f11-8a7b-c041a9f03250
plugin: jwt

This shows the error that headers required field is missing for a plugin configuration.

I found how to change kongcredential to k8s secret
reference : Kubernetes gRPC Deployment: Dune Quote Service Example | Kong Inc.

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: global-consumer
credentials:
- jwt-public



apiVersion: v1
kind: Secret
metadata:
  name: jwt-public
  labels:
    app: jwt-public
stringData:
  kongCredType: jwt
  key: "key"
  algorithm: RS256
  rsa_public_key: |-
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArEQyvTWd9o84DTpFP7jo
...
    kwIDAQAB
    -----END PUBLIC KEY-----