crossplane · twobiers · Jun 25, 2025 · Jun 25, 2025 · Jun 25, 2025 · Jun 26, 2025
@@ -55,6 +55,16 @@ const (
 	errUpdateCriticalAnnotations = "cannot update critical annotations"
 )
 
+//nolint:gochecknoglobals // this is a list of critical annotations that should be retried when updating, and is not expected to be modified at runtime.
+var (
+	criticalAnnotations = []string{
+		meta.AnnotationKeyExternalCreateFailed,
+		meta.AnnotationKeyExternalCreatePending,
+		meta.AnnotationKeyExternalCreateSucceeded,
+		meta.AnnotationKeyExternalName,
+	}
+)
+
 // NameAsExternalName writes the name of the managed resource to
 // the external name annotation field in order to be used as name of
 // the external resource in provider.
@@ -277,15 +287,36 @@ func NewRetryingCriticalAnnotationUpdater(c client.Client) *RetryingCriticalAnno
 // UpdateCriticalAnnotations updates (i.e. persists) the annotations of the
 // supplied Object. It retries in the face of any API server error several times
 // in order to ensure annotations that contain critical state are persisted.
-// Pending changes to the supplied Object's spec, status, or other metadata
-// might get reset to their current state according to the API server, e.g. in
-// case of a conflict error.
+// Only annotations will be updated as part of this operation, other fields of the
+// supplied Object will not be modified.
 func (u *RetryingCriticalAnnotationUpdater) UpdateCriticalAnnotations(ctx context.Context, o client.Object) error {
-	a := o.GetAnnotations()
+	a := make(map[string]string)
+	for _, k := range criticalAnnotations {
+		if v, ok := o.GetAnnotations()[k]; ok {
+			a[k] = v
+		}
+	}
+
+	if len(a) == 0 {
+		// No critical annotations to update.
+		return nil
+	}
+
 	err := retry.OnError(retry.DefaultRetry, func(err error) bool {
 		return !errors.Is(err, context.Canceled)
 	}, func() error {
-		err := u.client.Update(ctx, o)
+		patchMap := map[string]any{
+			"metadata": map[string]any{
+				"annotations": a,
+			},
+		}
+
+		patchData, err := json.Marshal(patchMap)
+		if err != nil {
+			return err
+		}
+
+		err = u.client.Patch(ctx, o, client.RawPatch(types.MergePatchType, patchData), client.FieldOwner(fieldOwnerAPISimpleRefResolver), client.ForceOwnership)
 		if kerrors.IsConflict(err) {
 			if getErr := u.client.Get(ctx, client.ObjectKeyFromObject(o), o); getErr != nil {
 				return getErr

@@ -551,12 +551,12 @@ func TestRetryingCriticalAnnotationUpdater(t *testing.T) {
 		o   client.Object
 	}
 
-	setLabels := func(obj client.Object) error {
-		obj.SetLabels(map[string]string{"getcalled": "true"})
+	setAnnotations := func(obj client.Object) error {
+		obj.SetAnnotations(map[string]string{"crossplane.io/external-name": "my-external-name"})
 		return nil
 	}
 	objectReturnedByGet := &fake.LegacyManaged{}
-	setLabels(objectReturnedByGet)
+	setAnnotations(objectReturnedByGet)
 
 	cases := map[string]struct {
 		reason string
@@ -567,14 +567,18 @@ func TestRetryingCriticalAnnotationUpdater(t *testing.T) {
 		"UpdateConflictGetError": {
 			reason: "We should return any error we encounter getting the supplied object",
 			c: &test.MockClient{
-				MockGet: test.NewMockGetFn(errBoom, setLabels),
-				MockUpdate: test.NewMockUpdateFn(kerrors.NewConflict(schema.GroupResource{
+				MockGet: test.NewMockGetFn(errBoom, setAnnotations),
+				MockPatch: test.NewMockPatchFn(kerrors.NewConflict(schema.GroupResource{
 					Group:    "foo.com",
 					Resource: "bars",
 				}, "abc", errBoom)),
 			},
 			args: args{
-				o: &fake.LegacyManaged{},
+				o: &fake.LegacyManaged{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{"crossplane.io/external-name": "my-external-name"},
+					},
+				},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errUpdateCriticalAnnotations),
@@ -584,28 +588,40 @@ func TestRetryingCriticalAnnotationUpdater(t *testing.T) {
 		"UpdateError": {
 			reason: "We should return any error we encounter updating the supplied object",
 			c: &test.MockClient{
-				MockGet:    test.NewMockGetFn(nil, setLabels),
-				MockUpdate: test.NewMockUpdateFn(errBoom),
+				MockGet:   test.NewMockGetFn(nil, setAnnotations),
+				MockPatch: test.NewMockPatchFn(errBoom),
 			},
 			args: args{
-				o: &fake.LegacyManaged{},
+				o: &fake.LegacyManaged{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{"crossplane.io/external-name": "my-external-name"},
+					},
+				},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errUpdateCriticalAnnotations),
-				o:   &fake.LegacyManaged{},
+				o: &fake.LegacyManaged{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{"crossplane.io/external-name": "my-external-name"},
+					},
+				},
 			},
 		},
 		"SuccessfulGetAfterAConflict": {
 			reason: "A successful get after a conflict should not hide the conflict error and prevent retries",
 			c: &test.MockClient{
-				MockGet: test.NewMockGetFn(nil, setLabels),
-				MockUpdate: test.NewMockUpdateFn(kerrors.NewConflict(schema.GroupResource{
+				MockGet: test.NewMockGetFn(nil, setAnnotations),
+				MockPatch: test.NewMockPatchFn(kerrors.NewConflict(schema.GroupResource{
 					Group:    "foo.com",
 					Resource: "bars",
 				}, "abc", errBoom)),
 			},
 			args: args{
-				o: &fake.LegacyManaged{},
+				o: &fake.LegacyManaged{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{"crossplane.io/external-name": "my-external-name"},
+					},
+				},
 			},
 			want: want{
 				err: errors.Wrap(kerrors.NewConflict(schema.GroupResource{
@@ -618,15 +634,23 @@ func TestRetryingCriticalAnnotationUpdater(t *testing.T) {
 		"Success": {
 			reason: "We should return without error if we successfully update our annotations",
 			c: &test.MockClient{
-				MockGet:    test.NewMockGetFn(nil, setLabels),
-				MockUpdate: test.NewMockUpdateFn(errBoom),
+				MockGet:   test.NewMockGetFn(nil, setAnnotations),
+				MockPatch: test.NewMockPatchFn(errBoom),
 			},
 			args: args{
-				o: &fake.LegacyManaged{},
+				o: &fake.LegacyManaged{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{"crossplane.io/external-name": "my-external-name"},
+					},
+				},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errUpdateCriticalAnnotations),
-				o:   &fake.LegacyManaged{},
+				o: &fake.LegacyManaged{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{"crossplane.io/external-name": "my-external-name"},
+					},
+				},
 			},
 		},
 	}

@@ -1410,6 +1410,21 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (resu
 		return reconcile.Result{Requeue: true}, errors.Wrap(r.client.Status().Update(ctx, managed), errUpdateManagedStatus)
 	}
 
+	if observation.ResourceExists {
+		// When a resource exists or is just created, it might have received
+		// a non-deterministic external name after its creation, which we need to persist.
+		// We do this by updating the critical annotations.
+		// This is needed because some resources might not receive an external-name directly
+		// after the creation, but later as part of an asynchronous process.
+		// When Crossplane supports asynchronous creation of resources natively, this logic
+		// might not be needed anymore and can be revisited.
+		if err := r.managed.UpdateCriticalAnnotations(ctx, managed); err != nil {
+			log.Debug(errUpdateManagedAnnotations, "error", err)
+			record.Event(managed, event.Warning(reasonCannotUpdateManaged, errors.Wrap(err, errUpdateManagedAnnotations)))
+			return reconcile.Result{Requeue: true}, errors.Wrap(r.client.Status().Update(ctx, managed), errUpdateManagedAnnotations)
+		}
+	}
+
 	if observation.ResourceLateInitialized && policy.ShouldLateInitialize() {
 		// Note that this update may reset any pending updates to the status of
 		// the managed resource from when it was observed above. This is because