XR status is not updated if XR is patched from composition functions

[mproffitt]

When running compositions in pipeline mode, an issue arises as a result of the patching carried out on the XR as part of the compoosition function runner here:

crossplane/internal/controller/apiextensions/composite/composition_functions.go

Lines 391 to 393 in 603e4ca

	if err := c.client.Status().Patch(ctx, xr, client.Apply, client.ForceOwnership, client.FieldOwner(FieldOwnerXR)); err != nil {
	return CompositionResult{}, errors.Wrap(err, errApplyXRStatus)
	}

When the patch is applied, the XR resourceVersion field is updated on the managed resource but is never reflected back into the XR as it's handed back to the main reconile loop.

The outcome of this is that when crossplane tries to update the conditions inside the reconciler here

crossplane/internal/controller/apiextensions/composite/reconciler.go

Line 711 in 603e4ca

return reconcile.Result{RequeueAfter: r.pollInterval}, errors.Wrap(r.client.Status().Update(ctx, xr), errUpdateStatus)

it is unable to proceed with the error being masked inside the reconcile.Result.

The error returned from the client here is the object has been modified; please apply your changes to the latest version and try again which seems to get lost by the client logs making this difficult to trace.

This manifests inside the XR as "Stuck" status fields similar to that reported in slack here: https://crossplane.slack.com/archives/CEG3T90A1/p1699029022000269 despite their underlying resources being marked ready, for example when I run my pipeline, most of the resources become ready except 2 of them:

• eks-cluster-vpc (vpcs.ec2.aws.upbound.io)
• awsmanagedcontrolplane (objects.kubernetes.crossplane.io)

In the crossplane beta trace tree, these objects show as ready but unready against the XR:

$ crossplane beta trace xi sample-customer-zkrp6
NAME                                                 SYNCED   READY   STATUS
CompositeImport/sample-customer-zkrp6                True     False   Unready resources: awsmanagedcontrolplane, eks-cluster-vpc
...
├─ VPC/sample-customer                               True     True    Available
├─ ClusterAuth/sample-customer-eks-cluster-auth      True     True    Available
...
├─ Object/sample-customer-awsmanagedcontrolplane     True     True    Available
...

Another side effect I've seen from this is composition function error status being reflected from transient timeouts that don't seem to clear, for example if a running function temporarily became incommunicado, e.g. through pod restart, this presents as an rpc error even if the pod is subsequently running correctly.

  conditions:
  - lastTransitionTime: "2023-11-04T14:34:22Z"
    message: 'cannot compose resources: cannot run Composition pipeline step "generate-subnets":
      cannot run Function "function-generate-subnets": rpc error: code = DeadlineExceeded
      desc = context deadline exceeded'
    reason: ReconcileError
    status: "False"
    type: Synced
  - lastTransitionTime: "2023-11-03T07:16:09Z"
    message: 'Unready resources: awsmanagedcontrolplane, eks-cluster-vpc'
    reason: Creating
    status: "False"
    type: Ready

Examining both the function pod logs and the crossplane pod logs shows the function working and behaving normally.

To verify the behaviour I was seeing, I looked at modifying the behaviour of the reconciler at the end of the Reconcile function to retrieve the last applied resourceVersion and this seems to have a positive effect:

	nxr := composite.New(composite.WithGroupVersionKind(r.gvk))
	if err := r.client.Get(ctx, req.NamespacedName, nxr); err != nil {
		log.Debug(errGet, "error", err)
		return reconcile.Result{}, errors.Wrap(resource.IgnoreNotFound(err), errGet)
	}
	
	xr.SetResourceVersion(nxr.GetResourceVersion())
	if err = r.client.Status().Update(ctx, xr); err != nil {
		log.Debug(errUpdateStatus, "error", err)
	}
	return reconcile.Result{RequeueAfter: r.pollInterval}, errors.Wrap(err, errUpdateStatus)

Whilst re-fetching the XR is neither a clean or elegant solution, I wasn't able to determine what the new resourceVersion would be without doing so

$ crossplane beta trace xi sample-customer-zkrp6
NAME                                                 SYNCED   READY   STATUS
CompositeImport/sample-customer-zkrp6                True     True    Available
...
├─ VPC/sample-customer                               True     True    Available
...
├─ Object/sample-customer-awsmanagedcontrolplane     True     True    Available
...

[negz]

We have an E2E test that verifies that it's possible to patch XR status using functions. The XR status is back-propagated to the claim. So it seems like this is working in at least some situations.

When the patch is applied, the XR resourceVersion field is updated on the managed resource but is never reflected back into the XR as it's handed back to the main reconile loop.

When you say managed resource here, do you mean the XR?

I would have expected client.Status().Patch() to load the updated resource version into XR. 🤔 That seems to be happening in our E2E tests:

XR "apiextensions-composition-functions-kj2df" revision BEFORE COMPOSE: "980"
2023-11-04T23:34:27Z    DEBUG   crossplane      Reconciling     {"controller": "offered/compositeresourcedefinition.apiextensions.crossplane.io", "request": {"name":"xnopresources.nop.example.org"}, "uid": "61860f6d-b38f-4dc0-b8f7-7047e5a4583b", "version": "708", "name": "xnopresources.nop.example.org", "controller": "claim/xnopresources.nop.example.org", "request": {"name":"apiextensions-composition-functions","namespace":"default"}}
XR "apiextensions-composition-functions-kj2df" revision AFTER status PATCH: "1018"
2023-11-04T23:34:27Z    DEBUG   crossplane      Reconciling     {"controller": "defined/compositeresourcedefinition.apiextensions.crossplane.io", "controller": "composite/xnopresources.nop.example.org", "request": {"name":"apiextensions-composition-functions-kj2df-v4rxj"}}
2023-11-04T23:34:27Z    DEBUG   crossplane      Pipeline step "be-a-dummy": I am doing a compose!       {"controller": "defined/compositeresourcedefinition.apiextensions.crossplane.io", "controller": "composite/xnopresources.nop.example.org", "request": {"name":"apiextensions-composition-functions-kj2df"}, "uid": "3b21b0ce-6a8a-4ab8-9b7e-d6ab950742c8", "version": "980", "name": "apiextensions-composition-functions-kj2df"}
2023-11-04T23:34:27Z    DEBUG   crossplane      Composed resource is not yet ready      {"controller": "defined/compositeresourcedefinition.apiextensions.crossplane.io", "controller": "composite/xnopresources.nop.example.org", "request": {"name":"apiextensions-composition-functions-kj2df"}, "uid": "3b21b0ce-6a8a-4ab8-9b7e-d6ab950742c8", "version": "980", "name": "apiextensions-composition-functions-kj2df", "id": "nested-xr"}
XR "apiextensions-composition-functions-kj2df" revision AFTER COMPOSE: "1018"

Details

diff --git a/internal/controller/apiextensions/composite/composition_functions.go b/internal/controller/apiextensions/composite/composition_functions.go
index d006fec4..b1dc87ce 100644
--- a/internal/controller/apiextensions/composite/composition_functions.go
+++ b/internal/controller/apiextensions/composite/composition_functions.go
@@ -391,6 +391,7 @@ func (c *FunctionComposer) Compose(ctx context.Context, xr *composite.Unstructur
        if err := c.client.Status().Patch(ctx, xr, client.Apply, client.ForceOwnership, client.FieldOwner(FieldOwnerXR)); err != nil {
                return CompositionResult{}, errors.Wrap(err, errApplyXRStatus)
        }
+       fmt.Printf("XR %q revision AFTER status PATCH: %q\n", xr.GetName(), xr.GetResourceVersion())

        // Produce our array of resources to return to the Reconciler. The
        // Reconciler uses this array to determine whether the XR is ready.
diff --git a/internal/controller/apiextensions/composite/reconciler.go b/internal/controller/apiextensions/composite/reconciler.go
index a7dcc0b8..7a164aed 100644
--- a/internal/controller/apiextensions/composite/reconciler.go
+++ b/internal/controller/apiextensions/composite/reconciler.go
@@ -614,6 +614,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
                return reconcile.Result{Requeue: true}, errors.Wrap(r.client.Status().Update(ctx, xr), errUpdateStatus)
        }

+       fmt.Printf("XR %q revision BEFORE COMPOSE: %q\n", xr.GetName(), xr.GetResourceVersion())
+
        // TODO(negz): Pass this method a copy of xr, to make very clear that
        // anything it does won't be reflected in the state of xr?
        res, err := r.resource.Compose(ctx, xr, CompositionRequest{Revision: rev, Environment: env})
@@ -628,6 +630,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
                return reconcile.Result{Requeue: true}, errors.Wrap(r.client.Status().Update(ctx, xr), errUpdateStatus)
        }

+       fmt.Printf("XR %q revision AFTER COMPOSE: %q\n", xr.GetName(), xr.GetResourceVersion())
+
        if r.kindObserver != nil {
                var gvks []schema.GroupVersionKind
                for _, ref := range xr.GetResourceReferences() {
@@ -704,6 +708,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
                return reconcile.Result{Requeue: true}, errors.Wrap(r.client.Status().Update(ctx, xr), errUpdateStatus)
        }

+       fmt.Printf("XR %q revision BEFORE status UPDATE: %q\n", xr.GetName(), xr.GetResourceVersion())
+
        // We requeue after our poll interval because we can't watch composed
        // resources - we can't know what type of resources we might compose
        // when this controller is started.

which seems to get lost by the client logs making this difficult to trace

As of v1.14 we intentionally don't surface these issues as Kubernetes events because they're almost always transient and should clear up on the next reconcile.

To verify the behaviour I was seeing, I looked at modifying the behaviour of the reconciler at the end of the Reconcile function to retrieve the last applied resourceVersion and this seems to have a positive effect

Unfortunately we can't do this, as it could lead to data loss. The revision is used for optimistic concurrency. We want updates to fail if the client as an outdated revision, otherwise the update could potentially reset the status to an outdated revision.

Can you share your XRD, XR, and Composition to help reproduce this?

[negz]

Just thinking out loud: If something else (the claim controller?) was updating the XR so frequently that its resource version was constantly changing between when the function composer patched the status and when the reconciler tried to update the status that could cause the behavior seen here.

[negz]

I just tried to reproduce this using the the following manifests. No luck so far.

https://github.com/negz/function-patch-and-transform/tree/repro-cc-4968/example

[mproffitt]

Can you share your XRD, XR, and Composition to help reproduce this?

Of course. Everything is contained on the composition-rework branch at https://github.com/giantswarm/crossplane-cluster-import/tree/composition-rework/crossplane - I'm only focusing on AWS at the moment though so you're free to ignore anything for other providers.

• The relevant Composition: https://github.com/giantswarm/crossplane-cluster-import/blob/composition-rework/crossplane/composition/composition-aws.yaml
• The associated XRD: https://github.com/giantswarm/crossplane-cluster-import/blob/composition-rework/crossplane/composition/definition.yaml
• The sanitised XR: https://github.com/giantswarm/crossplane-cluster-import/blob/composition-rework/xrender/observed-xr.yaml

This composition uses two custom functions. They are:

• crossplane-fn-generate-subnets: https://github.com/giantswarm/crossplane-fn-generate-subnets/
• crossplane-fn-describe-nodegroups: https://github.com/giantswarm/crossplane-fn-describe-nodegroups

When you say managed resource here, do you mean the XR?

In this instance yes. I was trying to differentiate between the XR loaded into memory inside the controller and the XR persisted inside the cluster. Potentially a poor choice of words though.

As of v1.14 we intentionally don't surface these issues as Kubernetes events because they're almost always transient and should clear up on the next reconcile.

I absolutely agree about this not being raised as an event. As a cluster admin, this would be noise. Are these logged though? I never saw them inside the crossplane logs and it was only when I specifically logged the error that I began to understand why I was seeing this behaviour. (I would be willing to admit I probably didn't look very hard here though).

To try and explain a little further. When I first saw this issue, I did wonder if it was a result of a dependency chain.

If we look at the resources, I first create a Cluster object with managementPolicies: ["Observe"]. The VPC object is also created but cannot complete because the Cluster has not reconciled its status back to the XR here which is read by the VPC here

The cluster object is also used by the generate-subnets step which is a custom function that exists here: https://github.com/giantswarm/crossplane-fn-generate-subnets/

This function is the only one of the two additional functions that actually writes back to the XR (here) although I do not persist this change but instead hand that back for crossplane to persist for me.

What I find interesting about this is only a few of the 15 resources created by this composition actually fail. Most are updated on the status correctly. However in the XR above, only two of the listed "waiting" resources persistently fail for me.

Edited 06-11-2023 to reflect permalinks for public record.

[mproffitt]

If something else (the claim controller?)

Given what I've come to understand about the crossplane machinery, I'm not seeing evidence of this and to the contrary, on the status of the assosiated claim, I see these conditions:

 conditions:
  - lastTransitionTime: "2023-11-05T11:59:02Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2023-11-05T11:59:02Z"
    message: Composite resource claim is waiting for composite resource to become
      Ready
    reason: Waiting
    status: "False"
    type: Ready

This would imply to me that the claim controller isn't actually doing anything right now as it's waiting for the XR to complete?

[mproffitt]

I tried a varient of your patch above with additional print in the claim controller and what I'm seeing is that the claim is applied twice for each reconciliation loop

crossplane-6d65f78db8-rtwb5 crossplane ===== LOADING COMPOSITE RESOURCE =====
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE COMPOSE: "34904"
crossplane-6d65f78db8-rtwb5 crossplane CLAIM ON XR "sample-customer-45ptp" revision: BEFORE APPLY: "34904"
crossplane-6d65f78db8-rtwb5 crossplane CLAIM ON XR "sample-customer-45ptp" revision: BEFORE APPLY: "34904"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE status PATCH: ""
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision AFTER status PATCH: "34969"
crossplane-6d65f78db8-rtwb5 crossplane CLAIM ON XR "sample-customer-45ptp" revision: BEFORE APPLY: "34969"
crossplane-6d65f78db8-rtwb5 crossplane CLAIM ON XR "sample-customer-45ptp" revision: BEFORE APPLY: "34984"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision AFTER COMPOSE: "34969"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE status UPDATE: "34969" -- AT CLUSTER: "34984"
crossplane-6d65f78db8-rtwb5 crossplane ===== LOADING COMPOSITE RESOURCE =====
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE COMPOSE: "34984"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE status PATCH: ""
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision AFTER status PATCH: "35098"
crossplane-6d65f78db8-rtwb5 crossplane CLAIM ON XR "sample-customer-45ptp" revision: BEFORE APPLY: "35098"
crossplane-6d65f78db8-rtwb5 crossplane CLAIM ON XR "sample-customer-45ptp" revision: BEFORE APPLY: "35102"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision AFTER COMPOSE: "35098"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE status UPDATE: "35098" -- AT CLUSTER: "35102"
crossplane-6d65f78db8-rtwb5 crossplane ===== LOADING COMPOSITE RESOURCE =====
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE COMPOSE: "35102"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE status PATCH: ""
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision AFTER status PATCH: "35208"
crossplane-6d65f78db8-rtwb5 crossplane CLAIM ON XR "sample-customer-45ptp" revision: BEFORE APPLY: "35208"
crossplane-6d65f78db8-rtwb5 crossplane CLAIM ON XR "sample-customer-45ptp" revision: BEFORE APPLY: "35217"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision AFTER COMPOSE: "35208"
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE status UPDATE: "35208" -- AT CLUSTER: "35217"
crossplane-6d65f78db8-rtwb5 crossplane ===== LOADING COMPOSITE RESOURCE =====
crossplane-6d65f78db8-rtwb5 crossplane XR "sample-customer-45ptp" revision BEFORE COMPOSE: "35217"

The first apply uses the same XR resourceVersion as the composite controller whilst the second has the version which blocks the update.

Details

diff --git a/internal/controller/apiextensions/claim/reconciler.go b/internal/controller/apiextensions/claim/reconciler.go
index f4fb4430..0942e2a2 100644
--- a/internal/controller/apiextensions/claim/reconciler.go
+++ b/internal/controller/apiextensions/claim/reconciler.go
@@ -19,6 +19,7 @@ package claim

 import (
        "context"
+       "fmt"
        "time"

        "github.com/google/go-cmp/cmp"
@@ -505,6 +506,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
                return reconcile.Result{Requeue: true}, errors.Wrap(r.client.Status().Update(ctx, cm), errUpdateClaimStatus)
        }

+       fmt.Printf("CLAIM ON XR %q revision: BEFORE APPLY: %q\n", cp.GetName(), cp.GetResourceVersion())
        err := r.client.Apply(ctx, cp, resource.AllowUpdateIf(func(old, obj runtime.Object) bool { return !cmp.Equal(old, obj) }))
        switch {
        case resource.IsNotAllowed(err):
diff --git a/internal/controller/apiextensions/composite/composition_functions.go b/internal/controller/apiextensions/composite/composition_functions.go
index d006fec4..cba381b9 100644
--- a/internal/controller/apiextensions/composite/composition_functions.go
+++ b/internal/controller/apiextensions/composite/composition_functions.go
@@ -388,9 +388,11 @@ func (c *FunctionComposer) Compose(ctx context.Context, xr *composite.Unstructur
        xr.SetKind(k)
        xr.SetName(n)

+       fmt.Printf("XR %q revision BEFORE status PATCH: %q\n", xr.GetName(), xr.GetResourceVersion())
        if err := c.client.Status().Patch(ctx, xr, client.Apply, client.ForceOwnership, client.FieldOwner(FieldOwnerXR)); err != nil {
                return CompositionResult{}, errors.Wrap(err, errApplyXRStatus)
        }
+       fmt.Printf("XR %q revision AFTER status PATCH: %q\n", xr.GetName(), xr.GetResourceVersion())

        // Produce our array of resources to return to the Reconciler. The
        // Reconciler uses this array to determine whether the XR is ready.
diff --git a/internal/controller/apiextensions/composite/reconciler.go b/internal/controller/apiextensions/composite/reconciler.go
index a7dcc0b8..abbeb872 100644
--- a/internal/controller/apiextensions/composite/reconciler.go
+++ b/internal/controller/apiextensions/composite/reconciler.go
@@ -480,6 +480,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
        ctx, cancel := context.WithTimeout(ctx, timeout)
        defer cancel()

+       fmt.Printf("===== LOADING COMPOSITE RESOURCE =====\n")
        xr := composite.New(composite.WithGroupVersionKind(r.gvk))
        if err := r.client.Get(ctx, req.NamespacedName, xr); err != nil {
                log.Debug(errGet, "error", err)
@@ -614,6 +615,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
                return reconcile.Result{Requeue: true}, errors.Wrap(r.client.Status().Update(ctx, xr), errUpdateStatus)
        }

+       fmt.Printf("XR %q revision BEFORE COMPOSE: %q\n", xr.GetName(), xr.GetResourceVersion())
+
        // TODO(negz): Pass this method a copy of xr, to make very clear that
        // anything it does won't be reflected in the state of xr?
        res, err := r.resource.Compose(ctx, xr, CompositionRequest{Revision: rev, Environment: env})
@@ -628,6 +631,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
                return reconcile.Result{Requeue: true}, errors.Wrap(r.client.Status().Update(ctx, xr), errUpdateStatus)
        }

+       fmt.Printf("XR %q revision AFTER COMPOSE: %q\n", xr.GetName(), xr.GetResourceVersion())
+
        if r.kindObserver != nil {
                var gvks []schema.GroupVersionKind
                for _, ref := range xr.GetResourceReferences() {
@@ -708,6 +713,14 @@ func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reco
        // resources - we can't know what type of resources we might compose
        // when this controller is started.
        xr.SetConditions(xpv1.Available())
+
+       nxr := composite.New(composite.WithGroupVersionKind(r.gvk))
+       if err := r.client.Get(ctx, req.NamespacedName, nxr); err != nil {
+               log.Debug(errGet, "error", err)
+               return reconcile.Result{}, errors.Wrap(resource.IgnoreNotFound(err), errGet)
+       }
+
+       fmt.Printf("XR %q revision BEFORE status UPDATE: %q -- AT CLUSTER: %q\n", xr.GetName(), xr.GetResourceVersion(), nxr.GetResourceVersion())
        return reconcile.Result{RequeueAfter: r.pollInterval}, errors.Wrap(r.client.Status().Update(ctx, xr), errUpdateStatus)
 }

[negz]

@mproffitt Could you try create just the XR directly, without a claim, and see whether Crossplane can update its status?

[mproffitt]

That seems to have an effect:

$ k get importclaims.crossplane.giantswarm.io -A
No resources found
$ k get ximports.crossplane.giantswarm.io
NAME                    SYNCED   READY   COMPOSITION      AGE
sample-customer-45ptp   True     True    aws-eks-import   2m42s
$ k get xi sample-customer-45ptp -o yaml | yq .status.conditions
- lastTransitionTime: "2023-11-05T19:28:25Z"
  reason: ReconcileSuccess
  status: "True"
  type: Synced
- lastTransitionTime: "2023-11-05T19:29:20Z"
  reason: Available
  status: "True"
  type: Ready

[negz]

Thank you, that's useful. It certainly seems to be a race between the claim and composite controllers.

What's interesting is that in our E2E tests the XR and claim eventually do become ready. I wonder what the difference is. Is there any chance that your XR spec or status is never reaching a steady state? Is the function pipeline causing it to change each time the XR is reconciled

Are these logged though? I never saw them inside the crossplane logs and it was only when I specifically logged the error that I began to understand why I was seeing this behaviour. (I would be willing to admit I probably didn't look very hard here though).

It doesn't seem like they are. We only recently refactored to suppress these - I agree they should be debug logged.