Fix multiple in-place updates issues

Signed-off-by: Alex Demicev <alex.demicev@lambdal.com>

Author: alexander-demicev

.dockerignore

@@ -3,6 +3,7 @@
 .vscode
 bin/
 test/
+!test/extension/
 **/*.yaml
 hack/
 docs/

controlplane/config/rbac/role.yaml

@@ -18,6 +18,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apiextensions.k8s.io
   resources:

controlplane/internal/controllers/rke2controlplane_controller.go

@@ -70,9 +70,14 @@ import (
 )
 
 const (
-	// rke2ManagerName is the name of the RKE2 manager deployment.
+	// rke2ManagerName is the SSA field manager used for the main RKE2 control-plane
+	// objects (Machine spec, InfraMachine, RKE2Config).
 	rke2ManagerName = "rke2controlplane"
 
+	// rke2MetadataManagerName is a separate SSA field manager used for the
+	// labels and annotations only patches written every reconcile by syncMachines.
+	rke2MetadataManagerName = "rke2controlplane-metadata"
+
 	// rke2ControlPlaneKind is the kind of the RKE2 control plane.
 	rke2ControlPlaneKind = "RKE2ControlPlane"
 
@@ -119,6 +124,7 @@ type RKE2ControlPlaneReconciler struct {
 // +kubebuilder:rbac:groups="infrastructure.cluster.x-k8s.io",resources=*,verbs=get;list;watch;create;patch;delete
 // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch
 // +kubebuilder:rbac:groups=runtime.cluster.x-k8s.io,resources=extensionconfigs,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

controlplane/internal/controllers/scale.go

@@ -474,7 +474,11 @@ func (r *RKE2ControlPlaneReconciler) UpdateExternalObject(
 	// Update annotations
 	updatedObject.SetAnnotations(rcp.Spec.MachineTemplate.ObjectMeta.Annotations)
 
-	if err := ssa.Patch(ctx, r.Client, rke2ManagerName, updatedObject, ssa.WithCachingProxy{Cache: r.ssaCache, Original: obj}); err != nil {
+	// Use the metadata only field manager so we only own the labels/annotations
+	// that were derived from RCP.MachineTemplate metadata. This avoids stripping
+	// other annotations (e.g. UpdateInProgressAnnotation) that triggerInPlaceUpdate
+	// wrote under the main rke2ManagerName.
+	if err := ssa.Patch(ctx, r.Client, rke2MetadataManagerName, updatedObject, ssa.WithCachingProxy{Cache: r.ssaCache, Original: obj}); err != nil {
 		return fmt.Errorf("failed to update %s: %w", obj.GetObjectKind().GroupVersionKind().Kind, err)
 	}
 

go.mod

@@ -19,13 +19,15 @@ require (
 	go.etcd.io/etcd/api/v3 v3.6.10
 	go.etcd.io/etcd/client/v3 v3.6.10
 	go.uber.org/zap v1.28.0
+	gomodules.xyz/jsonpatch/v2 v2.5.0
 	google.golang.org/grpc v1.80.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.35.4
 	k8s.io/apiextensions-apiserver v0.35.4
 	k8s.io/apimachinery v0.35.4
 	k8s.io/apiserver v0.35.4
 	k8s.io/client-go v0.35.4
+	k8s.io/component-base v0.35.4
 	k8s.io/klog/v2 v2.140.0
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/cluster-api v1.13.1
@@ -156,14 +158,12 @@ require (
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/cluster-bootstrap v0.35.4 // indirect
-	k8s.io/component-base v0.35.4 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect

pkg/rke2/control_plane.go

@@ -46,6 +46,7 @@ import (
 	controlplanev1 "github.com/rancher/cluster-api-provider-rke2/controlplane/api/v1beta2"
 	"github.com/rancher/cluster-api-provider-rke2/pkg/capi/hooks"
 	"github.com/rancher/cluster-api-provider-rke2/pkg/capi/inplace"
+	"github.com/rancher/cluster-api-provider-rke2/pkg/rke2/desiredstate"
 )
 
 // UpToDateResult is the result of calling the UpToDate func for a Machine.
@@ -141,7 +142,7 @@ func NewControlPlane(
 	machinesUpToDateResults := map[string]UpToDateResult{}
 
 	for _, m := range ownedMachines {
-		upToDate, result, err := UpToDate(ctx, m, rcp, infraObjects, rke2Configs)
+		upToDate, result, err := UpToDate(ctx, client, cluster, m, rcp, infraObjects, rke2Configs)
 		if err != nil {
 			return nil, err
 		}
@@ -628,8 +629,14 @@ func (c *ControlPlane) UsesEmbeddedEtcd() bool {
 
 // UpToDate checks if a Machine is up to date with the control plane's configuration.
 // If not, messages explaining why are provided with different level of detail for logs and conditions.
-func UpToDate(ctx context.Context, machine *clusterv1.Machine, rcp *controlplanev1.RKE2ControlPlane,
-	infraConfigs map[string]*unstructured.Unstructured, machineConfigs map[string]*bootstrapv1.RKE2Config,
+func UpToDate(
+	ctx context.Context,
+	c client.Client,
+	cluster *clusterv1.Cluster,
+	machine *clusterv1.Machine,
+	rcp *controlplanev1.RKE2ControlPlane,
+	infraConfigs map[string]*unstructured.Unstructured,
+	machineConfigs map[string]*bootstrapv1.RKE2Config,
 ) (bool, *UpToDateResult, error) {
 	res := &UpToDateResult{
 		EligibleForInPlaceUpdate: true,
@@ -655,7 +662,11 @@ func UpToDate(ctx context.Context, machine *clusterv1.Machine, rcp *controlplane
 	}
 
 	// Machines that do not match with rcp config.
-	matches, specLogMessages, specConditionMessages := matchesMachineSpec(ctx, infraConfigs, machineConfigs, rcp, machine)
+	matches, specLogMessages, specConditionMessages, err := matchesMachineSpec(ctx, c, cluster, infraConfigs, machineConfigs, rcp, machine, res)
+	if err != nil {
+		return false, nil, err
+	}
+
 	if !matches {
 		res.LogMessages = append(res.LogMessages, specLogMessages...)
 		res.ConditionMessages = append(res.ConditionMessages, specConditionMessages...)
@@ -681,14 +692,55 @@ func UpToDate(ctx context.Context, machine *clusterv1.Machine, rcp *controlplane
 // - are not relevant for the rollout decision (ex: failureDomain).
 func matchesMachineSpec(
 	ctx context.Context,
+	c client.Client,
+	cluster *clusterv1.Cluster,
 	infraConfigs map[string]*unstructured.Unstructured,
 	machineConfigs map[string]*bootstrapv1.RKE2Config,
 	rcp *controlplanev1.RKE2ControlPlane,
 	machine *clusterv1.Machine,
-) (bool, []string, []string) {
+	res *UpToDateResult,
+) (bool, []string, []string, error) {
 	logMessages := []string{}
 	conditionMessages := []string{}
 
+	if cluster != nil {
+		desiredMachine, err := desiredstate.ComputeDesiredMachine(
+			rcp, cluster,
+			machine.Spec.InfrastructureRef, machine.Spec.Bootstrap.ConfigRef,
+			machine.Spec.FailureDomain, machine,
+		)
+		if err != nil {
+			return false, nil, nil, fmt.Errorf("failed to compute desired Machine for %s: %w", machine.Name, err)
+		}
+
+		// Note: spec.version is not mutated in-place by syncMachines and accordingly
+		// not updated by desiredstate.ComputeDesiredMachine, so we have to update it here.
+		// Note: spec.failureDomain is in general only changed on delete/create, so we don't have to update it here for in-place.
+		desiredMachine.Spec.Version = rcp.Spec.Version
+		res.DesiredMachine = desiredMachine
+		// Note: Intentionally not storing currentMachine as it can change later, e.g. through syncMachines.
+
+		if res.CurrentRKE2Config != nil {
+			desiredRKE2Config, err := desiredstate.ComputeDesiredRKE2Config(rcp, cluster, res.CurrentRKE2Config.Name, res.CurrentRKE2Config)
+			if err != nil {
+				return false, nil, nil, fmt.Errorf("failed to compute desired RKE2Config for %s: %w", machine.Name, err)
+			}
+
+			res.DesiredRKE2Config = desiredRKE2Config
+		}
+
+		if res.CurrentInfraMachine != nil {
+			desiredInfraMachine, err := desiredstate.ComputeDesiredInfraMachine(
+				ctx, c, rcp, cluster, res.CurrentInfraMachine.GetName(), res.CurrentInfraMachine,
+			)
+			if err != nil {
+				return false, nil, nil, fmt.Errorf("failed to compute desired InfraMachine for %s: %w", machine.Name, err)
+			}
+
+			res.DesiredInfraMachine = desiredInfraMachine
+		}
+	}
+
 	if !collections.MatchesKubernetesVersion(rcp.Spec.Version)(machine) {
 		machineVersion := ""
 		if machine != nil && machine.Spec.Version != "" {
@@ -711,8 +763,8 @@ func matchesMachineSpec(
 	}
 
 	if len(logMessages) > 0 || len(conditionMessages) > 0 {
-		return false, logMessages, conditionMessages
+		return false, logMessages, conditionMessages, nil
 	}
 
-	return true, nil, nil
+	return true, nil, nil, nil
 }