Indirect delete will lead mismatch of CRD to provider's resource

[scarlet25151]

What happened?

when combine use with oam/kubevela:

Status:           running
  Workflow:
    App Revision:  logic-application-sample-1-v1:6595e5303f2de867
    Context Backend:
      API Version:  v1
      Kind:         ConfigMap
      Name:         workflow-logic-application-sample-1-context
      UID:          e1c8975f-bfb0-48f1-b7ce-6efbd920a666
    Mode:           DAG
    Steps:
      Id:        fhawg14wc7
      Name:      rds-sample-1
      Phase:     succeeded
      Type:      apply-component
      Id:        oej7toqwvc
      Name:      slb-sample-1
      Phase:     succeeded
      Type:      apply-component
      Id:        ug9jngn1eg
      Name:      logic-sample-1
      Phase:     succeeded
      Type:      apply-component
    Suspend:     false
    Terminated:  false
Events:          <none>
kubectl get clb
NAME           READY   SYNCED   AGE
slb-sample-1   True    True     104m

After delete kubevela's application, the clb component is not correctly delete:

chenyu.jiang：~$ kubectl get clb
NAME           READY   SYNCED   AGE
slb-sample-1   False   False    122m

Then when after delete the finilizer in the clb runtime spec, it may mismatch and delete wrong cloud resource.

How can we reproduce it?

What environment did it happen in?

Crossplane version:

apiVersion: core.oam.dev/v1beta1
kind: ComponentDefinition
metadata:
  name: alibaba-slb
  annotations:
    definition.oam.dev/description: "slb is the instance for create and watch alicloud slb resource"
spec:
  workload:
    type: clbs.slb.alibaba.crossplane.io
    definition:
      apiVersion: slb.alibaba.crossplane.io/v1alpha1
      kind: CLB
  schematic:
    cue:
      template: |
        output: {
          apiVersion: "slb.alibaba.crossplane.io/v1alpha1"
          kind: "CLB"
          metadata: {
            name: context.name
            namespace: "default"
          }
          spec: {
            forProvider: {
              region: "cn-shanghai"
              addressType: "internet"
              loadBalancerSpec: "slb.s1.small"
            }
            writeConnectionSecretToRef: {
                namespace: "crossplane-system"
                name: parameter.writeConnectionSecretToRefName
            }
          }
        }
        parameter: {
          appid: string
          writeConnectionSecretToRefName: string
        }
---
apiVersion: core.oam.dev/v1beta1
kind: ComponentDefinition
metadata:
  name: alibaba-rds
  annotations:
    definition.oam.dev/description: "rds is the instance for create and watch alicloud rds resource"
spec:
  workload:
    type: rdsinstances.database.alibaba.crossplane.io
    definition:
      apiVersion: database.alibaba.crossplane.io/v1alpha1
      kind: RDSInstance
  schematic:
    cue:
      template: |
        output: {
          apiVersion: "database.alibaba.crossplane.io/v1alpha1"
          kind: "RDSInstance"
          metadata: {
            name: context.name
          }
          spec: {
            forProvider: {
              engine: "mysql"
              engineVersion: "8.0"
              dbInstanceClass: "rds.mysql.c1.large"
              dbInstanceStorageInGB: 20
              securityIPList: "0.0.0.0/0"
              masterUsername: "test123"
              writeConnectionSecretToRef: {
                namespace: "crossplane-system"
                name: parameter.writeConnectionSecretToRefName
              }
              providerConfigRef: name: "default"
              deletionPolicy: "Delete"
            }
          }
        }
        parameter: {
          appid: string
          writeConnectionSecretToRefName: string
        }
---
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
  name: my-sample-1
spec:
  components:
    - name: rds-sample-1
      type: alibaba-rds
      properties:
        writeConnectionSecretToRefName: example-rds-1
      outputs:
        - name: dbAddress
          valueFrom: output.status.atProvider.dbInstanceID + ".mysql.rds.aliyuncs.com"
        - name: dbInstanceID
          valueFrom: output.status.atProvider.dbInstanceID
    - name: slb-sample-1
      type: alibaba-slb
      properties:
        writeConnectionSecretToRefName: clb-1
      outputs:
        - name: slb-type
          valueFrom: output.spec.forProvider.loadBalancerSpec
        - name: slb-ID
          valueFrom: output.status.atProvider.loadBalancerID
    - name: myserver
      type: deplotment
      dependsOn:
        - rds-sample-1
        - slb-sample-1
      inputs:
        - from: dbAddress
          parameterKey: properties.dbAddress
        - from: dbInstanceID
          parameterKey: properties.dbInstanceID
        - from: slb-type
          parameterKey: properties.loadbalancerSpec
        - from: slb-ID
          parameterKey: properties.loadbalancerID

the server can be any deployment. three component are gather by the kubevela application. when delete the application the status of clb CR will be false. and cannot be delete directly using kubectl delete clb xxx, but the behavior that delete the wrong resource is not easy to find and hard to look up from the logs of kubevela's controller.