Merge pull request #208 from openshift-cherrypick-robot/cherry-pick-2…

…06-to-release-4.15 [release-4.15] Bug 2279890: Fix createOrUpdate for rolebindings
red-hat-storage · Aug 1, 2024 · 5f47833 · 5f47833
2 parents d0cc309 + 30819db
commit 5f47833
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/controllers/mirrorpeer_controller.go b/controllers/mirrorpeer_controller.go
@@ -549,14 +549,19 @@ func (r *MirrorPeerReconciler) createClusterRoleBindingsForSpoke(ctx context.Con
 		ObjectMeta: metav1.ObjectMeta{
 			Name: spokeClusterRoleBindingName,
 		},
-		Subjects: subjects,
-		RoleRef: rbacv1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "ClusterRole",
-			Name:     "open-cluster-management:token-exchange:agent",
-		},
 	}
 	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, &spokeRoleBinding, func() error {
+		spokeRoleBinding.Subjects = subjects
+
+		if spokeRoleBinding.CreationTimestamp.IsZero() {
+			// RoleRef is immutable. So inject it only while creating new object.
+			spokeRoleBinding.RoleRef = rbacv1.RoleRef{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "ClusterRole",
+				Name:     "open-cluster-management:token-exchange:agent",
+			}
+		}
+
 		return nil
 	})