From 30819db9dade6261f492f10e8b34d6378e914d61 Mon Sep 17 00:00:00 2001
From: vbadrina <vbadrina@redhat.com>
Date: Thu, 9 May 2024 18:15:20 +0530
Subject: [PATCH] Fix createOrUpdate for rolebindings

This commit fixes an issue with the mutate function for the
controllerutil CreateOrUpdate function.

Signed-off-by: vbadrina <vbadrina@redhat.com>
---
 controllers/mirrorpeer_controller.go | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/controllers/mirrorpeer_controller.go b/controllers/mirrorpeer_controller.go
index fb950099..35434769 100644
--- a/controllers/mirrorpeer_controller.go
+++ b/controllers/mirrorpeer_controller.go
@@ -549,14 +549,19 @@ func (r *MirrorPeerReconciler) createClusterRoleBindingsForSpoke(ctx context.Con
 		ObjectMeta: metav1.ObjectMeta{
 			Name: spokeClusterRoleBindingName,
 		},
-		Subjects: subjects,
-		RoleRef: rbacv1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "ClusterRole",
-			Name:     "open-cluster-management:token-exchange:agent",
-		},
 	}
 	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, &spokeRoleBinding, func() error {
+		spokeRoleBinding.Subjects = subjects
+
+		if spokeRoleBinding.CreationTimestamp.IsZero() {
+			// RoleRef is immutable. So inject it only while creating new object.
+			spokeRoleBinding.RoleRef = rbacv1.RoleRef{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "ClusterRole",
+				Name:     "open-cluster-management:token-exchange:agent",
+			}
+		}
+
 		return nil
 	})