From 4ceabc2efcef9d667e759e05af83027bf9bd2cb9 Mon Sep 17 00:00:00 2001
From: vpnachev
Date: Tue, 22 Oct 2024 10:11:58 +0300
Subject: [PATCH] Fix immutable RoleBinding.roleRef
---
 pkg/controller/lifecycle/actuator.go | 15 ++++++++++-----
 pkg/controller/lifecycle/actuator_test.go | 4 ++++
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/pkg/controller/lifecycle/actuator.go b/pkg/controller/lifecycle/actuator.go
index 9cb90130..570e1dc0 100644
--- a/pkg/controller/lifecycle/actuator.go
+++ b/pkg/controller/lifecycle/actuator.go
@@ -708,12 +708,16 @@ func getRoleBinding(scope lakom.ScopeType, shootAccessServiceAccountName string)
 Namespace: metav1.NamespaceSystem,
 },
 }
+ annotations := map[string]string{
+ resourcesv1alpha1.DeleteOnInvalidUpdate: "true",
+ }
 if scope == lakom.Cluster {
 return &rbacv1.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{
- Name: constants.LakomResourceReader,
- Labels: getLabels(),
+ Name: constants.LakomResourceReader,
+ Labels: getLabels(),
+ Annotations: annotations,
 },
 RoleRef: roleRef,
 Subjects: subjects,
@@ -722,9 +726,10 @@ func getRoleBinding(scope lakom.ScopeType, shootAccessServiceAccountName string)
 return &rbacv1.RoleBinding{
 ObjectMeta: metav1.ObjectMeta{
- Name: constants.LakomResourceReader,
- Namespace: metav1.NamespaceSystem,
- Labels: getLabels(),
+ Name: constants.LakomResourceReader,
+ Namespace: metav1.NamespaceSystem,
+ Labels: getLabels(),
+ Annotations: annotations,
 },
 RoleRef: roleRef,
 Subjects: subjects,
diff --git a/pkg/controller/lifecycle/actuator_test.go b/pkg/controller/lifecycle/actuator_test.go
index fba22ae5..99559244 100644
--- a/pkg/controller/lifecycle/actuator_test.go
+++ b/pkg/controller/lifecycle/actuator_test.go
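Review bot: The new `annotations` map in getRoleBinding carries no comment saying why it is set, so the link to the immutable `roleRef` lives only in the commit title; I would add `// roleRef is immutable: an update that changes it is rejected, so ask for delete-and-recreate instead.` above the map. The same map is attached to the namespaced RoleBinding in the second hunk (at -722), and the comment covers both uses. The annotation name suggests it applies to any invalid update, not only a roleRef change, and a delete-and-recreate presumably leaves a short window in which the shoot access service account has no binding; it is worth confirming that Lakom's reads fail closed rather than open during that window. getRoleBinding starts above and ends below these hunks.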
@@ -351,6 +351,8 @@ func expectedShootRoleBinding(saName string, lakomScope lakom.ScopeType) string
 return `apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+ annotations:
+ resources.gardener.cloud/delete-on-invalid-update: "true"
 creationTimestamp: null
 labels:
 app.kubernetes.io/name: lakom
@@ -370,6 +372,8 @@ subjects:
 return `apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+ annotations:
+ resources.gardener.cloud/delete-on-invalid-update: "true"
 creationTimestamp: null
 labels:
 app.kubernetes.io/name: lakom