Recreate rolebinding because roleRef attr is immutable

As we now use admin roleRef (previously edit) there will be existing SA
rolebindings that need to be updated.

app/services/clusters/kubernetes/create_or_update_service_account_service.rb

@@ -69,7 +69,13 @@ module Clusters
 
       def create_role_or_cluster_role_binding
         if namespace_creator
-          kubeclient.create_or_update_role_binding(role_binding_resource)
+          begin
+            kubeclient.delete_role_binding(role_binding_name, service_account_namespace)
+          rescue Kubeclient::ResourceNotFoundError
+            # Do nothing as we will create new role binding below
+          end
+
+          kubeclient.update_role_binding(role_binding_resource)
         else
           kubeclient.create_or_update_cluster_role_binding(cluster_role_binding_resource)
         end

lib/gitlab/kubernetes/kube_client.rb

@@ -61,18 +61,11 @@ module Gitlab
       # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
       # group client
       delegate :update_cluster_role_binding,
-        to: :rbac_client
-
-      # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
-      # group client
-      delegate :create_role,
-      :get_role,
-      :update_role,
-      to: :rbac_client
-
-      # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
-      # group client
-      delegate :update_role_binding,
+        :create_role,
+        :get_role,
+        :update_role,
+        :delete_role_binding,
+        :update_role_binding,
         to: :rbac_client
 
       # non-entity methods that can only work with the core client
@@ -186,6 +179,7 @@ module Gitlab
         update_cluster_role_binding(resource)
       end
 
+      # Note that we cannot update roleRef as that is immutable
       def create_or_update_role_binding(resource)
         update_role_binding(resource)
       end

spec/lib/gitlab/kubernetes/kube_client_spec.rb

@@ -302,6 +302,8 @@ RSpec.describe Gitlab::Kubernetes::KubeClient do
       :create_role,
       :get_role,
       :update_role,
+      :delete_role_binding,
+      :update_role_binding,
       :update_cluster_role_binding
     ].each do |method|
       describe "##{method}" do

spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb

@@ -28,6 +28,7 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute'
     stub_kubeclient_get_secret_error(api_url, 'gitlab-token')
     stub_kubeclient_create_secret(api_url)
 
+    stub_kubeclient_delete_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
     stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
     stub_kubeclient_get_namespace(api_url, namespace: namespace)
     stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace)

spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb

@@ -141,6 +141,7 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
       before do
         cluster.platform_kubernetes.rbac!
 
+        stub_kubeclient_delete_role_binding(api_url, role_binding_name, namespace: namespace)
         stub_kubeclient_put_role_binding(api_url, role_binding_name, namespace: namespace)
         stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
         stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)

spec/support/helpers/kubernetes_helpers.rb

@@ -250,6 +250,11 @@ module KubernetesHelpers
       .to_return(kube_response({}))
   end
 
+  def stub_kubeclient_delete_role_binding(api_url, name, namespace: 'default')
+    WebMock.stub_request(:delete, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{name}")
+      .to_return(kube_response({}))
+  end
+
   def stub_kubeclient_put_role_binding(api_url, name, namespace: 'default')
     WebMock.stub_request(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{name}")
       .to_return(kube_response({}))