Description
Describe the bug
The Healthy status condition on VaultStaticSecret updates its LastTransitionTime on every reconciliation, even when the condition status has not changed (remains True).
- This violates the https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Condition, which states it should only update when the condition status transitions.
- It contradicts the CRD spec of vaultstaticsecret.
To Reproduce
Steps to reproduce the behavior:
- Deploy a K8S secret and other custom resources as per the application deployment.
- Wait for the initial sync to complete.
- Wait up to refreshAfter time.
- Observe the Healthy condition's LastTransitionTime changes on every refreshAfter interval.
I have not observed any errors in the status field or the operator log. There is no need to have a deployment or argo.Rollout.
Application deployment:
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/component: secret-sync
    app.kubernetes.io/managed-by: hashicorp-vso
    app.kubernetes.io/name: vault-secrets-operator
  name: secret1
  namespace: vault-secrets-operator
type: Opaque
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: vault-secrets-operator
  name: vaultstaticsecret-sample-tenant-1
spec:
  vaultAuthRef: mango-banana
  mount: kvv2
  type: kv-v2
  path: path
  refreshAfter: 10s
  destination:
    name: secret1
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  labels:
    app.kubernetes.io/name: vaultauth
    app.kubernetes.io/instance: vaultauth-sample
    app.kubernetes.io/part-of: vault-secrets-operator
    app.kubernetes.io/created-by: vault-secrets-operator
  name: mango-banana
  namespace: vault-secrets-operator
spec:
  vaultConnectionRef: default
  method: kubernetes
  mount: mango-banana
  kubernetes:
    role: mango-banana-mango
    serviceAccount: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  labels:
    app.kubernetes.io/name: vaultconnection
    app.kubernetes.io/instance: vaultconnection-sample
    app.kubernetes.io/part-of: vault-secrets-operator
    app.kubernetes.io/created-by: vault-secrets-operator
  name: default
  namespace: vault-secrets-operator
spec:
  address: https://localhost:9876
  skipTLSVerify: true
Health condition of vaultstaticsecret
% echo && \
  date && \
  kubectl describe vaultstaticsecret vaultstaticsecret-sample-tenant-1 -n vault-secrets-operator | grep -A 12 Conditions && \
  date && \
  echo "sleep 11" && \
  sleep 11 && \
  date && \
  kubectl describe vaultstaticsecret vaultstaticsecret-sample-tenant-1 -n vault-secrets-operator | grep -A 12 Conditions

Fri Mar 6 10:36:34 CET 2026
Conditions:
  Last Transition Time: 2026-03-06T09:21:51Z # here
  Message: Secret synced, horizon=8.111056765s
  Observed Generation: 3
  Reason: Synced
  Status: True
  Type: SecretSynced
  Last Transition Time: 2026-03-06T09:36:35Z # here
  Message: VaultStaticSecretHealthy
  Observed Generation: 3
  Reason: Healthy
  Status: True
  Type: Healthy
Fri Mar 6 10:36:35 CET 2026
sleep 11
Fri Mar 6 10:36:46 CET 2026
Conditions:
  Last Transition Time: 2026-03-06T09:21:51Z # here
  Message: Secret synced, horizon=8.111056765s
  Observed Generation: 3
  Reason: Synced
  Status: True
  Type: SecretSynced
  Last Transition Time: 2026-03-06T09:36:43Z # here
  Message: VaultStaticSecretHealthy
  Observed Generation: 3
  Reason: Healthy
  Status: True
  Type: Healthy
Expected behavior
LastTransitionTime should remain unchanged across reconciliations when the condition status has not transitioned.
Environment
- Kubernetes version:
- Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): EKS-1.33
- Other configuration options or runtime services (istio, etc.): Not applicable
- vault-secrets-operator version: v1.2.0
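
The behavior the report expects, as an added Go example (not part of the original issue and not the operator's code): a standard-library-only model of the upsert rule that `meta.SetStatusCondition` in k8s.io/apimachinery follows, where LastTransitionTime moves only when Status changes. The `Condition` type, `SetCondition` and `SimulateReconciles` are hypothetical names, and the reconcile sequence (True, True, False) is constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Condition is a local stand-in for metav1.Condition (assumption of this example).
type Condition struct {
	Type, Status, Reason, Message string
	LastTransitionTime            time.Time
}

// SetCondition upserts c. LastTransitionTime moves only when Status differs from
// the stored value. It reports whether a transition (or first insert) occurred.
func SetCondition(conds *[]Condition, c Condition, now time.Time) bool {
	for i := range *conds {
		cur := &(*conds)[i]
		if cur.Type != c.Type {
			continue
		}
		changed := cur.Status != c.Status
		if changed {
			cur.Status, cur.LastTransitionTime = c.Status, now
		}
		// Reason and Message are refreshed on every call without touching the timestamp.
		cur.Reason, cur.Message = c.Reason, c.Message
		return changed
	}
	c.LastTransitionTime = now
	*conds = append(*conds, c)
	return true
}

// SimulateReconciles runs three constructed passes and returns Healthy's timestamp after each.
func SimulateReconciles(t0 time.Time, interval time.Duration) []time.Time {
	var conds []Condition
	var seen []time.Time
	for i, status := range []string{"True", "True", "False"} {
		now := t0.Add(time.Duration(i) * interval)
		SetCondition(&conds, Condition{Type: "Healthy", Status: status, Reason: "Example"}, now)
		seen = append(seen, conds[0].LastTransitionTime)
	}
	return seen
}

func main() {
	fmt.Println(SimulateReconciles(time.Date(2026, 3, 6, 9, 21, 51, 0, time.UTC), 10*time.Second))
}
```

Under this rule the second pass leaves the timestamp untouched, which is what monitoring or rollout tooling keyed on LastTransitionTime relies on to tell a real health flap from a routine refresh.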