Describe the bug
The Healthy status condition on VaultStaticSecret updates its LastTransitionTime on every reconciliation, even when the condition status has not changed (remains True).
To Reproduce
Steps to reproduce the behavior:
- Deploy a
K8S secret and other custom resources as per the application deployment.
- Wait for the initial sync to complete.
- Wait upto
refreshAfter time.
- Observe the Healthy condition's LastTransitionTime changes on every
refreshAfter interval.
I have not observed any errors in the status field or the operator log. There is no need to have a deployment or argo.Rollout.
Application deployment:
---
apiVersion: v1
kind: Secret
metadata:
labels:
app.kubernetes.io/component: secret-sync
app.kubernetes.io/managed-by: hashicorp-vso
app.kubernetes.io/name: vault-secrets-operator
name: secret1
namespace: vault-secrets-operator
type: Opaque
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
namespace: vault-secrets-operator
name: vaultstaticsecret-sample-tenant-1
spec:
vaultAuthRef: mango-banana
mount: kvv2
type: kv-v2
path: path
refreshAfter: 10s
destination:
name: secret1
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
labels:
app.kubernetes.io/name: vaultauth
app.kubernetes.io/instance: vaultauth-sample
app.kubernetes.io/part-of: vault-secrets-operator
app.kubernetes.io/created-by: vault-secrets-operator
name: mango-banana
namespace: vault-secrets-operator
spec:
vaultConnectionRef: default
method: kubernetes
mount: mango-banana
kubernetes:
role: mango-banana-mango
serviceAccount: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
labels:
app.kubernetes.io/name: vaultconnection
app.kubernetes.io/instance: vaultconnection-sample
app.kubernetes.io/part-of: vault-secrets-operator
app.kubernetes.io/created-by: vault-secrets-operator
name: default
namespace: vault-secrets-operator
spec:
address: https://localhost:9876
skipTLSVerify: true
Health condition of vaultstaticsecret
% echo && \
date && \
kubectl describe vaultstaticsecret vaultstaticsecret-sample-tenant-1 -n vault-secrets-operator | grep -A 12 Conditions && \
date && \
echo "sleep 11" && \
sleep 11 && \
date && \
kubectl describe vaultstaticsecret vaultstaticsecret-sample-tenant-1 -n vault-secrets-operator | grep -A 12 Conditions
Fri Mar 6 10:36:34 CET 2026
Conditions:
Last Transition Time: 2026-03-06T09:21:51Z # here
Message: Secret synced, horizon=8.111056765s
Observed Generation: 3
Reason: Synced
Status: True
Type: SecretSynced
Last Transition Time: 2026-03-06T09:36:35Z # here
Message: VaultStaticSecretHealthy
Observed Generation: 3
Reason: Healthy
Status: True
Type: Healthy
Fri Mar 6 10:36:35 CET 2026
sleep 11
Fri Mar 6 10:36:46 CET 2026
Conditions:
Last Transition Time: 2026-03-06T09:21:51Z # here
Message: Secret synced, horizon=8.111056765s
Observed Generation: 3
Reason: Synced
Status: True
Type: SecretSynced
Last Transition Time: 2026-03-06T09:36:43Z # here
Message: VaultStaticSecretHealthy
Observed Generation: 3
Reason: Healthy
Status: True
Type: Healthy
Expected behavior
LastTransitionTime should remain unchanged across reconciliations when the condition status has not transitioned.
Environment
- Kubernetes version:
- Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): EKS-1.33
- Other configuration options or runtime services (istio, etc.): Not applicable
- vault-secrets-operator version: v1.2.0
Describe the bug
The
Healthystatus condition onVaultStaticSecretupdates itsLastTransitionTimeon every reconciliation, even when the condition status has not changed (remains True).To Reproduce
Steps to reproduce the behavior:
K8Ssecretand other custom resources as per the application deployment.refreshAftertime.refreshAfterinterval.I have not observed any errors in the status field or the operator log. There is no need to have a
deploymentorargo.Rollout.Application deployment:
Health condition of
vaultstaticsecretExpected behavior
LastTransitionTimeshould remain unchanged across reconciliations when the condition status has not transitioned.Environment