Alternative to using with agent injector?


Using TLS-enabled Vault, I need to pass on the certificate authority to use to the agent injector so that the init-container / sidecar knows how to validate the Vault TLS certificate at runtime.

I can successfully do this by annotating the pods with, but this proves painful in the long run.
Since the CA cert file is always set to the same path in pods (using Kube's own PKI here), is there a way to define this globally?

I am using the Helm chart, but could not find any obvious way to do this.

The flags defined in vault-k8s/flags.go (main branch of hashicorp/vault-k8s on GitHub) hint that there is no such capability.

Has anyone any idea if this is possible, or if I should raise an issue for improvement against the codebase?

Thanks in advance