I am using vault-agent-sidecar to retrieve secrets from External Vault Server. The Server is listening on HTTPS endpoint and is signed by well-known CA.
In this case, does the client side annotation should still have annotation of
vault.hashicorp.com/ca-cert which point to CA bundle or it can be optional here.
from Agent Sidecar Injector Annotations | Vault | HashiCorp Developer, it has just one liner explaination.