Custom plugin upgrade in Kubernetes StatefulSet

This issue came up in the Vault issue tracker before:

I believe the essence of the problem, is that the Vault plugin mechanism is fundamentally incompatible with Kubernetes. It appears to be designed for deployments on VMs, where plugins are only updated whilst stable Vault servers continue to run undisturbed.

I proposed in the above-linked issue:

I wonder if HashiCorp would be willing to have a conversation about making the checksum verification of plugins optional … the current approach doesn’t seem well suited to maintaining uptime of a cluster during upgrade in K8s?

There was a response, but I declined to take the lead on pursuing it, as I personally do not run Vault on Kubernetes.