Expose Vault in Kubernetes which is installed with a self-signed certificate?

Hello All,
I am hoping to solve a few questions I have in mind.
I have installed Vault with a self-signed certificate, HA mode, Raft configuration. The install and the agent sidecar are working fine, and I am now planning to expose it outside of the cluster to be available for clients. I have no idea how to accomplish that, or how to integrate it with ingress.


cat <<EOF >${TMPDIR}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.2 = *.${NAMESPACE}.svc.cluster.local
DNS.3 = *.${VAULT_INTERNAL_SVC}.${NAMESPACE}.svc.cluster.local
# IP.1 value is missing in the post; openssl rejects an empty IP entry, so fill it in or drop the line
IP.1 =
EOF

I have ingress-nginx, and I have a domain as well.
One idea I have is to use TLS passthrough, but I wonder if this will work: if my domain is vault.example.com and I use TLS passthrough, will the Vault server be able to verify vault.example.com, since I haven't included it in the self-signed config?

Any idea, or gist to nudge me in the right direction will be very helpful.
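An added example (not code from the post or from the Vault project) of the two pieces the question touches: regenerating the self-signed certificate so its subjectAltName also carries the external hostname, checking that name the way a TLS client would, and writing an ingress-nginx resource that passes the TLS stream through to Vault unmodified. The values vault.example.com, the namespace `vault`, the headless service `vault-internal` and the `vault` Service on port 8200 are assumptions for the example; only `openssl` is needed to run it.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames, namespace and service
# names below are assumed placeholder values.
set -eu

WORKDIR="$(mktemp -d)"
EXTERNAL_HOST="vault.example.com"     # assumed public name routed by ingress-nginx
NAMESPACE="vault"                     # assumed namespace of the Vault release
VAULT_INTERNAL_SVC="vault-internal"   # assumed headless service used by Raft peers

# openssl config: same in-cluster SAN entries as the post, plus DNS.1 for the
# external name so a client connecting to https://vault.example.com can match it.
write_csr_conf() {
  cat <<EOF >"${WORKDIR}/csr.conf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${EXTERNAL_HOST}
DNS.2 = *.${NAMESPACE}.svc.cluster.local
DNS.3 = *.${VAULT_INTERNAL_SVC}.${NAMESPACE}.svc.cluster.local
IP.1 = 127.0.0.1
EOF
}

# Generate a key and a self-signed certificate carrying the v3_req extensions
# (and therefore the SAN list) from the config above.
make_cert() {
  write_csr_conf
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=vault" \
    -config "${WORKDIR}/csr.conf" -extensions v3_req \
    -keyout "${WORKDIR}/vault.key" -out "${WORKDIR}/vault.crt" 2>/dev/null
}

# Return 0 if the certificate's SAN extension lists exactly the given DNS name.
has_san() {
  openssl x509 -in "${WORKDIR}/vault.crt" -noout -text \
    | grep 'DNS:' | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$1"
}

# Return 0 if a client trusting this certificate would accept it for the name,
# i.e. the same hostname check a Vault CLI or SDK performs on connect.
verify_hostname() {
  openssl verify -CAfile "${WORKDIR}/vault.crt" -verify_hostname "$1" \
    "${WORKDIR}/vault.crt" >/dev/null 2>&1
}

# Ingress for TLS passthrough: ingress-nginx routes on SNI and forwards the raw
# TLS stream, so Vault's own listener certificate is what the client sees.
write_ingress() {
  cat <<EOF >"${WORKDIR}/vault-ingress.yaml"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vault
  namespace: ${NAMESPACE}
  annotations:
    # ignored unless the controller runs with --enable-ssl-passthrough
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: ${EXTERNAL_HOST}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: vault      # assumed: the Vault Service created by the Helm chart
            port:
              number: 8200
EOF
}

main() {
  make_cert
  write_ingress
  echo "SANs in ${WORKDIR}/vault.crt:"
  openssl x509 -in "${WORKDIR}/vault.crt" -noout -text | grep 'DNS:'
  if verify_hostname "${EXTERNAL_HOST}"; then
    echo "hostname check for ${EXTERNAL_HOST}: OK"
  else
    echo "hostname check for ${EXTERNAL_HOST}: FAILED (name missing from SAN)"
  fi
  echo "ingress manifest written to ${WORKDIR}/vault-ingress.yaml"
}

main
```

With passthrough nothing terminates TLS in front of Vault, so the verification in the question is done by the client, not the server: a client with `VAULT_ADDR=https://vault.example.com` and `VAULT_CACERT` pointing at this certificate will only accept it if `vault.example.com` is in the SAN list (`verify_hostname` above mirrors that check). If the existing certificate lacks the name, the fix is to reissue it with the extra SAN and reload the Vault listener, rather than disabling verification on the client.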