I managed, eventually, to get Vault running in HA mode with Raft storage and AWS KMS unsealing. It is incredibly durable once you get all Raft engines joined together.
My question now is about TLS certs and private keys. Is it OK to have all participants in a StatefulSet using the same key and cert?
Also, is it advantageous to leverage Kubernetes to be the CA and sign the cert used by Vault and Raft? Or is it more secure to create a custom CA to sign the shared private key and cert across all the pods in the StatefulSet?