Strategies for rolling out SSH CA host certs

If you’re using signed SSH keys, then the SSH mount’s CA public key is an unauthenticated API endpoint and can be downloaded freely by anything that’s able to communicate with your Vault cluster.

You will need to develop a method of pulling down the correct CA cert(s) and updating the sshd.conf file to leverage this. I’m personally not aware of any existing “helpers” for this activity. (Note that HashiCorp’s Vault SSH Helper utility is for OTP setups.)

However, using config management software to push the config is an equally valid approach, IMO. Use whichever approach makes the most sense for your use cases.

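As an added example (not code from this thread or from Vault), a POSIX shell script that pulls the CA public key from the mount's unauthenticated `public_key` endpoint, refuses anything that is not a single OpenSSH public-key line, installs it atomically, and sets `TrustedUserCAKeys` in sshd_config idempotently. The Vault address, the mount name `ssh` and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Vault. Fetches the SSH mount's
# CA public key from the unauthenticated public_key endpoint and trusts it in
# sshd_config. VAULT_ADDR, the mount name and the file paths are assumptions.
set -eu

VAULT_ADDR="${VAULT_ADDR:-https://vault.example.com:8200}"
SSH_MOUNT="${SSH_MOUNT:-ssh}"
CA_FILE="${CA_FILE:-/etc/ssh/trusted-user-ca-keys.pem}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# GET /v1/<mount>/public_key needs no token and returns the CA key as plain text.
fetch_ca_key() {
  curl --fail --silent --show-error --tlsv1.2 "$VAULT_ADDR/v1/$SSH_MOUNT/public_key"
}

# Accept exactly one OpenSSH public-key line, so a proxy error page or an HTML
# login form can never end up in sshd's trust store.
validate_ca_key() {
  [ "$(printf '%s\n' "$1" | grep -c '')" -eq 1 ] &&
    printf '%s\n' "$1" |
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# Write the key atomically, world-readable but root-writable, like other sshd files.
install_ca_key() {   # $1 = key line, $2 = destination path
  validate_ca_key "$1" || { echo "refusing to install malformed CA key" >&2; return 1; }
  (umask 022; printf '%s\n' "$1" > "$2.tmp")
  mv "$2.tmp" "$2"
}

# Idempotently point sshd at the CA file: every existing TrustedUserCAKeys line
# (including any inside a Match block) is dropped and one fresh directive goes at
# the top, because an appended line could land inside a trailing Match block.
ensure_trusted_ca_directive() {   # $1 = sshd_config path, $2 = CA file path
  tmp="$1.tmp"
  printf 'TrustedUserCAKeys %s\n' "$2" > "$tmp"
  grep -Ev '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$1" >> "$tmp" || true
  mv "$tmp" "$1"
}

main() {
  key="$(fetch_ca_key)"
  install_ca_key "$key" "$CA_FILE"
  ensure_trusted_ca_directive "$SSHD_CONFIG" "$CA_FILE"
  sshd -t                 # syntax-check first so a bad edit cannot lock you out
  systemctl reload sshd
}

case "${1:-}" in install) main ;; esac
```

Run it as `./vault-ssh-ca.sh install` from cron or a config-management hook; for the host-certificate side of the title question, the same fetched key line prefixed with `@cert-authority *` is what goes into clients' known_hosts.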