Vault auto-unseal not working in azure

hello,
I’m having issue using vault auto-unseal with azure. i keep getting this error
“seal configuration missing, not initialized”

kubectl logs kxs-vault-plf-0 -n vault
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://kxs-vault-plf-0.kxs-vault-plf-internal:8201
              Go Version: go1.15.11
              Listener 1: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: debug
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: file
                 Version: Vault v1.7.1
             Version Sha: 917142287996a005cb1ed9d96d00d06a0590e44e

2021-05-06T15:06:24.853Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2021-05-06T15:06:24.854Z [DEBUG] core: set config: sanitized config={"api_addr":"","cache_size":0,"cluster_addr":"","cluster_cipher_suites":"","cluster_name":"","default_lease_ttl":0,"default_max_request_duration":0,"disable_cache":false,"disable_clustering":false,"disable_indexing":false,"disable_mlock":true,"disable_performance_standby":false,"disable_printable_check":false,"disable_sealwrap":false,"disable_sentinel_trace":false,"enable_ui":true,"listeners":[{"config":{"address":"[::]:8200","cluster_address":"[::]:8201","tls_disable":1},"type":"tcp"}],"log_format":"unspecified","log_level":"","max_lease_ttl":0,"pid_file":"","plugin_directory":"","raw_storage_endpoint":false,"seals":[{"disabled":false,"type":"shamir"}],"storage":{"cluster_addr":"","disable_clustering":false,"redirect_addr":"","type":"file"}}
2021-05-06T15:06:24.854Z [DEBUG] storage.cache: creating LRU cache: size=0
2021-05-06T15:06:24.854Z [DEBUG] cluster listener addresses synthesized: cluster_addresses=[[::]:8201]
==> Vault server started! Log data will stream in below:

2021-05-06T15:06:30.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:06:35.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:06:40.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:06:45.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:06:46.434Z [INFO]  core: security barrier not initialized
2021-05-06T15:06:46.434Z [INFO]  core: seal configuration missing, not initialized
2021-05-06T15:06:50.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:06:55.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:07:00.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:07:05.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:07:10.534Z [INFO]  core: security barrier not initialized
2021-05-06T15:07:15.534Z [INFO]  core: security barrier not initialized
server:
  # enabled: true
  image:
    repository: ${vault_image_repository}
    tag: ${vault_image_tag}
  dataStorage:
    enabled: true
    size: 10Gi
  auditStorage:
    enabled: ${vault_enable_audit}

  logLevel: "debug"

  # For HA configuration and because we need to manually init the vault,
  # we need to define custom readiness/liveness Probe settings
  readinessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
    #initialDelaySeconds: 60
  livenessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true"
    initialDelaySeconds: 60
  # postStart:
  #   - /bin/sh
  #   - -c
  #   - kubectl exec -ti ${vault_name} -n vault -- vault operator init
  extraLabels:
    aadpodidbinding: "vault"

  ha:
    enabled: false
    replicas: ${replicas}
    apiAddr: http://127.0.0.1:8200
    config: |
      ui = true
      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "azure" {
        accountName = "${accountName}"
        accountKey  = "${accountKey}"
        container   = "${container}"
        environment = "AzurePublicCloud"
      }
      seal "azurekeyvault" {
        tenant_id      = "${tenant_id}"
        client_id      = "8d84635e"
        client_secret  = "Jy2G85~"
        vault_name     = "${vault_name}"
        key_name       = "${key_name}"
        subscription_id  "1155fb0a"
        
      }

  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: kong
      cert-manager.io/cluster-issuer: letsencrypt
      konghq.com/https-redirect-status-code: "301"
      konghq.com/protocols: https
    path: /
    hosts:
      - host: vault.${host}
        paths:
    # Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths:
      - path: /ui
        backend:
          serviceName: ${vault_name}-ui
          servicePort: 8200
    tls:
      - secretName: tls
        hosts:
          - vault.${host}

  # service:
  #   enabled: false
  #   # clusterIP controls whether a Cluster IP address is attached to the
  #   # Vault service within Kubernetes.  By default the Vault service will
  #   # be given a Cluster IP address, set to None to disable.  When disabled
  #   # Kubernetes will create a "headless" service.  Headless services can be
  #   # used to communicate with pods directly through DNS instead of a round robin
  #   # load balancer.
  #   clusterIP: None
  #   port: 8200

# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  enabled: ${vault_ui}
  # publishNotReadyAddresses: true
  # The service should only contain selectors for active Vault pod
  activeVaultPodOnly: false
  serviceType: "LoadBalancer"
  externalPort: 8200
  serviceNodePort: null

“kubectl exec -ti kxs-vault-plf-0 -n vault – vault operator init” works and initializes vault but it still comes sealed after initialization

kubectl exec -ti kxs-vault-plf-0 -n vault -- vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.7.1
Storage Type       file
HA Enabled         false
command terminated with exit code 2

Just glancing - your seal config shouldn’t be in the HA config stanza, I think.

i think it is meant to be under HA