Vault Plugin TLS issue

I am having issues installing a plugin for Vault. While Vault works fine and I could get the secrets as injector, setting up plugins is creating a headache.
While writing the config file for the plugin, I get the error.

Some steps:

vault write sys/plugins/catalog/secret/op-connect \
sha_256="$(sha256sum /vault/data/plugins/op-connect | cut -d " " -f1)" \
command="op-connect -ca-cert=/vault/userconfig/vault-server-tls/"

vault secrets enable --plugin-name='op-connect' --path="op" plugin

# I get an issue here
vault write op/config @op-connect-config.json

secrets.op-connect.op-connect_96388717.op-connect.op-connect: plugin tls init: error="error during token unwrap request: Put \"\": x509: certificate is valid for, 34.xx.xx.xx, not" timestamp=2022-02-17T18:06:44.542Z
2022-02-17T18:06:44.547Z [INFO]  http: TLS handshake error from remote error: tls: bad certificate

Not sure why the API_ADDR is the pod IP, which is not present in the SAN of the CSR, as seen below.

My CSR config is:

cat <<EOF >${TMPDIR}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.2 = *.${NAMESPACE}.svc.cluster.local
DNS.3 = *.${VAULT_INTERNAL_SVC}.${NAMESPACE}.svc.cluster.local
DNS.4 = vault.${NAMESPACE}.svc.cluster.local
DNS.5 = vault-agent-injector-svc
DNS.6 = vault-agent-injector-svc.vault
DNS.7 = vault-agent-injector-svc.vault.svc
DNS.8 = vault-agent-injector-svc.vault.svc.cluster.local
DNS.9 = vault
DNS.10 = vault.${NAMESPACE}
DNS.11 = vault.${NAMESPACE}.svc
IP.1 =
IP.2 = 34.xx.xx.xx
EOF

Any hint would be of great help. Thanks
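
The "x509: certificate is valid for ..., not ..." text in the log above is the message Go's crypto/x509 produces when the address a client dials is not among the certificate's SANs. The following is an added example, not part of the original post, that reproduces that check offline; every host name and IP address in it is constructed, and buildCert and checkSAN are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// buildCert returns a parsed self-signed certificate carrying the given SANs.
func buildCert(dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkSAN returns the error a Go TLS client would raise when dialing addr.
func checkSAN(cert *x509.Certificate, addr string) error {
	return cert.VerifyHostname(addr)
}

func main() {
	// Constructed SANs and addresses, not values from the post.
	dns := []string{"vault.vault.svc", "*.vault.svc.cluster.local"}
	cert, err := buildCert(dns, []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("192.0.2.10")})
	if err != nil {
		panic(err)
	}
	for _, addr := range []string{"vault.vault.svc", "192.0.2.10", "10.0.0.5"} {
		fmt.Printf("%-16s -> %v\n", addr, checkSAN(cert, addr))
	}
}
```

A wildcard DNS SAN never matches an IP literal, so an address that is dialed as a raw IP needs its own IP entry in the certificate.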