Hello,
We are running Vault on Kubernetes and things are fine if we do not use TLS certificates. So far we have obtained a signed certificate for the Vault web interface to replace the self-signed one. Since Vault is already configured and up and running (no TLS), the steps we are taking to implement the TLS certificates are as follows:
```
helm upgrade vault hashicorp/vault --values /vault/values.yml
Release "vault" has been upgraded. Happy Helming!
NAME: vault
LAST DEPLOYED: Wed May 19 13:47:30 2021
NAMESPACE: namespace
STATUS: deployed
REVISION: 52
TEST SUITE: None
NOTES:
Thank you for installing HashiCorp Vault!
```
The values.yml file:
```yaml
global:
  tlsDisable: false
server:
  extraEnvironmentVars:
    VAULT_CACERT: /vault/data/cert/vault.ca
  readinessProbe:
    enabled: true
  livenessProbe:
    enabled: true
  dataStorage:
    storageClass: starlex
  auditStorage:
    enabled: true
    storageClass: starlex
  service:
    enabled: true
    type: NodePort
  ingress:
    enabled: false
    hosts:
      - host: vault.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: vault
                servicePort: 8200
  extraVolumes:
    - type: secret
      name: vault-server-tls
  standalone:
    enabled: true
    config: |
      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_cert_file = "/vault/data/cert/vault.crt"
        tls_key_file = "/vault/data/cert/vault.key"
        tls_client_ca_file = "/vault/data/cert/vault.ca"
      }
      storage "file" {
        path = "/vault/data"
      }
ui:
  enabled: true
  serviceType: NodePort
```
Unsealing with the unseal keys works, but we need to export the environment variable as below:
```
/ $ export VAULT_ADDR=https://vault.example.com:30381
```
The status output looks fine:
```
/ $ vault status
Key             Value
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.7.0
Storage Type    file
Cluster Name    vault-cluster-b82ff123
Cluster ID      01b6cf44-1521-cc09-1731-72bb6975ee23
HA Enabled      false
```
```
kubectl get pod vault-0
NAME      READY   STATUS    RESTARTS   AGE
vault-0   1/1     Running   2          5m48s
```
The logs show a bad certificate:
```
kubectl logs vault-0
2021-05-19T11:50:52.964Z [INFO] core: usage gauge collection is disabled
2021-05-19T11:50:52.966Z [INFO] core: post-unseal setup complete
2021-05-19T11:50:52.966Z [INFO] core: vault is unsealed
2021-05-19T11:51:08.365Z [INFO] http: TLS handshake error from 127.0.0.1:60536: remote error: tls: bad certificate
```
When we try to access the Vault web interface, we get a 404 error and the ingress certificate is used:
```
Common Name: Kubernetes Ingress Controller Fake Certificate
```
Any help is appreciated.