For increased security, our Vault setups are configured to terminate TLS sessions directly at the Vault server process. To do so, we use cert-manager to provision Let's Encrypt certificates that the Vault server Pods can use. There was an issue with this setup: the Vault servers did not reload the certificate when cert-manager renewed it, so Vault kept serving the old certificate, leaving it insecure or unavailable once that certificate expired.
We have now added a small side-car container to the Vault server Pods that automatically reloads the certificate in place whenever it is renewed. The reload does not disrupt the Vault service.
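To illustrate the side-car pattern described above, here is an added example (not the project's own side-car code) of a minimal watcher: it polls the certificate file that cert-manager's Secret is mounted at, and when the file's fingerprint changes it sends SIGHUP to the Vault process, which is Vault's documented trigger for re-reading listener TLS certificates. It assumes the Secret is mounted at `/vault/tls/tls.crt` (not a subPath mount, so kubelet updates the file on renewal), that the Pod sets `shareProcessNamespace: true` so the side-car can see the `vault` process, and that `pgrep` and `sha256sum` are available in the side-car image.

```shell
#!/bin/sh
# Hypothetical cert-reload side-car for a Vault server Pod (illustrative, not the real one).
# Assumptions: cert-manager Secret mounted at CERT_PATH, Pod shares its process namespace,
# and the image ships coreutils (sha256sum) and procps (pgrep).
CERT_PATH="${CERT_PATH:-/vault/tls/tls.crt}"
POLL_SECONDS="${POLL_SECONDS:-60}"

cert_fingerprint() {
    # SHA-256 of the PEM file on disk; cert-manager rewrites it when the cert is renewed.
    sha256sum "$1" | cut -d' ' -f1
}

cert_changed() {
    # Succeeds (exit 0) when the file's current fingerprint differs from the recorded one.
    [ "$(cert_fingerprint "$1")" != "$2" ]
}

reload_vault() {
    # Vault re-reads its listener TLS certificate and key on SIGHUP without restarting,
    # so existing clients are not disrupted. VAULT_PID can be set to skip process lookup.
    pid="${VAULT_PID:-$(pgrep -xo vault 2>/dev/null)}"
    if [ -z "$pid" ]; then
        echo "reload: vault process not found (is shareProcessNamespace set?)" >&2
        return 1
    fi
    kill -HUP "$pid"
}

watch_loop() {
    last="$(cert_fingerprint "$CERT_PATH")"
    while sleep "$POLL_SECONDS"; do
        if cert_changed "$CERT_PATH" "$last"; then
            # Only advance the recorded fingerprint once the reload signal was delivered,
            # so a failed reload is retried on the next poll.
            if reload_vault; then
                last="$(cert_fingerprint "$CERT_PATH")"
                echo "reload: certificate changed, Vault signalled" >&2
            fi
        fi
    done
}

# Only start polling when explicitly asked, so the functions can be sourced and tested.
if [ "${RUN_SIDECAR:-0}" = "1" ]; then
    watch_loop
fi
```

After a reload it is worth confirming the served chain independently, for example by connecting to the listener and checking the certificate's notAfter date, since a SIGHUP that Vault rejects (bad key pair) leaves the old certificate in service.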