This is a bit odd, but I had to chase this a bit to get vault authenticated to our vault-instance with a non-public cert.
The comments in main.go led me to believe I could set VAULT_CACERT to point at a ca certificate I had mounted from a configmap under /ssl.
This was not the case though, because the code path for vault k8s auth here does its’ own post request instead of using the vault client that would have been set up with those environment variables.
I got it working by mounting my ca certs directly into /etc/ssl/certs, but I did end up chasing my tail for a bit.