Qual endereço de servidor devo usar no arquivo de configuração do emissor do vault?

Eu defini e apliquei um ServiceAccount "service-account-token" : Vault-Config/service-account-token.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account-token
automountServiceAccountToken: false

root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/service-account- 
token.yaml 
serviceaccount/service-account-token created

root@k8s-eu-1-control-plane-node-1:~# kubectl get ServiceAccount
NAME                       SECRETS   AGE
default                    0         10d
issuer                     0         20h
secrets-store-csi-driver   0         2d9h
service-account-token      0         22s   // <----------------------
webapp-sa                  0         2d1h

Eu defini e apliquei um segredo do emissor do cofre:

root@k8s-eu-1-control-plane-node-1:~# nano Vault-Config/cert-manager-vault-issuer-
secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: issuer-token-abcde
  #namespace: nats
  annotations:
    kubernetes.io/service-account.name: issuer
type: kubernetes.io/service-account-token # https://developer.hashicorp.com/vault
/docs/auth/kubernetes#continue-using-long-lived-tokens

->

root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/cert-manager-vault-
issuer-secret.yaml 
secret/issuer-token-abcde created

->

root@k8s-eu-1-control-plane-node-1:~# kubectl get secrets
NAME                         TYPE                                  DATA   AGE
issuer-token-abcde           kubernetes.io/service-account-token   3      8s  // <------------
nats-box-contexts            Opaque                                1      6d
sh.helm.release.v1.csi.v1    helm.sh/release.v1                    1      2d9h
sh.helm.release.v1.nats.v1   helm.sh/release.v1                    1      6d

Quando aplico este vault-issuer : Vault-Config/vault-issuer-cert-manager.yaml:

# https://developer.hashicorp.com/vault/tutorials/archive/kubernetes-cert-   
manager#configure-an-issuer-and-generate-a-certificate

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: vault-issuer
      #namespace: nats
    spec:
      vault:
        server: http://vault.default // <---- as suggested here: https://cert-manager.io/docs/configuration/vault/#deployment
        path: pki_int/sign/nats
        auth:
          kubernetes:
            mountPath: /v1/auth/kubernetes
            role: issuer
            secretRef:
              name: issuer-token-abcde
              #key: token

-> :

root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/vault-issuer-cert-
manager.yaml 
issuer.cert-manager.io/vault-issuer created

Recebo este erro:

root@k8s-eu-1-control-plane-node-1:~# kubectl describe issuer vault-issue
Failed to initialize Vault client: while requesting a Vault token using the Kubernetes auth:
error calling Vault server: Post "https://vault.default/v1/auth/kubernetes/login": dial tcp: 
lookup vault.default on 10.96.0.10:53: no such host

Para a configuração do Vault apliquei através do helm estes valores:

root@k8s-eu-1-control-plane-node-1:~# nano Vault-Config/overrides.yaml :

global:
   enabled: true
   tlsDisable: false
injector:
   enabled: true
server:
   extraEnvironmentVars:
      VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca
      VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt
      VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key
   dataStorage:
       enabled: true
   volumes:
      - name: userconfig-vault-ha-tls
        secret:
         defaultMode: 420
         secretName: vault-ha-tls
   volumeMounts:
      - mountPath: /vault/userconfig/vault-ha-tls
        name: userconfig-vault-ha-tls
        readOnly: true
   standalone:
      enabled: false
   affinity: ""
   readinessProbe:
     enabled: true
     path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
   ha:
      enabled: true
      replicas: 3
      raft:
         enabled: true
         setNodeId: true
         config: |
            cluster_name = "vault-integrated-storage"
            ui = true
            listener "tcp" {
               tls_disable = 0
               address = "[::]:8200"
               cluster_address = "[::]:8201"
               tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
               tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
               tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
            }

            # https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide#vault-storage-configuration

            storage "raft" {
               path = "/vault/data"

               retry_join {
                 leader_api_addr = "https://vault-0.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               retry_join {
                 leader_api_addr = "https://vault-1.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               retry_join {
                 leader_api_addr = "https://vault-2.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               retry_join {
                 leader_api_addr = "https://vault-3.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               retry_join {
                 leader_api_addr = "https://vault-4.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               autopilot {
                 server_stabilization_time = "10s"
                 last_contact_threshold = "10s"
                 min_quorum = 5
                 cleanup_dead_servers = false
                 dead_server_last_contact_threshold = "10m"
                 max_trailing_logs = 1000
                 disable_upgrade_migration = false
               }


            }
            disable_mlock = true
            service_registration "kubernetes" {}

Qual endereço de servidor devo colocar no arquivo de configuração do vault-issuer : Vault-Config/vault-issuer-cert-manager.yaml:

# https://developer.hashicorp.com/vault/tutorials/archive/kubernetes-cert-manager#configure-an-issuer-and-generate-a-certificate

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  #namespace: nats
spec:
  vault:
    server: https://vault-0.vault-internal:8200/    // <----------------- ????????
    path: pki_int/sign/nats
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: issuer
        secretRef:
          name: issuer-token-abcde
          key: token

--> :

root@k8s-eu-1-control-plane-node-1:~# kubectl describe issuer     vault-issue

Message:               Failed to initialize Vault client: while  
requesting a Vault token using the Kubernetes auth: error calling 
Vault server: Post "http://vault.default:8200/v1/auth/kubernetes
/login": dial tcp: lookup vault.default on 10.96.0.10:53: no such 
host

?