UNCLASSIFIED - NO CUI

Vault HA Deployment

  1. Vault Unseal is the first decision point in our implementation strategy.

HashiCorp does not recommend the Shamir unseal for enterprise deployments; however, we need to support edge/air-gapped environments, where no cloud KMS is reachable, as well as be able to test upgrades.

  2. For Vault to be considered "production-ready", it should be configured in HA mode. This likely makes our dev init job more cumbersome; HA is much easier to achieve with AWS KMS auto-unseal, because every replica unseals itself on start instead of waiting for someone to feed it key shares.

https://learn.hashicorp.com/tutorials/vault/kubernetes-raft-deployment-guide?in=vault/kubernetes#configure-vault-helm-chart

Currently, when attempting to upgrade Vault using the single-pod deployment, the StatefulSet updates and the init container rolls, but the vault-vault-0 pod does not update (the chart's server StatefulSet uses the OnDelete update strategy, so existing pods are only replaced once they are deleted). If the pod is deleted, a new pod spins up but cannot unseal, because the init job that unseals Vault was written only for first-time initialization and does not handle re-unsealing an already initialized node after a restart or upgrade.
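The following is an added example of what an upgrade-aware init job for the Shamir path could look like; it is not the project's existing init job. It assumes (hypothetically) that VAULT_ADDR points at the pod being handled, that KEYS_FILE is a file mounted from a Kubernetes Secret holding one base64 unseal key per line, that the job is triggered by setting RUN_RECONCILE=1, and that jq is not in the image (hence the grep/sed JSON handling). The function names are illustrative. The point it demonstrates is that the job must decide between init, unseal and no-op from the node's current state, so that the same job can be re-run after a pod delete or an upgrade:

```shell
#!/usr/bin/env bash
# Added example, not the project's init job: an idempotent Shamir unseal job
# that can be re-run on every pod start, including after an upgrade.
# Assumptions (hypothetical): VAULT_ADDR targets the pod to handle, e.g.
# http://vault-vault-0.vault-internal:8200, and KEYS_FILE is mounted from a
# Kubernetes Secret with one base64 unseal key per line.
set -eu

KEYS_FILE="${KEYS_FILE:-/vault/unseal/keys}"

# Read one boolean field ("initialized" or "sealed") out of the JSON printed by
# `vault status -format=json`, without depending on jq being in the image.
# Prints true/false, or nothing when the field is missing (e.g. API unreachable).
json_bool() {
  printf '%s' "$2" | tr -d '\n' \
    | grep -oE "\"$1\"[[:space:]]*:[[:space:]]*(true|false)" \
    | head -n 1 | sed 's/.*://; s/[[:space:]]//g'
}

# Map the node's state to the single action the job must take.
# Prints one of: init, unseal, noop, unknown.
decide_action() {
  case "$(json_bool initialized "$1"):$(json_bool sealed "$1")" in
    false:*)    echo init ;;    # fresh storage: the only time init may run
    true:true)  echo unseal ;;  # restarted or upgraded pod: already initialized
    true:false) echo noop ;;    # already serving
    *)          echo unknown ;; # no usable status yet; caller should retry
  esac
}

# Pull the base64 unseal keys out of `vault operator init -format=json` output,
# one per line, so they can be persisted before any unseal attempt.
extract_unseal_keys() {
  tr -d '\n' | grep -oE '"unseal_keys_b64"[[:space:]]*:[[:space:]]*\[[^]]*\]' \
    | grep -oE '"[^"]*"' | sed '1d' | tr -d '"'
}

# Driver used by the real job; it is not exercised offline.
# `vault status` exits 2 when sealed and 1 on error, so its exit code must not
# abort the job: the JSON body is the only thing decisions are made on.
reconcile() {
  status_json="$(vault status -format=json 2>/dev/null || true)"
  case "$(decide_action "$status_json")" in
    init)
      # Dev only: a single share so one Secret can hold it. Capture first, then
      # persist before unsealing; a crash in between would otherwise leave an
      # initialized node that nobody can open.
      init_json="$(vault operator init -key-shares=1 -key-threshold=1 -format=json)"
      printf '%s' "$init_json" | extract_unseal_keys > "$KEYS_FILE"
      reconcile ;;   # node is now initialized+sealed, so this performs the unseal
    unseal)
      while IFS= read -r key || [ -n "$key" ]; do
        if [ -n "$key" ]; then vault operator unseal "$key" > /dev/null; fi
      done < "$KEYS_FILE" ;;
    noop)
      echo "vault already unsealed, nothing to do" ;;
    unknown)
      echo "vault status not readable yet" >&2
      return 1 ;;
  esac
}

# Only run the driver when explicitly asked, so sourcing the file has no side effects.
if [ "${RUN_RECONCILE:-0}" = "1" ]; then
  reconcile
fi
```

Run as a Job after `helm upgrade` and again after deleting vault-vault-0: on the first run it initializes and unseals, on every later run it only unseals. Keeping a single share in a Secret is the dev-only trade-off that AWS KMS auto-unseal removes; for a multi-replica Raft HA cluster the job would additionally have to `vault operator raft join` followers to the leader before unsealing them, which is not shown here.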

Edited by kevin.wilder