
Sidecar agent in CSI can't establish a TLS connection with an external vault using a custom CA #995

Open
Neferites opened this issue Jan 27, 2024 · 0 comments
Labels
bug Something isn't working


Describe the bug
The CSI pod sidecar vault agent does not use a custom CA for connecting to an external vault.

To Reproduce
Steps to reproduce the behavior:

  1. Install chart with at least:
global:
  enabled: false
  tlsDisable: false
  externalVaultAddr: "https://external-vault.home"
csi:
  enabled: true
  extraArgs: 
    - -vault-tls-ca-cert=/vault/tls/ca.crt
  hmacSecretName: ""
  volumes:
  - name: tls
    secret:
      secretName: vault-ca-cert
  volumeMounts:
  - name: tls
    mountPath: "/vault/tls"
    readOnly: true

Agent pod logs:

2024-01-26T21:01:58.757Z [INFO]  agent.apiproxy: received request: method=POST path=/v1/auth/prod-k8s/login
2024-01-26T21:01:58.757Z [INFO]  agent.apiproxy: forwarding request to Vault: method=POST path=/v1/auth/prod-k8s/login
2024-01-26T21:01:58.763Z [ERROR] agent.apiproxy.client: request failed: error="Post \"https://external-vault.home/v1/auth/prod-k8s/login\": tls: failed to verify certificate: x509: certificate signed by unknown authority" method=POST url=https://external-vault.home/v1/auth/prod-k8s/login

Expected behavior
Agent pod should use /vault/tls/ca.crt in order to establish a TLS connection.

Workaround
Add csi.agent.enabled=false

Environment

  • Kubernetes version: 1.28
  • Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): vanilla
  • vault-helm version: 0.27
@Neferites Neferites added the bug Something isn't working label Jan 27, 2024
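The error in the agent log is ordinary TLS trust: the sidecar's HTTP client verifies the external Vault's certificate against a root store that does not contain the custom CA. The values above hand the CA path to the CSI provider through extraArgs; the agent sidecar is a separate container whose TLS client is configured on its own, so the question the issue raises is whether it ever receives the same trust anchor. The Go program below is an added illustration, not code from vault-helm, Vault, or the issue author. It builds a throwaway CA and a stub HTTPS endpoint whose leaf certificate that CA signs, then issues the same login POST twice: once with the system trust store only, which fails with `x509: certificate signed by unknown authority` exactly as in the log, and once with the custom CA loaded as the root pool, which succeeds. The CA, the stub server, its reply body and the `isUnknownAuthority` helper are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func certTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA builds a throwaway self-signed CA (constructed here; it stands in for the custom CA
// the issue mounts from the vault-ca-cert secret) and returns it, its key, and its PEM.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := certTemplate(1, "example custom CA")
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// startFakeVault serves a stub /v1/auth/prod-k8s/login over TLS with a leaf issued by the CA,
// so a client either trusts that CA or fails exactly as the agent log shows.
func startFakeVault(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *httptest.Server {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := certTemplate(2, "external-vault.home")
	leaf.DNSNames = []string{"external-vault.home"}
	leaf.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // httptest listens on 127.0.0.1
	leaf.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der := must(x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, caKey))
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, `{"stub":true,"path":%q}`, r.URL.Path) // stub reply, not real Vault output
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// login issues the POST from the agent log. With caPEM == nil the client verifies against the
// system trust store only (what a sidecar without the CA does); with the PEM it trusts the custom CA.
func login(vaultAddr string, caPEM []byte) (int, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return 0, errors.New("no certificates found in CA PEM")
		}
		tlsCfg.RootCAs = pool // replaces, not extends, the system roots
	}
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: tlsCfg, DisableKeepAlives: true}}
	resp, err := client.Post(vaultAddr+"/v1/auth/prod-k8s/login", "application/json", nil)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isUnknownAuthority unwraps the url.Error/tls wrappers to find the x509 unknown-authority failure.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	ca, caKey, caPEM := newCA()
	srv := startFakeVault(ca, caKey)
	defer srv.Close()
	_, err := login(srv.URL, nil)
	fmt.Println("system roots only -> unknown authority:", isUnknownAuthority(err), "err:", err)
	status, err := login(srv.URL, caPEM)
	fmt.Println("custom CA trusted -> status:", status, "err:", err)
}
```

Note that setting `RootCAs` replaces the system roots rather than adding to them, which is the usual behaviour of a `ca_cert`-style option and is fine for a client that talks only to Vault. Against a real external Vault, the equivalent one-off check from any pod that has the secret mounted is `curl --cacert /vault/tls/ca.crt https://external-vault.home/v1/sys/health`: if that succeeds while the sidecar still logs the unknown-authority error, the CA file is good and the sidecar simply is not being pointed at it.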