vault/seal
certmanager acme challenge dns01 provider
Vault can optionally be configured to automatically unseal, using a cloud-based KMS. Currently the only configured option is "awskms", which necessitates you setting the following additional parameters
vault/awskms-regionvault/awskms-access-keyvault/awskms-secret-keyvault/awskms-kms-key-id