Kubernetes used to issue long-lived service account tokens. at some point this behavior was changed to issue 1hr tokens. when a token expires, the file contents of the service account token file (/var/run/secrets/kubernetes.io/serviceaccount/token) change.
Spring Vault used to cache the result of reading this file - and I've been able to find these references (the commit and the comment) in the history suggesting that this behavior changed. What I can't do is figure out how to customize/enable it. For me, even if spring.cloud.vault.config.lifecycle.enabled is set to "true" - the services looses authentication with vault at the end of the hour and seems to be unable to re-read the file and re-auth with vault.
Maybe there is some sort of bean or something i have to define as well, but since the above linked github issue comment sounds like it is referring to the same exact think as this question, my question feels like sufficiently like a user error to indeed be a stackoverflow question rather than a github issue comment.