I've not had any success when declaring multiple entrypoints which include both a non-TLS and a TLS endpoint on a single IngressRoute. Try splitting this into two manifests, and when declaring the websecure entrypoint, you should also declare a tls certResolver, even if it's default. A good reference for configuring this can be pulled from our docs -- Traefik CRD TLS Documentation - Traefik
Have you configured vault to serve requests from /ui as its base path? It appears the front-end is attempting to communicate with the API at /v1/system/health, so unless you have a rule configured to route /v1, that's going to fail.
I'm dealing with this issue right now too (not on kubernetes).
Just to provide more details, vault listens on 8200 as an endpoint for the CLI and API calls, and if configured, it will also serve a web-interface on 8200/ui.
So we need a route to catch the URL of the vault service and route it to the service on port 8200 (this is the default port for Vault).
AND
We need a route to catch URL/ui and route it to 8200/ui.
I'm not sure if there is another way to accomplish this.
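The split suggested in the first reply, written out as two manifests with rules covering both /ui and /v1. This is an added example, not configuration posted by anyone in the thread. The apiVersion, the `web` entrypoint name, the host `vault.example.com`, the Service name `vault` and the resolver name `default` are assumptions to adapt.

```yaml
# Manifest 1: non-TLS entrypoint only.
# Anything sent here, including Vault tokens, travels unencrypted.
apiVersion: traefik.io/v1alpha1        # assumed; older releases use traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-http                     # hypothetical name
spec:
  entryPoints:
    - web                              # assumed name of the plain-HTTP entrypoint
  routes:
    - kind: Rule
      # /ui serves the web interface, /v1 is the API the UI calls
      match: Host(`vault.example.com`) && (PathPrefix(`/ui`) || PathPrefix(`/v1`))
      services:
        - name: vault                  # assumed Kubernetes Service name
          port: 8200                   # Vault's default listener port
---
# Manifest 2: TLS entrypoint, with the certResolver declared explicitly.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: vault-https                    # hypothetical name
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`vault.example.com`) && (PathPrefix(`/ui`) || PathPrefix(`/v1`))
      services:
        - name: vault
          port: 8200
  tls:
    certResolver: default              # must match a resolver defined in Traefik's static configuration
```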