diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
index 5fd363896f..692b9a568c 100644
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@@ -230,6 +230,10 @@ func (v *VaultProvider) renewToken(ctx context.Context, watcher *vaultapi.Lifeti
 	go watcher.Start()
 	defer watcher.Stop()
 
+	// These values are chosen to start the exponential backoff
+	// immediately. Since the Vault client implements its own
+	// retries, this retry is mostly to avoid resource contention
+	// and log spam.
 	retrier := retry.Waiter{
 		MinFailures: 1,
 		MinWait:     1 * time.Second,