Story
Resolution: Unresolved
Gist:
We need to come up with sane defaults for the tokenRequests audience in the CSIDriver spec, or we need to ensure that user-configured tokenRequests data is not overwritten during upgrade.
Analysis:
As part of the SSCSI-183 work, it was observed in the Azure provider code that for WIF (workload identity federation) to work on Azure, based on the ClientId configuration in the SecretProviderClass, the SS-CSI driver needs to supply a service account token with an audience of api://AzureADTokenExchange.
This means the cluster admin must be able to configure the audience in the tokenRequests of the secrets-store.csi.k8s.io CSIDriver.
However, the secrets-store.csi.k8s.io CSIDriver is a static manifest in the operator,
and based on the reconciliation logic, any changes to tokenRequests would be overwritten on a future upgrade if we change the static manifest in the operator in a later release.
We need to either come up with sane defaults for tokenRequests and update the manifests, or ensure that preset tokenRequests audiences are not overwritten during reconciliation.
We need to consider not just Azure but all other supported cloud platforms while developing the solution.
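One way to implement the second option (preserving admin-configured audiences across reconciliation), as an added Go example that is not the operator's own code: the static manifest's tokenRequests are always applied and win for the audiences they declare, and any audience already on the cluster that the manifest does not declare is appended unchanged. The TokenRequest type is a local copy of the storage/v1 shape (an assumption so the file runs without the Kubernetes module), and the sample data is constructed.

```go
package main

import "fmt"

// TokenRequest mirrors storagev1.TokenRequest (k8s.io/api/storage/v1).
// Copied locally (an assumption) so the example runs without the k8s module.
type TokenRequest struct {
	Audience          string
	ExpirationSeconds *int64
}

// mergeTokenRequests computes the tokenRequests to write into the
// secrets-store.csi.k8s.io CSIDriver: manifest entries are applied in order,
// then cluster entries whose audience the manifest does not list are kept.
func mergeTokenRequests(manifest, existing []TokenRequest) []TokenRequest {
	seen := map[string]bool{}
	var merged []TokenRequest
	// Manifest first so it wins for audiences it declares, then the cluster's extras.
	for _, tr := range append(append([]TokenRequest(nil), manifest...), existing...) {
		if !seen[tr.Audience] {
			seen[tr.Audience] = true
			merged = append(merged, tr)
		}
	}
	return merged
}

// needsUpdate reports whether the cluster object differs from the merged result,
// so the reconciler only writes when something actually changed.
func needsUpdate(existing, merged []TokenRequest) bool {
	if len(existing) != len(merged) {
		return true
	}
	for i := range existing {
		e, m := existing[i].ExpirationSeconds, merged[i].ExpirationSeconds
		if existing[i].Audience != merged[i].Audience || (e == nil) != (m == nil) || (e != nil && *e != *m) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the manifest requests only the API server's default
	// audience (empty string); an admin has added the Azure WIF audience.
	exp := int64(3600)
	manifest := []TokenRequest{{Audience: ""}}
	onCluster := []TokenRequest{{Audience: ""}, {Audience: "api://AzureADTokenExchange", ExpirationSeconds: &exp}}
	merged := mergeTokenRequests(manifest, onCluster)
	fmt.Println(len(merged), needsUpdate(onCluster, merged))
}
```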