requiresRepublish: true
    storageCapacity: false
    tokenRequests:
    - audience: vault
      expirationSeconds: 600
    volumeLifecycleModes:
    - Ephemeral

--rotation-poll-interval=10080m 

The Pod "busybox" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds`, `spec.tolerations` (only additions to existing tolerations) or `spec.terminationGracePeriodSeconds` (allow it to be set to 1 if it was previously negative)
  core.PodSpec{
  	Volumes:        {{Name: "vault-database", VolumeSource: {CSI: &{Driver: "secrets-store.csi.k8s.io", ReadOnly: &true, VolumeAttributes: {"secretProviderClass": "vault-database"}}}}, {Name: "kube-api-access-hzfc8", VolumeSource: {Projected: &{Sources: {{ServiceAccountToken: &{ExpirationSeconds: 3607, Path: "token"}}, {ConfigMap: &{LocalObjectReference: {Name: "kube-root-ca.crt"}, Items: {{Key: "ca.crt", Path: "ca.crt"}}}}, {DownwardAPI: &{Items: {{Path: "namespace", FieldRef: &{APIVersion: "v1", FieldPath: "metadata.namespace"}}}}}}, DefaultMode: &420}}}},
  	InitContainers: nil,
  	Containers: []core.Container{
  		{
  			... // 5 identical fields
  			Ports:   nil,
  			EnvFrom: nil,
- 			Env: []core.EnvVar{
- 				{
- 					Name:      "API_TOKEN",
- 					ValueFrom: &core.EnvVarSource{SecretKeyRef: &core.SecretKeySelector{...}},
- 				},
- 			},
+ 			Env:          nil,
  			Resources:    {Limits: {s"cpu": {i: {...}, s: "200m", Format: "DecimalSI"}, s"memory": {i: {...}, s: "100Mi", Format: "BinarySI"}}, Requests: {s"cpu": {i: {...}, s: "100m", Format: "DecimalSI"}, s"memory": {i: {...}, s: "50Mi", Format: "BinarySI"}}},
  			VolumeMounts: {{Name: "vault-database", ReadOnly: true, MountPath: "/mnt/secrets-store"}, {Name: "kube-api-access-hzfc8", ReadOnly: true, MountPath: "/var/run/secrets/kubernetes.io/serviceaccount"}},
  			... // 12 identical fields
  		},
  	},
  	EphemeralContainers: nil,
  	RestartPolicy:       "Always",
  	... // 25 identical fields
  }

kind: Pod
apiVersion: v1
metadata:
  name: busybox
  namespace: demo
spec:
  serviceAccountName: app-sa
  containers:
  - image: k8s.gcr.io/e2e-test-images/busybox:1.29
    name: busybox
    imagePullPolicy: IfNotPresent
    command:
    - "/bin/sleep"
    - "10000"
    resources:
      requests:
        cpu: 100m
        memory: 50Mi
      limits:
        cpu: 200m
        memory: 100Mi
    volumeMounts:
    - name: vault-database
      mountPath: "/mnt/secrets-store"
      readOnly: true
    # Uncomment after syncing the Vault data with a Kubernetes Secret  
    env:
    - name: API_TOKEN
      valueFrom:
         secretKeyRef:
           name: kvsecret-1
           key: token
  volumes:
    - name: vault-database
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "vault-database"

atael@ATAEL-mac secrets-store-demo % kubectl get pods -n demo
NAME                                               READY   STATUS    RESTARTS   AGE
busybox                                            1/1     Running   0          13m
csi-secrets-store-secrets-store-csi-driver-g6fvn   3/3     Running   0          22m
csi-secrets-store-secrets-store-csi-driver-gkcvm   3/3     Running   0          22m
csi-secrets-store-secrets-store-csi-driver-jrjdm   3/3     Running   0          22m
vault-0                                            1/1     Running   0          37m
vault-csi-provider-2zqb5                           1/1     Running   0          37m
vault-csi-provider-9tnvs                           1/1     Running   0          37m
vault-csi-provider-qdkz2                           1/1     Running   0          37m

atael@ATAEL-mac secrets-store-demo % kubectl get nodes
NAME          STATUS   ROLES   AGE   VERSION
10.0.10.107   Ready    node    12d   v1.22.5
10.0.10.149   Ready    node    12d   v1.22.5
10.0.10.197   Ready    node    12d   v1.22.5