Clarification on Azure Annotations with Secret Store CSI Driver for KeyVault #1498
Unanswered
kamigerami asked this question in Q&A
Replies: 0 comments
When leveraging the kubernetes.azure.com/tls-cert-keyvault-uri annotation, it appears we can directly reference Azure KeyVault certificates without needing to explicitly define a SecretProviderClass. This process seems straightforward for fetching TLS certificates and auto-mounting them as Kubernetes secrets. However, for referencing other KeyVault secrets, it seems necessary to create a SecretProviderClass as opposed to just providing a keyvault-uri annotation for that particular secret.
Could you please clarify if my understanding is correct? Specifically, I'm trying to understand why the annotation approach does not require a SecretProviderClass for TLS certificates but does for other types of secrets. Is there an underlying reason for this distinction, or have I perhaps misunderstood how to use the CSI driver for non-TLS secrets?
Thank you in advance for your guidance.