// trust between the target audiences.
  repeated string audiences = 1;

  // ExpirationSeconds is the requested duration of validity of the request. The
  // token issuer may return a token with a different validity duration so a
  // client needs to check the 'expiration' field in a response.
  // +optional
  optional int64 expirationSeconds = 4;

  // BoundObjectRef is a reference to an object that the token will be bound to.

  //   3. Signer whose configured minimum is longer than the requested duration
  //
  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
  //
  // +optional
  optional int32 expirationSeconds = 8;

  // allowedUsages specifies a set of usage contexts the key will be
  // valid for.
  // See:
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.3

  //   3. Signer whose configured minimum is longer than the requested duration
  //
  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
  //
  // +optional
  optional int32 expirationSeconds = 8;

  // usages specifies a set of key usages requested in the issued certificate.
  //

  // It will default to the audiences of kube apiserver.
  optional string audience = 1;

  // expirationSeconds is the duration of validity of the token in "TokenRequestSpec".
  // It has the same default value of "ExpirationSeconds" in "TokenRequestSpec"
  //
  // +optional
  optional int64 expirationSeconds = 2;
}

// VolumeAttachment captures the intent to attach or detach the specified volume

  // It will default to the audiences of kube apiserver.
  optional string audience = 1;

  // expirationSeconds is the duration of validity of the token in "TokenRequestSpec".
  // It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
  //
  // +optional
  optional int64 expirationSeconds = 2;
}

// VolumeAttachment captures the intent to attach or detach the specified volume

		ObjectMeta: metav1.ObjectMeta{
			Name:      serviceAccount,
			Namespace: wg.Namespace,
		},
		Spec: authenticationv1.TokenRequestSpec{
			Audiences:         []string{"istio-ca"},
			ExpirationSeconds: &tokenDuration,
		},
	}
	tokenReq, err := kubeClient.Kube().CoreV1().ServiceAccounts(wg.Namespace).CreateToken(context.Background(), serviceAccount, token, metav1.CreateOptions{})

  // token, and otherwise should reject the token. The audience defaults to the
  // identifier of the apiserver.
  // +optional
  optional string audience = 1;

  // expirationSeconds is the requested duration of validity of the service
  // account token. As the token approaches expiration, the kubelet volume
  // plugin will proactively rotate the service account token. The kubelet will

- The `CertificateSigningRequest.certificates.k8s.io` API supports an optional expirationSeconds field to allow the client to request a particular duration for the issued certificate.  The default signer implementations provided by the Kubernetes controller manager will honor this field as long as it does not exceed the --cluster-signing-duration...

- The CertificateSigningRequest `spec.expirationSeconds` API field has graduated to GA. The `CSRDuration` feature gate for the field is now unconditionally enabled and will be removed in 1.26. ([#108782](https://github.com/kubernetes/kubernetes/pull/108782), [@cfryanr](https://github.com/cfryanr))...