ECK - Alternative secrets storage using CSI Driver for KeyVault in Azure

I have integrated my AKS cluster with Azure Keyvault CSI Driver for secrets storage.

Link:
GitHub - Azure/secrets-store-csi-driver-provider-azure: Azure Key Vault provider for Secret Store CSI driver allows you to get secret contents stored in Azure Key Vault instance and use the Secret Store CSI driver interface to mount them into Kubernetes pods.

Now, after I have configured this (volume mounts in the elasticSearch yaml specs), the creation of a new ElasticSearch resource still creates the secrets (eg elastic username/pass) in the k8s secrets in plaintext (base64 encoded) and not the keyvault

How can I make elastic use the Azure Keyvault CSI driver to store secrets and not the default k8s secrets?

How can I make elastic use the Azure Keyvault CSI driver to store secrets and not the default k8s secrets?

As far as I understand, Azure Keyvault CSI driver doesn't allow to write secret from Kubernetes to the Azure Key Vault instance. It only works the other way around, secrets are retrieved from Vault and then can be used in Kubernetes.

Also, I'm not sure how it is relevant for internal secrets managed by the operator to be stored in Azure Keyvault. This seems more relevant for secrets you provide to your cluster such as secrets to define users and roles. In that case, you might be interested in syncing mounted content with Kubernetes secret.

Thanks for the response.
Here is a bit more detail:

There are secrets "created" by the eck setup as follows:-

namespace: elastic-system
Secrets:

default-token-9q898
elastic-operator-token-pnl5n
elastic-webhook-server-cert

new "Elasticsearch" resource secrets -
quickstart3-es-http-ca-internal
quickstart3-es-http-certs-internal
quickstart3-es-http-certs-public
quickstart3-es-default-es-config
quickstart3-es-default-es-transport-certs
quickstart3-es-elastic-user
quickstart3-es-internal-users
quickstart3-es-remote-ca
quickstart3-es-transport-ca-internal
quickstart3-es-transport-certs-public
quickstart3-es-xpack-file-realm
eck0-quickstart3-kibana-user
quickstart3-kb-es-ca
quickstart3-kibana-user
quickstart3-kb-http-ca-internal
quickstart3-kb-config
quickstart3-kb-http-certs-internal
quickstart3-kb-http-certs-public

It is clear that the azure keyvault CSI drver can be used to only "read" secrets from the keyvault.
However, the secrets I mentioned above are created by the eck instance installation.

Can these secrets be secured/encrypted in some way?