Skip to main content

Documentation Index

Fetch the complete documentation index at: https://engineering.unkey.com/llms.txt

Use this file to discover all available pages before exploring further.

Krane exposes a SecretsService for workloads. Injected pods call this service to decrypt their secrets blob using Vault. Service definition: svc/krane/proto/krane/v1/secrets.proto.

Authentication

Requests are authenticated with a Kubernetes service account token. Krane validates the token with the TokenReview API, resolves the pod from the token details, and verifies the pod labels match the deployment and environment IDs.

DecryptSecretsBlob

DecryptSecretsBlobResponse.env_vars
map<string,string>
Decrypted environment variables.

Decryption flow

The secrets blob contains a map of key names to Vault encrypted values. Krane decrypts each value separately using the environment ID as the keyring, then returns a map of plaintext environment variables.