Krane exposes a SecretsService for workloads. Injected pods call this service to decrypt their secrets blob using Vault.
Service definition: svc/krane/proto/krane/v1/secrets.proto.
Authentication
Requests are authenticated with a Kubernetes service account token. Krane validates the token with the TokenReview API, resolves the pod from the token details, and verifies the pod labels match the deployment and environment IDs.
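One way to implement the pod-binding check described above, as an added Go example that is not Krane's own code: it takes a TokenReview result (a constructed stand-in type), reads the bound pod name from the authentication.kubernetes.io/pod-name extra that bound service account tokens carry, looks the pod up in a constructed map standing in for the API, and rejects the request unless the pod's labels match the requested deployment and environment IDs. The label keys, the authorize function and the sample pod are assumptions, not Krane's real identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TokenReviewResult is a constructed stand-in for the TokenReview status fields used here.
type TokenReviewResult struct {
	Authenticated bool
	Username      string              // "system:serviceaccount:<namespace>:<name>"
	Extra         map[string][]string // bound tokens carry authentication.kubernetes.io/pod-name
}

// Label keys are assumptions for this example, not Krane's real labels.
const (
	deploymentLabel  = "krane.example/deployment-id"
	environmentLabel = "krane.example/environment-id"
)

// authorize resolves the calling pod from a validated token and verifies its labels match the
// requested deployment and environment. pods maps "<namespace>/<pod-name>" to labels (API stand-in).
func authorize(tr TokenReviewResult, pods map[string]map[string]string, deploymentID, environmentID string) error {
	if !tr.Authenticated {
		return errors.New("token rejected by TokenReview")
	}
	parts := strings.Split(tr.Username, ":")
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" {
		return errors.New("not a service account token")
	}
	names := tr.Extra["authentication.kubernetes.io/pod-name"]
	if len(names) != 1 {
		return errors.New("token is not bound to a pod") // legacy/unbound tokens cannot be tied to a pod
	}
	labels, ok := pods[parts[2]+"/"+names[0]]
	if !ok {
		return fmt.Errorf("pod %s/%s not found", parts[2], names[0])
	}
	if labels[deploymentLabel] != deploymentID || labels[environmentLabel] != environmentID {
		return errors.New("pod labels do not match requested deployment/environment")
	}
	return nil
}

func main() {
	pods := map[string]map[string]string{"apps/web-0": {deploymentLabel: "dep-1", environmentLabel: "env-1"}}
	tr := TokenReviewResult{Authenticated: true, Username: "system:serviceaccount:apps:web", Extra: map[string][]string{"authentication.kubernetes.io/pod-name": {"web-0"}}}
	fmt.Println(authorize(tr, pods, "dep-1", "env-1"), authorize(tr, pods, "dep-2", "env-1"))
}
```

The second call in main is rejected because the caller's pod belongs to a different deployment, which is the cross-deployment request the label check exists to stop.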
DecryptSecretsBlob
DecryptSecretsBlobResponse.env_vars
Decrypted environment variables.
Decryption flow
The secrets blob contains a map of key names to Vault-encrypted values. Krane decrypts each value separately, using the environment ID as the keyring, and returns a map of plaintext environment variables.