Examine options, making sure all of our use cases for reading secrets are handled:

• k8s pods
• gitlab jobs (possibly via runner)

Document/POC writing secrets as well.

Ensure we can split permissions (for futureproofing) (k8s pods can't all get to same secrets/use at least namespace for splitting?).
outcome of this story ought to be an ADR