docs: add workload secret section

docs/docs/architecture/secrets.md

@@ -22,3 +22,16 @@ It needs to be provided with the secret seed, from which it can derive the signi
 This procedure is called recovery and is initiated by the workload owner.
 The CLI decrypts the secret seed using the private seed share owner key, verifies the Coordinator and sends the seed through the `Recover` method.
 The Coordinator recovers its key material and verifies the manifest history signature.
+
+## Workload Secrets
+
+The Coordinator provides each workload a secret seed during attestation. This secret can be used by the workload to derive additional secrets for example to
+encrypt persistent data. Like the workload certificates it's mounted in the shared Kubernetes volume `contrast-secrets` in the path `<mountpoint>/secrets/workload-secret`.
+
+:::warning
+
+The data owner shouldn't encrypt data with secrets derived from the workload secret if they want to keep the data private against the workload owner.
+The workload owner can derive the workload secret themself, since it's derived from the secret seed known to the workload owner.
+If the data owner and the workload owner is the same entity, then they can safely use the workload secrets.
+
+:::

docs/docs/examples/emojivoto.md

@@ -193,12 +193,15 @@ the list that already contains the `"web"` DNS entry:
 ```diff
    "Policies": {
      ...
-     "99dd77cbd7fe2c4e1f29511014c14054a21a376f7d58a48d50e9e036f4522f6b": [
-       "web",
--      "*"
-+      "*",
-+      "203.0.113.34"
-     ],
+     "99dd77cbd7fe2c4e1f29511014c14054a21a376f7d58a48d50e9e036f4522f6b": {
+       "SANs": [
+         "web",
+-        "*"
++        "*",
++        "203.0.113.34"
+       ],
+       "WorkloadSecretID": "web"
+      },
 ```
 
 ### Update the manifest

tools/vale/styles/config/vocabularies/edgeless/accept.txt

@@ -108,6 +108,7 @@ systemd
 tardev
 tarfs
 Terraform
+themself
 Tink
 tmpfs
 TPM