Secrets in a mount or in env is "acceptable" but still pretty amateur-hour. Typically you want the application to have to make a request out to a token exchange endpoint of some sort (using its own identity to authenticate), then keep that secret only in-memory for as long as it's used.
The token exchange endpoint is what assesses risk and decides whether it should grant the secret or not. Think "container X is requesting another secret for service Y, but it didn't restart recently, and the last secret I gave it is not close to expiry yet, hmm".
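The decision described above, as an added example that is not part of the original comment: a broker that reissues a secret only on first request, after a restart, or near expiry, and records every decision. The names `Broker`, `Lease` and `exchange`, the TTL and the renewal window are hypothetical; the workload identity is assumed to be authenticated already, and `started_at` is assumed to come from the orchestrator rather than from the caller.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Lease:
    issued_at: float
    expires_at: float


@dataclass
class Broker:
    ttl: float = 3600.0          # secret lifetime in seconds (assumed value)
    renew_window: float = 0.2    # renewal allowed in the last 20% of the TTL (assumed)
    leases: dict = field(default_factory=dict)   # (workload, service) -> Lease
    audit: list = field(default_factory=list)    # (time, workload, service, decision, reason)

    def exchange(self, workload, service, started_at, now):
        """Return (secret, expires_at) on grant, or None on deny.

        workload   -- identity already verified upstream (assumption)
        started_at -- workload start time as reported by the orchestrator (assumption)
        """
        key = (workload, service)
        prev = self.leases.get(key)
        if prev is None:
            reason = "first_request"
        elif started_at > prev.issued_at:
            # The in-memory secret was lost when the workload restarted.
            reason = "restarted_since_last_issue"
        elif now >= prev.expires_at - self.renew_window * self.ttl:
            reason = "near_expiry"
        else:
            # No restart and the last secret is still fresh: the suspicious case.
            self.audit.append((now, workload, service, "deny", "unexpected_reissue"))
            return None
        lease = Lease(issued_at=now, expires_at=now + self.ttl)
        self.leases[key] = lease
        self.audit.append((now, workload, service, "grant", reason))
        # The caller is expected to hold this value in memory only.
        return secrets.token_urlsafe(32), lease.expires_at
```

The denied requests in the audit list are the ones worth alerting on, since they match the "didn't restart, not close to expiry" pattern from the comment.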