Recommended way for storing secrets for masterless/serverless puppet
What is the recommended way for storing secrets with a puppet serverless environment?
- The serverless environments run puppet apply without root access.
- I have a local copy of our hiera repository on each server.
Typically I would have used the eyaml extension, but this requires me to keep the private/public key on each server and it needs to be accessible by all the users who could run puppet-apply to decrypt it. The only advantage of this method is the secrets would not be available to those who have access to the hiera git repository. Apart from that, I may as well just store the secrets in plain text.
Any suggestions on how to securely store secrets in the above-mentioned environment would be greatly appreciated.