consider trocla for secrets management in puppet
secrets generated by puppet currently use a custom hkdf function that is homegrown. the ad-hoc standard for this in the puppet community i'm usually working with is trocla which is well integrated with puppet.
Trocla generates, on the fly, a strong random password for each key you ask it. It also supports various hashing mechanisms (bcrypt, pgsql, x509, etc) so that the Puppet client never actually sees the cleartext. It seems like a better approach than sending the cleartext like we currently do.
So I'd like to start using this for new code and possibly convert existing code to this, if that's acceptable.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information