Preferred way to go to sync a not public repository via puppet
I'd like to have a secret repository in gitlab where I can keep service properties files. What should be the best way to sync files from this via puppet?
I'd think I should add a ssh key to the gitlab repository. What is the preferred way to do this? The way I'd go would be to create a key on the machine and then read it and add it manually. Is this ok or is it there something else I am not considering?