In order to deploy a fully automated infrastructure, we are using:
There's no technical reason why puppet and ansible co-exist. That happened naturally due to different people working on different things
In all repositories, as they are public, secrets are encrypted (using either ansible-vault or git-crypt). If you do need access to any of them for any reason, please contact infrastructure team.
All our internal documentation for each service is hosted on github wiki, as it needs to be accessed even if confluence is down.