Consider using a custom secret injection (a la vault-k8s)

Vault's integration with Kubernetes support injection of secrets into pods with custom injector. In that way it might be possible to implement similar injector for PassLess. That would remove the need to manage secrets, increasing overall security.

Here a Vault blog post about that: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar