There's not really good reason why this data only has to live on the bastions and require SSH access to access.
Furthermore it'd be a way of trusting the bastion hosts on initial machine setup, removing a trust dependency there.
config-master.wikimedia.org (served by the puppetmasters) seems like a fine place for it to live, and is already served publicly.