Putting DNS API keys on every remote install is indeed problematic.
The solution, however, is pretty trivial. For our setup I just made a very small server with a couple of REST endpoints.
Each customer gets their own login to our REST server. All they do is ask "get a new cert".
The DNS-01 challenge is handled by the REST server, and the cert then supplied to the client install.
So the actual customer install never sees our DNS API keys.
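The broker pattern described in this post, as an added example that is not the poster's code: the piece that holds the DNS API key and completes the DNS-01 challenge runs only on the broker, and each customer install authenticates with its own token and may only ask for names under domains registered to it. The DNS provider, the ACME CA and the account thumbprint are in-memory stand-ins (constructed here so the example runs offline); the TXT value is computed as RFC 8555 specifies for DNS-01, and the per-customer domain restriction is my assumption about what such a broker should check, not something the post states. The HTTP layer, key generation and CSR handling are left out.

```python
import base64
import hashlib
import secrets
import time


def dns01_txt_value(challenge_token: str, account_thumbprint: str) -> str:
    """RFC 8555 DNS-01 record value: base64url(SHA-256(token "." thumbprint)), unpadded."""
    key_auth = f"{challenge_token}.{account_thumbprint}".encode()
    return base64.urlsafe_b64encode(hashlib.sha256(key_auth).digest()).rstrip(b"=").decode()


class FakeDnsProvider:
    """Stand-in for a real DNS API. The API key lives here, on the broker host only."""

    def __init__(self, api_key: str):
        self._api_key = api_key          # never returned to, or seen by, a customer install
        self.records: dict[str, set[str]] = {}

    def add_txt(self, name: str, value: str) -> None:
        self.records.setdefault(name, set()).add(value)

    def delete_txt(self, name: str, value: str) -> None:
        self.records.get(name, set()).discard(value)


class FakeAcmeCa:
    """Stand-in for the CA side of DNS-01: hands out a token, then checks the TXT record."""

    def __init__(self, dns: FakeDnsProvider):
        self._dns = dns                  # the fake CA "resolves" against the fake zone
        self._pending: dict[str, str] = {}

    def new_order(self, domain: str) -> str:
        token = secrets.token_urlsafe(16)
        self._pending[domain] = token
        return token

    def finalize(self, domain: str, account_thumbprint: str) -> str:
        expected = dns01_txt_value(self._pending.pop(domain), account_thumbprint)
        if expected not in self._dns.records.get(f"_acme-challenge.{domain}", set()):
            raise PermissionError(f"DNS-01 validation failed for {domain}")
        # Placeholder certificate body; a real CA returns a PEM chain.
        return f"-----BEGIN CERTIFICATE-----\nCN={domain} notBefore={int(time.time())}\n-----END CERTIFICATE-----\n"


class CertBroker:
    """Logic behind the 'get a new cert' endpoint, minus the HTTP framework."""

    def __init__(self, dns: FakeDnsProvider, ca: FakeAcmeCa, account_thumbprint: str):
        self._dns = dns
        self._ca = ca
        self._thumbprint = account_thumbprint
        # sha256(customer token) -> (customer name, domains that customer controls)
        self._customers: dict[str, tuple[str, frozenset[str]]] = {}

    def register_customer(self, name: str, allowed_domains: list[str]) -> str:
        token = secrets.token_urlsafe(32)
        self._customers[hashlib.sha256(token.encode()).hexdigest()] = (name, frozenset(allowed_domains))
        return token  # handed to that customer's install once, out of band

    def _authenticate(self, token: str) -> tuple[str, frozenset[str]]:
        # Tokens are stored hashed; looking up the hash is safe against timing games
        # because a caller cannot choose the stored digest it is compared against.
        customer = self._customers.get(hashlib.sha256(token.encode()).hexdigest())
        if customer is None:
            raise PermissionError("unknown credentials")
        return customer

    @staticmethod
    def _domain_allowed(domain: str, allowed: frozenset[str]) -> bool:
        # Assumption: a customer may request names equal to, or under, its registered domains.
        return any(domain == d or domain.endswith("." + d) for d in allowed)

    def request_cert(self, token: str, domain: str) -> str:
        name, allowed = self._authenticate(token)
        if not self._domain_allowed(domain, allowed):
            raise PermissionError(f"customer {name} may not request a cert for {domain}")
        challenge_token = self._ca.new_order(domain)
        record = f"_acme-challenge.{domain}"
        value = dns01_txt_value(challenge_token, self._thumbprint)
        self._dns.add_txt(record, value)     # uses the broker's DNS API key
        try:
            return self._ca.finalize(domain, self._thumbprint)
        finally:
            self._dns.delete_txt(record, value)  # always remove the challenge record
```

The domain check is the part worth keeping in any real version of this: without it, one customer's token can be used to obtain certificates for another customer's names, and the broker is then a shared DNS API key with extra steps.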