    • Feature
    • Resolution: Unresolved
    • keystone-operator
    • Security

      It should be possible to rotate passwords in the control plane and compute nodes without experiencing any downtime.

      The only way to do this is to have at least two credentials (old and new) that are valid at the same time: either using multiple users (A and B user, as is already implemented for the database-operator) or, for Keystone-authorized service users, using application credentials. Otherwise, with just one credential, we would expect disruption when 1) passwords are updated in Keystone but not elsewhere (or vice versa), or 2) passwords are updated on the control plane but not on the compute nodes, because a dataplane deployment has not yet been initiated or completed.

            Unassigned
            jjung@redhat.com JP Jung
            rhos-dfg-security