-
Story
-
Resolution: Done
OSPRH-811 - Red Hat OpenStack 18.0 Greenfield Deployment
Once openstack-operator is tasked with producing MariaDBAccount objects consumed by services, the production of these MariaDBAccount objects should be decoupled from osp-secret. Usernames and passwords should be dynamically generated to enable rotation.
For usernames, I would propose a rotatable naming scheme of the form `<service_username>_<token>`, such as `nova_api_F3A5`.
For passwords, I would propose a token generated from https://pkg.go.dev/crypto/rand.
This will get us to the point where the combination of mariadb-operator and/or openstack-operator generates random database accounts for all services. The logic will be centralized so that if and when we want to drop in some external source of u/p combinations, it would only need to happen in one place.
The logic is starting out in mariadb-operator, where each consuming operator can gradually take advantage of the new API first, in OSPRH-4095. When this is fully rolled out and we hopefully can remove all deprecated APIs from mariadb-operator, the logic can be moved up to openstack-operator.
Depends on: OSPRH-4095 implement MariaDBAccount consumption in all mariadb-enabled operators (Closed)
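A sketch of the proposed generation scheme, added here as an example and not taken from mariadb-operator or openstack-operator. The function names, the `inUse` set of existing account names, and the 4-character token length (copied from the `nova_api_F3A5` example) are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Assumption: service usernames are lowercase identifiers such as "nova_api".
var baseNameRe = regexp.MustCompile(`^[a-z][a-z0-9_]*$`)

// randomHex returns nBytes of crypto/rand output, hex-encoded (2 chars per byte).
func randomHex(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// NewAccountName builds "<service_username>_<token>" and retries until the
// name is not in inUse, so a rotation never collides with a live account.
func NewAccountName(base string, inUse map[string]bool) (string, error) {
	if !baseNameRe.MatchString(base) {
		return "", fmt.Errorf("invalid service username %q", base)
	}
	for attempt := 0; attempt < 100; attempt++ {
		tok, err := randomHex(2) // 16 bits: names the account, not a secret
		if err != nil {
			return "", err
		}
		name := base + "_" + strings.ToUpper(tok)
		if !inUse[name] {
			return name, nil
		}
	}
	return "", fmt.Errorf("no free account name for %q", base)
}

// NewPassword returns 256 bits of entropy as 64 hex characters, which need
// no escaping in SQL statements or service configuration files.
func NewPassword() (string, error) { return randomHex(32) }

func main() {
	name, _ := NewAccountName("nova_api", map[string]bool{})
	fmt.Println(name)
}
```

The username token only distinguishes account generations during rotation; all of the secrecy comes from the password.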