- Epic
- Resolution: Done
- Critical
As an operator of a modern OpenStack cloud, I expect that the cloud is secure by default.
That means secure passwords should be used by default and updated automatically on a regular basis.
I expect a production-grade OpenStack installer to automatically generate secure passwords and automate their rotation without service downtime.
Note that without adopting application credentials (https://issues.redhat.com/browse/OSP-24113) we cannot fully remove downtime, as we cannot have two active passwords for the same user. For services like MySQL and RabbitMQ this can be mitigated by generating a new user in addition to a new password and rotating both. This would require a change to how the mariadb/galera operator functions so that it does not require the username and database name to match.
If we have this capability, we can rotate the password by creating a new account and password, then updating the service config, and finally removing the old user/password.
The same can technically be done for OpenStack services in Keystone, but it would be cleaner to use application credentials instead, as we can have multiple application credentials active at the same time.
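The new-account rotation described above, written out for MariaDB as an added example (not taken from this issue or from the operator's code). The database name `nova`, the account names `nova_r1` and `nova_r2`, and the password placeholder are assumptions chosen for illustration.

```sql
-- Assumed starting state: services connect to database `nova` as 'nova_r1'.

-- 1. Create the replacement account with a freshly generated password.
--    Its name deliberately does not match the database name.
CREATE USER 'nova_r2'@'%' IDENTIFIED BY '<generated-password>';
GRANT ALL PRIVILEGES ON `nova`.* TO 'nova_r2'@'%';

-- Confirm the new account carries the same privileges as the old one
-- before any service is switched over.
SHOW GRANTS FOR 'nova_r1'@'%';
SHOW GRANTS FOR 'nova_r2'@'%';

-- 2. Outside SQL: update the service configuration to use nova_r2 and
--    roll the service pods. Both accounts are valid during this window,
--    so old and new pods can connect side by side.

-- 3. Before retiring the old account, check that nothing still uses it.
--    This should return no rows once the rollout has finished.
SELECT USER, HOST, COUNT(*) AS sessions
  FROM information_schema.PROCESSLIST
 WHERE USER = 'nova_r1'
 GROUP BY USER, HOST;

-- 4. Lock the old account first (MariaDB 10.4.2 and later). A missed
--    consumer then fails on its next connect and the lock can be undone
--    with ACCOUNT UNLOCK, which a DROP cannot.
ALTER USER 'nova_r1'@'%' ACCOUNT LOCK;

-- 5. After a soak period with no failed logins for nova_r1, remove it.
DROP USER 'nova_r1'@'%';
```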
- is related to
  - OSPRH-188 Database user name change not propagated after update/apply (Closed)
- relates to
  - OSPRH-335 As a cloud operator, I would like to improve the security of OpenStack service by using application credentials instead of usernames and passwords (Closed)