Starting with queens (aka the move to containers) we broke changing at least mysqlrootpassword and the rabbitpassword. So as soon as an operator changes them the deployment will fail with messages like:
Error: Failed to apply catalog: Execution of '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf -NBe SELECT CONCAT(User, '@',Host) AS User FROM mysql.user'
returned 1: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
First seen in: https://bugzilla.redhat.com/show_bug.cgi?id=1609022
A lot of folks have been hit by this because of https://bugs.launchpad.net/tripleo/+bug/1790580 (i.e. using the derived param workflow would trigger a bunch of password changes)
It's likely that we could solve this by adding a task in Step 1 on stack update to sync the root password with the expected one. This is likely because we have lost the dependency that the password update action (in puppet) is performed prior to the updating of /root/.my.cnf. We'll need to replicate that logic itself in THT now