Ok on second thoughts we'll go with option 2. The service passwords are stored in the leader setting so that charm should easily be able to check whether a password update is necessary. That way we'll avoid service token revocations for any service related to keystone.
Ok on second thoughts we'll go with option 2. The service passwords are stored in the leader setting so that charm should easily be able to check whether a password update is necessary. That way we'll avoid service token revocations for any service related to keystone.