IMHO better write automation as much possible to rotate passwords firsts. Then remove ability for humans to set passwords (if possible). Your automations should store it vault (for machines) or write to 1Password directly (for humans).
Thank you for this, I just used this to create a rust based cli tool to create j2 yamls. This was motivated because we want to not use ansible j2 yaml generation instead to a standalone binary for it.
Now it feel like helm but it’s j2 and outputs a directory of yamls with base and overlays in kustomization way. So they can be iverriden in gitops by sre if needed