How do I handle passwords in Kubernetes charms?

I’ve got a charm that deploys JupyterHub to Kubernetes: https://jujucharms.com/u/kubeflow-charmers/kubeflow-jupyterhub/. It supports password-based authentication, and I would like to know how to handle that. I’ve got two use cases that I’m wondering about:

The user sets the password to some pre-determined value
The charm randomly generates a password and informs the user of what it is

To clarify, the issue is that if the charm generates a password, it needs to communicate it back to the operator. The charm can’t modify the config value that the operator would use to pass a password in, and k8s charms don’t yet support actions, which was historically the way to request the generated password value. Even if actions were available, it’s always felt like quite a hack to need to do that, and both that and modifying the config value (even if it could be done) end up exposing the password on the model forevermore to anyone with read access to the model.