Add documentation for managing ECK file-based password length. (elastic#3339)

The following elastic/cloud-on-k8s#8817 is
planned to be released with the ECK 3.2/Stack 9.2 release.

(replaces elastic#3322 as it was based of the wrong branch)

---------

Signed-off-by: Michael Montgomery <[email protected]>

Author: naemono

deploy-manage/deploy/cloud-on-k8s/configure-eck.md

@@ -97,6 +97,7 @@ data:
     enable-leader-election: true
     elasticsearch-observation-interval: 10s
     ubi-only: false
+    password-length: 24
 ```
 
 Alternatively, you can edit the `elastic-operator` StatefulSet and add flags to the `args` section of the operator container — which will trigger an automatic restart of the operator pod by the StatefulSet controller.

deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md

@@ -50,7 +50,11 @@ spec:
     count: 1
 ```
 
-## Rotate auto-generated credentials [k8s-rotate-credentials]
+## ECK auto-generated credentials
+
+{{eck}} auto-generates credentials for [the `elastic` user](#k8s-default-elastic-user) and other file-based users. These credentials are stored in Kubernetes Secrets and are labeled with `eck.k8s.elastic.co/credentials=true`.
+
+### Rotate auto-generated credentials [k8s-rotate-credentials]
 
 You can force the auto-generated credentials to be regenerated with new values by deleting the appropriate Secret. For example, to change the password for the `elastic` user from the [quickstart example](/deploy-manage/deploy/cloud-on-k8s/elasticsearch-deployment-quickstart.md), use the following command:
 
@@ -62,7 +66,6 @@ kubectl delete secret quickstart-es-elastic-user
 If you are using the `elastic` user credentials in your own applications, they will fail to connect to {{es}} and {{kib}} after you run this command. It is not recommended to use `elastic` user credentials for production use cases. Always [create your own users with restricted roles](../../../deploy-manage/users-roles/cluster-or-deployment-auth/native.md) to access {{es}}.
 ::::
 
-
 To regenerate all auto-generated credentials in a namespace, run the following command:
 
 ```sh
@@ -73,6 +76,20 @@ kubectl delete secret -l eck.k8s.elastic.co/credentials=true
 This command regenerates auto-generated credentials of **all** {{stack}} applications in the namespace.
 ::::
 
+### Control the length of auto-generated passwords
+
+```{applies_to}
+  eck: ga 3.2
+```
+
+:::{note}
+The ability to control the length of passwords generated by {{eck}} requires an Enterprise license.
+:::
+
+You can control the length of auto-generated passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings.
+
+Changing these values does not update existing passwords. To rotate current credentials, refer to the [Rotate auto-generated credentials](#k8s-rotate-credentials)
+
 ## Creating custom users
 
 {{eck}} provides functionality to facilitate custom user creation through various authentication realms. You can create users using the native realm, file realm, or external authentication methods.
@@ -99,4 +116,4 @@ For more information, refer to [External authentication](/deploy-manage/users-ro
 
 ECK facilitates file-based role management through Kubernetes secrets containing the roles specification. Alternatively, you can use the Role management API or the Role management UI in {{kib}}.
 
-Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples.
+Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples.