Create cluster password change playbook (escluster) #782

@cbaxley

Part of: #737 (Eng Spec: Add clustering support for Elasticsearch)

Branch: cbaxley-737-implement-cluster

Description
As a system administrator, I want to change user passwords across all nodes in an LME cluster so that credentials stay synchronized and services continue to authenticate after a password rotation.

Acceptance criteria

  • Playbook exists at ansible/change_passwords.yml
  • Playbook accepts lme_user and lme_password as extra vars
  • Playbook validates password length (min 12 chars, NIST SP 800-63B)
  • Playbook checks password against Have I Been Pwned API (skippable with offline_mode=true)
  • Playbook validates username is a known LME user (elastic, kibana_system, wazuh, wazuh_api)
  • Playbook changes Elasticsearch user passwords via REST API (cluster-wide, single call)
  • Playbook changes Wazuh passwords via RBAC tool (for wazuh/wazuh_api users)
  • Playbook updates ansible-vault encrypted files and Podman secrets on master node
  • Playbook handles paired Wazuh secrets (changing wazuh also updates wazuh_api and vice versa)
  • Playbook distributes updated secrets to all cluster nodes via secrets_distribution role
  • Playbook restarts affected services (Kibana for ES users, Wazuh for Wazuh users)
  • Playbook verifies cluster health after password change
  • Playbook works for both single-node and multi-node deployments
  • Test script exists at testing/v2/development/test_change_passwords.sh
  • Test script validates password change, secret distribution, old password rejection, and restore

Status: ✅ Complete
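
The validation criteria above (known user, 12-character minimum, Have I Been Pwned check skippable with offline_mode), sketched as an added example; this is not the playbook's code. It assumes the check uses the Pwned Passwords range (k-anonymity) endpoint; `validate`, `breach_count`, `hibp_split` and the injected `fetch_range` callable are hypothetical names, and the range response is constructed so the block runs offline.

```python
import hashlib

KNOWN_USERS = {"elastic", "kibana_system", "wazuh", "wazuh_api"}  # list from the issue
MIN_LENGTH = 12  # minimum from the issue

def hibp_split(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """Only the prefix goes to fetch_range; the suffix is matched locally."""
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padded responses carry decoy entries with count 0
    return 0

def validate(lme_user, lme_password, fetch_range=None, offline_mode=False):
    """Return a list of validation errors; an empty list means the change may proceed."""
    errors = []
    if lme_user not in KNOWN_USERS:
        errors.append("unknown user")
    if len(lme_password) < MIN_LENGTH:
        errors.append("password too short")
    if not offline_mode:
        if fetch_range is None:
            raise ValueError("fetch_range is required unless offline_mode is set")
        if breach_count(lme_password, fetch_range) > 0:
            errors.append("password found in breach corpus")
    return errors

# Constructed sample data: a fake range response listing "password1234" as breached.
_WEAK_PREFIX, _WEAK_SUFFIX = hibp_split("password1234")

def fake_range(prefix):
    lines = ["0" * 35 + ":3", "F" * 35 + ":0"]  # constructed decoy entries
    if prefix == _WEAK_PREFIX:
        lines.append(_WEAK_SUFFIX + ":42")  # constructed count
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(validate("elastic", "password1234", fake_range))
    print(validate("root", "short", offline_mode=True))
    print(validate("wazuh", "correct-horse-battery", fake_range))
```

In a live run, `fetch_range` would perform the GET against `https://api.pwnedpasswords.com/range/<prefix>`, so neither the password nor its full hash leaves the host.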

Labels: 2.3.0; Points: 4 (Story Point, 2 days); improvement (This issue or pull request will add new or improve existing functionality)

Project status: 👀 In Review
