mysql: fix root password update for containerized mysql

Since the mysql service has been containerized, we lost the ability
to update the root password during a stack update.

When the mysql root password in hiera differs from the one currently
set in the mysql DB, connect to the DB with password from .my.cnf and
update credentials of the root user before the puppet mysql module
tries to access the database. Also update other root DB users.

Change-Id: I8fe9a640ba36288a1f9cb18563b363159d4731c0
Depends-On: I5bdbc89897a6dcd5bd57f2132e2acf99702b28ea
Closes-Bug: #1792416

manifests/profile/pacemaker/database/mysql_bundle.pp

@@ -417,10 +417,27 @@ MYSQL_HOST=localhost\n",
       }
       File['/etc/sysconfig/clustercheck'] -> Exec['galera-ready']
 
+      # If the root password is to be updated:
+      #   . hiera contains the new password
+      #   . .my.cnf still contains the current root credentials
+      # so changing the root password can only happen before
+      # .my.cnf is re-generated by puppet
+      mysql_user { 'root@localhost':
+        ensure        => present,
+        password_hash => mysql_password($mysql_root_password),
+      }
+      Mysql_user['root@localhost'] -> File['/root/.my.cnf']
+
+      # make sure to update all root users in the mysql DB
+      mysql_user { 'root@%':
+        ensure        => present,
+        password_hash => mysql_password($mysql_root_password),
+      }
+
       # We create databases and users for services at step 2 as well. This ensures
       # Galera is up and ready before those get created
       File['/root/.my.cnf'] -> Mysql_database<||>
-      File['/root/.my.cnf'] -> Mysql_user<||>
+      File['/root/.my.cnf'] -> Mysql_user<|title!='root@localhost'|>
       File['/root/.my.cnf'] -> Mysql_grant<||>
       Exec['galera-ready'] -> Mysql_database<||>
       Exec['galera-ready'] -> Mysql_user<||>