Description of problem:
Composable-HA deployments with separate DB role are currently broken (depending on the services ordering in the roles file).

When deploying a composable HA overcloud with a database role split off to separate nodes we could observe a deployment failure due to galera never starting up properly.

The reason for this was that instead of having the firewall rules for the galera bundle applied (i.e. those with the extra control-port for the bundle), we would see the firewall rules for the BM galera service. E.g. we would see the following on the host:
tripleo.mysql.firewall_rules: {
  104 mysql galera: {
    dport: [ 873, 3306, 4444, 4567, 4568, 9200 ]

Instead of the correct mysq bundle firewall rules:
tripleo.mysql.firewall_rules:
  104 mysql galera-bundle:
    dport: [ 873, 3123, 3306, 4444, 4567, 4568, 9200 ]

The reason for this is the following piece of code in https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/pacemaker/clustercheck.yaml#L62:
...
  MysqlPuppetBase:
    type: ../../../puppet/services/pacemaker/database/mysql.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Containerized service clustercheck using composable services.
    value:
      service_name: clustercheck
      config_settings: {get_attr: [MysqlPuppetBase, role_data, config_settings]}
logging_source: {get_attr: [MysqlPuppetBase, role_data, logging_source]}
...

Depending on the ordering of the clustercheck service within the role (before or after the mysql service), the above code will override the tripleo.mysql.firewall_rules with the wrong rules.