upgrades: deploy mod_ssl when upgrading apache

1) When Apache is upgraded, install mod_ssl rpm.
   See https://bugs.launchpad.net/tripleo/+bug/1682448
   to understand why we need mod_ssl.

2) All services that run Apache for API will use the snippet from
   Apache service to deploy mod_ssl, so we don't duplicate the code
   in all services. It's using the same mechanism as ovs upgrade to
   compile upgrade_tasks between both services.

Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84
Closes-Bug: #1686503

puppet/services/aodh-api.yaml

@@ -93,6 +93,12 @@ outputs:
       metadata_settings:
         get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
+        yaql:
+          expression: $.data.apache_upgrade + $.data.aodh_api_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            aodh_api_upgrade:
               - name: Stop aodh_api service (running under httpd)
                 tags: step1
                 service: name=httpd state=stopped

puppet/services/apache.yaml

@@ -112,3 +112,6 @@ outputs:
           shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
           when: httpd_enabled.rc == 0
           tags: step0,validation
+        - name: Ensure mod_ssl package is installed
+          tags: step3
+          yum: name=mod_ssl state=latest

puppet/services/barbican-api.yaml

@@ -153,6 +153,12 @@ outputs:
       metadata_settings:
         get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
+        yaql:
+          expression: $.data.apache_upgrade + $.data.barbican_api_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            barbican_api_upgrade:
               - name: Check if barbican_api is deployed
                 command: systemctl is-enabled openstack-barbican-api
                 tags: common

puppet/services/ceilometer-api.yaml

@@ -100,6 +100,12 @@ outputs:
       metadata_settings:
         get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
+        yaql:
+          expression: $.data.apache_upgrade + $.data.ceilometer_api_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            ceilometer_api_upgrade:
               - name: Stop ceilometer_api service (running under httpd)
                 tags: step1
                 service: name=httpd state=stopped

puppet/services/cinder-api.yaml

@@ -159,6 +159,12 @@ outputs:
       metadata_settings:
         get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
+        yaql:
+          expression: $.data.apache_upgrade + $.data.cinder_api_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            cinder_api_upgrade:
               - name: Check if cinder_api is deployed
                 command: systemctl is-enabled openstack-cinder-api
                 tags: common

puppet/services/gnocchi-api.yaml

@@ -133,6 +133,12 @@ outputs:
       metadata_settings:
         get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
+        yaql:
+          expression: $.data.apache_upgrade + $.data.gnocchi_api_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            gnocchi_api_upgrade:
               - name: Stop gnocchi_api service (running under httpd)
                 tags: step1
                 service: name=httpd state=stopped

puppet/services/keystone.yaml

@@ -339,10 +339,15 @@ outputs:
             horizon::keystone_multidomain_support: true
             horizon::keystone_default_domain: 'Default'
           - {}
-      # Ansible tasks to handle upgrade
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
+        yaql:
+          expression: $.data.apache_upgrade + $.data.keystone_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            keystone_upgrade:
               - name: Stop keystone service (running under httpd)
                 tags: step1
                 service: name=httpd state=stopped
-      metadata_settings:
-        get_attr: [ApacheServiceBase, role_data, metadata_settings]

puppet/services/panko-api.yaml

@@ -92,6 +92,12 @@ outputs:
       metadata_settings:
         get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
+        yaql:
+          expression: $.data.apache_upgrade + $.data.panko_api_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            panko_api_upgrade:
               - name: Check if httpd is deployed
                 command: systemctl is-enabled httpd
                 tags: common

puppet/services/releasenotes/notes/mod_ssl-e7fd4db71189242e.yaml

@@ -0,0 +1,5 @@
+---
+upgrade:
+  - When a service is deployed in WSGI with Apache, make sure mode_ssl
+    package is deployed during the upgrade process, it's now required
+    by default so Apache can start properly.

puppet/services/zaqar.yaml

@@ -105,6 +105,12 @@ outputs:
       step_config: |
         include ::tripleo::profile::base::zaqar
       upgrade_tasks:
+        yaql:
+          expression: $.data.apache_upgrade + $.data.zaqar_upgrade
+          data:
+            apache_upgrade:
+              get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
+            zaqar_upgrade:
               - name: Check if zaqar is deployed
                 command: systemctl is-enabled openstack-zaqar
                 tags: common