I suspect that the ordering of the calls to juju is significant. i.e. if the juju config keystone is done first and allowed to settle prior to the juju config openstack-service-checks then the keystone will "know" it is SSL prior to the hook from openstack-service-checks firing.
However, there would appear be a race hazard if the above is the case. Probably both code paths (config-changed and identity-credentials-changed) should be investigated so that both end up (on keystone) triggering/writing the correct information to the relation for openstack-service-checks charm to consume properly.
Please could you check to see if keystone is done first (and settles) whether the problem clears or a different issue arises?
I suspect that the ordering of the calls to juju is significant. i.e. if the juju config keystone is done first and allowed to settle prior to the juju config openstack- service- checks then the keystone will "know" it is SSL prior to the hook from openstack- service- checks firing.
However, there would appear be a race hazard if the above is the case. Probably both code paths (config-changed and identity- credentials- changed) should be investigated so that both end up (on keystone) triggering/writing the correct information to the relation for openstack- service- checks charm to consume properly.
Please could you check to see if keystone is done first (and settles) whether the problem clears or a different issue arises?