Comment 2 for bug 2064487

So a little more digging in the charm indicates that the payload needs keystone auth credentials and thus, in a TLS environment, does need a relation to vault in order to get the CA chain so that it can TLS auth the connection to a https endpoint for keystone.

What's wrong is that it shouldn't be trying to set up apache or anything like that, as it doesn't have an API to configure (i.e. it's a service that uses other services, but doesn't extend an API to other services to use; that's done in the manila charm).