Deployment fails when legacy TLS is enabled with selective SSL simultaneously

Bug #1587468 reported by Andrey Bubyr
Affects: Fuel for OpenStack
Status: Confirmed
Importance: High
Assigned to: Fuel Sustaining

Bug Description

Fuel 8.0

Environment has "Public TLS" enabled.

At the same time, Hiera contains the 'use_ssl' hash (the data container used when selective TLS is enabled), and this 'use_ssl' hash does not have entries for some endpoints. In our case 'use_ssl' contains only the Swift internal endpoint data:

$ hiera -h use_ssl

use_ssl:
  swift: true
  swift_internal: true
  swift_internal_certdata:
    content: '-----BEGIN CERTIFICATE-----\nMIIEGzCCAwOgAwIBAgIJAJdRP5P2iDYOMA0GCSqGSIb3DQEBCwUAMIGjMQswCQYD\nVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl\nMREwDwYDVQQKDAhNaXJhbnRpczEdMBsGA1UECwwUTWlyYW50aXMgRGVwbG95IFRl\nYW0xGTAXBgNVBAMMEHN3aWZ0LmZ1ZWwubG9jYWwxHjAcBgkqhkiG9w0BCQEWD3Jv\nb3RAZnVlbC5sb2NhbDAeFw0xNjAzMTUxNzEyMzZaFw0xNzAzMTUxNzEyMzZaMIGj\nMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vu\nbnl2YWxlMREwDwYDVQQKDAhNaXJhbnRpczEdMBsGA1UECwwUTWlyYW50aXMgRGVw\nbG95IFRlYW0xGTAXBgNVBAMMEHN3aWZ0LmZ1ZWwubG9jYWwxHjAcBgkqhkiG9w0B\nCQEWD3Jvb3RAZnVlbC5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAM576MXnR15/x9CGMWck4Bm3GBL4ZVsxT2p0zOyLiRYOnRck3hfqtOw9ToK+\nIsUWo0Og85r/d58LM7mVyppulNih4tnywJlUasyW04uel/TauXeiC021mXrLR419\nuWfGisPfUD2+3JAf1WrKl+WRdMKhT0/DvdY9rHp73yps7iGc4jPPQd3ZrX9lpw7d\nb5eTy5jSvMHmI4wLafkL04mzlME1o0aGB5Ehrzdj83kY4PQo2pbu+sv+nSk8wP/r\nXurukfMd/oxviEKlRjASfvF5PrhvcuJs7sB06qgncernfp+SG2H3nDJHtpUb8LpW\nvCLUiV4icTKQRaYjIM4baupRakUCAwEAAaNQME4wHQYDVR0OBBYEFJCXmSHAB1yl\n5HqCo7ASzPjGjj6GMB8GA1UdIwQYMBaAFJCXmSHAB1yl5HqCo7ASzPjGjj6GMAwG\nA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACuxLr/MxA+vcdIjXB7SHDcl\n6/v0IyFd6efAOWZorNgQyN1tfKrZgUQlTt0her3RMm73LX/cNTaOL1vm4BlH5yzW\nZyIRwt8W9vrytAdM1NN6eUKkWCtXyHQUFoB6bdR3qHe/2j/6RZNjcRJs5Me5h2Qy\ntX72qPaJtGVNiqhdz+ZVofMdev8H4j8V/AYonVHYZh/nGYPkUQYq88cKRSmcoMxU\nw7OsVkKKc/9X22BaongT/636mQZ/5I0RZkPrMD2CQN85t4TT3bqQUdKdVpiqxu3I\nwZhMmqVgwBdm4kK8Py44wK38xDS/Eh4fWYuQsDXRaOufDmZN+D6jebXmO3/AavI=\n-----END CERTIFICATE-----\n'
    name: swiftstack.pem
  swift_internal_hostname: swift.fuel.local
  swift_internal_ip: 192.168.1.100

At the same time:

$ hiera -h public_ssl

{"hostname"=>"public.fuel.local",
 "horizon"=>false,
 "services"=>false,
 "cert_data"=>"",
 "cert_source"=>"self_signed",
 "metadata"=>{"group"=>"security", "weight"=>110, "label"=>"Public TLS"}}

Most of the Fuel Library code falls back to the 'public_ssl' hash when it tries to determine the public address for a service, if the 'use_ssl' hash does not contain that address/hostname.

For example:

osnailyfacter/modular/keystone/keystone.pp:
$public_ssl_hash = hiera('public_ssl')
$ssl_hash = hiera_hash('use_ssl', {})
...
$public_address = get_ssl_property($ssl_hash, $public_ssl_hash, 'keystone', 'public', 'hostname', [$public_vip])

So in the case described above, $ssl_hash does not contain any 'keystone_public' entries, so the keystone.pp manifest will get the hostname from $public_ssl_hash, i.e. it will try to use 'public.fuel.local' for the Keystone public endpoint.

But the 'ssl_dns_setup' task, which should add these hostnames to /etc/hosts on OpenStack nodes, has the following code:

osnailyfacter/modular/ssl/ssl_dns_setup.pp:

if !empty($ssl_hash) {
  # Entries are written only for services that have data in 'use_ssl'.
  hosts { $services:
    ssl_hash => $ssl_hash,
  }
} elsif !empty($public_ssl_hash) {
  # The 'public_ssl' hostname is written only when 'use_ssl' is completely empty.
  host { $public_ssl_hash['hostname']:
    ensure => present,
    ip     => $public_vip,
  }
}

So when the 'use_ssl' hash in Hiera is not empty (and it is not in our case), the use_ssl data will be used as the hostname source for Keystone and other services. But there is no Keystone hostname there, and the Puppet code expects that the hostname 'public.fuel.local' from the 'public_ssl' Hiera hash should be used.

So in fact 'public.fuel.local' will never be added to /etc/hosts if the selective TLS hash 'use_ssl' is not empty. This causes the expected deployment failures, like this:

ERROR: Unable to establish connection to https://public.fuel.local:5000/v2.0/tokens

Please synchronize the two approaches with each other.

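The following Python model is an added illustration of the mismatch described in the report; it is not Fuel's own code. It mimics the two code paths the report quotes: a simplified get_ssl_property() that prefers a '<service>_<type>' entry in 'use_ssl' and otherwise falls back to the 'public_ssl' hostname, and two versions of the ssl_dns_setup logic, the current one (public_ssl hostname written only when use_ssl is empty) and a synchronized one that writes an /etc/hosts entry for every hostname the service manifests will actually resolve. The sample hashes are reduced from the Hiera output in the report (certificate data omitted); the public VIP value and the service list are assumptions.

```python
"""Model of the two Fuel hostname-resolution paths described in the report.

Simplified illustration, not Fuel's code: it reproduces only the behaviour
the report describes, so that the inconsistency can be checked mechanically.
"""

# Constructed sample data, reduced from the Hiera output quoted in the report.
USE_SSL = {
    "swift": True,
    "swift_internal": True,
    "swift_internal_hostname": "swift.fuel.local",
    "swift_internal_ip": "192.168.1.100",
}

PUBLIC_SSL = {
    "hostname": "public.fuel.local",
    "horizon": False,
    "services": False,
    "cert_data": "",
    "cert_source": "self_signed",
}

PUBLIC_VIP = "10.0.0.10"  # assumed public VIP, not taken from the report

# Assumed set of services whose manifests resolve a public hostname the way
# keystone.pp does.
SERVICES = ["keystone", "swift", "glance", "nova"]


def get_ssl_property(ssl_hash, public_ssl_hash, service, endpoint_type, prop, default):
    """Simplified model of get_ssl_property(): use the selective 'use_ssl'
    entry '<service>_<type>_<prop>' when the service and endpoint are enabled
    there, otherwise fall back to 'public_ssl' for public hostnames, otherwise
    return the default."""
    key = f"{service}_{endpoint_type}"
    if ssl_hash.get(service) and ssl_hash.get(key):
        return ssl_hash.get(f"{key}_{prop}", default)
    if endpoint_type == "public" and public_ssl_hash and prop == "hostname":
        return public_ssl_hash.get("hostname", default)
    return default


def hosts_entries_current(ssl_hash, public_ssl_hash, public_vip):
    """Model of the quoted ssl_dns_setup.pp: hostnames from 'use_ssl' if that
    hash is non-empty; the 'public_ssl' hostname only in the elsif branch."""
    entries = {}
    if ssl_hash:
        for key, value in ssl_hash.items():
            if key.endswith("_hostname"):
                prefix = key[: -len("_hostname")]
                entries[value] = ssl_hash.get(f"{prefix}_ip", public_vip)
    elif public_ssl_hash:
        entries[public_ssl_hash["hostname"]] = public_vip
    return entries


def resolved_public_hostnames(ssl_hash, public_ssl_hash, services):
    """Hostname each service manifest will use for its public endpoint."""
    return {
        s: get_ssl_property(ssl_hash, public_ssl_hash, s, "public", "hostname", None)
        for s in services
    }


def hosts_entries_synchronized(ssl_hash, public_ssl_hash, public_vip, services):
    """Proposed synchronized behaviour: keep the 'use_ssl' entries and add an
    entry for every public hostname the manifests resolve via the fallback."""
    entries = hosts_entries_current(ssl_hash, {}, public_vip)
    for service, hostname in resolved_public_hostnames(ssl_hash, public_ssl_hash, services).items():
        if hostname and hostname not in entries:
            entries[hostname] = get_ssl_property(
                ssl_hash, public_ssl_hash, service, "public", "ip", public_vip)
    return entries


def missing_hosts_entries(entries, resolved):
    """Hostnames the manifests will connect to that never reach /etc/hosts."""
    return sorted({h for h in resolved.values() if h and h not in entries})


if __name__ == "__main__":
    resolved = resolved_public_hostnames(USE_SSL, PUBLIC_SSL, SERVICES)
    current = hosts_entries_current(USE_SSL, PUBLIC_SSL, PUBLIC_VIP)
    print("manifests resolve:", resolved)
    print("current /etc/hosts entries:", current)
    print("unresolvable with current task:", missing_hosts_entries(current, resolved))
    fixed = hosts_entries_synchronized(USE_SSL, PUBLIC_SSL, PUBLIC_VIP, SERVICES)
    print("unresolvable with synchronized task:", missing_hosts_entries(fixed, resolved))
```

With the report's data, the current model writes only swift.fuel.local and reports public.fuel.local as unresolvable, which is the hostname in the quoted connection error; the synchronized variant writes both entries. The same check can be run against any pair of 'use_ssl' and 'public_ssl' hashes before deployment to catch this class of mismatch early.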
Ilya Kutukov (ikutukov)
Changed in fuel:
assignee: nobody → MOS Maintenance (mos-maintenance)
milestone: none → 8.0-updates
importance: Undecided → High
status: New → Confirmed
tags: added: area-mos
Changed in fuel:
assignee: MOS Maintenance (mos-maintenance) → Fuel Sustaining (fuel-sustaining-team)
tags: added: area-library