STATUS: DRAFT for operator submission (Launchpad: charm-openstack-dashboard). Prepared 2026-07-05 from the ops-update-20260705 RCA (repo changelog addendum 15, D-072). ASCII-only. No site secrets: addresses below are RFC1918 lab values.
Multi-space deployment: haproxy https backend rendered on cluster-binding address, which never receives an apache SSL vhost; L4 health check masks the dead TLS path
charm-openstack-dashboard 2024.1/stable (observed rev 728 and rev 750; render logic identical across both -- charmhelpers get_network_addresses + haproxy context). Reactive charm generation; juju 3.6.
Charmed OpenStack Caracal (jammy), MAAS spaces deployment. Application bindings: default ('') = space A (admin), cluster = space B (internal), public = space C (provider). hacluster VIPs on all three planes. vault:certificates TLS.
Either the SSL vhost set includes every address the charm itself renders as an HTTPS backend target, or the https backend uses an address from the vhost set (default-binding address), or the health check is HTTPS-aware so the breakage is at least visible.
Bind cluster to the same space as the application default binding. Verified: backends re-render onto a vhost-served address and VIP https serves immediately.
charm rev 728 vs 750 full diff (no vhost-logic change); charmhelpers get_network_addresses trail log (LP:1952414 style) showing identical tuple sets across 2800+ renders since deploy; apache2ctl -S vhost list vs haproxy.cfg backend; plaintext-200-on-ssl-port probe; post-rebind verification.