I found out that setting kolla_external_vip_address = kolla_internal_vip_address sets haproxy_enable_external_vip to "no" which disables the creation of external listeners in HAproxy. This means tls_bind_info in haproxy.cfg is never used, so we don't get any SSL termination. This essentially disables SSL all together.
Horizons local_settings file states
{% if kolla_enable_tls_external | bool %}
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
{% endif %}
The kolla_enable_tls_external is completely independent of the kolla_external_vip_address or kolla_internal_vip_address variable. As a result, when disabling SSL by setting internal and external VIP to the same value, Horizon is still configured for HTTPS. Connecting to Port 80 works, but we are redirected to "https://" which fails.
This is "working" (or breaking) as designed, perhaps it needs to be documented better?
Or, is the ask for Kolla to fail to deploy with this configuration?
TLS is not supported on the internal network, so the case where the all API requests with TLS go to the internal VIP is not a valid configuration.
A wish list item should be to add TLS support to the internal network.