OpenID Connect certifiate file is optional

oneswig · markgoddard · commit 905df8b6c4c7 · 2022-01-12T09:26:30.000Z
Some ID provider configurations do not require a certificate file. Change the logic to allow this, and update documentation accordingly. Change-Id: I2c34a6b5894402bbebeb3fb96768789bc3c7fe84 (cherry picked from commit 78f29fd)
diff --git a/ansible/roles/keystone/tasks/config-federation-oidc.yml b/ansible/roles/keystone/tasks/config-federation-oidc.yml
@@ -52,6 +52,7 @@
   with_items: "{{ keystone_identity_providers }}"
   when:
     - item.protocol == 'openid'
+    - item.certificate_file is defined
     - inventory_hostname in groups[keystone.group]
 
 - name: Copying OpenStack Identity Providers attribute mappings
diff --git a/doc/source/reference/shared-services/keystone-guide.rst b/doc/source/reference/shared-services/keystone-guide.rst
@@ -247,8 +247,8 @@ Identity provider's endpoint:
 certificate_file
 ****************
 
-Path to the Identity Provider certificate file, the file must be named as
-'certificate-key-id.pem'. E.g.
+Optional path to the Identity Provider certificate file.  If included,
+the file must be named as 'certificate-key-id.pem'. E.g.:
 
 .. code-block::
 
