OpenID Connect certifiate file is optional

Some ID provider configurations do not require a certificate file. Change the logic to allow this, and update documentation accordingly. Change-Id: I2c34a6b5894402bbebeb3fb96768789bc3c7fe84
2022-01-09 21:55:34 +00:00 · 2022-01-09 21:55:34 +00:00 · 78f29fdc5d
commit 78f29fdc5d
parent dc5eaa4ec7
2 changed files with 3 additions and 2 deletions
--- a/ansible/roles/keystone/tasks/config-federation-oidc.yml
+++ b/ansible/roles/keystone/tasks/config-federation-oidc.yml
@ -52,6 +52,7 @@
  with_items: "{{ keystone_identity_providers }}"
  when:
    - item.protocol == 'openid'
+    - item.certificate_file is defined
    - inventory_hostname in groups[keystone.group]

 - name: Copying OpenStack Identity Providers attribute mappings
--- a/doc/source/reference/shared-services/keystone-guide.rst
+++ b/doc/source/reference/shared-services/keystone-guide.rst
@ -247,8 +247,8 @@ Identity provider's endpoint:
 certificate_file
 ****************

-Path to the Identity Provider certificate file, the file must be named as
-'certificate-key-id.pem'. E.g.
+Optional path to the Identity Provider certificate file.  If included,
+the file must be named as 'certificate-key-id.pem'. E.g.:

 .. code-block::