From 78f29fdc5deecdf00e86930ca7737b3e67fc9eed Mon Sep 17 00:00:00 2001
From: Stig Telfer <stig@stackhpc.com>
Date: Sun, 9 Jan 2022 21:55:34 +0000
Subject: [PATCH] OpenID Connect certificate file is optional

Some ID provider configurations do not require a certificate file.
Change the logic to allow this, and update documentation accordingly.

Change-Id: I2c34a6b5894402bbebeb3fb96768789bc3c7fe84
---
 ansible/roles/keystone/tasks/config-federation-oidc.yml | 1 +
 doc/source/reference/shared-services/keystone-guide.rst | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ansible/roles/keystone/tasks/config-federation-oidc.yml b/ansible/roles/keystone/tasks/config-federation-oidc.yml
index 4171283273..81384931d0 100644
--- a/ansible/roles/keystone/tasks/config-federation-oidc.yml
+++ b/ansible/roles/keystone/tasks/config-federation-oidc.yml
@@ -52,6 +52,7 @@
   with_items: "{{ keystone_identity_providers }}"
   when:
     - item.protocol == 'openid'
+    - item.certificate_file is defined
     - inventory_hostname in groups[keystone.group]
 
 - name: Copying OpenStack Identity Providers attribute mappings
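Review bot: The added `item.certificate_file is defined` condition still lets the copy task run when the key is present but blank or `null` (a `certificate_file:` line left empty in a vars file satisfies `is defined`), and the task would then fail on an empty `src`; a truthiness check such as `- item.certificate_file | default('') | length > 0` covers both the absent and the blank case. The task's name and module arguments begin above the hunk, so I cannot see what consumes the copied file, but anything else in the role that references `item.certificate_file` (for example an Apache/mod_auth_openidc template) needs the same guard or it will fail to render for providers that omit it. Because this file appears to be the pinned certificate used to verify the provider's tokens, the task deserves a comment stating the security consequence of omitting it, e.g. `# Optional: providers that publish signing keys via their discovery/JWKS endpoint need no pinned cert; token verification then depends on TLS to the IdP.`, and the guide should say the same.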
diff --git a/doc/source/reference/shared-services/keystone-guide.rst b/doc/source/reference/shared-services/keystone-guide.rst
index 126e53c3d9..e5b9b286ce 100644
--- a/doc/source/reference/shared-services/keystone-guide.rst
+++ b/doc/source/reference/shared-services/keystone-guide.rst
@@ -247,8 +247,8 @@ Identity provider's endpoint:
 certificate_file
 ****************
 
-Path to the Identity Provider certificate file, the file must be named as
-'certificate-key-id.pem'. E.g.
+Optional path to the Identity Provider certificate file.  If included,
+the file must be named as 'certificate-key-id.pem'. E.g.:
 
 .. code-block::