This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

SSO Identity provider for openshift not configured properly when you do not set eval_self_signed_certs=true #1028

Open
rafaeltuelho opened this issue Sep 24, 2019 · 0 comments

rafaeltuelho commented Sep 24, 2019

Description

The default value for the var eval_self_signed_certs is false. It causes the SSO provisioning to not set the ca: ca.crt property when it adds the OpenID Connect IdentityProvider in the /etc/origin/master/master-config.yaml file.

Look at roles/rhsso/tasks/indetityprovider.yml:

- set_fact:
    rhsso_identity_provider_ca_cert_path: ""
  when: not (eval_self_signed_certs | bool)

Expected Behavior

Authentication through SSO to be working.

Actual Behavior

The following authentication error appears on Master API logs:

E0924 12:22:51.686524       1 errorpage.go:26] AuthenticationError: Post https://sso-integr8tly-sso.apps.tjpe-fef2.open.redhat.com/auth/realms/openshift/protocol/openid-connect/token: x509: certificate signed by unknown authority

Environment

  • Operating system: RHEL 7.6
  • OpenShift version: 3.11.104

    oc v3.11.104
    kubernetes v1.11.0+d4cacc0
    features: Basic-Auth GSSAPI Kerberos SPNEGO

    Server
    openshift v3.11.104
    kubernetes v1.11.0+d4cacc0

  • Ansible version:

    ansible 2.6.18
      config file = /root/integr8tly/installation/ansible.cfg
      configured module search path = [u'/root/integr8tly/installation/library']
      ansible python module location = /usr/lib/python2.7/site-packages/ansible
      executable location = /bin/ansible
      python version = 2.7.5 (default, Jun 11 2019, 12:19:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

  • Project Version/Tag: release-1.5.0

Steps to reproduce

  1. Run the install playbook with the eval_self_signed_certs default value, which is false.
  2. After installation is completed, try to authenticate through SSO using some of the provided integr8tly users.
  3. You should see an authentication error in the master API logs like this:

E0924 12:22:51.686524       1 errorpage.go:26] AuthenticationError: Post https://sso-integr8tly-sso.apps.tjpe-fef2.open.redhat.com/auth/realms/openshift/protocol/openid-connect/token: x509: certificate signed by unknown authority
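
For reference, the difference the issue describes in the rendered master configuration, as an added example that is not part of the original issue or of the project's playbooks: the first document is an OpenID provider stanza without the ca property, the second is the same stanza with it. The provider name, client ID and secret, claims, the sso.example.test host and the authorize path are constructed placeholders; ca: ca.crt, the token path and the file location come from the issue.

```yaml
# Constructed excerpts of /etc/origin/master/master-config.yaml (OpenShift 3.11).
# Provider name, client ID/secret, claims and hostname are placeholders.
#
# Document 1: as rendered when eval_self_signed_certs is false (no `ca` key).
# With `ca` unset the master validates the SSO endpoint against the system
# trusted roots only, so a certificate issued by a private or self-signed CA
# fails with "x509: certificate signed by unknown authority".
oauthConfig:
  identityProviders:
  - name: rh_sso
    challenge: false
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: openshift-client
      clientSecret: REPLACE_ME
      claims:
        id: [sub]
        preferredUsername: [preferred_username]
      urls:
        authorize: https://sso.example.test/auth/realms/openshift/protocol/openid-connect/auth
        token: https://sso.example.test/auth/realms/openshift/protocol/openid-connect/token
---
# Document 2: the same provider with the CA bundle set. Certificate
# validation stays enabled; the master is only told which CA to trust
# when it calls the token endpoint.
oauthConfig:
  identityProviders:
  - name: rh_sso
    challenge: false
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: openshift-client
      clientSecret: REPLACE_ME
      ca: ca.crt   # the property the issue reports as missing
      claims:
        id: [sub]
        preferredUsername: [preferred_username]
      urls:
        authorize: https://sso.example.test/auth/realms/openshift/protocol/openid-connect/auth
        token: https://sso.example.test/auth/realms/openshift/protocol/openid-connect/token
```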