cannot start a kubernetes cluster with openstack_ca_file and SSL keystone

Bug #1828383 reported by Frederic Schaer
Affects: Magnum | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hi,

Using openstack rocky (CentOS7) and fedora-atomic 2019-04-29.

I have enabled SSL on keystone and some openstack endpoints.
Using a non-standard CA, one that I don't control either, which is a member of the IGTF.

That CA is a sub-CA of another one:
ROOT CA -> Service CA
(and I have other CAs I'd like to include, but see below)

My keystone endpoint (and others) has a certificate issued from the "Service CA".

In order for authentication to work, I have to create a CA bundle which contains at least the root CA and its sub-CA certs, in PEM format.

The file is then 5838 octets big and is assigned to the openstack magnum configuration parameter "openstack_ca_file".

=> trying to create a kubernetes cluster using magnum then stalls because the user_data is too big. Looks like this is because the user_data is limited to 64K, and including the CA bundle inside is blowing the thing up.

heat-engine reports in its logs:
Invalid input for field/attribute user_data. Value: Q29udGVudC1UeXBlOiBtd... 64K+ chars...9LS0=' is too long (HTTP 400)

=> removing the openstack_ca_file param and setting verify_ca=false in magnum: fails too, because THEN, inside the kube master, a heat-container-agent daemon is started. And that one fails while connecting to the HTTPS/SSL Keystone endpoint because... it doesn't know my CA.

Error then is:

Authorization failed: SSL exception connecting to https://xxxyyyzzz:5000/v3/auth/tokens: (...) (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)

This then makes it impossible to start a kubernetes cluster on my openstack installation.
My next try will be to modify the fedora-atomic image in order to include the CA bundle myself :'(

Best regards

affects: openstack-manuals → magnum
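A check a practitioner can run before pointing `openstack_ca_file` at a bundle, added here as an example and not part of the bug report or of Magnum: it keeps only the PEM certificate blocks (dropping the `openssl x509 -text` dumps that many bundles carry), confirms each block decodes to a DER SEQUENCE, and estimates the bytes the bundle will cost inside the base64-encoded user_data that Heat caps at 64K. The sample bundle and its two DER-shaped blobs are constructed, not real certificates; the 4/3 inflation assumes the whole user_data is base64-encoded, as the `Q29udGVudC1UeXBl...` prefix in the quoted Heat error suggests.

```python
import base64
import re

# Heat rejected the user_data as "too long"; the report puts the limit at 64K.
USER_DATA_LIMIT = 64 * 1024

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def _wrap_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def minimal_bundle(bundle_text: str) -> tuple[str, int]:
    """Return (cleaned bundle, certificate count), keeping only PEM blocks.

    Human-readable text between blocks is dead weight for the TLS verifier
    but still counts against the user_data size limit.
    """
    blocks = []
    for body in PEM_BLOCK.findall(bundle_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        blocks.append(_wrap_pem(der))
    return "".join(blocks), len(blocks)


def user_data_cost(bundle_pem: str) -> int:
    """Bytes the bundle occupies once base64-encoded into user_data (4/3 growth)."""
    return len(base64.b64encode(bundle_pem.encode()))


def fits_user_data(bundle_pem: str, other_bytes: int = 0) -> bool:
    """True if the bundle plus the rest of the encoded user_data stays under the cap."""
    return user_data_cost(bundle_pem) + other_bytes <= USER_DATA_LIMIT


# Constructed sample: two DER-shaped blobs (SEQUENCE tag, not real certificates)
# preceded by the kind of text dump a `-text` export leaves in the file.
def _fake_cert(seed: int) -> str:
    der = bytes([0x30, 0x82, 0x00, 0x40]) + bytes((seed * 7 + i) % 256 for i in range(64))
    return _wrap_pem(der)


SAMPLE_BUNDLE = (
    "Certificate:\n    Data:\n        Issuer: CN=ROOT CA (constructed)\n" + _fake_cert(1)
    + "Certificate:\n    Data:\n        Issuer: CN=Service CA (constructed)\n" + _fake_cert(2)
)
```

Running `minimal_bundle` on the real bundle and comparing `user_data_cost` before and after shows how much of the 64K budget the CA chain alone consumes.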