horizon image upload failing (multiple issues)

Bug #1971179 reported by Alexander Binzxxxxxx
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack-Ansible | Fix Released | High | Unassigned |

Bug Description

Using xena with haproxy.
Image upload via horizon fails due to multiple issues:
1) horizon upload mode direct (default with the playbook):
* CSP headers do not allow upload (only allowing from local/over haproxy) by default
* something with CORS is also wrong
2) horizon upload mode legacy:
* fails with the issue here: https://bugs.launchpad.net/glance/+bug/1916482
A simple workaround for legacy mode is haproxy "mode tcp" for glance.

If you try fixing HTTP proxy mode, also have a look here for a buffer size issue: https://github.com/haproxy/haproxy/issues/1597

Also note that CSP headers should include a hostname/FQDN and not just an IP.

tags: added: glance haproxy horizon
description: updated
Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → High
Dmitriy Rabotyagov (noonedeadpunk) wrote :

For legacy mode and https://bugs.launchpad.net/glance/+bug/1916482 - disabling uwsgi for glance should work nicely. For that you can simply set `glance_use_uwsgi: false` in user_variables.

In the tests we did, we spotted an issue with python-glanceclient, which does not handle chunking. The issue doesn't exist with openstacksdk/python-openstackclient. They have quite different implementations and ways of uploading images. I can imagine that glanceclient is just missing a chunking implementation, which causes the issue.

Regarding CSP/CORS, I guess there are valid points for fixing that. Eventually we suppose that, outside of AIO, external_lb_vip_address is set as an FQDN if you intend to access the cluster through a domain name and not an IP address. Then CORS would be set correctly, and all public endpoints would be created with the same FQDN in them. Otherwise clients would still access endpoints by IP and not by domain.

Alexander Binzxxxxxx (devil000000) wrote:

Due to a comment in https://bugs.launchpad.net/openstack-ansible/+bug/1971175 I retested this with external_lb_vip_address set to the FQDN instead of the IP. This set the CSP header mostly correctly for default settings (direct mode upload), and it also still suffers from https://github.com/haproxy/haproxy/issues/1597

My current workaround for both is:
haproxy_horizon_csp: http-response set-header Content-Security-Policy "default-src 'self' {{ external_lb_vip_address }}:*; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"

Note that this does not solve the volume-to-image upload issue, related to https://bugs.launchpad.net/glance/+bug/1916482. This is likely the glanceclient bug you mentioned.
I did not retest legacy mode.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/openstack-ansible/+/842111

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/842111
Committed: https://opendev.org/openstack/openstack-ansible/commit/0feafaf1be73e1eb96f001e56cb6db83defb02aa
Submitter: "Zuul (22348)"
Branch: master

commit 0feafaf1be73e1eb96f001e56cb6db83defb02aa
Author: Andrew Bonney <email address hidden>
Date: Tue May 17 14:42:56 2022 +0100

    haproxy: fix csp for glance image uploads via horizon

    Connections to port 9292 by Horizon were blocked by content
    security policy. This patch permits connections to API services
    running on the same host as Horizon.

    Change-Id: I17d3f079ddbd4f0150c4b01f822818db52083d21
    Related-Bug: #1971179
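
Added example, not code from openstack-ansible or from anyone in this thread: a simplified CSP source matcher showing why `'self'` alone blocks Horizon's direct-mode upload to port 9292 (the port is part of the origin), what the `{{ external_lb_vip_address }}:*` workaround above opens up, and why a page loaded by IP does not match a policy written for the FQDN. The policies, `cloud.example.com`, the port 8776 target and `203.0.113.10` are constructed samples; `NARROW` is a hypothetical tighter policy, not the merged fix. HTTP-to-HTTPS upgrade matching, paths and IPv6 literals are ignored.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # per CSP, the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]

def source_matches(source, page, target):
    t_scheme, t_host, t_port = target
    if source == "'self'":
        return page == target            # scheme, host AND port must be equal
    if source.startswith("'"):
        return False                     # 'none', 'unsafe-inline', ... match no URL
    if source == "*":
        return True
    if source.endswith(":"):
        return source[:-1] == t_scheme   # scheme-source such as "https:"
    scheme, _, rest = source.rpartition("://")
    if (scheme or page[0]) != t_scheme:  # scheme-less sources use the page's scheme
        return False
    host, _, port = rest.split("/", 1)[0].lower().partition(":")
    host_ok = t_host.endswith(host[1:]) if host.startswith("*.") else host == t_host
    if port == "*":
        return host_ok                   # any port on that host
    return host_ok and t_port == (int(port) if port else DEFAULT_PORTS[t_scheme])

def connect_allowed(policy, page_url, target_url):
    """Would a fetch/XHR from page_url to target_url pass this policy?"""
    directives = parse_csp(policy)
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True                      # no governing directive: not restricted
    return any(source_matches(s, origin(page_url), origin(target_url)) for s in sources)

# Constructed sample values; cloud.example.com stands in for external_lb_vip_address.
STRICT = "default-src 'self'; frame-ancestors 'none'; form-action 'self'"
WORKAROUND = ("default-src 'self' cloud.example.com:*; frame-ancestors 'none'; "
              "form-action 'self'; upgrade-insecure-requests")
NARROW = "default-src 'self'; connect-src 'self' cloud.example.com:9292"
PAGE = "https://cloud.example.com/"
GLANCE = "https://cloud.example.com:9292/v2/images/IMAGE_ID/file"
```

Calling `connect_allowed(policy, PAGE, GLANCE)` with each of the three policies shows the difference; the `:*` form also admits every other port on the VIP, which is the trade-off to weigh against listing the API port explicitly.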

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (stable/xena)

Related fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/openstack-ansible/+/842914

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/842914
Committed: https://opendev.org/openstack/openstack-ansible/commit/f67ed4e49aaa9419eaaa7dbc06d4042af92e3b6d
Submitter: "Zuul (22348)"
Branch: stable/xena

commit f67ed4e49aaa9419eaaa7dbc06d4042af92e3b6d
Author: Andrew Bonney <email address hidden>
Date: Tue May 17 14:42:56 2022 +0100

    haproxy: fix csp for glance image uploads via horizon

    Connections to port 9292 by Horizon were blocked by content
    security policy. This patch permits connections to API services
    running on the same host as Horizon.

    Change-Id: I17d3f079ddbd4f0150c4b01f822818db52083d21
    Related-Bug: #1971179

tags: added: in-stable-xena
Changed in openstack-ansible:
status: Confirmed → Fix Released