Enable HSTS on OCP route

This change adds the required annotation to the OCP route to enable HSTS headers as per: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/configuring-routes\#nw-enabling-hsts_route-configuration Signed-off-by: Brendan Shephard <[email protected]>
bshephar · May 30, 2024 · 76f346b · 76f346b
1 parent 63e2b64
commit 76f346b
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/pkg/openstack/horizon.go b/pkg/openstack/horizon.go
@@ -22,6 +22,15 @@ import (
 
 // ReconcileHorizon -
 func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper) (ctrl.Result, error) {
+	const (
+		HorizonHSTSHeaderAnnotation      string = "haproxy.router.openshift.io/hsts_header"
+		HorizonHSTSHeaderAnnotationValue string = "max-age=31536000;includeSubDomains;preload"
+	)
+
+	var HSTSAnnotation map[string]string = map[string]string{
+		HorizonHSTSHeaderAnnotation: HorizonHSTSHeaderAnnotationValue,
+	}
+
 	horizon := &horizonv1.Horizon{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "horizon",
@@ -73,6 +82,9 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 		return ctrl.Result{}, err
 	}
 
+	// Set HSTS Headers for Horizon Route
+	instance.Spec.Horizon.APIOverride.Route.Annotations = HSTSAnnotation
+
 	// make sure to get to EndpointConfig when all service got created
 	if len(svcs.Items) == 1 {
 		endpointDetails, ctrlResult, err := EnsureEndpointConfig(
@@ -117,7 +129,6 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 		}
 		return nil
 	})
-
 	if err != nil {
 		instance.Status.Conditions.Set(condition.FalseCondition(
 			corev1beta1.OpenStackControlPlaneHorizonReadyCondition,