Enable HSTS on OCP route
This change adds the required annotation to the OCP route to enable HSTS
headers as per:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/configuring-routes\#nw-enabling-hsts_route-configuration

Signed-off-by: Brendan Shephard <[email protected]>
bshephar committed May 30, 2024
1 parent 63e2b64 commit 1ded290
Showing 1 changed file with 14 additions and 2 deletions.
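--- a/pkg/openstack/horizon.go
+++ b/pkg/openstack/horizon.go
@@ -22,6 +22,11 @@ import (
 
 // ReconcileHorizon -
 func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper) (ctrl.Result, error) {
+const (
+HorizonHSTSHeaderAnnotation string = "haproxy.router.openshift.io/hsts_header"
+HorizonHSTSHeaderAnnotationValue string = "max-age=31536000;includeSubDomains;preload"
+)
+
 horizon := &horizonv1.Horizon{
 ObjectMeta: metav1.ObjectMeta{
 Name: "horizon",
@@ -73,6 +78,14 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 return ctrl.Result{}, err
 }
 
+// Set HSTS Headers for Horizon Route
+//
+apiOverrides := instance.Spec.Horizon.APIOverride
+
+if _, ok := apiOverrides.Route.Annotations[HorizonHSTSHeaderAnnotation]; !ok {
+apiOverrides.Route.Annotations[HorizonHSTSHeaderAnnotation] = HorizonHSTSHeaderAnnotationValue
+}
+
 // make sure to get to EndpointConfig when all service got created
 if len(svcs.Items) == 1 {
 endpointDetails, ctrlResult, err := EnsureEndpointConfig(
@@ -82,7 +95,7 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 horizon,
 svcs,
 serviceOverrides,
-instance.Spec.Horizon.APIOverride,
+apiOverrides,
 corev1beta1.OpenStackControlPlaneExposeHorizonReadyCondition,
 false, // TODO (mschuppert) could be removed when all integrated service support TLS
 tls.API{
@@ -117,7 +130,6 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 }
 return nil
 })
-
 if err != nil {
 instance.Status.Conditions.Set(condition.FalseCondition(
 corev1beta1.OpenStackControlPlaneHorizonReadyCondition,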
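Review bot: The write `apiOverrides.Route.Annotations[HorizonHSTSHeaderAnnotation] = HorizonHSTSHeaderAnnotationValue` in the second hunk has no nil guard, and assigning into a nil map panics in Go; the field types are not visible on this page, but if `Annotations` (or `Route`, should it be a pointer) is unset when no route override is supplied, the reconcile would crash on that line. A guard placed before the lookup, such as `if apiOverrides.Route.Annotations == nil { apiOverrides.Route.Annotations = map[string]string{} }`, would cover the map case. `apiOverrides` is a copy of the struct, but a map inside it is still shared, so the default is also written into `instance.Spec.Horizon.APIOverride`; copying the annotations into a fresh map before adding the default would leave the user's spec untouched. The two-line comment above the block could also record that a user-supplied annotation takes precedence and that `includeSubDomains;preload` extends the policy beyond the Horizon host itself, which is a broad default for an operator to apply. ReconcileHorizon's body continues outside the visible hunks.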
