From 1ded2906cc7f981e4e938b8528b8c9a534c290e3 Mon Sep 17 00:00:00 2001
From: Brendan Shephard <bshephar@redhat.com>
Date: Thu, 30 May 2024 14:56:31 +1000
Subject: [PATCH] Enable HSTS on OCP route

This change adds the required annotation to the OCP route to enable HSTS
headers as per:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/configuring-routes\#nw-enabling-hsts_route-configuration

Signed-off-by: Brendan Shephard <bshephar@redhat.com>
---
 pkg/openstack/horizon.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/pkg/openstack/horizon.go b/pkg/openstack/horizon.go
index f450bca21..e6e072220 100644
--- a/pkg/openstack/horizon.go
+++ b/pkg/openstack/horizon.go
@@ -22,6 +22,11 @@ import (
 
 // ReconcileHorizon -
 func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper) (ctrl.Result, error) {
+	const (
+		HorizonHSTSHeaderAnnotation      string = "haproxy.router.openshift.io/hsts_header"
+		HorizonHSTSHeaderAnnotationValue string = "max-age=31536000;includeSubDomains;preload"
+	)
+
 	horizon := &horizonv1.Horizon{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "horizon",
@@ -73,6 +78,14 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 		return ctrl.Result{}, err
 	}
 
+	// Set HSTS Headers for Horizon Route
+	//
+	apiOverrides := instance.Spec.Horizon.APIOverride
+
+	if _, ok := apiOverrides.Route.Annotations[HorizonHSTSHeaderAnnotation]; !ok {
+		apiOverrides.Route.Annotations[HorizonHSTSHeaderAnnotation] = HorizonHSTSHeaderAnnotationValue
+	}
+
 	// make sure to get to EndpointConfig when all service got created
 	if len(svcs.Items) == 1 {
 		endpointDetails, ctrlResult, err := EnsureEndpointConfig(
@@ -82,7 +95,7 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 			horizon,
 			svcs,
 			serviceOverrides,
-			instance.Spec.Horizon.APIOverride,
+			apiOverrides,
 			corev1beta1.OpenStackControlPlaneExposeHorizonReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
 			tls.API{
@@ -117,7 +130,6 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 		}
 		return nil
 	})
-
 	if err != nil {
 		instance.Status.Conditions.Set(condition.FalseCondition(
 			corev1beta1.OpenStackControlPlaneHorizonReadyCondition,