Merge "Horizon: Support Strict-Transport-Security header"

2022-06-09 21:16:50 +00:00 · 2022-06-09 21:16:50 +00:00 · 1694f72a32
parent 415d176eb6 dee269d7a5
commit 1694f72a32
2 changed files with 16 additions and 0 deletions
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@ -145,6 +145,10 @@ parameters:
    default: 0
    description: Number of workers for Horizon service.
    type: number
+  HorizonHstsHeaderValue:
+    default: []
+    description: Enables HTTP Strict-Transport-Security header in response.
+    type: comma_delimited_list

 parameter_groups:
 - label: deprecated
@ -168,6 +172,8 @@ conditions:
      - {get_param: HorizonDebug}
  horizon_workers_set:
    not: {equals : [{get_param: HorizonWorkers}, 0]}
+  horizon_hsts_header_value_set:
+    not: {equals : [{get_param: HorizonHstsHeaderValue}, []]}

 resources:

@ -281,6 +287,10 @@ outputs:
              data:
                sources:
                  - {get_param: HorizonLoggingSource}
+        haproxy:
+          if:
+            - horizon_hsts_header_value_set
+            - tripleo::profile::base::horizon::hsts_header_value: {get_param: HorizonHstsHeaderValue}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: horizon
--- a/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml
+++ b/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The new ``HorizonHstsHeaderValue`` parameter has been added. When this
+    parameter is set, haproxy adds HTTP Strict-Transport-Security header to
+    HTTP response to enforce SSL.