Horizon: Support Strict-Transport-Security header

This allows operators to enable HTTP Strict-Transport-Security (HSTS) for Horizon endpoint, to enforce usage of SSL. Depends-on: https://review.opendev.org/841194 Change-Id: I79432830cf76b29834927944ee04705f057e58df
2022-05-10 11:44:42 +09:00 · 2022-05-10 11:44:42 +09:00 · dee269d7a5
commit dee269d7a5
parent a5d7c2f02a
2 changed files with 16 additions and 0 deletions
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@ -145,6 +145,10 @@ parameters:
    default: 0
    description: Number of workers for Horizon service.
    type: number
+  HorizonHstsHeaderValue:
+    default: []
+    description: Enables HTTP Strict-Transport-Security header in response.
+    type: comma_delimited_list

 parameter_groups:
 - label: deprecated
@ -168,6 +172,8 @@ conditions:
      - {get_param: HorizonDebug}
  horizon_workers_set:
    not: {equals : [{get_param: HorizonWorkers}, 0]}
+  horizon_hsts_header_value_set:
+    not: {equals : [{get_param: HorizonHstsHeaderValue}, []]}

 resources:

@ -277,6 +283,10 @@ outputs:
              data:
                sources:
                  - {get_param: HorizonLoggingSource}
+        haproxy:
+          if:
+            - horizon_hsts_header_value_set
+            - tripleo::profile::base::horizon::hsts_header_value: {get_param: HorizonHstsHeaderValue}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: horizon
--- a/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml
+++ b/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The new ``HorizonHstsHeaderValue`` parameter has been added. When this
+    parameter is set, haproxy adds HTTP Strict-Transport-Security header to
+    HTTP response to enforce SSL.