Merge "Horizon: Support Strict-Transport-Security header" into stable/wallaby

2023-09-18 15:10:37 +00:00 · 2023-09-18 15:10:37 +00:00 · f2b651ab6c
commit f2b651ab6c
parent 33b774a0e7 998aa37ef2
2 changed files with 16 additions and 0 deletions
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@ -141,6 +141,10 @@ parameters:
    default:
      tag: openstack.horizon
      file: /var/log/containers/horizon/horizon.log
+  HorizonHstsHeaderValue:
+    default: []
+    description: Enables HTTP Strict-Transport-Security header in response.
+    type: comma_delimited_list

 parameter_groups:
 - label: deprecated
@ -162,6 +166,8 @@ conditions:
    or:
      - {get_param: Debug}
      - {get_param: HorizonDebug}
+  horizon_hsts_header_value_set:
+    not: {equals : [{get_param: HorizonHstsHeaderValue}, []]}

 resources:

@ -271,6 +277,10 @@ outputs:
              data:
                sources:
                  - {get_param: HorizonLoggingSource}
+        haproxy:
+          if:
+            - horizon_hsts_header_value_set
+            - tripleo::profile::base::horizon::hsts_header_value: {get_param: HorizonHstsHeaderValue}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: horizon
--- a/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml
+++ b/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The new ``HorizonHstsHeaderValue`` parameter has been added. When this
+    parameter is set, haproxy adds HTTP Strict-Transport-Security header to
+    HTTP response to enforce SSL.