support HSTS header

[thetechnick]

To enable HSTS for a resource, we have to send a extra header entry.
In most cases the responsibility for sending extra headers lies by the backend service, but because the ingress controller is already responsible for SSL termination it would be nice to configure HSTS in the ingress object itself.

# ingress annotations
annotations:
  nginx.org/hsts: 'True' # default 'False'
  nginx.org/hsts-max-age: '31536000'
  nginx.org/hsts-include-subdomains: 'True' # default 'False'

# configmap
data:
  hsts: 'True' # default 'False'
  hsts-max-age: '31536000'
  hsts-include-subdomains: 'True' # default 'False'

Will result in the following config entry for servers with ssl enabled:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

As far as I was able to see there is no reason to exclude the 'preload' directive, because it is ignored if the hostname is not in the HSTS preload list:
https://hstspreload.appspot.com/

Open for discussion is the default 'max-age' in the header entry.

[pleshakov]

@thetechnick
Looks good to me.

Note that the add_header directive doesn't override the header if it's already present in the response from the backend: it adds another header.

According to RFC 6786:

If a UA receives more than one STS header field in an HTTP
response message over secure transport, then the UA MUST process
only the first such header field.

In case of multiple STS headers, the browser must use the first one. So the one set by the backend will be used if the backend also sets this header.