  1. OpenShift Request For Enhancement
  2. RFE-3877

Configure operator managed route to enable HSTS annotation



      1. Proposed title of this feature request
      Configure operator managed route to enable HSTS annotation

      2. What is the nature and description of the request?
      IBM Cloud offers managed OpenShift instances for IBM Cloud customers. IBM Cloud security standards require us to enable HSTS for product endpoints; this includes the default OpenShift endpoints (for example the console endpoint).

      The default OpenShift endpoints are exposed with Route resources, which are supervised by OpenShift operators, for example:

      • openshift-console/console
      • openshift-console/downloads
      • openshift-monitoring/alertmanager-main
      • openshift-monitoring/prometheus-k8s
      • openshift-monitoring/prometheus-k8s-federate
      • openshift-monitoring/thanos-querier

      As of OpenShift 4.12, the only way to enable HSTS for a specific endpoint is by applying the "haproxy.router.openshift.io/hsts_header" annotation on the corresponding Route resource. [1]

      The above-mentioned Route resources are managed by OpenShift operators, and we are not supposed to change these managed resources manually. [2]

      We are looking for a way to enable HSTS for the default OpenShift endpoints. One way could be to introduce a new cluster-level configuration option which would change the behavior of the operators to deploy the Route resources with the "haproxy.router.openshift.io/hsts_header" annotation applied by default.

      [1] https://docs.openshift.com/container-platform/4.12/networking/routes/route-configuration.html#nw-enabling-hsts_route-configuration
      [2] https://docs.openshift.com/container-platform/4.12/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
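      As an added example (not part of this RFE and not OpenShift's own code), a small Python audit that reads Route objects in the shape `oc get routes -A -o json` produces and flags operator-managed routes whose "haproxy.router.openshift.io/hsts_header" annotation is missing or sets a short max-age. The sample input and the one-year max-age threshold are constructed assumptions.

```python
import json
import sys

HSTS_ANNOTATION = "haproxy.router.openshift.io/hsts_header"
MIN_MAX_AGE = 31536000  # one year; assumed minimum, adjust to local policy

# Constructed sample resembling `oc get routes -A -o json` output (not a real cluster dump).
SAMPLE_ROUTES_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "openshift-console", "name": "console", "annotations": {}}},
    {"metadata": {"namespace": "openshift-console", "name": "downloads"}},
    {"metadata": {"namespace": "openshift-monitoring", "name": "alertmanager-main",
                  "annotations": {HSTS_ANNOTATION: "max-age=31536000;includeSubDomains;preload"}}},
    {"metadata": {"namespace": "openshift-monitoring", "name": "prometheus-k8s",
                  "annotations": {HSTS_ANNOTATION: "max-age=60"}}},
]})


def parse_hsts_header(value):
    """Split 'max-age=N;includeSubDomains;preload' into {directive: value} (keys lower-cased)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return directives


def audit_routes(routes_json, min_max_age=MIN_MAX_AGE):
    """Return {'namespace/name': finding} for routes with a missing or weak HSTS annotation."""
    findings = {}
    for item in json.loads(routes_json)["items"]:
        meta = item["metadata"]
        key = f"{meta['namespace']}/{meta['name']}"
        header = (meta.get("annotations") or {}).get(HSTS_ANNOTATION)
        if header is None:
            findings[key] = "missing hsts_header annotation"
            continue
        max_age = parse_hsts_header(header).get("max-age")
        if max_age is None or not max_age.isdigit():
            findings[key] = "hsts_header has no numeric max-age"
        elif int(max_age) < min_max_age:
            findings[key] = f"max-age={max_age} below {min_max_age}"
    return findings


if __name__ == "__main__":
    # Pipe real output in (`oc get routes -A -o json | python3 hsts_audit.py`) or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTES_JSON
    for route, finding in sorted(audit_routes(data).items()):
        print(f"{route}: {finding}")
```

Running it on the constructed sample reports the two console routes as missing the annotation and prometheus-k8s as having a max-age below the threshold; alertmanager-main passes.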

      3. Why does the customer need this? (List the business requirements here)
      IBM Cloud security standards require us to enable HSTS for product endpoints.
      This limitation affects all the Red Hat OpenShift on IBM Cloud deployments.

      4. List any affected packages or components.

              mcurry@redhat.com Marc Curry
              rhn-support-bmehra Bobby Mehra