From 68baf376272365ec46b37008f364e2eebc7c535e Mon Sep 17 00:00:00 2001
From: Oleksandr Berezovskyi
Date: Mon, 16 Mar 2026 00:29:11 +0200
Subject: [PATCH] feat(k8s/infrastructure/traefik): add HSTS middleware on websecure entrypoint
---
 .../controllers/traefik/middleware-hsts.yaml | 12 ++++++++++++
 .../infrastructure/controllers/traefik/release.yaml | 2 ++
 2 files changed, 14 insertions(+)
 create mode 100644 kubernetes/infrastructure/controllers/traefik/middleware-hsts.yaml
diff --git a/kubernetes/infrastructure/controllers/traefik/middleware-hsts.yaml b/kubernetes/infrastructure/controllers/traefik/middleware-hsts.yaml
new file mode 100644
index 0000000..5897ca0
--- /dev/null
+++ b/kubernetes/infrastructure/controllers/traefik/middleware-hsts.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: hsts
+ namespace: traefik
+spec:
+ headers:
+ stsSeconds: 31536000
+ stsIncludeSubdomains: true
+ stsPreload: true
+ forceSTSHeader: true
diff --git a/kubernetes/infrastructure/controllers/traefik/release.yaml b/kubernetes/infrastructure/controllers/traefik/release.yaml
index 966bccb..0461119 100644
--- a/kubernetes/infrastructure/controllers/traefik/release.yaml
+++ b/kubernetes/infrastructure/controllers/traefik/release.yaml
@@ -28,6 +28,8 @@ spec:
 ingressRoute:
 dashboard:
 enabled: true
+ additionalArguments:
+ - "--entryPoints.websecure.http.middlewares=traefik-hsts@kubernetescrd"
 service:
 type: ClusterIP
 ports:
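Review bot: The new `middleware-hsts.yaml` ships the hardest-to-reverse HSTS policy in one step: a one-year `stsSeconds: 31536000` with `stsIncludeSubdomains: true` and `stsPreload: true`. Once a browser has cached that header, every subdomain of the serving host must answer over valid HTTPS for a year, including names this Traefik instance does not serve. The `preload` token also signals consent for the domain to be submitted to browser preload lists, and removal from those is slow. I would roll out with `stsPreload: false` and a short `stsSeconds`, then raise both once every affected hostname is confirmed HTTPS-only. `forceSTSHeader: true` also emits the header on connections Traefik sees as plain HTTP, which only matters if TLS is terminated in front of Traefik; a comment such as `# TLS terminated upstream, header must be forced` (or dropping the key) would make the intent clear.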
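Review bot: The added `--entryPoints.websecure.http.middlewares=traefik-hsts@kubernetescrd` in `release.yaml` ties Traefik's static configuration to a dynamic object, and this patch does not show that the object will be applied. The diffstat lists only two files, so if this directory has a `kustomization.yaml` with an explicit `resources:` list, it needs `- middleware-hsts.yaml` or the Middleware never reaches the cluster. As far as I know, an unresolved entrypoint-level middleware breaks every router on `websecure` rather than just skipping the header, so confirm the object exists before the release rolls. The argument also applies the policy to the dashboard IngressRoute enabled just above and to every other host on the entrypoint, which widens the `includeSubDomains` reach to each of those domains. A comment above the argument, such as `# <namespace>-<name>@kubernetescrd, see middleware-hsts.yaml`, would help the next reader trace the reference; the hunk is a fragment of a larger values block that starts and ends outside it.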