HSTS enablement communication and migration for next release #3168

@Adam-D-Lewis

Context

We've added HSTS (HTTP Strict Transport Security) support to Nebari in #3165, which will be enabled by default for cloud deployments with valid certificates (Let's Encrypt or existing certs).

Tasks Before Next Release

1. User Communication

Explain default behavior:

  • Enabled by default: Cloud providers (AWS/GCP/Azure) with lets-encrypt or existing certificates
  • Disabled by default: local provider or self-signed certificates
  • User override: Users can explicitly configure ingress.hsts in nebari-config.yaml

2. Configuration Migration

  • During upgrade process, prompt users to add HSTS config explicitly to their nebari-config.yaml
  • Allow users to decline if they want
  • If accepted, add configuration block:
    ingress:
      hsts:
        enabled: true
        max_age: 31536000  # 1 year recommended for production
        include_subdomains: true
        preload: false

3. User Guidance

  • Provide guidance on testing HSTS before increasing max_age
  • Explain the progression: 300s (initial) → test → 31536000 (production)
  • Document browser HSTS clearing procedures if needed
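Added example (not Nebari's own code) covering tasks 2 and 3 above: it renders the Strict-Transport-Security header the ingress.hsts block should produce, parses the header a deployment actually sends, and reports mismatches, including the case where preload is set before max_age has reached one year. The config dict and header strings are constructed here; the function names are assumptions.

```python
"""Added example, not Nebari's code: compare a sent STS header with ingress.hsts."""
import re
from typing import Dict, List, Optional

# Constructed: the ingress.hsts block proposed in the issue, as a dict.
HSTS_CONFIG = {"enabled": True, "max_age": 31536000, "include_subdomains": True, "preload": False}
ONE_YEAR = 31536000  # seconds; minimum max-age accepted by browser preload lists

def expected_header(cfg: Dict) -> Optional[str]:
    """Header value the middleware should emit; None when HSTS is disabled."""
    if not cfg.get("enabled", False):
        return None
    parts = [f"max-age={int(cfg['max_age'])}"]
    if cfg.get("include_subdomains"):
        parts.append("includeSubDomains")
    if cfg.get("preload"):
        parts.append("preload")
    return "; ".join(parts)

def parse_hsts(header: Optional[str]) -> Optional[Dict]:
    """Parse RFC 6797 directives (case-insensitive, optional quotes on max-age)."""
    if header is None:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive)
        if m:
            parsed["max_age"] = int(m.group(1))
        elif directive == "includesubdomains":
            parsed["include_subdomains"] = True
        elif directive == "preload":
            parsed["preload"] = True
    return parsed

def check_hsts(observed: Optional[str], cfg: Dict) -> List[str]:
    """Findings (empty list means OK) for an observed header against the config."""
    parsed = parse_hsts(observed)
    if not cfg.get("enabled", False):
        return ["HSTS disabled in config but header is present"] if parsed else []
    if parsed is None:
        return ["HSTS enabled in config but header is missing"]
    findings: List[str] = []
    if parsed["max_age"] != cfg["max_age"]:
        findings.append(f"max-age {parsed['max_age']} != configured {cfg['max_age']}")
    if parsed["include_subdomains"] != bool(cfg.get("include_subdomains")):
        findings.append("includeSubDomains does not match config")
    if parsed["preload"] and (cfg["max_age"] < ONE_YEAR or not cfg.get("include_subdomains")):
        findings.append("preload requires max-age >= 1 year and includeSubDomains")
    return findings
```

Feed `check_hsts` the header returned by an HTTPS request to the deployment (for example via `requests.get(url).headers.get("Strict-Transport-Security")`) at each step of the 300s to 31536000 progression.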

Related Files

  • src/_nebari/stages/kubernetes_ingress/__init__.py
  • src/_nebari/stages/kubernetes_ingress/template/modules/kubernetes/ingress/hsts-middleware.tf
  • src/_nebari/upgrade.py
