To enable HSTS for a resource, we have to send a extra header entry.
In most cases the responsibility for sending extra headers lies by the backend service, but because the ingress controller is already responsible for SSL termination it would be nice to configure HSTS in the ingress object itself.

# ingress annotations
annotations:
  nginx.org/hsts: 'True' # default 'False'
  nginx.org/hsts-max-age: '31536000'
  nginx.org/hsts-include-subdomains: 'True' # default 'False'

# configmap
data:
  hsts: 'True' # default 'False'
  hsts-max-age: '31536000'
  hsts-include-subdomains: 'True' # default 'False'

Will result in the following config entry for servers with ssl enabled:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

As far as I was able to see there is no reason to exclude the 'preload' directive, because it is ignored if the hostname is not in the HSTS preload list:
https://hstspreload.appspot.com/

Open for discussion is the default 'max-age' in the header entry.