munnerz / kube-acme

Retrieve certificates for Kubernetes Ingress resources from acme servers and store as secrets
Apache License 2.0

HTTP to HTTPS auto redirection #8

Open goblain opened 8 years ago

goblain commented 8 years ago

As I understand it, the serve mode is now used to serve acme-challenge and redirect other requests from HTTP to HTTPS.

I think that this expands the responsibility above the required minimum. For starters, to keep backwards compatibility I'd suggest simply switching the default example to something like:

...
# We add this to any ingress we want to use acme-secrets for
# acme-secrets will 301 redirect traffic to the https scheme
# if your ingress controller doesn't already
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-acme
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: https-redirect.kube-system
          servicePort: 80
      - path: /.well-known/acme-challenge/
        backend:
          serviceName: acme-secrets.kube-system
          servicePort: 80

where the https-redirect service is obviously responsible for the actual redirects if they are required. In the long run I would suggest the path for /.well-known/acme-challenge/ be created in a completely automatic way without the need to specify it in the ingress, and if an HTTP ingress does not exist it can create a whole temporary ingress.

munnerz commented 8 years ago

Agreed. The 301 redirect in serve was a temporary measure and is less than ideal.

I think the best solution moving forward is, as you say, automatically configuring the Ingress resource to add and remove the /.well-known/acme-challenge/ path, as this pushes the onus for redirecting onto the ingress controller or ingress definition.
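
A sketch of the add-and-remove step discussed in this thread, as an added example that is not kube-acme's code. The `Path` and `Rule` types are hypothetical stand-ins for the Ingress fields in the manifest above, and the function names are assumptions; it also covers the case where the host has no HTTP rule yet and a temporary one is created.

```go
package main

import "fmt"

// Hypothetical stand-ins for the Ingress fields used in the manifest above.
type Path struct {
	Path, ServiceName string
	ServicePort       int
}
type Rule struct {
	Host  string
	Paths []Path
}
const challengePath = "/.well-known/acme-challenge/"

// RemoveChallenge copies rules without host's challenge path; an emptied host rule is dropped.
func RemoveChallenge(rules []Rule, host string) []Rule {
	out := []Rule{}
	for _, r := range rules {
		kept := []Path{}
		for _, p := range r.Paths {
			if r.Host != host || p.Path != challengePath {
				kept = append(kept, p)
			}
		}
		if len(kept) > 0 || r.Host != host {
			out = append(out, Rule{Host: r.Host, Paths: kept})
		}
	}
	return out
}

// AddChallenge routes host's challenge prefix to svc; idempotent, creates a rule if none exists.
func AddChallenge(rules []Rule, host, svc string, port int) []Rule {
	out := RemoveChallenge(rules, host)
	p := Path{Path: challengePath, ServiceName: svc, ServicePort: port}
	for i := range out {
		if out[i].Host == host {
			out[i].Paths = append(out[i].Paths, p)
			return out
		}
	}
	return append(out, Rule{Host: host, Paths: []Path{p}})
}

func main() {
	rules := []Rule{{"example.com", []Path{{"/", "https-redirect.kube-system", 80}}}}
	fmt.Println(AddChallenge(rules, "example.com", "acme-secrets.kube-system", 80))
}
```

Both functions return copies, so the caller can compare the result with the stored Ingress and only write an update when the rules actually changed.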