From 49eac4f9452ef02597dae54eb34d0f24e0cc9a96 Mon Sep 17 00:00:00 2001
From: Donavan Fritz <dfritz@netflix.com>
Date: Wed, 27 May 2026 16:30:31 -0500
Subject: [PATCH] include https-redirect middleware on generated Ingresses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds https-redirect@file to the router.middlewares annotation so static
sites force HTTP → HTTPS automatically. The middleware is defined in
fritzlab/apps/sjc001/infra/traefik/manifests/dynamic-config.yaml and
uses redirectScheme (permanent 308). Safe with cert-manager HTTP-01:
the solver pod's Ingress is generated separately and doesn't pick up
this annotation, so /.well-known/acme-challenge/* on port 80 continues
to reach the solver directly.
---
 templates/ingress.yaml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/ingress.yaml.j2 b/templates/ingress.yaml.j2
index d4e3478..5d47238 100644
--- a/templates/ingress.yaml.j2
+++ b/templates/ingress.yaml.j2
@@ -5,7 +5,7 @@ metadata:
   namespace: {{ namespace }}
 {%- if site_type != "docker" %}
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: retry-upstream@file
+    traefik.ingress.kubernetes.io/router.middlewares: https-redirect@file,retry-upstream@file
 {%- endif %}
 spec:
   ingressClassName: traefik