Ingress-nginx: v0.9 breaks server-side HTTPS enforcement default

Expected behavior:

As documented here, I expect an nginx Controller to 301 redirect HTTP traffic to HTTPS for Ingress that have TLS enabled. I'd expect it to be implemented by this stanza in the nginx template appearing.

Actual behavior:

nginx config does not include expected redirect stanza. For an Ingress defined as:

kind: Ingress
metadata:
  name: foo
  namespace: foo
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - foo.example.com
    secretName: foo-tls
  rules:
  - host: foo.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: foo
          servicePort: 80

I get this nginx server config by using the gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.1 image:

server {
  server_name foo.example.com;
  listen [::]:80;
  listen 442   ssl http2;
  ssl_certificate /ingress-controller/ssl/foo-foo-tls.pem;
  ssl_certificate_key /ingress-controller/ssl/foo-foo-tls.pem;

  more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";

  location /.well-known/acme-challenge {
    # acme location omitted for brevity
  }

  location / {
    set $proxy_upstream_name "foo-foo-80";

    port_in_redirect off;
    client_max_body_size                    "1m";

    proxy_set_header Host                   $host;

    # Pass Real IP
    proxy_set_header X-Real-IP              $remote_addr;

    # Allow websocket connections
    proxy_set_header                        Upgrade           $http_upgrade;
    proxy_set_header                        Connection        $connection_upgrade;

    proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host       $host;
    proxy_set_header X-Forwarded-Port       $pass_port;
    proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

    # mitigate HTTPoxy Vulnerability
    # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
    proxy_set_header Proxy                  "";

    proxy_connect_timeout                   5s;
    proxy_send_timeout                      60s;
    proxy_read_timeout                      60s;

    proxy_redirect                          off;
    proxy_buffering                         off;
    proxy_buffer_size                       "4k";

    proxy_http_version                      1.1;
    proxy_pass http://foo-foo-80;
  }
}

and I get this nginx server config by using the gcr.io/google_containers/nginx-ingress-controller:0.8.3 image:

server {
  server_name foo.example.com;
  listen 80;
  listen 443  ssl spdy http2;

  ssl_certificate /etc/nginx-ssl/foo-foo-tls.pem;
  ssl_certificate_key /etc/nginx-ssl/foo-foo-tls.pem;

  more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";

  location /.well-known/acme-challenge {
    # acme location omitted for brevity
  }

  location / {
    # enforce ssl on server side
    if ($scheme = http) {
      return 301 https://$host$request_uri;
    }

    proxy_set_header Host                   $host;

    # Pass Real IP
    proxy_set_header X-Real-IP              $remote_addr;

    # Allow websocket connections
    proxy_set_header                        Upgrade           $http_upgrade;
    proxy_set_header                        Connection        $connection_upgrade;

    proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host       $host;
    proxy_set_header X-Forwarded-Port       $server_port;
    proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

    # mitigate HTTPoxy Vulnerability
    # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
    proxy_set_header Proxy                  "";

    proxy_connect_timeout                   5s;
    proxy_send_timeout                      60s;
    proxy_read_timeout                      60s;

    proxy_redirect                          off;
    proxy_buffering                         off;

    proxy_http_version                      1.1;
    proxy_pass http://foo-foo-80;
  }
}

I believe this is caused by the changes to ParseAnnotations in this commit: https://github.com/kubernetes/ingress/commit/597a0e691a128a971632246699865e2dd960734b#diff-c69f163272df3ff5a4835b0880a4483b Notably in that change, the function goes from allowing the ingress.kubernetes.io/rewrite-target annotations to return an error without failing the whole function to requiring it in all cases.