Apparently the primary ingress rule for www.workbench.nationaldataservice.org is not redirecting to HTTPS for "/" or "/api". Other rules look OK. According to the documentation, it should redirect if TLS is configured on the ingress rule (which it is). I was able to force this in the beta configuration by changing /tmp/ndslabs-ingress.yaml and adding the following annotation (which should be the default behavior, anyway):

metadata:

  name: ndslabs-ingress

  annotations:

    ingress.kubernetes.io/ssl-redirect: "true"

This results in the following block in the nginx.conf for both the UI and API server locations:

            # enforce ssl on server side

            if ($scheme = http) {

                return 301 https://$host$request_uri;

            }

Workaround: modify the ndslabs-ingress.yml on the deployed cluster and delete/create.