IBM has done a very good job on their Ingress Documentation.

These are the annotations needed.

For HTTPS Redirection

ingress.bluemix.net/redirect-to-https: "True"

To handle HTTPS Traffic in Upstream

ingress.bluemix.net/ssl-services: "ssl-service=api-manager;ssl-service=is-as-km;ssl-service=am-analytics;"

To maintain a sticky session with the Upstream. A Cookie named route will be added to the request with an expiry of 43800h only if more than one replica is in the Deployment.

ingress.bluemix.net/sticky-cookie-services: "serviceName=api-manager name=route expires=43800h path=/ hash=sha1;"

Here is the entire Ingress.

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
    name: apifest-ingress
    annotations:
      ingress.bluemix.net/redirect-to-https: "True"
      ingress.bluemix.net/ssl-services: "ssl-service=api-manager;ssl-service=is-as-km;ssl-service=am-analytics;"
      ingress.bluemix.net/sticky-cookie-services: "serviceName=api-manager name=route expires=43800h path=/ hash=sha1;"
spec:
    tls:
    -   hosts:
        - apim-portal.yourdomain.com
        - apim-gateway.yourdomain.com
        - apim-key-manager.yourdomain.com
        - apim-analytics.yourdomain.com
        secretName: tls-secret
    rules:
    -   host: apim-portal.yourdomain.com
        http:
            paths:
            -   path: /
                backend:
                    serviceName: api-manager
                    servicePort: 9443
    -   host: apim-gateway.yourdomain.com
        http:
            paths:
            -   path: /
                backend:
                    serviceName: api-manager
                    servicePort: 8243 
    -   host: apim-key-manager.yourdomain.com
        http:
            paths:
            -   path: /
                backend:
                    serviceName: is-as-km
                    servicePort: 9443 
    -   host: apim-analytics.yourdomain.com
        http:
            paths:
            -   path: /
                backend:
                    serviceName: am-analytics
                    servicePort: 9444 

I am using this script to deploy it.

#!/bin/bash

# Deploys the Ingress

# Create a Secret to Store TLS Key and Cert
kubectl create secret tls tls-secret --key ./tls/tls.key --cert ./tls/tls.crt

# Add Ingresses 
kubectl create -f ./kubectl/tls-ingress.yaml