Bind Responder Policy to Content Switch instead of Load Balancer #676

Open
siegenthalerroger opened this issue Jan 13, 2025 · 0 comments

Describe the bug

Redirecting from HTTP to HTTPS with a Responder Policy results in a browser error with "Too many redirects". This appears to be the case due to the responder policy being bound to the load balancer instead of the content switch.

To Reproduce

  1. Steps
  • We have a NetScaler VPX in front of an AKS cluster with overlay networking, as well as cert-manager with HTTP ACME challenges.
  • We have a rewritepolicy to enforce SSL for everything except the HTTP01 challenge routes required by cert-manager.

```yaml
apiVersion: citrix.com/v1
kind: rewritepolicy
metadata:
  name: httpsredirect
spec:
  responder-policies:
  - responder-policy:
      redirect:
        url: '"https://" +http.req.HOSTNAME.SERVER+":"+"443"+http.req.url'
      comment: 'Redirect HTTP to HTTPS'
      respond-criteria: 'http.req.is_valid && HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/") && HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/.well-known/acme-challenge/").NOT'
```

  • We attach this policy to the ingress with the annotation ingress.citrix.com/rewrite-responder_crd: httpsredirect
  • A request to http://hostname.com/.well-known/acme-challenge/... functions as expected. A request to http://hostname.com/... is redirected to https://... correctly, but then there is an endless loop of redirects that results in a browser error.
  2. Version of the NetScaler Ingress Controller
  • 2.2.10
  3. Version of MPX/VPX/CPX
  4. Environment variables (minus secrets)
  • Nothing special, deployed with helm, NS_IP and credential secret set.

Expected behavior

If the responder policy were set on the content switch it should work from what I understand.
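
The loop described in this report, modeled as an added example (not code from the issue author or the NetScaler project): the respond-criteria above never checks the scheme, so wherever the policy also sees HTTPS requests it redirects them again. The bind-point labels `lb` and `cs-http`, and the assumption that a policy on the shared load-balancing vserver is evaluated for both schemes while one on the port-80 content switch sees only HTTP, are assumptions taken from the report's hypothesis.

```python
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 20  # a browser gives up after roughly this many hops


def respond_criteria(path: str) -> bool:
    """The issue's respond-criteria: path starts with "/" and is not an ACME path.

    It inspects only the path, never the scheme of the request.
    """
    p = path.lower()  # SET_TEXT_MODE(IGNORECASE)
    return p.startswith("/") and not p.startswith(ACME_PREFIX)


def policy_runs(scheme: str, bind_point: str) -> bool:
    """Assumed model of where the policy is evaluated (hypothetical labels)."""
    if bind_point == "lb":        # shared LB vserver: HTTP and HTTPS traffic alike
        return True
    if bind_point == "cs-http":   # port-80 content switch: HTTP traffic only
        return scheme == "http"
    raise ValueError(f"unknown bind point: {bind_point}")


def follow(url: str, bind_point: str) -> tuple[str, int]:
    """Follow redirects like a browser; return (outcome, redirects followed)."""
    for hops in range(MAX_REDIRECTS):
        parts = urlsplit(url)
        path = parts.path or "/"
        if not (policy_runs(parts.scheme, bind_point) and respond_criteria(path)):
            return "served", hops
        # Redirect target: "https://" + HOSTNAME.SERVER + ":443" + http.req.url
        query = f"?{parts.query}" if parts.query else ""
        url = f"https://{parts.hostname}:443{path}{query}"
    return "too many redirects", MAX_REDIRECTS


if __name__ == "__main__":
    # Constructed sample requests using the hostname from the report.
    samples = ("http://hostname.com/app",
               "http://hostname.com/.well-known/acme-challenge/token")
    for bind in ("lb", "cs-http"):
        for sample in samples:
            print(bind, sample, follow(sample, bind))
```

In this model the ACME path is served directly at either bind point, while any other path loops only when the policy is also evaluated for the HTTPS request that the first redirect produces.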
