add 1st draft for charm architecture docs#534
Draft
Thanhphan1147 wants to merge 2 commits into
Draft
Conversation
Thanhphan1147
added
documentation
github-actions
Bot
added
Libraries: OK
Libraries: Out of sync
and removed
Libraries: OK
Libraries: Out of sync
labels
erinecon
reviewed
Jun 4, 2026
erinecon
left a comment
erinecon
left a comment
Contributor
There was a problem hiding this comment.
Thanks so much for drafting this Explanation page 🎉 some initial thoughts from me
github-actions
Bot
added
Libraries: OK
Libraries: Out of sync
and removed
Libraries: Out of sync
Libraries: OK
labels
erinecon
reviewed
Jun 8, 2026
erinecon
left a comment
erinecon
left a comment
Contributor
There was a problem hiding this comment.
Thanks so much for adding more information to this page! This round of comments contains nits + questions about the ddos-configurator
Comment on lines
+15
to
+17
| 1. `haproxy`: A machine charm managing HAProxy. See the [haproxy README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-operator) for more information. | ||
| 2. `haproxy-spoe-auth-operator`: A machine charm deploying an SPOE agent that serves as an authentication proxy. See the [haproxy-spoe-auth-operator README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-spoe-auth-operator) for more information. | ||
| 3. `haproxy-route-policy-operator`: A machine charm deploying the `haproxy-route-policy` application for controlling the data from different `haproxy-route` relations. See the [haproxy-route-policy-operator README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-route-policy-operator) for more information. |
Contributor
There was a problem hiding this comment.
Suggested change
| 1. `haproxy`: A machine charm managing HAProxy. See the [haproxy README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-operator) for more information. | |
| 2. `haproxy-spoe-auth-operator`: A machine charm deploying an SPOE agent that serves as an authentication proxy. See the [haproxy-spoe-auth-operator README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-spoe-auth-operator) for more information. | |
| 3. `haproxy-route-policy-operator`: A machine charm deploying the `haproxy-route-policy` application for controlling the data from different `haproxy-route` relations. See the [haproxy-route-policy-operator README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-route-policy-operator) for more information. | |
| 1. `haproxy`: A machine charm managing HAProxy. See the [`haproxy` README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-operator) for more information. | |
| 2. `haproxy-spoe-auth-operator`: A machine charm deploying an SPOE agent that serves as an authentication proxy. See the [`haproxy-spoe-auth-operator` README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-spoe-auth-operator) for more information. | |
| 3. `haproxy-route-policy-operator`: A machine charm deploying the `haproxy-route-policy` application for controlling the data from different `haproxy-route` relations. See the [`haproxy-route-policy-operator` README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-route-policy-operator) for more information. |
Nits for code-formatting the (CLI) charm names
| 1. `haproxy-spoe-auth-snap`: A snap of the SPOE agent made for the haproxy-spoe-auth-operator charm. See the [haproxy-spoe-auth-snap README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-spoe-auth-snap) for more information. | ||
| 2. `haproxy-route-policy-snap`: A snap of the `haproxy-route-policy` app made for the `haproxy-route-policy-operator` charm. See the [haproxy-route-policy-snap README](https://github.com/canonical/haproxy-operator/tree/main/haproxy-route-policy) for more information. | ||
|
|
||
| ## Architecture diagram |
Contributor
There was a problem hiding this comment.
I would either remove this header entirely or update to something like
Suggested change
| ## Architecture diagram | |
| ## High-level overview of deployment |
Comment on lines
+38
to
+40
| Container_Boundary(ddos, "ddos-configurator") { | ||
| Component(ddos, "ddos-configurator charm") | ||
| } |
Contributor
There was a problem hiding this comment.
Any relations we can show between the ddos-configurator and any of the other charms? If they're optional, then we can explicitly state that in the text.
Comment on lines
+53
to
+57
| The `haproxy` charm is the central component, responsible for configuring and running the HAProxy reverse proxy on machine. It receives routing information from related applications via `haproxy-route` (HTTP) and `haproxy-route-tcp` (TCP) relations and generates the appropriate HAProxy configuration. | ||
|
|
||
| The `haproxy` charm can be deployed with the `haproxy-spoe-auth-operator` charm to add an authentication layer via an SPOE (Stream Processing Offload Engine) agent packaged in `haproxy-spoe-auth-snap`. HAProxy delegates authentication decisions to this agent which is integrated with an OIDC (OpenID Connect) provider charm. | ||
|
|
||
| The `haproxy` charm can also be deployed with the `haproxy-route-policy-operator` charm to control which backends are permitted to be routed through `haproxy-route` relations. The workload of the `haproxy-route-policy-operator` charm is a Django application packaged as a snap. It evaluates incoming requests against configured rules and accepts or rejects them accordingly. It's deployed together with a PostgreSQL database. |
Contributor
There was a problem hiding this comment.
Should we include information about the ddos-configurator here?
| C4Component | ||
| title Component diagram for HAProxy Charm | ||
|
|
||
| Container_Boundary(haproxy, "HAProxy charm monorepo") { |
Contributor
There was a problem hiding this comment.
Suggested change
| Container_Boundary(haproxy, "HAProxy charm monorepo") { | |
| Container_Boundary(haproxy, "HAProxy deployment") { |
|
|
||
| The `haproxy` charm is the central component, responsible for configuring and running the HAProxy reverse proxy on machine. It receives routing information from related applications via `haproxy-route` (HTTP) and `haproxy-route-tcp` (TCP) relations and generates the appropriate HAProxy configuration. | ||
|
|
||
| The `haproxy` charm can be deployed with the `haproxy-spoe-auth-operator` charm to add an authentication layer via an SPOE (Stream Processing Offload Engine) agent packaged in `haproxy-spoe-auth-snap`. HAProxy delegates authentication decisions to this agent which is integrated with an OIDC (OpenID Connect) provider charm. |
Contributor
There was a problem hiding this comment.
Suggested change
| The `haproxy` charm can be deployed with the `haproxy-spoe-auth-operator` charm to add an authentication layer via an SPOE (Stream Processing Offload Engine) agent packaged in `haproxy-spoe-auth-snap`. HAProxy delegates authentication decisions to this agent which is integrated with an OIDC (OpenID Connect) provider charm. | |
| The `haproxy` charm can be deployed with the `haproxy-spoe-auth-operator` charm to add an authentication layer via a Stream Processing Offload Engine (SPOE) agent packaged in `haproxy-spoe-auth-snap`. HAProxy delegates authentication decisions to this agent which is integrated with an OpenID Connect (OIDC) provider charm. |
nitpick
Comment on lines
+59
to
+65
| ## Integrations | ||
|
|
||
| See the Integrations section on each of the component's Charmhub page for more details: | ||
|
|
||
| 1. [Integrations for haproxy-operator](https://charmhub.io/haproxy/integrations?channel=2.8/edge) | ||
| 2. [Integrations for haproxy-spoe-auth-operator](https://charmhub.io/haproxy-spoe-auth/integrations?channel=latest/edge) | ||
| 3. [Integrations for haproxy-route-policy-operator](https://charmhub.io/haproxy-route-policy/integrations?channel=latest/edge) |
Contributor
There was a problem hiding this comment.
Should this section also link to the ddos-configurator charm's integrations tab?
Comment on lines
+59
to
+61
| ## Integrations | ||
|
|
||
| See the Integrations section on each of the component's Charmhub page for more details: |
Contributor
There was a problem hiding this comment.
I feel like this section could be enhanced. The basic question: What do we want readers to know about the available integrations?
Some additional questions: Did we make any explicit design choices or enforce any opinions with the integrations that we want to highlight here (e.g., did we design the integrations so that they all feed back into haproxy)? Are any of the integrations required for a basic deployment? What integrations are required when the user wants DDOS protection, or OIDC?
Comment on lines
+47
to
+50
| Rel(charm, spoe_auth, "SPOE protocol", "Authentication offload") | ||
| Rel(haproxy_route_policy_charm, charm, "haproxy-route-policy", "Route approval") | ||
| Rel(spoe_auth, spoe_auth_snap, "Manages") | ||
| Rel(haproxy_route_policy_charm, haproxy_route_policy_snap, "Manages") |
Contributor
There was a problem hiding this comment.
Suggested change
| Rel(charm, spoe_auth, "SPOE protocol", "Authentication offload") | |
| Rel(haproxy_route_policy_charm, charm, "haproxy-route-policy", "Route approval") | |
| Rel(spoe_auth, spoe_auth_snap, "Manages") | |
| Rel(haproxy_route_policy_charm, haproxy_route_policy_snap, "Manages") | |
| Rel(charm, spoe_auth, "SPOE protocol", "Authentication offload") | |
| Rel(haproxy_route_policy_charm, charm, "haproxy-route-policy", "Route approval") | |
| Rel(spoe_auth, spoe_auth_snap, "Manages") | |
| Rel(haproxy_route_policy_charm, haproxy_route_policy_snap, "Manages") | |
| UpdateRelStyle(haproxy_route_policy_charm, charm, $offsetY="-60", $offsetX="-130") | |
| UpdateRelStyle(charm, spoe_auth, $offsetY="10", $offsetX="-50") | |
| UpdateRelStyle(spoe_auth, spoe_auth_snap, $offsetX="10") | |
| UpdateRelStyle(haproxy_route_policy_charm, haproxy_route_policy_snap, $offsetX="10") |
Nitpick, to move the relation labels around so they're easier to read
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does
Why we need it
Checklist
docs/changelog.mdwith user-relevant changesdocs/release-notes/artifacts. If no change artifact is necessary, I tagged the PR with the labelno-release-note.(e.g., in
.github/workflows/integration_tests.yaml, ensure themoduleslist is correct)terraform fmtpasses andtflintreports no errors