canonical · Thanhphan1147 · Nov 27, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
@@ -15,6 +15,7 @@ jobs:
       juju-channel: 3/stable
       self-hosted-runner: true
       charmcraft-channel: latest/edge
+      working-directory: ./haproxy-operator
       modules: '["test_action.py","test_actions.py","test_charm.py","test_config.py","test_cos.py","test_ha.py","test_haproxy_route.py","test_http_interface.py","test_ingress.py",
         "test_ingress_per_unit.py", "test_haproxy_route_tcp.py"]'
       with-uv: true
@@ -23,3 +24,15 @@ jobs:
     needs:
     - integration-tests
     uses: canonical/operator-workflows/.github/workflows/allure_report.yaml@main
+  haproxy-spoe-auth-operator:
+    name: Integration tests for the haproxy-spoe-auth-operator charm
+    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@main
+    secrets: inherit
+    with:
+      juju-channel: '3/stable'
+      provider: lxd
+      self-hosted-runner: true
+      charmcraft-channel: latest/edge
+      working-directory: ./haproxy-spoe-auth-operator
+      with-uv: True
+      modules: '["test_charm.py",]'
@@ -23,6 +23,7 @@ jobs:
     with:
       origin-channel: ${{ github.event.inputs.origin-channel }}
       destination-channel: ${{ github.event.inputs.destination-channel }}
+      working-directory: ./haproxy-operator
       base-channel: 24.04
       base-name: ubuntu
       base-architecture: amd64

@@ -16,3 +16,4 @@ jobs:
     secrets: inherit
     with:
       channel: 2.8/edge
+      working-directory: ./haproxy-operator
@@ -6,7 +6,7 @@ on:
     branches:
       - main
     paths:
-      - spoe_auth_snap/**
+      - haproxy-spoe-auth-snap/**
 
 jobs:
   build:
@@ -16,7 +16,7 @@ jobs:
     - uses: snapcore/action-build@v1.3.0
       id: build
       with:
-        path: ./spoe_auth_snap
+        path: ./haproxy-spoe-auth-snap
     - uses: snapcore/action-publish@v1.2.0
       env:
         SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.STORE_LOGIN }}

@@ -10,5 +10,15 @@ jobs:
     with:
       self-hosted-runner: true
       self-hosted-runner-image: "noble"
-      charmcraft-channel: latest/edge
+      working-directory: ./haproxy-operator
+      with-uv: true
+  haproxy-spoe-auth-operator:
+    name: Unit tests for the haproxy-spoe-auth-operator charm
+    uses: canonical/operator-workflows/.github/workflows/test.yaml@main
+    secrets: inherit
+    with:
+      self-hosted-runner: true
+      self-hosted-runner-image: "noble"
+      python-version: 3.12
+      working-directory: ./haproxy-spoe-auth-operator
       with-uv: true
@@ -1,16 +1,18 @@
-venv/
-build/
-*.charm
-.tox/
-.coverage
+**/venv/
+**/build/
+**/*.charm
+**/*.snap
+**/.tox/
+**/.coverage
 __pycache__/
-*.py[cod]
-.idea
-.vscode
-.mypy_cache
+**/*.py[cod]
+**/.idea
+**/.vscode
+**/.mypy_cache
+**/.ruff_cache
 *.egg-info/
 */*.rock
-.venv/
+**/.venv/
 
 # BEGIN VALE WORKFLOW IGNORE
 .vale/styles/*
@@ -24,7 +26,6 @@ __pycache__/
 !.vale/styles/config/vocabularies/local
 # END VALE WORKFLOW IGNORE
 
-**/*.snap
 terraform/**/.terraform*
 terraform/**/.tfvars
 terraform/**/*.tfstate*
@@ -24,8 +24,10 @@ header:
     - 'lib/**'
     - '.woke.yaml'
     - 'templates/**'
-    - 'src/loki_alert_rules/*.rule'
+    - '**/src/loki_alert_rules/*.rule'
     - 'docs/release-notes/**/*.yaml'
     - '**/*.md.j2'
-    - 'uv.lock'
+    - '**/lib/**'
+    - '**/uv.lock'
+    - '**/templates/**'
   comment: on-failure
@@ -1,38 +1,20 @@
-This is the repository for the new HAProxy charm supporting HAProxy v2.8 and published in the [2.8/edge](https://charmhub.io/haproxy?channel=2.8/edge) channel. For the legacy charm in the [latest/edge](https://charmhub.io/haproxy?channel=latest/edge) channel please refer to the [legacy/main](https://github.com/canonical/haproxy-operator/tree/legacy/main) branch.
+# HAProxy operator
 
-# Overview
+This repository provides a collection of operators related to HAproxy
 
-A Juju charm that deploys and manages HAProxy on machine. HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. It features connection persistence through HTTP cookies, load balancing, header addition, modification, deletion both ways. It has request blocking capabilities and provides interface to display server status.
+This repository contains the code for the following charms:
+1. `haproxy`: A machine charm managing HAproxy. See the [haproxy README](haproxy-operator/README.md) for more information.
+2. `haproxy-spoe-auth-operator`: A machine charm deploying an SPOE agent that serves as an authentication proxy. See the [haproxy-spoe-auth-operator README](haproxy-spoe-auth-operator/README.md) for more information.
 
-# Usage
-
-Deploy the HAProxy charm and integrate it with a certificate provider charm
-```
-juju deploy haproxy --channel=2.8/edge
-juju config haproxy external-hostname="fqdn.example"
-
-juju deploy self-signed-certificates
-juju integrate haproxy self-signed-certificates
-```
-
-# HAProxy project information
-
-- [HAProxy Homepage](http://haproxy.1wt.eu/)
-- [HAProxy mailing list](http://haproxy.1wt.eu/#tact)
+The repository also contains the snapped workload of some charms:
+1. `haproxy-spoe-auth-snap`: A snap of the SPOE agent made for the haproxy-spoe-auth-operator charm. See the [haproxy-spoe-auth-snap README](haproxy-spoe-auth-snap/README.md) for more information.
 
 ## Project and community
 
-The HAProxy Operator is a member of the Ubuntu family. It's an
-open source project that warmly welcomes community projects, contributions,
-suggestions, fixes and constructive feedback.
+The haproxy-operator project is a member of the Ubuntu family. It is an open source project that warmly welcomes community projects, contributions, suggestions, fixes and constructive feedback.
+
 * [Code of conduct](https://ubuntu.com/community/code-of-conduct)
 * [Get support](https://discourse.charmhub.io/)
-* [Join our online chat](https://matrix.to/#/#charmhub-charmdev:ubuntu.com)
-* [Contribute](https://charmhub.io/chrony/docs/contributing)
-* [Roadmap](https://charmhub.io/haproxy/docs/roadmap)
-Thinking about using the HAProxy charm for your next project? [Get in touch](https://matrix.to/#/#charmhub-charmdev:ubuntu.com)!
-
----
-
-For further details,
-[see the charm's detailed documentation](https://charmhub.io/haproxy/docs).
+* [Issues](https://github.com/canonical/haproxy-operator/issues)
+* [Matrix](https://matrix.to/#/#charmhub-charmdev:ubuntu.com)
+* [Contribute](https://github.com/canonical/haproxy-operator/blob/main/CONTRIBUTING.md)
@@ -7,7 +7,7 @@ changes:
     type: major
     description: |
       Add the `charms.haproxy.v0.spoe_auth` library to enable SPOE authentication integration.
-    urls: 
+    urls:
       pr: https://github.com/canonical/haproxy-operator/pull/229
       related_doc:
       related_issue:

@@ -0,0 +1,15 @@
+# --- Release notes change artifact ----
+
+schema_version: 1
+changes:
+  - title: Add HAProxy SPOE Auth Charm
+    author: tphan025
+    type: major
+    description: |
+      Added a new charm for HAProxy SPOE authentication.
+    urls: 
+      pr: https://github.com/canonical/haproxy-operator/pull/232
+      related_doc:
+      related_issue:
+    visibility: public
+    highlight: false
@@ -0,0 +1,38 @@
+This is the repository for the new HAProxy charm supporting HAProxy v2.8 and published in the [2.8/edge](https://charmhub.io/haproxy?channel=2.8/edge) channel. For the legacy charm in the [latest/edge](https://charmhub.io/haproxy?channel=latest/edge) channel please refer to the [legacy/main](https://github.com/canonical/haproxy-operator/tree/legacy/main) branch.
+
+# Overview
+
+A Juju charm that deploys and manages HAProxy on machine. HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. It features connection persistence through HTTP cookies, load balancing, header addition, modification, deletion both ways. It has request blocking capabilities and provides interface to display server status.
+
+# Usage
+
+Deploy the HAProxy charm and integrate it with a certificate provider charm
+```
+juju deploy haproxy --channel=2.8/edge
+juju config haproxy external-hostname="fqdn.example"
+
+juju deploy self-signed-certificates
+juju integrate haproxy self-signed-certificates:certificates
+```
+
+# HAProxy project information
+
+- [HAProxy Homepage](http://haproxy.1wt.eu/)
+- [HAProxy mailing list](http://haproxy.1wt.eu/#tact)
+
+## Project and community
+
+The HAProxy Operator is a member of the Ubuntu family. It's an
+open source project that warmly welcomes community projects, contributions,
+suggestions, fixes and constructive feedback.
+* [Code of conduct](https://ubuntu.com/community/code-of-conduct)
+* [Get support](https://discourse.charmhub.io/)
+* [Join our online chat](https://matrix.to/#/#charmhub-charmdev:ubuntu.com)
+* [Contribute](https://charmhub.io/chrony/docs/contributing)
+* [Roadmap](https://charmhub.io/haproxy/docs/roadmap)
+Thinking about using the HAProxy charm for your next project? [Get in touch](https://matrix.to/#/#charmhub-charmdev:ubuntu.com)!
+
+---
+
+For further details,
+[see the charm's detailed documentation](https://charmhub.io/haproxy/docs).
@@ -121,7 +121,7 @@ namespace_packages = true
 
 [[tool.mypy.overrides]]
 disallow_untyped_defs = false
-module = "tests.*"
+module = ["tests.*"]
 
 [tool.bandit]
 exclude_dirs = [ "/venv/" ]

@@ -86,6 +86,7 @@ commands = [
     "-m",
     "pytest",
     "--ignore={[vars]tst_path}integration",
+    "--ignore={toxinidir}/haproxy_spoe_auth_operator",
     "-v",
     "--tb",
     "native",
@@ -119,6 +120,7 @@ commands = [
     "--tb",
     "native",
     "--ignore={[vars]tst_path}unit",
+    "--ignore={toxinidir}/haproxy_spoe_auth_operator",
     "--log-cli-level=INFO",
     "-s",
     { replace = "posargs", extend = "true" },

@@ -0,0 +1,27 @@
+# HAProxy SPOE Auth Operator
+
+A Juju charm that deploys and manages HAProxy SPOE Auth on machines.
+
+## Overview
+
+HAProxy SPOE Auth is a Stream Processing Offload Engine (SPOE) agent for HAProxy that provides authentication capabilities. This charm simplifies the deployment and management of the agent.
+
+
+## Usage
+
+Deploy the charm:
+
+```bash
+juju deploy haproxy_spoe_auth_operator --channel=latest/edge --config hostname=auth.example.com
+```
+
+Integrate with an OAuth provider:
+
+```bash
+juju relate haproxy-spoe-auth oauth-provider
+```
+
+Integrate with haproxy
+```bash
+juju relate haproxy-spoe-auth haproxy
+```
@@ -0,0 +1,71 @@
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+type: charm
+base: ubuntu@24.04
+build-base: ubuntu@24.04
+
+platforms:
+  amd64:
+
+parts:
+  charm:
+    source: .
+    plugin: uv
+    build-snaps:
+    - astral-uv
+    build-packages:
+    - git
+  templates:
+    plugin: dump
+    source: .
+    stage:
+    - templates
+
+name: haproxy-spoe-auth
+title: HAProxy SPOE Auth charm
+description: |
+  A [Juju](https://juju.is/) [charm](https://juju.is/docs/olm/charmed-operators)
+  deploying and managing [HAProxy SPOE Auth](https://github.com/criteo/haproxy-spoe-auth) on machines.
+
+  HAProxy SPOE Auth is a Stream Processing Offload Engine agent for HAProxy that provides
+  authentication capabilities including OAuth support.
+
+  This charm simplifies initial deployment and "day N" operations of HAProxy SPOE Auth on 
+  VMs and bare metal.
+summary: HAProxy SPOE authentication agent
+links:
+  documentation: https://discourse.charmhub.io/t/haproxy-spoe-auth-documentation-overview/
+  issues: https://github.com/canonical/haproxy-operator/issues
+  source: https://github.com/canonical/haproxy-operator
+  contact:
+  - https://launchpad.net/~canonical-is-devops
+
+assumes:
+- juju >= 3.3
+
+requires:
+  oauth:
+    interface: oauth
+    description: OAuth authentication provider integration
+    limit: 1
+    optional: false
+provides:
+  spoe-auth:
+    interface: spoe-auth
+    description: Relation to provide authentication proxy to HAProxy.
+    limit: 1
+    optional: false
+
+config:
+  options:
+    hostname:
+      type: string
+      description: |
+        Public hostname of the agent. Used to store client credentials
+        and to build the redirect URI
+
+charm-libs:
+- lib: hydra.oauth
+  version: "0"
+- lib: haproxy.spoe_auth
+  version: "0"