Add haproxy-spoe-auth-operator charm MVP

[Copilot]

Applicable spec: ISD-257 ( internal )

New charm managing the haproxy-spoe-auth snap to provide authentication proxy functionalities. The MVP implements the oauth relation as well as the provider side of the spoe-auth relation.

This PR also moves the main code of the haproxy-operator charm to its dedicated folder in the monorepo. CI is also adapted to take this into account.

No changes to the code of the haproxy charm.

Checklist

• The charm style guide was applied
• The contributing guide was applied
• The changes are compliant with ISD054 - Managing Charm Complexity
• The documentation for charmhub is updated
• A change artifact was added for user-relevant changes in docs/release-notes/artifacts
• The PR is tagged with appropriate label (urgent, trivial, complex)
• The changelog is updated with user-relevant changes in the format of keep a changelog v1.1.0

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[copilot] MVP for the haproxy-spoe-auth charm</issue_title>
<issue_description>### Enhancement Proposal

Create an MVP for the haproxy-spoe-auth-operator charm. The charm will be under a new folder called haproxy_spoe_auth_operator and follow the platform-engineering-charm template. https://github.com/canonical/http-proxy-operators/pull/46/files is an example of onboarding a new charm to a monorepo, use it as a reference. Only keep files that are necessary, files handled globally by the monorepo should not be added from the template.

The charm will install and manage the haproxy-spoe-auth snap and its configuration file at /var/snap/haproxy-spoe-auth/current/config.yaml. The charm will first implement only the oauth relation and use jinja2 to manage the configuration file. The structure of the charm code should be similar to the haproxy charm or the asciinema-server charm. Unit tests should use scenario ( ops[testing] ) and integration tests should use jubilant. References can be found in this repo. Tests for the charm state should not use scenario.

Use ubuntu:24.04 as base for the charm</issue_description>

<agent_instructions>Stick to the style guideline and managing charm complexity document. Don't add more than what's necessary</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [copilot] MVP for the haproxy-spoe-auth charm #231

[Thanhphan1147]

@copilot An example of adding the oauth library and using the requirer class is here: https://github.com/canonical/synapse-operator/pull/621/files

Update the code to declare the library in charm-lib and use the correct requirer class. Don't add the library for now, I'll fetch it locally

[Copilot]

@copilot An example of adding the oauth library and using the requirer class is here: https://github.com/canonical/synapse-operator/pull/621/files

Update the code to declare the library in charm-lib ...

Updated the code to declare the OAuth library and prepare for the requirer class (commit ffa22f6):

1. Added hydra.oauth library declaration in charmcraft.yaml under charm-libs
2. Added placeholder in charm __init__ for OAuth requirer initialization (commented out)
3. Updated oauth.py with detailed comments showing the library integration pattern
4. Kept temporary implementation until you fetch the library locally

The code is ready for the library to be added - just uncomment the requirer initialization and update OAuthInformation.from_charm() to use the library methods.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/canonical/synapse-operator/pulls/621/files
  • Triggering command: curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

license-eye has checked 185 files.

Valid	Invalid	Ignored	Fixed
79	2	104	0

Click to see the invalid file list

• haproxy_spoe_auth_operator/lib/charms/hydra/v0/oauth.py
• haproxy_spoe_auth_operator/uv.lock

Use this command to fix any missing license headers

```bash

docker run -it --rm -v $(pwd):/github/workspace apache/skywalking-eyes header fix

</details>

[seb4stien]

Left some comments. Ping me on MM for second review please.

[github-actions]

Test results for commit d4f1a57

Test coverage for d4f1a57

Name                                         Stmts   Miss Branch BrPart  Cover   Missing
----------------------------------------------------------------------------------------
lib/charms/haproxy/v0/haproxy_route_tcp.py     379    169     76      8    51%   197, 200, 248, 257-260, 264-267, 285-288, 303, 309-314, 414, 419, 796-799, 803, 820-841, 859-874, 888-895, 904, 1009-1050, 1054-1060, 1064, 1133-1162, 1233-1272, 1302-1304, 1329-1331, 1353-1357, 1376-1378, 1396-1398, 1405-1411, 1419-1421, 1429-1430, 1441-1448, 1461-1472, 1480-1501, 1514-1515, 1526-1527, 1538-1541, 1552-1553, 1582-1591, 1607-1610, 1626-1637, 1653-1656, 1674-1685, 1696-1697, 1705-1706, 1714-1715, 1726-1729
lib/charms/haproxy/v0/spoe_auth.py             163     82     34      2    44%   174-177, 192, 195, 285-287, 296, 331-356, 367-377, 420-426, 437-438, 442-443, 447, 455-468, 480-497, 513-528, 542-549
lib/charms/haproxy/v1/haproxy_route.py         363     53     88     26    81%   179, 237, 246-249, 274-277, 298-303, 647-648, 791->exit, 798, 824-835, 858-861, 865-867, 886-888, 1060-1066, 1070, 1262->1264, 1266->1268, 1268->1270, 1270->1272, 1272->1274, 1274->1277, 1311, 1319, 1324, 1327, 1352, 1380, 1384, 1388, 1411, 1431, 1440-1441, 1443->exit, 1479-1481, 1501, 1515, 1520-1522
src/charm.py                                   251     71     66      9    66%   91, 205, 213-226, 231, 236, 253, 264, 270-271, 299-319, 364-367, 373->372, 419-427, 455-468, 481-486, 495, 507-521, 526, 536, 542-548, 564
src/haproxy.py                                  98     22      2      1    77%   107-113, 131-145, 219-220, 223, 231-237, 265, 289-291
src/http_interface.py                           73     25      4      0    62%   74, 83, 92, 106-108, 126, 138, 150, 162, 170-175, 187, 194, 202, 217-227
src/state/charm_state.py                        73     15     14      4    78%   90-92, 97-98, 101, 142-147, 156, 201-203, 215-216
src/state/exception.py                           1      0      0      0   100%
src/state/ha.py                                 30      1      2      1    94%   50
src/state/haproxy_route.py                     137     11     42      8    88%   126, 143, 173-178, 245, 292-294, 311, 317, 334->336, 336->338
src/state/haproxy_route_tcp.py                  50     18     18      1    51%   74-76, 91->94, 116, 129-142
src/state/ingress.py                            35      0      4      0   100%
src/state/ingress_per_unit.py                   31      0      4      0   100%
src/state/tls.py                                40      7     12      4    79%   80, 83-84, 133-140, 146-147
src/state/validation.py                         46     23      8      1    44%   66-67, 71-98
src/tls_relation.py                             56      5     12      4    87%   83-84, 86->85, 113-123, 135->137
----------------------------------------------------------------------------------------
TOTAL                                         1826    502    386     69    68%

Static code analysis report

Working... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Run started:2025-11-27 16:40:12.136079+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 6662
  Total lines skipped (#nosec): 9
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 11

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

[github-actions]

Test results for commit d4f1a57

Test coverage for d4f1a57

Name                               Stmts   Miss Branch BrPart  Cover   Missing
------------------------------------------------------------------------------
src/charm.py                          40      9      2      0    74%   60-84, 89-91
src/haproxy_spoe_auth_service.py      42     16      2      0    59%   51-60, 72-76, 85-109
src/state.py                          55     15      6      1    67%   64-66, 79, 125-146
------------------------------------------------------------------------------
TOTAL                                137     40     10      1    67%

Static code analysis report

Run started:2025-11-27 16:56:57.149478

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 398
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):