canonical · Thanhphan1147 · Apr 22, 2026 · Mar 17, 2026 · Apr 2, 2026 · Apr 2, 2026
@@ -0,0 +1,21 @@
+version_schema: 2
+
+changes:
+  - title: Publish proxied endpoint URL to policy provider and auto-add host to
+      allowed-hosts
+    author: tphan025
+    type: minor
+    description: >
+      Add a new proxied_endpoint field on the requirer app data. The
+      haproxy-operator now publishes the generated hostname. On the
+      policy-operator side, the charm extracts the host from the proxied
+      endpoint and appends it to the Django allowed-hosts list. Refactored
+      HaproxyRoutePolicyInformation to rename allowed_hosts to
+      extra_allowed_hosts. Updated unit tests accordingly.
+    urls:
+      pr:
+        - https://github.com/canonical/haproxy-operator/pull/475
+      related_doc:
+      related_issue:
+    visibility: public
+    highlight: false
@@ -40,7 +40,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 4
+LIBPATCH = 8
 
 
 def valid_domain_with_wildcard(value: str) -> str:
@@ -61,6 +61,17 @@ def valid_domain_with_wildcard(value: str) -> str:
     return value
 
 
+def valid_domain(value: str) -> str:
+    """Validate if value is a valid domain without wildcards.
+
+    Raises:
+        ValueError: When value is not a valid domain.
+    """
+    if not bool(domain(value)):
+        raise ValueError(f"Invalid domain: {value}")
+    return value
+
+
 logger = logging.getLogger(__name__)
 HAPROXY_ROUTE_POLICY_RELATION_NAME = "haproxy-route-policy"
 
@@ -101,6 +112,9 @@ class HaproxyRoutePolicyRequirerAppData:
     backend_requests: list[HaproxyRoutePolicyBackendRequest] = Field(
         description="List of backends to be evaluated by the policy service."
     )
+    proxied_endpoint: Annotated[str, BeforeValidator(valid_domain)] | None = Field(
+        description=("URL for the proxied endpoint that's exposing the Django web UI."),
+    )
 
     @model_validator(mode="after")
     def validate_unique_backend_names(self):
@@ -201,15 +215,20 @@ def relation(self) -> Relation | None:
         return self.charm.model.get_relation(self._relation_name)
 
     def provide_haproxy_route_policy_requests(
-        self, backend_requests: list[HaproxyRoutePolicyBackendRequest]
+        self,
+        backend_requests: list[HaproxyRoutePolicyBackendRequest],
+        proxied_endpoint: str | None,
     ) -> None:
         """Set and publish route policy requests."""
         relation = self.relation
         if not relation or not self.charm.unit.is_leader():
             return
 
         try:
-            app_data = HaproxyRoutePolicyRequirerAppData(backend_requests=backend_requests)
+            app_data = HaproxyRoutePolicyRequirerAppData(
+                backend_requests=backend_requests,
+                proxied_endpoint=proxied_endpoint,
+            )
             relation.save(app_data, self.charm.app)
         except (
             ValidationError,

@@ -369,7 +369,10 @@ def _configure_haproxy_route(
         )
         if self.unit.is_leader() and self.haproxy_route_policy.relation is not None:
             self.haproxy_route_policy.provide_haproxy_route_policy_requests(
-                haproxy_route_requirers_information.backend_requests_for_policy
+                haproxy_route_requirers_information.backend_requests_for_policy,
+                haproxy_route_requirers_information.policy_provider_backend.hostname
+                if haproxy_route_requirers_information.policy_provider_backend
+                else None,
             )
         # We ONLY allow the charm to run with no certificate requested if:
         # 1. there's only haproxy-route-tcp relations
@@ -409,9 +412,6 @@ def _configure_haproxy_route(
             ),
         )
         if self.unit.is_leader():
-            self.haproxy_route_policy.provide_haproxy_route_policy_requests(
-                haproxy_route_requirers_information.backend_requests_for_policy
-            )
             self._publish_haproxy_route_proxied_endpoints(haproxy_route_requirers_information)
             self._publish_haproxy_route_tcp_proxied_endpoints(
                 haproxy_route_requirers_information, ha_information

@@ -40,7 +40,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 4
+LIBPATCH = 8
 
 
 def valid_domain_with_wildcard(value: str) -> str:
@@ -61,6 +61,17 @@ def valid_domain_with_wildcard(value: str) -> str:
     return value
 
 
+def valid_domain(value: str) -> str:
+    """Validate if value is a valid domain without wildcards.
+
+    Raises:
+        ValueError: When value is not a valid domain.
+    """
+    if not bool(domain(value)):
+        raise ValueError(f"Invalid domain: {value}")
+    return value
+
+
 logger = logging.getLogger(__name__)
 HAPROXY_ROUTE_POLICY_RELATION_NAME = "haproxy-route-policy"
 
@@ -101,6 +112,9 @@ class HaproxyRoutePolicyRequirerAppData:
     backend_requests: list[HaproxyRoutePolicyBackendRequest] = Field(
         description="List of backends to be evaluated by the policy service."
     )
+    proxied_endpoint: Annotated[str, BeforeValidator(valid_domain)] | None = Field(
+        description=("URL for the proxied endpoint that's exposing the Django web UI."),
+    )
 
     @model_validator(mode="after")
     def validate_unique_backend_names(self):
@@ -201,15 +215,20 @@ def relation(self) -> Relation | None:
         return self.charm.model.get_relation(self._relation_name)
 
     def provide_haproxy_route_policy_requests(
-        self, backend_requests: list[HaproxyRoutePolicyBackendRequest]
+        self,
+        backend_requests: list[HaproxyRoutePolicyBackendRequest],
+        proxied_endpoint: str | None,
     ) -> None:
         """Set and publish route policy requests."""
         relation = self.relation
         if not relation or not self.charm.unit.is_leader():
             return
 
         try:
-            app_data = HaproxyRoutePolicyRequirerAppData(backend_requests=backend_requests)
+            app_data = HaproxyRoutePolicyRequirerAppData(
+                backend_requests=backend_requests,
+                proxied_endpoint=proxied_endpoint,
+            )
             relation.save(app_data, self.charm.app)
         except (
             ValidationError,

@@ -5,6 +5,7 @@
 
 """haproxy-route-policy-operator charm."""
 
+import json
 import logging
 from typing import Any
 
@@ -22,6 +23,7 @@
     configure_snap,
     create_or_update_user,
     install_snap,
+    is_service_active,
     run_migrations,
     start_gunicorn_service,
 )
@@ -94,9 +96,24 @@ def _reconcile(self, _: ops.EventBase) -> None:
         self.unit.status = ops.MaintenanceStatus("configuring haproxy-route-policy")
         database_information = DatabaseInformation.from_requirer(self, self.database)
         haproxy_route_policy_information = HaproxyRoutePolicyInformation.from_charm(self)
+
+        allowed_hosts = haproxy_route_policy_information.allowed_hosts_configuration
+        if relation := self.haproxy_route_policy.relation:
+            haproxy_route_policy_requirer_data = relation.load(
+                HaproxyRoutePolicyRequirerAppData, relation.app
+            )
+            if is_service_active():
+                # We can only send requests to the policy API if the service is active.
+                self._fetch_and_refresh_backend_requests(
+                    haproxy_route_policy_information, haproxy_route_policy_requirer_data
+                )
+
+            if proxied_endpoint := haproxy_route_policy_requirer_data.proxied_endpoint:
+                allowed_hosts.append(proxied_endpoint)
+
         configure_snap(
             {
-                **haproxy_route_policy_information.allowed_hosts_snap_configuration,
+                **{"allowed-hosts": json.dumps(allowed_hosts)},
                 **database_information.haproxy_route_policy_snap_configuration,
             }
         )
@@ -116,9 +133,6 @@ def _reconcile(self, _: ops.EventBase) -> None:
 
         self.unit.open_port("tcp", HAPROXY_ROUTE_POLICY_PORT)
 
-        if relation := self.haproxy_route_policy.relation:
-            self._fetch_and_refresh_backend_requests(haproxy_route_policy_information, relation)
-
         self.unit.status = ops.ActiveStatus()
 
     def _on_get_admin_credentials_action(self, event: ops.ActionEvent) -> None:
@@ -140,12 +154,10 @@ def _on_get_admin_credentials_action(self, event: ops.ActionEvent) -> None:
     def _fetch_and_refresh_backend_requests(
         self,
         haproxy_route_policy_information: HaproxyRoutePolicyInformation,
-        haproxy_route_policy_relation: ops.Relation,
+        haproxy_route_policy_requirer_data: HaproxyRoutePolicyRequirerAppData,
     ) -> None:
         """Fetch backend requests from relation and refresh their status via the policy API."""
-        backend_requests = haproxy_route_policy_relation.load(
-            HaproxyRoutePolicyRequirerAppData, haproxy_route_policy_relation.app
-        ).backend_requests
+        backend_requests = haproxy_route_policy_requirer_data.backend_requests
 
         client = HaproxyRoutePolicyClient(
             username=haproxy_route_policy_information.admin_username,

@@ -59,6 +59,12 @@ def start_gunicorn_service() -> None:
     package.start()
 
 
+def is_service_active() -> bool:
+    """Check if the snap gunicorn app is active."""
+    package = snap.SnapCache()[SNAP_NAME]
+    return package.services["haproxy-route-policy"].get("active", False)
+
+
 def create_or_update_user(username: str, password: str) -> None:
     """Create or update the HTTP proxy policy superuser.
 

@@ -5,7 +5,6 @@
 
 """Charm state for HAProxy route policy information."""
 
-import json
 import secrets
 from typing import Annotated, cast
 
@@ -66,19 +65,19 @@ class HaproxyRoutePolicyInformation:
         secret_key: Django secret key.
     """
 
-    allowed_hosts: list[FQDN | IPvAnyAddress] = Field()
+    extra_allowed_hosts: list[FQDN | IPvAnyAddress] = Field()
     admin_username: str = Field()
     admin_password: str = Field()
     secret_key: str = Field()
 
     @property
-    def allowed_hosts_snap_configuration(self) -> dict[str, str]:
-        """Return snap configuration keys and values."""
-        return {
-            "allowed-hosts": json.dumps(
-                DEFAULT_ALLOWED_HOSTS + [str(host) for host in self.allowed_hosts]
-            ),
-        }
+    def allowed_hosts_configuration(self) -> list[str]:
+        """Get the allowed hosts snap configuration.
+
+        Returns:
+            list: The allowed hosts to set in snap configuration.
+        """
+        return DEFAULT_ALLOWED_HOSTS + [str(host) for host in self.extra_allowed_hosts]
 
     @classmethod
     def from_charm(cls, charm: ops.CharmBase) -> "HaproxyRoutePolicyInformation":
@@ -94,7 +93,7 @@ def from_charm(cls, charm: ops.CharmBase) -> "HaproxyRoutePolicyInformation":
         if not peer_relation:
             raise PeerRelationMissingError("Peer relation is missing.")
 
-        allowed_hosts = (
+        extra_allowed_hosts = (
             [
                 cast(IPvAnyAddress | FQDN, address)
                 for address in cast(str, charm.config.get("extra-allowed-hosts")).split(",")
@@ -109,7 +108,7 @@ def from_charm(cls, charm: ops.CharmBase) -> "HaproxyRoutePolicyInformation":
             )
         secret_key = _get_django_secret_key(charm, peer_relation)["secret-key"]
         return cls(
-            allowed_hosts=allowed_hosts,
+            extra_allowed_hosts=extra_allowed_hosts,
             admin_username=credentials["username"],
             admin_password=credentials["password"],
             secret_key=secret_key,

@@ -14,7 +14,7 @@
 def _build_state(allowed_hosts: list[str]) -> HaproxyRoutePolicyInformation:
     """Build a valid state instance with overridable allowed hosts."""
     return HaproxyRoutePolicyInformation(
-        allowed_hosts=cast(list[Any], allowed_hosts),
+        extra_allowed_hosts=cast(list[Any], allowed_hosts),
         admin_username="admin",
         # Ignore bandit warning as this is for testing.
         admin_password="secret",  # nosec
@@ -25,15 +25,15 @@ def _build_state(allowed_hosts: list[str]) -> HaproxyRoutePolicyInformation:
 @pytest.mark.parametrize(
     "allowed_hosts, expected_allowed_hosts",
     [
-        pytest.param([], [], id="empty-list"),
-        pytest.param(["example.com"], ["example.com"], id="single-fqdn"),
+        pytest.param([], ["localhost"], id="empty-list"),
+        pytest.param(["example.com"], ["localhost", "example.com"], id="single-fqdn"),
         pytest.param(
             ["example.com", "api.example.com"],
-            ["example.com", "api.example.com"],
+            ["localhost", "example.com", "api.example.com"],
             id="multiple-fqdn",
         ),
-        pytest.param(["10.0.0.10"], ["10.0.0.10"], id="ipv4-address"),
-        pytest.param(["2001:db8::1"], ["2001:db8::1"], id="ipv6-address"),
+        pytest.param(["10.0.0.10"], ["localhost", "10.0.0.10"], id="ipv4-address"),
+        pytest.param(["2001:db8::1"], ["localhost", "2001:db8::1"], id="ipv6-address"),
     ],
 )
 def test_haproxy_route_policy_information_init_valid_allowed_hosts(
@@ -46,7 +46,7 @@ def test_haproxy_route_policy_information_init_valid_allowed_hosts(
     """
     state = _build_state(allowed_hosts)
 
-    assert [str(host) for host in state.allowed_hosts] == expected_allowed_hosts
+    assert [str(host) for host in state.allowed_hosts_configuration] == expected_allowed_hosts
 
 
 @pytest.mark.parametrize(
@@ -94,25 +94,3 @@ def test_haproxy_route_policy_information_init_rejects_none_string_fields(
 
     with pytest.raises(ValidationError):
         HaproxyRoutePolicyInformation(**payload)
-
-
-@pytest.mark.parametrize(
-    "allowed_hosts, expected",
-    [
-        pytest.param([], {"allowed-hosts": '["localhost"]'}, id="empty"),
-        pytest.param(
-            ["example.com", "api.example.com"],
-            {"allowed-hosts": '["localhost", "example.com", "api.example.com"]'},
-            id="multiple-fqdn",
-        ),
-    ],
-)
-def test_allowed_hosts_snap_configuration(allowed_hosts: list[str], expected: dict[str, str]):
-    """
-    arrange: initialize state with valid allowed hosts.
-    act: read snap configuration property.
-    assert: allowed-hosts is serialized to expected JSON string.
-    """
-    state = _build_state(allowed_hosts)
-
-    assert state.allowed_hosts_snap_configuration == expected
@@ -100,7 +100,9 @@ def test_requirer_app_data_model_accepts_valid_payload():
     assert: payload is validated and fields are preserved.
     """
     request = HaproxyRoutePolicyBackendRequest(**VALID_BACKEND_REQUEST)
-    app_data = HaproxyRoutePolicyRequirerAppData(backend_requests=[request])
+    app_data = HaproxyRoutePolicyRequirerAppData(
+        backend_requests=[request], proxied_endpoint="example.com"
+    )
 
     assert len(app_data.backend_requests) == 1
     assert app_data.backend_requests[0].backend_name == "backend-a"
@@ -142,4 +144,6 @@ def test_requirer_app_data_rejects_duplicate_backend_names():
     ]
 
     with pytest.raises(ValidationError):
-        HaproxyRoutePolicyRequirerAppData(backend_requests=duplicated_requests)
+        HaproxyRoutePolicyRequirerAppData(
+            backend_requests=duplicated_requests, proxied_endpoint=None
+        )