File talk:PAWS Design.png

From Wikitech

The diagram looks great! Some comments on things I would change (I could update it myself if I get access):

  • I would wrap the haproxy cluster in a square, to better reflect it is indeed a cluster.
  • The haproxy setup uses a manually-allocated IP address from a neutron port (172.16.1.171/32). The floating IP points to that address. I believe it is important to reflect this in the diagram, because we will forget how this was done soon :-P
  • I wouldn't mind if we hardcode both important IP addresses, the internal neutron port used for keepalived (172.16.1.171/32) and the public floating IP that NATs that address (185.15.56.57/32).
  • Similarly, I would simply hardcode the main FQDN that resolves to the floating IP: paws.wmcloud.org
  • the internal API server FQDN is k8s.svc.paws.eqiad1.wikimedia.cloud (i.e., 172.16.1.171/32) and not k8s.svc.paws.wmcloud.org. Interestingly, there is a DNS wildcard A record that makes it work. If we don't expect users to have their own domains in the public stuff, we may better drop the wildcard record and just create named records for the 3 involved:
aborrero@paws-k8s-haproxy-1:~$ host k8s.svc.paws.wmcloud.org
k8s.svc.paws.wmcloud.org has address 185.15.56.57
  • we do TLS termination in haproxy. I would mark it in the diagram somehow. Perhaps just with a small text box "TLS termination".
  • we could include some info on the TCP ports used, but perhaps it is better to have that in the docs and not overload the diagram?

--Arturo Borrero Gonzalez (talk) 09:31, 24 July 2020 (UTC)
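The wildcard point above is worth checking mechanically: an A lookup alone cannot tell an explicit record from a wildcard match, so a name can "work" today and silently keep working (or stop) when the wildcard is changed. The script below is an added example, not code from the page or from the PAWS project. It probes a random label under the zone to detect a wildcard, then classifies each expected FQDN as an explicit record, a wildcard-only match, a mismatch, or missing. The FQDNs and addresses are the ones quoted in the comment; the `make_fake_resolver` stub and its record table are constructed here so the audit runs offline, and the `wildcard` argument it takes is an assumption of this example, not real DNS behaviour.

```python
import secrets
import socket
from typing import Callable, Dict, Optional, Tuple

# A resolver maps an FQDN to an IPv4 address string, or None if it does not resolve.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the host's stub resolver (used when no fake resolver is injected)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_fake_resolver(records: Dict[str, str],
                       wildcard: Optional[Tuple[str, str]] = None) -> Resolver:
    """Constructed offline resolver: explicit records first, then an optional
    wildcard (zone, address) that answers for any label strictly under `zone`."""
    def resolve(name: str) -> Optional[str]:
        if name in records:
            return records[name]
        if wildcard is not None:
            zone, addr = wildcard
            if name.endswith("." + zone):
                return addr
        return None
    return resolve


def wildcard_address(zone: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the address a never-created random label under `zone` resolves to,
    or None when the zone has no wildcard A record."""
    probe = f"probe-{secrets.token_hex(6)}.{zone}"
    return resolve(probe)


def audit_records(expected: Dict[str, str], zone: str,
                  resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Classify each expected FQDN:
      'ok'            resolves to the wanted address and a wildcard cannot be the reason
      'wildcard-only' address is right, but the zone wildcard gives the same answer,
                      so no explicit record is proven to exist
      'mismatch: X'   resolves to a different address X
      'missing'       does not resolve at all
    """
    wild = wildcard_address(zone, resolve)
    report: Dict[str, str] = {}
    for fqdn, want in expected.items():
        got = resolve(fqdn)
        if got is None:
            report[fqdn] = "missing"
        elif got != want:
            report[fqdn] = f"mismatch: {got}"
        elif wild == want and fqdn.endswith("." + zone):
            report[fqdn] = "wildcard-only"
        else:
            report[fqdn] = "ok"
    return report


# The three names from the discussion and the addresses they should map to.
EXPECTED = {
    "paws.wmcloud.org": "185.15.56.57",                       # floating IP
    "k8s.svc.paws.wmcloud.org": "185.15.56.57",               # currently served by the wildcard
    "k8s.svc.paws.eqiad1.wikimedia.cloud": "172.16.1.171",    # internal keepalived VIP
}

# Constructed zone data: explicit records plus a *.paws.wmcloud.org wildcard.
FAKE_WITH_WILDCARD = make_fake_resolver(
    {"paws.wmcloud.org": "185.15.56.57",
     "k8s.svc.paws.eqiad1.wikimedia.cloud": "172.16.1.171"},
    wildcard=("paws.wmcloud.org", "185.15.56.57"),
)

if __name__ == "__main__":
    for name, status in audit_records(EXPECTED, "paws.wmcloud.org", FAKE_WITH_WILDCARD).items():
        print(f"{name:40s} {status}")
```

Against the real zone, drop the `resolve` argument and the system resolver is used; a `wildcard-only` result for `k8s.svc.paws.wmcloud.org` is exactly the situation the comment describes, and it turns into `missing` once the wildcard is removed without an explicit record being added.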

    • Good idea on the cluster thing.
    • You are totally right about the k8s address. I just mixed that up :)
    • I like the specific DNS vs wildcard.
    • TLS! Yes I should add that.
    • I think I'll keep the ports to the narrative description, yeah.
Thanks!!
Bstorm (talk) 15:10, 24 July 2020 (UTC)