From 60d3206d778fcfb72c15de3a863ec1f5eb649829 Mon Sep 17 00:00:00 2001 From: rahul810050 Date: Sat, 13 Dec 2025 12:03:14 +0530 Subject: [PATCH] docs(helm): document default Spark UI ingress TLS and annotations Adds documentation and examples for the default Spark UI ingress TLS and annotations configuration Signed-off-by: rahul810050 --- .../spark-operator/getting-started.md | 93 +++++++++++++++++++ 1 file changed, 93 insertions(+) diff --git a/content/en/docs/components/spark-operator/getting-started.md b/content/en/docs/components/spark-operator/getting-started.md index 5db9d2cdfd..8eb233e0c4 100644 --- a/content/en/docs/components/spark-operator/getting-started.md +++ b/content/en/docs/components/spark-operator/getting-started.md 
@@ -293,6 +293,99 @@ spec: kubernetes.io/ingress.class: nginx ``` +## Default Spark UI Ingress TLS and Annotations + +Starting from the release that includes PR #2513, the Spark Operator supports **default TLS configuration and default annotations for the Spark UI Ingress** via Helm values. + +This is useful when you want **all SparkApplications to share a common TLS or annotation configuration** without having to repeat the same settings in every SparkApplication spec. + +### How It Works + +There are **two levels of configuration** for Spark UI ingress: + +1. **Application-level configuration** + + Defined in the SparkApplication spec under: + +```shell + spec: + sparkUIOptions: + ingressTLS: [] + ingressAnnotations: {} +``` + +2. **Helm-level default configuration (NEW FEATURE)** + + Defined in the Helm values under: + +```shell + controller: + uiIngress: + tls: [] + annotations: {} +``` +Precedence rule: + +- If a SparkApplication explicitly sets `spec.sparkUIOptions.ingressTLS` or `ingressAnnotations`, those values are used. 
+- Otherwise, the operator falls back to the Helm defaults defined in: + - `controller.uiIngress.tls` + - `controller.uiIngress.annotations` + +### Example: Configure Default TLS via Helm +This example enables TLS for **all Spark UI ingresses by default**: +```shell + controller: + uiIngress: + enable: true + urlFormat: "{{ .Name }}.spark.example.com" + tls: + - secretName: spark-ui-tls + hosts: + - "*.spark.example.com" +``` +With this configuration: +- Every SparkApplication UI ingress will use the TLS secret `spark-ui-tls` +- Unless explicitly overridden in the SparkApplication spec + +### Example: Configure Default Ingress Annotations via Helm + +```shell + controller: + uiIngress: + enable: true + urlFormat: "{{ .Name }}.spark.example.com" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/ssl-redirect: "true" +``` +These annotations will be applied to all Spark UI ingress resources by default. + +### Example: Overriding Defaults in a SparkApplication +You can override the Helm defaults at the application level: + +```shell + apiVersion: sparkoperator.k8s.io/v1beta2 + kind: SparkApplication + metadata: + name: spark-pi + spec: + sparkUIOptions: + ingressTLS: + - secretName: custom-ui-tls + hosts: + - spark-pi.custom.example.com + ingressAnnotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" +``` +In this case: +- The Helm defaults are ignored +- The SparkApplication uses its own TLS and annotation settings + +### Important Notes +- `controller.uiIngress.enable` must be set to true for ingress to be created. +- `controller.uiIngress.urlFormat` is required when enabling ingress. +- Helm defaults apply only when **the SparkApplication does not define its own ingress TLS or annotations**. 
+ ## About the Mutating Admission Webhook The Kubernetes Operator for Apache Spark comes with an optional mutating admission webhook for customizing Spark driver and executor pods based on the specification in `SparkApplication` objects, e.g., mounting user-specified ConfigMaps and volumes, and setting pod affinity/anti-affinity, and adding tolerations.
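Review bot: The precedence rule under "How It Works" and the last bullet of "Important Notes" leave open whether the fallback is decided per field or for both fields together, and whether application-level annotations replace the Helm defaults or are merged with them. The wording "does not define its own ingress TLS or annotations" can be read either way, and the override example sets both `ingressTLS` and `ingressAnnotations`, so it does not settle the question. Please state what happens when a SparkApplication sets only `ingressAnnotations`: does its UI ingress still receive `controller.uiIngress.tls`? Anyone relying on the default TLS needs that answer. The same override example sets `nginx.ingress.kubernetes.io/ssl-redirect: "false"` against a default of `"true"`, so the only override sample on the page shows an application switching off the redirect configured for everyone; consider using a neutral annotation there, or add a sentence saying that application owners can override the default in this way. Smaller points: the added blocks are YAML but fenced as `shell` and should be tagged `yaml`; "the release that includes PR #2513" should name the operator or chart version; and the TLS example should say in which namespace the `spark-ui-tls` secret is expected to exist.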