docs(helm): document default Spark UI ingress TLS and annotations

content/en/docs/components/spark-operator/getting-started.md

@@ -293,6 +293,99 @@ spec:
         kubernetes.io/ingress.class: nginx
 ```
 
+## Default Spark UI Ingress TLS and Annotations
+
+Starting from the release that includes PR #2513, the Spark Operator supports **default TLS configuration and default annotations for the Spark UI Ingress** via Helm values.
+
+This is useful when you want **all SparkApplications to share a common TLS or annotation configuration** without having to repeat the same settings in every SparkApplication spec.
+
+### How It Works
+
+There are **two levels of configuration** for Spark UI ingress:
+
+1. **Application-level configuration**  
+
+    Defined in the SparkApplication spec under:
+
+```shell
+   spec:
+     sparkUIOptions:
+       ingressTLS: []
+       ingressAnnotations: {}
+```
+
+2. **Helm-level default configuration (NEW FEATURE)**
+
+    Defined in the Helm values under:
+
+```shell
+    controller:
+        uiIngress:
+            tls: []
+            annotations: {}
+```
+Precedence rule:
+
+- If a SparkApplication explicitly sets `spec.sparkUIOptions.ingressTLS` or `ingressAnnotations`, those values are used.
+- Otherwise, the operator falls back to the Helm defaults defined in:
+  - `controller.uiIngress.tls`
+  - `controller.uiIngress.annotations`
+
+### Example: Configure Default TLS via Helm
+This example enables TLS for **all Spark UI ingresses by default**:
+```shell
+    controller:
+        uiIngress:
+            enable: true
+            urlFormat: "{{ .Name }}.spark.example.com"
+            tls:
+            - secretName: spark-ui-tls
+                hosts:
+                - "*.spark.example.com"
+```
+With this configuration:
+- Every SparkApplication UI ingress will use the TLS secret `spark-ui-tls`
+- Unless explicitly overridden in the SparkApplication spec
+
+### Example: Configure Default Ingress Annotations via Helm
+
+```shell
+    controller:
+        uiIngress:
+            enable: true
+            urlFormat: "{{ .Name }}.spark.example.com"
+            annotations:
+            nginx.ingress.kubernetes.io/rewrite-target: /
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+```
+These annotations will be applied to all Spark UI ingress resources by default.
+
+### Example: Overriding Defaults in a SparkApplication
+You can override the Helm defaults at the application level:
+
+```shell
+    apiVersion: sparkoperator.k8s.io/v1beta2
+        kind: SparkApplication
+        metadata:
+        name: spark-pi
+        spec:
+        sparkUIOptions:
+            ingressTLS:
+            - secretName: custom-ui-tls
+                hosts:
+                - spark-pi.custom.example.com
+            ingressAnnotations:
+            nginx.ingress.kubernetes.io/ssl-redirect: "false"
+```
+In this case:
+- The Helm defaults are ignored
+- The SparkApplication uses its own TLS and annotation settings
+
+### Important Notes
+- `controller.uiIngress.enable` must be set to true for ingress to be created.
+- `controller.uiIngress.urlFormat` is required when enabling ingress.
+- Helm defaults apply only when **the SparkApplication does not define its own ingress TLS or annotations**.
+
 ## About the Mutating Admission Webhook
 
 The Kubernetes Operator for Apache Spark comes with an optional mutating admission webhook for customizing Spark driver and executor pods based on the specification in `SparkApplication` objects, e.g., mounting user-specified ConfigMaps and volumes, and setting pod affinity/anti-affinity, and adding tolerations.