Make default ingress tls and annotations congurable in the helm config (#2513)

Tom-Newton · web-flow · commit 8dd8db45a32d · 2025-06-10T16:02:49.000Z
* Initial attempt at passing the info through the CLI Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Working getting ingressTLS config from helm yaml into a `[]networkingv1.IngressTLS` Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Vaguely correct adding TLS options to UI ingress Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * First test passing Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Pass through argument where I had forgotten Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Implement IngressAnnotations Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Add "default" to some variable names Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Update helm and CLI parsing, including adding annotations Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Sufficient unit tests Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Tests and documentation for helm Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Minor adjustments to test strings Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * PR comments Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Fix rebase Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Avoid manually constructing the expected ingress name in tests Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Quote and rename on the helm side Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Avoid using pointers Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * More renaming to remove "default" Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Revert helm quote on json strings Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Tidy imports Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Fix tests after #2554 moved the ingress creation to be on submitted spark applications Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> * Re-generate helm docs Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com> --------- Signed-off-by: Thomas Newton <thomas.w.newton@gmail.com>
diff --git a/charts/spark-operator-chart/README.md b/charts/spark-operator-chart/README.md
@@ -93,6 +93,8 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum
 | controller.uiIngress.enable | bool | `false` | Specifies whether to create ingress for Spark web UI. `controller.uiService.enable` must be `true` to enable ingress. |
 | controller.uiIngress.urlFormat | string | `""` | Ingress URL format. Required if `controller.uiIngress.enable` is true. |
 | controller.uiIngress.ingressClassName | string | `""` | Optionally set the ingressClassName. |
+| controller.uiIngress.tls | list | `[]` | Optionally set default TLS configuration for the Spark UI's ingress. `ingressTLS` in the SparkApplication spec overrides this. |
+| controller.uiIngress.annotations | object | `{}` | Optionally set default ingress annotations for the Spark UI's ingress. `ingressAnnotations` in the SparkApplication spec overrides this. |
 | controller.batchScheduler.enable | bool | `false` | Specifies whether to enable batch scheduler for spark jobs scheduling. If enabled, users can specify batch scheduler name in spark application. |
 | controller.batchScheduler.kubeSchedulerNames | list | `[]` | Specifies a list of kube-scheduler names for scheduling Spark pods. |
 | controller.batchScheduler.default | string | `""` | Default batch scheduler to be used if not specified by the user. If specified, this value must be either "volcano" or "yunikorn". Specifying any other value will cause the controller to error on startup. |
diff --git a/charts/spark-operator-chart/templates/controller/deployment.yaml b/charts/spark-operator-chart/templates/controller/deployment.yaml
@@ -72,6 +72,12 @@ spec:
         {{- with .Values.controller.uiIngress.ingressClassName }}
         - --ingress-class-name={{ . }}
         {{- end }}
+        {{- with .Values.controller.uiIngress.tls }}
+        - --ingress-tls={{ . | toJson }}
+        {{- end }}
+        {{- with .Values.controller.uiIngress.annotations }}
+        - --ingress-annotations={{ . | toJson }}
+        {{- end }}
         {{- end }}
         {{- if .Values.controller.batchScheduler.enable }}
         - --enable-batch-scheduler=true
diff --git a/charts/spark-operator-chart/tests/controller/deployment_test.yaml b/charts/spark-operator-chart/tests/controller/deployment_test.yaml
@@ -184,6 +184,37 @@ tests:
           path: spec.template.spec.containers[?(@.name=="spark-operator-controller")].args
           content: --ingress-class-name=nginx
 
+  - it: Should contain `--ingress-tls` arg if `controller.uiIngress.enable` is set to `true` and `controller.uiIngress.tls` is set
+    set:
+      controller:
+        uiService:
+          enable: true
+        uiIngress:
+          enable: true
+          tls:
+            - hosts:
+                - "*.test.com"
+              secretName: test-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[?(@.name=="spark-operator-controller")].args
+          content: '--ingress-tls=[{"hosts":["*.test.com"],"secretName":"test-secret"}]'
+
+  - it: Should contain `--ingress-annotations` arg if `controller.uiIngress.enable` is set to `true` and `controller.uiIngress.annotations` is set
+    set:
+      controller:
+        uiService:
+          enable: true
+        uiIngress:
+          enable: true
+          annotations:
+            cert-manager.io/cluster-issuer: "letsencrypt"
+            kubernetes.io/ingress.class: nginx
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[?(@.name=="spark-operator-controller")].args
+          content: '--ingress-annotations={"cert-manager.io/cluster-issuer":"letsencrypt","kubernetes.io/ingress.class":"nginx"}'
+
   - it: Should contain `--enable-batch-scheduler` arg if `controller.batchScheduler.enable` is `true`
     set:
       controller:
@@ -246,7 +277,7 @@ tests:
       - contains:
           path: spec.template.spec.containers[?(@.name=="spark-operator-controller")].args
           content: --leader-election-lock-namespace=spark-operator
-  
+
   - it: Should disable leader election if `controller.leaderElection.enable` is set to `false`
     set:
       controller:
diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml
@@ -74,6 +74,15 @@ controller:
     urlFormat: ""
     # -- Optionally set the ingressClassName.
     ingressClassName: ""
+    # -- Optionally set default TLS configuration for the Spark UI's ingress. `ingressTLS` in the SparkApplication spec overrides this.
+    tls: []
+    # - hosts:
+    #   - "*.example.com"
+    #   secretName: "example-secret"
+    # -- Optionally set default ingress annotations for the Spark UI's ingress. `ingressAnnotations` in the SparkApplication spec overrides this.
+    annotations: {}
+      # key1: value1
+      # key2: value2
 
   batchScheduler:
     # -- Specifies whether to enable batch scheduler for spark jobs scheduling.
diff --git a/cmd/operator/controller/start.go b/cmd/operator/controller/start.go
@@ -18,7 +18,9 @@ package controller
 
 import (
 	"crypto/tls"
+	"encoding/json"
 	"flag"
+	"fmt"
 	"os"
 	"slices"
 	"time"
@@ -33,6 +35,7 @@ import (
 	"go.uber.org/zap/zapcore"
 	"golang.org/x/time/rate"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -87,9 +90,11 @@ var (
 	defaultBatchScheduler string
 
 	// Spark web UI service and ingress
-	enableUIService  bool
-	ingressClassName string
-	ingressURLFormat string
+	enableUIService    bool
+	ingressClassName   string
+	ingressURLFormat   string
+	ingressTLS         []networkingv1.IngressTLS
+	ingressAnnotations map[string]string
 
 	// Leader election
 	enableLeaderElection        bool
@@ -126,11 +131,25 @@ func init() {
 }
 
 func NewStartCommand() *cobra.Command {
+	var ingressTLSstring string
+	var ingressAnnotationsString string
 	var command = &cobra.Command{
 		Use:   "start",
 		Short: "Start controller and webhook",
-		PreRun: func(_ *cobra.Command, args []string) {
+		PreRunE: func(_ *cobra.Command, args []string) error {
 			development = viper.GetBool("development")
+
+			if ingressTLSstring != "" {
+				if err := json.Unmarshal([]byte(ingressTLSstring), &ingressTLS); err != nil {
+					return fmt.Errorf("failed parsing ingress-tls JSON string from CLI: %v", err)
+				}
+			}
+			if ingressAnnotationsString != "" {
+				if err := json.Unmarshal([]byte(ingressAnnotationsString), &ingressAnnotations); err != nil {
+					return fmt.Errorf("failed parsing ingress-annotations JSON string from CLI: %v", err)
+				}
+			}
+			return nil
 		},
 		Run: func(_ *cobra.Command, args []string) {
 			sparkoperator.PrintVersion(false)
@@ -154,6 +173,8 @@ func NewStartCommand() *cobra.Command {
 	command.Flags().BoolVar(&enableUIService, "enable-ui-service", true, "Enable Spark Web UI service.")
 	command.Flags().StringVar(&ingressClassName, "ingress-class-name", "", "Set ingressClassName for ingress resources created.")
 	command.Flags().StringVar(&ingressURLFormat, "ingress-url-format", "", "Ingress URL format.")
+	command.Flags().StringVar(&ingressTLSstring, "ingress-tls", "", "JSON format string for the default TLS config on the Spark UI ingresses. e.g. '[{\"hosts\":[\"*.example.com\"],\"secretName\":\"example-secret\"}]'. `ingressTLS` in the SparkApplication spec will override this value.")
+	command.Flags().StringVar(&ingressAnnotationsString, "ingress-annotations", "", "JSON format string for the default ingress annotations for the Spark UI ingresses. e.g. '[{\"cert-manager.io/cluster-issuer\": \"letsencrypt\"}]'. `ingressAnnotations` in the SparkApplication spec will override this value.")
 
 	command.Flags().BoolVar(&enableLeaderElection, "leader-election", false, "Enable leader election for controller manager. "+
 		"Enabling this will ensure there is only one active controller manager.")
@@ -403,6 +424,8 @@ func newSparkApplicationReconcilerOptions() sparkapplication.Options {
 		EnableUIService:              enableUIService,
 		IngressClassName:             ingressClassName,
 		IngressURLFormat:             ingressURLFormat,
+		IngressTLS:                   ingressTLS,
+		IngressAnnotations:           ingressAnnotations,
 		DefaultBatchScheduler:        defaultBatchScheduler,
 		DriverPodCreationGracePeriod: driverPodCreationGracePeriod,
 		SparkApplicationMetrics:      sparkApplicationMetrics,
diff --git a/internal/controller/sparkapplication/controller.go b/internal/controller/sparkapplication/controller.go
@@ -61,6 +61,8 @@ type Options struct {
 	EnableUIService       bool
 	IngressClassName      string
 	IngressURLFormat      string
+	IngressTLS            []networkingv1.IngressTLS
+	IngressAnnotations    map[string]string
 	DefaultBatchScheduler string
 
 	DriverPodCreationGracePeriod time.Duration
@@ -323,7 +325,7 @@ func (r *Reconciler) reconcileSubmittedSparkApplication(ctx context.Context, req
 						app.Spec.SparkConf[common.SparkUIProxyBase] = ingressURL.Path
 						app.Spec.SparkConf[common.SparkUIProxyRedirectURI] = "/"
 					}
-					ingress, err := r.createWebUIIngress(app, *service, ingressURL, r.options.IngressClassName)
+					ingress, err := r.createWebUIIngress(app, *service, ingressURL, r.options.IngressClassName, r.options.IngressTLS, r.options.IngressAnnotations)
 					if err != nil {
 						return fmt.Errorf("failed to create web UI ingress: %v", err)
 					}
diff --git a/internal/controller/sparkapplication/controller_test.go b/internal/controller/sparkapplication/controller_test.go
diff --git a/internal/controller/sparkapplication/driveringress.go b/internal/controller/sparkapplication/driveringress.go
diff --git a/internal/controller/sparkapplication/web_ui.go b/internal/controller/sparkapplication/web_ui.go
