
@dejanzele
Member

What type of PR is this?

Enhancement

What this PR does / why we need it:

Adds comprehensive oauth2-proxy sidecar support for Spark Driver UI authentication.

OAuth2-proxy Integration: Implements native OAuth2-proxy sidecar containers with 35+ configuration options, supporting OIDC discovery, custom providers, and secure cookie management. Enables authenticated access to Spark Driver UI through configurable authentication providers.

Ingress Support: Adds TLS-enabled ingress configuration with intelligent port routing - OAuth proxy serves on port 4180, Spark UI on port 4040, with proper precedence resolution (CLI > Template > Default).

Does this PR introduce a user-facing change?

Check the docs/architecture.md and docs/ui.md for changes.

spark.armada.oauth contains configuration settings for the oauth proxy.


val finalPodSpecWithOAuth = currentPodSpec
.withRestartPolicy("Never")
.withTerminationGracePeriodSeconds(0)
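Review bot: `.withTerminationGracePeriodSeconds(0)` hardcodes an immediate SIGKILL for the driver pod and its oauth2-proxy sidecar on deletion, so neither container gets a chance to finish in-flight UI requests or flush logs. Take the value from configuration instead of a literal (the thread below suggests spark.kubernetes.appKillPodDeletionGracePeriod) and reject negative values before handing it to the builder.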
Collaborator


We might want to use the value of spark.kubernetes.appKillPodDeletionGracePeriod here.

Member Author


I'll add it, but in the long run, I don't like the pattern where we reuse Kubernetes configs, as we do a mix-and-match between spark.armada and spark.kubernetes.

Comment on lines 33 to 42
val resources = new ResourceRequirements()
val limits = new HashMap[String, Quantity]()
limits.put("cpu", new Quantity("64m"))
limits.put("memory", new Quantity("64Mi"))
resources.setLimits(limits)

val requests = new HashMap[String, Quantity]()
requests.put("cpu", new Quantity("64m"))
requests.put("memory", new Quantity("64Mi"))
resources.setRequests(requests)
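Review bot: the requests and limits maps in this block are built twice with identical literals (`64m` / `64Mi`), so a later edit to one can silently diverge from the other; build the map once and pass it to both `setLimits` and `setRequests`. Since the PR description says spark.armada.oauth holds the proxy's settings, the CPU and memory values are also candidates for reading from that configuration with these literals as defaults rather than hardcoding them. Setting requests equal to limits gives the sidecar Guaranteed QoS, which is reasonable for a small proxy, so that part can stay.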
Collaborator


The 64m looks unusual for a CPU resource:

Suggested change
val resources = new ResourceRequirements()
val limits = new HashMap[String, Quantity]()
limits.put("cpu", new Quantity("64m"))
limits.put("memory", new Quantity("64Mi"))
resources.setLimits(limits)
val requests = new HashMap[String, Quantity]()
requests.put("cpu", new Quantity("64m"))
requests.put("memory", new Quantity("64Mi"))
resources.setRequests(requests)
val resources = new ResourceRequirements()
val limits = new HashMap[String, Quantity]()
limits.put("cpu", new Quantity("100m"))
limits.put("memory", new Quantity("64Mi"))
resources.setLimits(limits)
val requests = new HashMap[String, Quantity]()
requests.put("cpu", new Quantity("100m"))
requests.put("memory", new Quantity("64Mi"))
resources.setRequests(requests)

Member Author


We don't need a lot of CPU for the oauth proxy; it works just fine with 64m, doesn't get any benefit from the additional 36 millicores, nor does it help accounting in Armada.

Only benefit would be cosmetic due to a round number.

@dejanzele force-pushed the feat/oauth-sidecar-support branch from b2b084f to 7e12f10 on November 3, 2025 17:19
@dejanzele force-pushed the feat/oauth-sidecar-support branch 4 times, most recently from 60163cb to 87da29f on December 11, 2025 11:21
@dejanzele force-pushed the feat/oauth-sidecar-support branch 5 times, most recently from 4552e2d to cb8faad on January 15, 2026 16:38
Signed-off-by: Dejan Zele Pejchev <pejcev.dejan@gmail.com>
@dejanzele force-pushed the feat/oauth-sidecar-support branch 2 times, most recently from a30b0ff to cf86a08 on January 15, 2026 17:28
Signed-off-by: Dejan Zele Pejchev <pejcev.dejan@gmail.com>
@dejanzele force-pushed the feat/oauth-sidecar-support branch from cf86a08 to 2b7f3b1 on January 15, 2026 17:38
val allInitContainers = currentPodSpec.initContainers
val sidecars = extractSidecarContainers(Some(currentPodSpec))
val oauthSidecar = OAuthSidecarBuilder.buildOAuthSidecar(conf)
val allInitContainers = currentPodSpec.initContainers ++ oauthSidecar.toSeq
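Review bot: `sidecars` is extracted from `currentPodSpec` but not used in the lines shown; if it is only needed elsewhere, move the extraction there, otherwise drop it. The native-sidecar behaviour relied on here (see the reply in this thread) depends entirely on `buildOAuthSidecar` setting `restartPolicy: Always` on the returned container: without that field the proxy runs as an ordinary init container that never exits and the driver never starts, so a unit test asserting the restart policy on the built container is worth adding. Note also that `++` appends the proxy after any user-supplied init containers, so it starts only once those have completed.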
Collaborator


OAuth is a sidecar container, but it is being added as an init container? Why?

Member Author


Native sidecars are configured as init containers with restartPolicy: Always, which starts them during the init phase, but their lifecycle continues alongside the main container - https://kubernetes.io/blog/2023/08/25/native-sidecar-containers/#what-are-sidecar-containers-in-1-28
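The two pieces discussed on this page, the native-sidecar pattern from the reply above (an init container carrying restartPolicy: Always) and the port layout from the PR description (oauth2-proxy on 4180 in front of the Spark UI on 4040, published through a TLS ingress), put together in one pod spec. This is an added illustration, not the PR's or the Armada project's code. Everything in it is constructed for this page: the image tags, issuer URL, hostname and Secret names are placeholders, and oauth2-proxy is configured through its standard OAUTH2_PROXY_* environment variables rather than the spark.armada.oauth settings the PR introduces.

```yaml
# Constructed example (not the PR's code): Spark driver pod with oauth2-proxy as a
# native sidecar. Image tags, issuer URL, hostnames and Secret names are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: spark-driver-example
  labels: { app: spark-driver-example }
spec:
  restartPolicy: Never
  initContainers:
    # Declared under initContainers, but restartPolicy: Always makes it a native
    # sidecar: started in the init phase, kept running for the life of the pod.
    - name: oauth2-proxy
      image: quay.io/oauth2-proxy/oauth2-proxy:PLACEHOLDER_TAG
      restartPolicy: Always
      ports:
        - { name: oauth-proxy, containerPort: 4180 }
      env:
        - { name: OAUTH2_PROXY_HTTP_ADDRESS, value: "0.0.0.0:4180" }
        # The only upstream is the Spark UI on the pod-local loopback address.
        - { name: OAUTH2_PROXY_UPSTREAMS, value: "http://127.0.0.1:4040" }
        - { name: OAUTH2_PROXY_PROVIDER, value: "oidc" }
        - { name: OAUTH2_PROXY_OIDC_ISSUER_URL, value: "https://issuer.example.invalid" }
        - { name: OAUTH2_PROXY_REDIRECT_URL, value: "https://spark-ui.example.invalid/oauth2/callback" }
        - { name: OAUTH2_PROXY_EMAIL_DOMAINS, value: "*" }
        - { name: OAUTH2_PROXY_COOKIE_SECURE, value: "true" }
        # Client credentials and the cookie-signing secret come from a Secret, never literals.
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom: { secretKeyRef: { name: oauth2-proxy-creds, key: client-id } }
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom: { secretKeyRef: { name: oauth2-proxy-creds, key: client-secret } }
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom: { secretKeyRef: { name: oauth2-proxy-creds, key: cookie-secret } }
      resources:
        requests: { cpu: 64m, memory: 64Mi }
        limits: { cpu: 64m, memory: 64Mi }
  containers:
    - name: spark-driver
      image: PLACEHOLDER_SPARK_IMAGE
      ports:
        # 4040 is not exposed by the Service below; it is reached only through the proxy.
        - { name: spark-ui, containerPort: 4040 }
---
# Service and Ingress publish port 4180 only, so every external request to the
# UI passes through oauth2-proxy before it reaches the driver.
apiVersion: v1
kind: Service
metadata:
  name: spark-driver-ui
spec:
  selector: { app: spark-driver-example }
  ports:
    - { name: oauth-proxy, port: 4180, targetPort: 4180 }
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spark-driver-ui
spec:
  tls:
    - hosts: [spark-ui.example.invalid]
      secretName: spark-ui-tls
  rules:
    - host: spark-ui.example.invalid
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: spark-driver-ui
                port: { number: 4180 }
```

Two points worth checking in a real deployment: the Service keeps 4040 off the external path, but other pods in the cluster can still reach the driver's pod IP on 4040 directly, so a NetworkPolicy that admits ingress to the driver only on 4180 is the companion control; and OAUTH2_PROXY_EMAIL_DOMAINS set to `*` admits any account the issuer authenticates, so a production setup should narrow it to the organisation's domain or add group-based checks.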

Signed-off-by: Dejan Zele Pejchev <pejcev.dejan@gmail.com>
Collaborator

@GeorgeJahad left a comment


lgtm, thanks @dejanzele

@dejanzele merged commit 271a002 into master on Jan 19, 2026
12 checks passed
@dejanzele deleted the feat/oauth-sidecar-support branch on January 19, 2026 19:09
4 participants