# SpicepodCluster A `SpicepodCluster` deploys a distributed query cluster with dedicated scheduler and executor nodes. The operator automatically manages mTLS certificate provisioning, child `SpicepodSet` resources, and cluster topology. ## Architecture ``` ┌─────────────────────┐ │ Load Balancer │ └─────────────────────┘ │ ┌──────────────────┼──────────────────┐ ▼ ▼ ▼ ┌──────────┐ ┌──────────┐ ┌──────────┐ │Scheduler │ │Scheduler │ │Scheduler │◄──► Object Store (S3) └──────────┘ └──────────┘ └──────────┘ ▲ ▲ ▲ │ (executor-initiated connections) │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ Executor │ │ Executor │ │ Executor │────► Object Store (shuffle) └──────────┘ └──────────┘ └──────────┘ ``` Schedulers coordinate query planning and execution; executors perform the compute work. Executors initiate connections to all schedulers and are shared across them. ## Example ```yaml apiVersion: spice.ai/v1alpha1 kind: SpicepodCluster metadata: name: my-cluster namespace: default spec: schedulerSetSpec: replicas: 1 spicepod: | version: v1 kind: Spicepod name: my-cluster-scheduler resources: requests: cpu: 100m memory: 256Mi limits: cpu: 500m memory: 512Mi executorSetSpec: replicas: 3 resources: requests: cpu: 200m memory: 512Mi limits: cpu: "1" memory: 2Gi ``` ## Multi-Replica Schedulers For high availability, deploy multiple schedulers: ```yaml spec: schedulerSetSpec: replicas: 2 ``` Each scheduler independently accepts and distributes work. Shared state is maintained in an S3-compatible object store. ## Automatic mTLS The operator automatically: 1. Generates a self-signed root CA certificate. 2. Issues per-node leaf certificates with appropriate SANs. 3. Configures mTLS between all cluster nodes. 4. Stores certificates in Kubernetes Secrets. 5. Tracks certificate expiry via Prometheus metrics. ### Development Mode For development and testing, mTLS can be disabled: ```yaml spec: allowInsecureConnections: true ``` {% hint style="danger" %} Never use `allowInsecureConnections: true` in production. All inter-node communication will be unencrypted. {% endhint %} ## Port Separation | Port | Visibility | Services | mTLS Required | | ----- | ------------ | ------------------------------- | ------------- | | 50051 | Public | Arrow Flight, OpenTelemetry | Optional | | 8090 | Public | HTTP API | Optional | | 9090 | Public | Prometheus metrics | No | | 50052 | **Internal** | Scheduler gRPC, Cluster Service | **Required** | The internal port (50052) carries cluster coordination traffic: * **`GetAppDefinition`** — Executors fetch the full Spicepod configuration from the scheduler. * **`ExpandSecret`** — Executors request secret values from the scheduler's secret store. ## Verification ```bash # Check cluster status kubectl get spicepodcluster my-cluster # List child SpicepodSets kubectl get spicepodset # Check pods by role kubectl get pods -l spice.ai/cluster=my-cluster kubectl get pods -l spice.ai/cluster-role=scheduler kubectl get pods -l spice.ai/cluster-role=executor ``` ## Configuration Inheritance `SpicepodCluster` creates child `SpicepodSet` resources for schedulers and executors. All `SpicepodSet` configuration options (resources, volumes, service accounts, update strategies, health probes, pod scheduling) are available in `schedulerSetSpec` and `executorSetSpec`. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.spice.ai/docs/enterprise/kubernetes-operator/spicepodcluster.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.