This solution can support the use of private TLS certificates to secure your Seqera Platform (SP) instance endpoints, but requires some minor one-time setup by you prior to deployment.
Two flows are supported:
- Bootstrapping a self-signed Certificate Authority (CA) and creating a new leaf certificate.
- Use of a pre-existing leaf certificate signed by your own private CA.
NOTE: Seqera strongly recommends you use a traditional ALB with public certificate approach, if possible, as this will simplify your experience getting other parts of the Seqera ecosystem to connect to your SP instance.
- You will need an S3 bucket to store your certificates & keys.
- NOTE: You are responsible for implementing necessary security restrictions on the prefix where the certs and keys will be stored.
The provided solution assumes the following:
- Root CA files will be called
rootCA.crtandrootCA.key. - Leaf files will be called
<YOUR_SP_DOMAIN>.crtand<YOUR_SP_DOMAIN>.key. - All Root CA & Leaf files will be stored in the same S3 prefix.
In this flow, we create a new self-signed Certificate Authority and issue a leaf cert to cover your Seqera Platform instance.
-
Collect DNS names.
-
SP (mandatory)
- The value specified in terraform.tfvars
tower_server_url.
- The value specified in terraform.tfvars
-
Studios (optional)
- If using subdomain routing, the value will be
*.<VALUE_OF_tower_server_url>
(Project hardcodesconnect.<VALUE_OF_tower_server_url>and actual Studios use<RANDOM_ALPHANUMERIC>.<VALUE_OF_tower_server_url>). - If using path-based routing (available v25.2.0+), it is the value specified in terraform.tfvars
data_studio_path_routing_url.
- If using subdomain routing, the value will be
-
Wave-Lite (optional)
- The value specified in terraform.tfvars
wave_server_url(whenflag_use_wave_lite = true).
- The value specified in terraform.tfvars
-
-
Create certificate assets.
-
Within the project, navigate via commandline to
assets/src/customcert. -
Execute the following (omit the Studios and/or Wave-Lite entries if not applicable):
./create_self_signed_cert.sh <SP_DNS> <STUDIOS_DNS> <WAVE_LITE_DNS>. This will create your certificate assets.Example:
./create_self_signed_cert.sh autodc.dev-seqera.net autoconnect.dev-seqera.net autowave.dev-seqera.netwill create the following (these will be used for illustration purposes in the rest of the steps):rootCA.crtrootCA.keyautodc.dev-seqera.net.crtautodc.dev-seqera.net.key
-
Copy the following files to the chosen S3 prefix (e.g. s3://example_bucket/sp_cert_files):
rootCA.crtrootCA.keyautodc.dev-seqera.net.crtautodc.dev-seqera.net.key
-
Delete all generated files:
rootCA.crtrootCA.keyautodc.dev-seqera.net.crtautodc.dev-seqera.net.key
-
-
Update terraform.tfvars
private_cacert_bucket_prefixwith the S3 prefix (e.g. s3://example_bucket/sp_cert_files).
In this flow, you use a leaf certificate issued by an existing private CA managed by your organization. Assumption: You previously evaluated what DNS names were required and included them in the certificate request.
-
Load certificate assets to S3.
-
Copy the following files to the chosen S3 prefix (e.g. s3://example_bucket/sp_cert_files):
rootCA.crtautodc.dev-seqera.net.crtautodc.dev-seqera.net.key
-
-
Update terraform.tfvars
private_cacert_bucket_prefixwith the S3 prefix (e.g. s3://example_bucket/sp_cert_files).
Manually update the IAM permissions granted to the EC2 instance so it can access your certificate-holding Bucket.
-
Update
assets/src/aws/iam_role_policy_ec2.json.tpl:- Modify Sid
AllObjectActions, adding another ARN entry for your S3 prefix (_e.g.arn:aws:s3::example_bucket/sp_cert_files/*).
- Modify Sid
When using private certificates with Studios, you must create custom container images that include your root CA certificate. This project provides a helper script to automate this process.
Prerequisites:
- Docker installed and running
- AWS CLI configured with appropriate permissions
- An AWS ECR repository created for your custom Studios images
Process:
-
Navigate to the certificate assets directory:
cd assets/src/customcerts -
Use the provided helper script to bake your root CA certificate into the Studios image:
./studios-private-cert-helper.sh <base-image> <cert-file> [new-tag] [alias] [ecr-uri]
Examples:
-
Local build only:
./studios-private-cert-helper.sh public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.8 ./rootCA.crt
-
Build and push to ECR:
./studios-private-cert-helper.sh \ public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.8 \ ./rootCA.crt \ seqera/xpra:with-ca \ corp_ca \ 123456789012.dkr.ecr.eu-west-1.amazonaws.com/xpra:with-ca
-
Important Notes:
- ECR Support Only: The script currently supports AWS ECR repositories only. You must create an ECR repository before using the push functionality.
- Custom Image Configuration: After creating your custom image, you'll need to configure Studios to use it. See the Seqera Platform Enterprise documentation on custom containers for detailed instructions.
- Multiple Image Types: You may need to create custom images for different Studios environments (e.g., Jupyter, RStudio, VSCode) if you use multiple types.
- TODO: Bake cert into Nextflow worker nodes using Wave-Lite.
At runtime, if you make flag_use_private_cacert = true, the preloaded certificate files will be pulled during the deployment and made available to your SP instance.