SSL/TLS
HTTP must not be used in production environments. An SSL certificate is required for your Seqera instance to handle HTTPS traffic. Private certificates are supported, but require additional configuration during Seqera Enterprise installation and Nextflow execution.
AWS deployments: Manage SSL certificates with Amazon Certificate Manager (ACM)
Use Amazon Certificate Manager (ACM) to apply SSL certificates to your AWS deployment:
-
If you have an existing SSL certificate, see Importing certificates into AWS Certificate Manager.
-
If you don't have an existing SSL certificate, see Issuing and managing certificates.
Configure Seqera to trust your private certificate
If you secure related infrastructure (such as private Git repositories) with certificates issued by a private Certificate Authority, these certificates must be loaded into the Seqera Enterprise containers. You can achieve this in several ways.
Configure private certificate trust
- This guide assumes you're using the original containers supplied by Seqera.
- Replace
TARGET_HOSTNAME
,TARGET_ALIAS
, andPRIVATE_CERT.pem
with your unique values. - Previous instructions advised using
openssl
. The nativekeytool
utility is preferred as it simplifies steps and better accommodates private CA certificates.
Use Docker volume
- Retrieve the private certificate on your Seqera container host:
keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > $HOME/PRIVATE_CERT.pem
- Modify the
backend
andcron
container configuration blocks indocker-compose.yml
:
CONTAINER_NAME:
# -- Other keys here like `image` and `networks`--
# Add a new mount for the downloaded certificate
volumes:
- $HOME/tower.yml:/tower.yml
- $HOME/PRIVATE_CERT.pem:/etc/pki/ca-trust/source/anchors/PRIVATE_CERT.pem
# Add a new keytool import line PRIOR to 'update-ca-trust' for the certificate
command: -c "keytool -import -trustcacerts -storepass changeit -noprompt -alias TARGET_ALIAS -file /etc/pki/ca-trust/source/anchors/PRIVATE_CERT.pem &&
update-ca-trust &&
/wait-for-it.sh db:3306 -t 60 &&
/tower.sh"
Use K8s ConfigMap
- Retrieve the private certificate on a machine with CLI access to your Kubernetes cluster:
keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem
- Load the certificate as a
ConfigMap
in the same namespace where your Seqera instance will run:
kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem
- Modify both the
backend
andcron
Deployment objects:
-
Define a new volume based on the certificate
ConfigMap
:spec:
template:
spec:
volumes:
- name: private-cert-pemstore
configMap:
name: private-cert-pemstore -
Add a volumeMount entry into the container definition:
spec:
template:
spec:
containers:
- name: CONTAINER_NAME
volumeMounts:
- name: private-cert-pemstore
mountPath: /etc/pki/ca-trust/source/anchors/PRIVATE_CERT.pem
subPath: PRIVATE_CERT.pem -
Modify the container start command to load the certificate prior to running your Seqera instance:
spec:
template:
spec:
containers:
- name: CONTAINER_NAME
command: ["/bin/sh"]
args:
- -c
- |
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias TARGET_ALIAS -file /PRIVATE_CERT.pem;
./tower.sh
Download on Pod start
- Modify both the
backend
andcron
Deployment objects to retrieve and load the certificate prior to running your Seqera instance:
spec:
template:
spec:
containers:
- name: CONTAINER_NAME
command: ["/bin/sh"]
args:
- -c
- |
keytool -printcert -rfc -sslserver TARGET_HOST:443 > /PRIVATE_CERT.pem;
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias TARGET_ALIAS -file /PRIVATE_CERT.pem;
./tower.sh
Configure the Nextflow launcher image to trust your private certificate
If you secure infrastructure such as private Git repositories or your Seqera Enterprise instance with certificates issued by a private Certificate Authority, these certificates must also be loaded into the Nextflow launcher container.
Import private certificates via pre-run script
- This configuration assumes you're using the default
nf-launcher
image supplied by Seqera. - Replace
TARGET_HOSTNAME
,TARGET_ALIAS
, andPRIVATE_CERT.pem
with your unique values. - Previous instructions advised using
openssl
. The nativekeytool
utility is preferred as it simplifies steps and better accommodates private CA certificates.
Add the following to your compute environment pre-run script:
keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias TARGET_ALIAS -file /PRIVATE_CERT.pem
cp /PRIVATE_CERT.pem /etc/pki/ca-trust/source/anchors/PRIVATE_CERT.pem
update-ca-trust
Configure Seqera to present a SSL/TLS certificate
You can secure your Seqera instance with a TLS certificate in several ways.
Load balancer (recommended)
Place a load balancer, configured to present a certificate and act as a TLS termination point, in front of your Seqera instance.
This solution is likely already implemented for cloud-based Kubernetes implementations and can be easily implemented for Docker Compose-based stacks. See this example.
Reverse proxy container
This solution works well for Docker Compose-based stacks to avoid the additional cost and maintenance of a load balancer. See this example.
Modify frontend
container
Due to complications that can be encountered during upgrades, this approach is not recommended.
Show me anyway
This example assumes deployment on an Amazon Linux 2 AMI.
-
Install NGINX and other required packages:
sudo amazon-linux-extras install nginx1.12
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo yum repolist all
sudo amazon-linux-extras install epel -y -
Generate a private certificate and key.
-
Make a local copy of the
/etc/nginx/templates/tower.conf.template
file from thefrontend
container, or create a ConfigMap to store it if you're using Kubernetes. -
Replace the
listen
directives in theserver
block with the following:listen ${NGINX_LISTEN_PORT} ssl default_server;
listen [::]:${NGINX_LISTEN_PORT_IPV6} ssl default_server;
ssl_certificate /etc/ssl/testcrt.crt;
ssl_certificate_key /etc/ssl/testkey.key; -
Modify the
frontend
container definition in yourdocker-compose.yml
file or Kubernetes manifest:frontend:
image: cr.seqera.io/frontend:${TAG}
networks:
- frontend
environment:
NGINX_LISTEN_PORT: 8081
NGINX_LISTEN_PORT_IPV6: 8443
ports:
- 8000:8081
- 443:8443
volumes:
- $PWD/tower.conf.template:/etc/nginx/templates/tower.conf.template
- $PWD/cert/testcrt.crt:/etc/ssl/testcrt.crt
- $PWD/cert/testkey.key:/etc/ssl/testkey.key
restart: always
depends_on:
- backend
TLS version support
Seqera Enterprise versions 22.3.2 and earlier rely on Java 11 (Amazon Corretto). You may encounter issues when integrating with third-party services that enforce TLS v1.2 (such as Azure Active Directory OIDC).
TLS v1.2 can be explicitly enabled by default using JDK environment variables:
_JAVA_OPTIONS="-Dmail.smtp.ssl.protocols=TLSv1.2"