Version: 25.3

Studios: Kubernetes

This guide describes how to deploy Studios for Seqera Platform Enterprise on Kubernetes.

Prerequisites

Before you begin, you need:

  • A running Seqera Platform Enterprise Kubernetes deployment
  • A wildcard TLS certificate for your domain (e.g., *.example.com)
  • A wildcard DNS record (e.g., *.example.com)

Procedure

  1. Download the Kubernetes manifests for the Studios service:

  2. Change your Kubernetes context to the namespace where your Platform instance runs:

    kubectl config set-context --current --namespace=<namespace>
  3. Edit the server.yml file and set the CONNECT_REDIS_ADDRESS environment variable to the hostname or IP address of the Redis server configured for Platform.

  4. Create an initial OIDC registration token:

    oidc_registration_token=$(openssl rand -base64 32 | tr -d /=+ | cut -c -32)
  5. Edit the proxy.yml file and set the following variables:

    • CONNECT_REDIS_ADDRESS: The hostname or IP address of the Redis server configured for Seqera.
    • CONNECT_PROXY_URL: A URL for the connect proxy subdomain (e.g., https://connect.example.com).
    • PLATFORM_URL: The base URL for your installation (e.g., https://example.com/).
    • CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN: The same value as the oidc_registration_token value created previously.
  6. Edit your ingress.eks.yml file:

    • Uncomment the host section at the bottom of the file.
    • Replace <YOUR-TOWER-HOST-NAME> with the base domain of your installation.
  7. Generate an RSA public/private key pair:

    openssl genrsa -out private.pem 2048
    openssl rsa -pubout -in private.pem -out public.pem
  8. Download the data-studios-rsa.pem file and replace its contents with the content of your private and public key files (private key on top, public key directly beneath it).

  9. Apply a base64 encoding to the PEM file:

    base64_pem=$(cat data-studios-rsa.pem | base64 -w0)
  10. Create a secret file named secret.yml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: platform-oidc-certs
      # The namespace where your Platform instance runs
      namespace: platform-stage
    data:
      oidc.pem: <BASE64_ENCODED_PEM_FILE>
  11. Create the secret:

    kubectl apply -f secret.yml
  12. Edit the tower-svc.yml file and uncomment the volumes.cert-volume, volumeMounts.cert-volume, and env.TOWER_OIDC_PEM_PATH fields.

  13. Edit the ConfigMap named platform-backend-cfg in configmap.yml and set the following variables:

    • TOWER_DATA_STUDIO_CONNECT_URL: The URL of the Studios connect proxy (e.g., https://connect.example.com/).
    • TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN: The same value as the oidc_registration_token value created previously.
  14. Edit the ConfigMap named tower-yml in configmap.yml to include the following:

    data:
      tower.yml: |-
        tower:
          data-studio:
            allowed-workspaces: null
  15. Apply the updated configuration:

    kubectl apply -f configmap.yml
    kubectl apply -f tower-svc.yml
  16. Restart the cron and backend services:

    kubectl rollout restart deployment/backend deployment/cron
  17. Apply the Studios manifests:

    kubectl apply -f ingress.eks.yml -f proxy.yml -f server.yml
  18. Verify Studios is available by logging into Seqera and navigating to an organizational workspace. The Studios tab should be displayed.
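
Steps 7 to 10 as one script, added here as an example and not part of Seqera's manifests or tooling: it builds data-studios-rsa.pem with owner-only permissions, checks that the private key is on top and that the public key beneath it belongs to that private key, and only then renders secret.yml. The function names and the output directory are assumptions; it needs bash, openssl and GNU base64.

```shell
#!/usr/bin/env bash
# Added example, not Seqera's own tooling. Function names and directories are
# hypothetical; file names and openssl commands follow the steps above.

# Steps 7-8: generate the key pair and write data-studios-rsa.pem
# (private key on top, public key directly beneath it).
make_studios_pem() {
  local dir="$1"
  (
    umask 077   # key material readable by the owner only
    mkdir -p "$dir" && cd "$dir" &&
    openssl genrsa -out private.pem 2048 2>/dev/null &&
    openssl rsa -pubout -in private.pem -out public.pem 2>/dev/null &&
    cat private.pem public.pem > data-studios-rsa.pem
  )
}

# Pre-flight check: the bundle starts with a private key, and the public key
# in the bundle is the one derived from that private key.
check_studios_pem() {
  local pem="$1" derived bundled
  head -n 1 "$pem" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----$' || return 1
  derived=$(openssl rsa -in "$pem" -pubout 2>/dev/null) || return 1
  bundled=$(sed -n '/^-----BEGIN PUBLIC KEY-----$/,/^-----END PUBLIC KEY-----$/p' "$pem")
  [ -n "$bundled" ] && [ "$derived" = "$bundled" ]
}

# Steps 9-10: render secret.yml, but only from a bundle that passes the check.
render_secret() {
  local pem="$1" namespace="$2" out="$3"
  check_studios_pem "$pem" || { echo "refusing: $pem failed the check" >&2; return 1; }
  (
    umask 077   # the rendered file contains the private key
    cat > "$out" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: platform-oidc-certs
  namespace: $namespace
data:
  oidc.pem: $(base64 -w0 < "$pem")
EOF
  )
}

# Usage (the directory name is a placeholder):
#   make_studios_pem ./studios-keys
#   render_secret ./studios-keys/data-studios-rsa.pem <namespace> ./studios-keys/secret.yml
```

The rendered secret.yml holds the private key in base64, which is an encoding and not encryption, so remove the file and the working directory once `kubectl apply -f secret.yml` has succeeded.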

Configuration

See Studios deployment for DNS configuration, workspace availability, and environment image options.