diff --git a/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/ssl_tls.md b/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/ssl_tls.md index d8f169e0b..6f0eedba4 100644 --- a/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/ssl_tls.md +++ b/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/ssl_tls.md @@ -19,6 +19,10 @@ Use [Amazon Certificate Manager](https://aws.amazon.com/certificate-manager/) (A If you secure related infrastructure (such as private Git repositories) with certificates issued by a private Certificate Authority, these certificates must be loaded into the Seqera Enterprise containers. You can achieve this in several ways. +:::note +If your deployment uses self-hosted Wave, install the same private CA root certificate in every service that must initiate TLS connections to those endpoints. At minimum, this includes the `backend`, `cron`, and self-hosted Wave containers. If you terminate TLS with an NGINX reverse proxy, make the required certificate material available to that proxy container as part of the same setup. +::: + **Configure private certificate trust** 1. This guide assumes you're using the original containers supplied by Seqera. @@ -33,7 +37,7 @@ If you secure related infrastructure (such as private Git repositories) with cer keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem ``` -2. Modify the `backend` and `cron` container configuration blocks in `docker-compose.yml`: +2. Modify the `backend`, `cron`, and any self-hosted Wave service container configuration blocks in `docker-compose.yml`: ```yaml CONTAINER_NAME: 
@@ -67,7 +71,7 @@ keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem ``` -3. Modify both the `backend` and `cron` Deployment objects: +3. Modify the `backend`, `cron`, and any self-hosted Wave Deployment objects: - Define a new volume based on the certificate `ConfigMap`: @@ -113,7 +117,7 @@ kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem **Download on Pod start** -1. Modify both the `backend` and `cron` Deployment objects to retrieve and load the certificate prior to running your Seqera instance: +1. Modify the `backend`, `cron`, and any self-hosted Wave Deployment objects to retrieve and load the certificate prior to running your Seqera instance: ```yaml spec: diff --git a/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/wave.md b/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/wave.md index 8d84565f1..83da89856 100644 --- a/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/wave.md +++ b/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/wave.md 
@@ -64,16 +64,19 @@ Wave features are available on the compute environment creation page after integ ## Limitations -- Wave does not support container repositories with private CA SSL certificates +- The Seqera-hosted Wave service does not support container repositories with private CA SSL certificates. ## Self-hosted Wave deployment For enterprises requiring full control over container builds, caching, and security scanning, Wave can be deployed in your own infrastructure. Self-hosted Wave supports: + - **Wave Lite**: Container augmentation and inspection capabilities (AWS, Azure, GCP) - **Full Wave**: Complete build capabilities including Conda-based containers and security scanning (requires AWS EKS with EFS storage) +If your self-hosted deployment uses a private Certificate Authority, import the same private CA root certificate into the Platform `backend`, `cron`, and Wave containers. See [SSL/TLS](./ssl_tls#configure-seqera-to-trust-your-private-certificate) for guidance. + See the [Wave documentation](https://docs.seqera.io/wave) for installation and configuration guidance. ## Additional resources
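Review bot: In the `:::note` added at `@@ -19,6 +19,10` of ssl_tls.md, the last sentence ("make the required certificate material available to that proxy container") does not say which material is meant. A proxy that terminates TLS needs its own server certificate chain and private key, which is different from the private CA root that `backend`, `cron` and Wave import as a trust anchor. The CA root only matters to the proxy if it verifies upstream connections. Suggest naming the files the proxy needs and keeping the trust-anchor instruction separate from the server key material. "those endpoints" also has no clear antecedent inside the note; "endpoints secured by your private CA" would read unambiguously.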
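Review bot: At `@@ -33,7 +37,7` of ssl_tls.md, step 2 now covers "any self-hosted Wave service container configuration blocks" but, unlike `backend` and `cron`, gives no service name for Wave, and the hunk does not show whether the `CONTAINER_NAME:` YAML that follows applies unchanged to the Wave image. Suggest naming the Wave service(s) as they appear in `docker-compose.yml`, or linking to the Wave documentation for the equivalent step. Separately, the new note calls this "the same private CA root certificate", while the step 1 command in the context (`keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443`) saves whatever certificates the server presents, which may not include the root. The wording in the two places should agree on which certificate is imported.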
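Review bot: At `@@ -67,7 +71,7` of ssl_tls.md, step 3 extends the volume instructions to "any self-hosted Wave Deployment objects", but the context line `kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem` creates the ConfigMap in a single namespace. ConfigMaps are namespace-scoped, so a Wave Deployment running in a different namespace from `backend` and `cron` cannot mount it. Suggest adding a sentence telling readers to create `private-cert-pemstore` in each namespace that hosts one of these Deployments.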
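Review bot: At `@@ -113,7 +117,7` of ssl_tls.md, the rewritten step still ends "prior to running your Seqera instance", which no longer fits now that the list includes Wave Deployment objects. Suggest "before each service starts" or similar, so it is clear the certificate is loaded in the Wave pods before Wave starts as well.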
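Review bot: In the wave.md hunk at `@@ -64,16 +64,19`, narrowing the limitation to "The Seqera-hosted Wave service" implies that self-hosted Wave does work with private CA container repositories, but the added paragraph never states that; it only says which containers to import the root into. Suggest one explicit sentence on what self-hosted Wave supports. The list there (`backend`, `cron`, and Wave containers) also drops the "At minimum" qualifier and the NGINX proxy case from the ssl_tls.md note, so the two pages disagree on scope. Finally, the link target `./ssl_tls#configure-seqera-to-trust-your-private-certificate` cannot be confirmed from this diff, where the only visible section label is the bold line "Configure private certificate trust"; please check that the anchor resolves in the version-25.3 build.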