From b31f5aa90ffaeb5c363c4f295d30806ea8b5c240 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Mon, 6 Apr 2026 21:10:08 -0400 Subject: [PATCH] EDU-890 clarify private CA setup for Wave --- .../version-25.3/enterprise/configuration/ssl_tls.md | 10 +++++++--- .../version-25.3/enterprise/configuration/wave.md | 5 ++++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/ssl_tls.md b/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/ssl_tls.md index d4123130f..3b47ce178 100644 --- a/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/ssl_tls.md +++ b/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/ssl_tls.md @@ -20,6 +20,10 @@ Use [Amazon Certificate Manager](https://aws.amazon.com/certificate-manager/) (A If you secure related infrastructure (such as private Git repositories) with certificates issued by a private Certificate Authority, these certificates must be loaded into the Seqera Enterprise containers. You can achieve this in several ways. +:::note +If your deployment uses self-hosted Wave, install the same private CA root certificate in every service that must initiate TLS connections to those endpoints. At minimum, this includes the `backend`, `cron`, and self-hosted Wave containers. If you terminate TLS with an NGINX reverse proxy, make the required certificate material available to that proxy container as part of the same setup. +::: + **Configure private certificate trust** 1. This guide assumes you're using the original containers supplied by Seqera. 
@@ -34,7 +38,7 @@ If you secure related infrastructure (such as private Git repositories) with cer keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem ``` -2. Modify the `backend` and `cron` container configuration blocks in `docker-compose.yml`: +2. Modify the `backend`, `cron`, and any self-hosted Wave service container configuration blocks in `docker-compose.yml`: ```yaml CONTAINER_NAME: @@ -68,7 +72,7 @@ keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem ``` -3. Modify both the `backend` and `cron` Deployment objects: +3. Modify the `backend`, `cron`, and any self-hosted Wave Deployment objects: - Define a new volume based on the certificate `ConfigMap`: @@ -114,7 +118,7 @@ kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem **Download on Pod start** -1. Modify both the `backend` and `cron` Deployment objects to retrieve and load the certificate prior to running your Seqera instance: +1. Modify the `backend`, `cron`, and any self-hosted Wave Deployment objects to retrieve and load the certificate prior to running your Seqera instance: ```yaml spec: diff --git a/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/wave.md b/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/wave.md index 8d84565f1..83da89856 100644 --- a/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/wave.md +++ b/platform-enterprise_versioned_docs/version-25.3/enterprise/configuration/wave.md 
@@ -64,16 +64,19 @@ Wave features are available on the compute environment creation page after integ ## Limitations -- Wave does not support container repositories with private CA SSL certificates +- The Seqera-hosted Wave service does not support container repositories with private CA SSL certificates. ## Self-hosted Wave deployment For enterprises requiring full control over container builds, caching, and security scanning, Wave can be deployed in your own infrastructure. Self-hosted Wave supports: + - **Wave Lite**: Container augmentation and inspection capabilities (AWS, Azure, GCP) - **Full Wave**: Complete build capabilities including Conda-based containers and security scanning (requires AWS EKS with EFS storage) +If your self-hosted deployment uses a private Certificate Authority, import the same private CA root certificate into the Platform `backend`, `cron`, and Wave containers. See [SSL/TLS](./ssl_tls#configure-seqera-to-trust-your-private-certificate) for guidance. + See the [Wave documentation](https://docs.seqera.io/wave) for installation and configuration guidance. ## Additional resources
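Review bot: In the ssl_tls.md hunk at @@ -20,6 +20,10 @@, the new `:::note` conflates two different pieces of certificate material. The sentence "If you terminate TLS with an NGINX reverse proxy, make the required certificate material available to that proxy container" sits in a paragraph about outbound trust (the private CA root the services need to *initiate* TLS to private-CA endpoints), but a proxy that terminates TLS needs a *server* certificate and key for inbound connections, and it only needs the private CA root if it proxies onward to a private-CA upstream. Please say which one is meant, for example: "If you terminate TLS with an NGINX reverse proxy, the proxy needs its own server certificate; it only needs the private CA root if it forwards requests to endpoints signed by that CA." As written, "the required certificate material" is too vague for an operator to act on.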
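Review bot: In the ssl_tls.md hunk at @@ -34,7 +38,7 @@, step 2 now lists "any self-hosted Wave service container configuration blocks" alongside `backend` and `cron`, but step 1 in the preceding hunk states "This guide assumes you're using the original containers supplied by Seqera", and the `CONTAINER_NAME:` template that follows was written for those two images. Before adding Wave to this step, confirm that the Wave image honours the same mount path and environment variables used in that template; if it does not, either add a Wave-specific block here or point to the Wave installation docs for the equivalent setting rather than implying the identical snippet works for all three.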
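Review bot: In the ssl_tls.md hunk at @@ -68,7 +72,7 @@, step 3 extends the ConfigMap mount to "any self-hosted Wave Deployment objects", but the ConfigMap in the context line (`kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem`) is created with no `-n` flag and is namespace-scoped. If self-hosted Wave runs in its own namespace, the Deployment cannot reference a ConfigMap from the Platform namespace. Add a sentence telling the reader to create `private-cert-pemstore` in every namespace that hosts one of the listed Deployments, or to pass `-n` accordingly.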
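Review bot: In the ssl_tls.md hunk at @@ -114,7 +118,7 @@, the rewritten step 1 under "Download on Pod start" still ends with "prior to running your Seqera instance", which reads as if only the Platform pods are covered now that Wave Deployments are in the same sentence. Suggest "prior to starting each service" (or "prior to starting the container") so the wording matches the expanded list of Deployments.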
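Review bot: In the wave.md hunk at @@ -64,16 +64,19 @@, the new link target `./ssl_tls#configure-seqera-to-trust-your-private-certificate` does not match any heading visible in the ssl_tls.md changes in this patch; the closest text there is the bold label `**Configure private certificate trust**`, which is not a heading and will not generate an anchor. Please verify the anchor resolves in the built site, or link to the page without a fragment. Separately, the added sentence says to import the root CA "into the Platform `backend`, `cron`, and Wave containers", but the bullet above describes Full Wave as including build and security scanning; if the build or scan components make their own registry connections, say whether they inherit trust from the Wave container or need the CA installed separately.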