Skip to content

Kubernetes

This guide assumes that all prerequisites have been met. Visit the corresponding Prerequisites page for your infrastructure provider.

You may also use this guide for deployments to other cloud platforms. However, you must satisfy any prerequisites for those platforms. Use at your own risk.

Deploy Seqera Platform Enterprise on Kubernetes#

Complete the following procedures to install Seqera Enterprise on a Kubernetes cluster:

Create a namespace#

Create a namespace for the Seqera resources.

  1. Create the namespace (e.g., seqera-nf):

    1
    kubectl create namespace seqera-nf

  2. Switch to the namespace:

    1
    kubectl config set-context --current --namespace=seqera-nf

Configure container registry credentials#

Seqera Platform Enterprise is distributed as a collection of Docker containers available through the Seqera container registry cr.seqera.io. Contact support to get your container access credentials. After you've received your credentials, grant your cluster access to the registry:

  1. Retrieve the name and secret values from the JSON file that you received from Seqera support.

  2. Create a secret with the name and secret values retrieved in the previous step:

    1
2
3
4
    kubectl create secret docker-registry cr.seqera.io \
  --docker-server=cr.seqera.io \
  --docker-username='<YOUR NAME>' \
  --docker-password='<YOUR SECRET>'

    The credential name contains a dollar $ character. To prevent the Linux shell from interpreting this value as an environment variable, you must wrap it in single quotes.

  3. Configure the Seqera cron service and the application frontend and backend to use the secret created in the previous step (see tower-cron.yml and tower-svc.yml):

    1
2
    imagePullSecrets:
- name: "cr.seqera.io"

    This parameter is already included in the templates linked above. If you use a name other than cr.seqera.io for the secret, update this value accordingly in the configuration files.

Seqera ConfigMap#

  1. Download and configure a ConfigMap as detailed on the configuration page.

  2. Deploy the ConfigMap to your cluster:

    1
    kubectl apply -f configmap.yml

The configmap.yml manifest includes both the tower.env file and tower.yml file. These files are made available to the other containers through volume mounts.

Redis#

Seqera Enterprise requires a Redis database for caching purposes. Configure Redis manually by deploying a manifest to your cluster, or configure a managed Redis service.

Deploy a Redis manifest to your cluster

  1. Download the appropriate manifest for your infrastructure:

  2. Deploy to your cluster:

    1
    kubectl apply -f redis.*.yml
Managed Redis services

Seqera supports managed Redis services such as Amazon ElastiCache, Azure Cache for Redis, or Google Memorystore.

  • Use a single-node cluster, as multi-node clusters are not supported
  • Use an instance with at least 6GB capacity (cache.m4.large or greater)

  • Specify your private ElastiCache instance in the Seqera environment variables:

    1
    TOWER_REDIS_URL=redis://<redis private IP>:6379
  • Use a single-node cluster, as multi-node clusters are not supported
  • Use an instance with at least 6GB capacity (C3 or greater)

  • Specify your private Azure Cache for Redis instance in the Seqera environment variables:

    1
    TOWER_REDIS_URL=redis://<redis private IP>:6379
  • Use a single-node cluster, as multi-node clusters are not supported
  • Use an instance with at least 6GB capacity (M2 or greater)

  • Specify your private Memorystore instance in the Seqera environment variables:

    1
    TOWER_REDIS_URL=redis://<redis private IP>:6379

Seqera cron service#

  1. Download the cron service manifest file.

  2. Deploy the manifest to your cluster:

    1
    kubectl apply -f tower-cron.yml

This container creates the required database schema the first time it instantiates. This process can take a few minutes to complete and must finish before you instantiate the Seqera backend. Ensure this container is in the READY state before proceeding to the next step.

Seqera frontend and backend#

  1. Download the manifest.

  2. Deploy the manifest to your cluster:

    1
    kubectl apply -f tower-svc.yml

Seqera frontend unprivileged#

An unprivileged version of the Seqera frontend image is also available. This image listens on an unprivileged port and therefore doesn't need to be run as the root user.

Replace the tag of the frontend image cr.seqera.io/private/nf-tower-enterprise/frontend:v23.x.x with cr.seqera.io/private/nf-tower-enterprise/frontend:v23.x.x-unprivileged. In the frontend service below, specify the targetPort to match the environment variable NGINX_LISTEN_PORT (see below):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  labels:
    app: frontend
spec:
  ...
      containers:
        - name: frontend
          image: cr.seqera.io/private/nf-tower-enterprise/frontend:v23.2.0-unprivileged
          env:
            - name: NGINX_LISTEN_PORT  # If not defined, defaults to 8080.
              value: 8081
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
spec:
  type: LoadBalancer
  ports:
    - port: 80
      containerPort: 8081
  selector:
    app: "frontend"

The unprivileged Seqera image will soon deprecate the current image that requires root. The unprivileged image can be easily customized using environment variables:

  • NGINX_LISTEN_PORT (default 8000): The port the NGINX process will listen on inside the container. The containerPort on the frontend service must match the value defined in the environment variable.
  • NGINX_LISTEN_PORT_IPV6 (default 8000): The NGINX listening port to open on the IPv6 address.
  • NGINX_UPSTREAM_HOST (default backend): The hostname of the backend service to which the NGINX process will route requests.
  • NGINX_UPSTREAM_PORT (default 8080): The port where the backend service is exposed.

If further customization of the config file is needed, mount a config map/secret over the templated NGINX configuration file at /etc/nginx/templates/tower.conf.template. See SSL/TLS for an example.

Seqera ingress#

An ingress is used to make Seqera Enterprise publicly accessible, load-balance traffic, terminate TLS, and offer name-based virtual hosting. The included ingress will create an external IP address and forward HTTP traffic to the Seqera frontend.

Download the appropriate manifest and configure it according to your infrastructure:

Deploy the manifest to your cluster:

1
kubectl apply -f ingress.*.yml

See the Kubernetes documentation on the ingress resource for more information. If you don't need to make Seqera externally accessible, you can also use a service resource to expose a node port or a load balancer service to make it accessible within your intranet.

See the relevant documentation for configuring an ingress service on each cloud provider:

Check status#

Make sure that all services are up and running:

1
kubectl get pods

Test the application#

To confirm that Seqera Enterprise is properly configured, follow these steps:

  1. Log in to your Seqera instance.

  2. Create an organization.

  3. Create a workspace within that organization.

  4. Create a new Compute environment. See Compute environments for detailed instructions.

  5. Select Quick Launch from the Launchpad tab in your workspace.

  6. Enter the repository URL for the nf-core/rnaseq pipeline (https://github.com/nf-core/rnaseq).

  7. In the Config profiles dropdown, select the test profile.

  8. In Pipeline parameters, change the output directory to a location based on your compute environment:

    1
2
3
4
5
    # save to S3 bucket
outdir: s3://<your-bucket>/results

# save to scratch directory (Kubernetes)
outdir: /scratch/results

  9. Select Launch; you'll be redirected to the Runs tab for the workflow. After a few minutes, progress logs will be listed in that workflow's Execution log tab.

Optional addons#

Database console#

The included dbconsole.yml manifest can be used to deploy a simple web frontend to the Seqera database. Though not required, this can be useful for administrative purposes.

  1. Deploy the database console:

    1
    kubectl apply -f dbconsole.yml

  2. Enable a port-forward for the database console to your local machine:

    1
    kubectl port-forward deployment/dbconsole 8080:8080

  3. Access the database console in a web browser at http://localhost:8080.

High availability#

To configure Seqera Enterprise for high availability, note that:

  • The cron service may only have a single instance

  • The backend service can be run in multiple replicas

  • The frontend service is replicable, however in most scenarios this is not necessary

Back to top