Version: 25.3

Studios: Kubernetes

This guide describes how to deploy Studios for Seqera Platform Enterprise on Kubernetes.

Prerequisites

In addition to the basic requirements listed in the Studios installation overview, you need:

  • A Kubernetes cluster
  • kubectl installed locally

Tool configuration

This procedure describes how to configure Studios for Seqera Enterprise deployments in Kubernetes. If you used Studios before GA (v25.1), review the configmap.yaml file and make sure you are using the latest version, which includes a new variable, TOWER_DATA_STUDIO_TEMPLATES_<TEMPLATE_NAME>_TOOL. This variable must be added to the default (Seqera-provided) Studio templates:

TOWER_DATA_STUDIO_TEMPLATES_<TEMPLATE_KEY>_TOOL: '<TOOL_NAME>'

The TEMPLATE_KEY can be any string, but the TOOL_NAME has to be the template name (jupyter/vscode/rstudio/xpra).

You can also check the current template configuration using https://towerurl/api/studios/templates?workspaceId=<WORKSPACE_ID>. The response should include the TOOL configuration and the template name (jupyter/vscode/rstudio/xpra), not custom.

Procedure

  1. Download the Kubernetes manifests for the Studios service:

  2. Change your Kubernetes context to the namespace where your Platform instance runs:

    kubectl config set-context --current --namespace=<namespace>
  3. Edit the server.yml file and set the CONNECT_REDIS_ADDRESS environment variable to the hostname or IP address of the Redis server configured for Platform.

  4. Create an initial OIDC registration token, which can be any secure random string. For example, using openssl:

    oidc_registration_token=$(openssl rand -base64 32 | tr -d /=+ | cut -c -32)
  5. Edit the proxy.yml file and set the following variables:

    • CONNECT_REDIS_ADDRESS: The hostname or IP address of the Redis server configured for Seqera.
    • CONNECT_PROXY_URL: A URL for the connect proxy subdomain (e.g., https://connect.example.com).
    • PLATFORM_URL: The base URL for your installation (e.g., https://platform.example.com/ or https://example.com/).
    • CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN: The same value as the oidc_registration_token value created previously.
  6. Edit the ingress.<YOUR-INGRESS-FILE>.yml file appropriate for your Kubernetes environment:

    • Uncomment the host section at the bottom of the file.
    • Replace <YOUR-TOWER-HOST-NAME> with the base domain of your installation.
    Note: If you are using AWS EKS, this assumes that you have an existing Seqera ingress already configured with the following fields:

    • alb.ingress.kubernetes.io/certificate-arn: The ARN of a wildcard TLS certificate that secures the Platform URL and connect proxy URL. For example, if TOWER_SERVER_URL=https://example.com and CONNECT_PROXY_URL=https://connect.example.com, the certificate must secure example.com, and *.example.com at the same time; otherwise, you may need to create a second ingress resource specifically for Studios.
  7. Generate an RSA public/private key pair. A key size of at least 2048 bits is recommended. In the following example, the openssl command is used to generate the key pair:

    openssl genrsa -out private.pem 2048
    openssl rsa -pubout -in private.pem -out public.pem
  8. Download the data-studios-rsa.pem file and replace its contents with the content of your private and public key files created in the previous step, in the same order (private key on top, public key directly beneath it).

  9. Apply a base64 encoding to the PEM file:

    base64_pem=$(cat data-studios-rsa.pem | base64 -w0)
  10. Create a secret file named secret.yml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: platform-oidc-certs
      namespace: platform-stage
    data:
      oidc.pem: <BASE64_ENCODED_PEM_FILE>
  11. Create the secret:

    kubectl apply -f secret.yml
  12. Edit the tower-svc.yml file and uncomment the volumes.cert-volume, volumeMounts.cert-volume, and env.TOWER_OIDC_PEM_PATH fields.

  13. Edit the ConfigMap named platform-backend-cfg in the configmap.yml by changing the following environment variables:

    • TOWER_DATA_STUDIO_CONNECT_URL: The URL of the Studios connect proxy, such as https://connect.example.com/.
    • TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN: The same value as the oidc_registration_token value created previously.
  14. Edit the ConfigMap named tower-yml in the configmap.yml and include the following snippet:

    data:
      tower.yml: |-
        tower:
          data-studio:
            allowed-workspaces: null

    Alternatively, you can specify a comma-separated list of workspace IDs to enable Studios only on those workspaces.

    tower:
      data-studio:
        allowed-workspaces: [12345,67890]
  15. Apply the updated configuration:

    kubectl apply -f configmap.yml
  16. Apply the configuration change to Platform:

    kubectl apply -f tower-svc.yml
  17. Restart the cron service of your deployment to load the updated configuration. For example:

    kubectl rollout restart deployment/cron
  18. Restart the Platform backend service of your deployment to load the updated configuration. For example:

    kubectl rollout restart deployment/backend
  19. Apply the updated ingress file and the Studios manifests:

    kubectl apply -f ingress.<YOUR-INGRESS-FILE>.yml -f proxy.yml -f server.yml
  20. To confirm that Studios is available, log into Seqera and navigate to an organizational workspace that has Studios enabled. The Studios tab should be displayed in the sidebar.
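
A registration token that differs between proxy.yml and configmap.yml (steps 5 and 13), or an oidc.pem whose key blocks are in the wrong order (steps 8 to 10), only shows up after the rollout. The following pre-apply check is an added example, not part of Seqera's manifests or tooling: the function names are hypothetical, and it assumes each value appears either as `KEY: value` or as a container env entry (`- name: KEY` followed by `value:`). The sample files are constructed and stand in for your edited ones.

```shell
#!/usr/bin/env bash
# Pre-apply checks for the edited Studios manifests (added example).
# Assumed layout: values appear as `KEY: value` (ConfigMap/Secret data) or as a
# container env entry `- name: KEY` followed by `value: ...`.

yaml_value() {  # usage: yaml_value KEY FILE -> prints the first value found
  awk -v k="$1" '
    $1 == (k ":")                         { print $2; exit }
    $1 == "-" && $2 == "name:" && $3 == k { want = 1; next }
    want && $1 == "value:"                { print $2; exit }
                                          { want = 0 }' "$2" | tr -d "\"'"
}

# Steps 5 and 13: proxy and backend must carry the same registration token.
tokens_match() {  # usage: tokens_match PROXY_YML CONFIGMAP_YML
  local a b
  a=$(yaml_value CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN "$1")
  b=$(yaml_value TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Steps 8-10: oidc.pem must decode to a private key block followed by a public one.
pem_order_ok() {  # usage: pem_order_ok SECRET_YML
  local order
  order=$(yaml_value oidc.pem "$1" | base64 -d 2>/dev/null |
          grep -E '^-----BEGIN [A-Z ]*KEY-----$' | tr '\n' '|')
  case "$order" in
    "-----BEGIN PRIVATE KEY-----|-----BEGIN PUBLIC KEY-----|") return 0 ;;
    "-----BEGIN RSA PRIVATE KEY-----|-----BEGIN PUBLIC KEY-----|") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample files (placeholder key bodies, not real keys).
demo=$(mktemp -d)
pem=$(printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' \
      '-----BEGIN PUBLIC KEY-----' 'BBBB' '-----END PUBLIC KEY-----' | base64 | tr -d '\n')
printf 'data:\n  oidc.pem: %s\n' "$pem" > "$demo/secret.yml"
printf '        - name: CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN\n          value: "tok123"\n' > "$demo/proxy.yml"
printf 'data:\n  TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN: "tok123"\n' > "$demo/configmap.yml"

if tokens_match "$demo/proxy.yml" "$demo/configmap.yml"; then echo "token: ok"; else echo "token: MISMATCH"; fi
if pem_order_ok "$demo/secret.yml"; then echo "oidc.pem: ok"; else echo "oidc.pem: wrong order or missing block"; fi
```

Point the two functions at your own proxy.yml, configmap.yml and secret.yml before running kubectl apply.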