Skip to main content

Documentation Index

Fetch the complete documentation index at: https://astronomer-preview.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

This guide explains how to install Astro Private Cloud in an environment that uses Private Certificate Authority (Private CA)–issued TLS certificates. In this setup, all platform components, including the Control Plane, Data Plane, and internal services, communicate over secure HTTPS connections that are validated against your organization’s internal CA. This procedure covers configuring trusted roots, deploying certificates to the appropriate namespaces, and ensures the Astro installation properly trusts and uses the Private CA during installation and runtime.
  1. Store the CA’s root public certificate to an Opaque Kubernetes secret in the Astro Private Cloud namespace with a descriptive name, such as private-root-ca, by running the following command.
Before you run this command, keep the following in mind:
  • The root certificate you specify should be the certificate of the authority that signed the Astro Private Cloud certificate. This is not the certificate associated with Astro Private Cloud or any other service.
  • The name of the secret file must be cert.pem for your certificate to be trusted properly.
  • The file must contain only a single certificate, it can’t be a certificate bundle.
kubectl -n astronomer create secret generic private-root-ca --from-file=cert.pem=./private-root-ca.pem
  1. Add <secret name> to the list of secret names contained in global.privateCaCerts in values.yaml:
global:
  privateCaCerts:
  - private-root-ca
Step 3 and 4 are additional steps for Private CA on the Control Plane only
  1. Create a database secret and add <secret name> to the list of secret names.
kubectl -n astronomer create secret generic db-private-ca  --from-file=cert.pem=./private-root-ca.pem

global:
  privateCaCerts:
  - private-root-ca
  - db-private-ca
  1. Add your Private CA to your Helm values.yaml.
database:
  connection:
    ssl:
      ca: /etc/ssl/certs/ca-certificates.pem
      rejectUnauthorized: true