Skip to main content

Documentation Index

Fetch the complete documentation index at: https://astronomer-preview.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

By default, Deployment creation references an Astro Runtime image by its tag in the Kubernetes spec, like quay.io/astronomer/astro-runtime:9.3.0. However, image tags are mutable and can lead to non-reproducible builds if the image associated with the tag changes. Instead of using the Runtime image tag, you can configure Astro Private Cloud to reference a Runtime image’s immutable sha256 digest, such as quay.io/astronomer/astro-runtime@sha256:<digest>. Using the sha256 digest ensures secure, immutable, and reproducible Deployments, which prevents unexpected behavior caused by tag reassignments. After you enable using the sha256 digest, when users create or update Deployments that include a SHA version, they still see the same Runtime Image tag view as before in the UI or CLI, but the system resolves the build using the sha256 digest in the Kubernetes spec.

Step 1: Enable configuration

Apply a config change to your Houston values.yaml file to enable customImageShaEnabled. 
astronomer:
  houston:
    config:
      deployments:
        customImageShaEnabled: true

Step 2: (Optional) Correlate SHA256 with Runtime versions

By default, Astro Private Cloud checks for Airflow updates, which are included in the Astro Runtime, once per day at midnight by querying https://updates.astronomer.io/astronomer-runtime. This returns a JSON file with details about the latest available Astro Runtime versions. You can store this information in the cluster itself by completing the following steps:
  1. Download the JSON files and store them in a Kubernetes configmap by running the following commands:
curl -XGET https://updates.astronomer.io/astronomer-runtime -o astro_runtime_releases.json

kubectl -n <astronomer platform namespace> create configmap astro-runtime-base-images --from-file=astro_runtime_releases.json
  1. Open the astro_runtime_release.json file and manually add the SHA256 values that you want Deployments to use for each Runtime version. For example, the following code example shows
"13.0.0": {
  "metadata": {
    "airflowVersion": "2.11.0",
    "channel": "stable",
    "releaseDate": "2025-05-20",
    "endOfSupport": "2026-11-30",
    "LTS": true
  },
  "migrations": {
    "airflowDatabase": false,
    "stellarDatabase": false
  }
}
Add the Tag and SHA256 value and save: 
"13.0.0": {
  "metadata": {
    "airflowVersion": "2.11.0",
    "channel": "stable",
    "releaseDate": "2025-05-20",
    "endOfSupport": "2026-11-30",
     "LTS": true
  },
  "migrations": {
    "airflowDatabase": false,
    "stellarDatabase": false
  },
  "sha256": "82dc7efe0b16acc74e96a82bc8f1fd1db35a76a5a8c32f581d171d9765c02326"
}
  1. Add your configmap name, astro-runtime-base-images to your Houston configuration using the runtimeReleasesConfigMapName configuration:
astronomer:
  houston:
    runtimeReleasesConfigMapName: astro-runtime-base-images
    config:
      airgapped:
        enabled: true

Step 3: (Optional) Specify default Runtime

If you want to configure your platform to create Deployments with a single, specific Runtime version, you can add the defaultRuntimeRepository configuration to specify the Runtime: 
astronomer:
  houston:
    config:
      deployments:
        customImageShaEnabled: true
      helm:
        defaultRuntimeRepository: quay.io/astronomer/astro-runtime@sha256