Astro Private Cloud (APC) uses TLS certificates for secure communication between components and for JWT token signing.

Self-signed certificate generation

# Generate CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
  -out ca.crt -subj "/CN=APC-CA"

# Generate server certificate
openssl genrsa -out tls.key 4096
openssl req -new -key tls.key -out tls.csr \
  -subj "/CN=*.your-domain.com"

# Sign certificate with SAN (clients match the hostname against the
# subjectAltName extension, not the CN, so the extension must be present)
printf 'subjectAltName=DNS:*.your-domain.com,DNS:your-domain.com\n' > san.ext
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out tls.crt -days 365 -extfile san.ext

Create Kubernetes secret

kubectl create secret tls platform-tls \
  --cert=tls.crt \
  --key=tls.key \
  -n astronomer

Houston JWT certificates

Houston uses auto-generated JWT certificates to sign and verify authentication tokens. These certificates are created during installation. The regenerateCaEachUpgrade flag controls whether APC regenerates the Houston certificate authority (CA) on each platform upgrade. This flag defaults to false:

houston:
  regenerateCaEachUpgrade: false

Setting regenerateCaEachUpgrade to true regenerates the CA on every upgrade, which invalidates all existing JWT tokens and forces all users and service accounts to re-authenticate.

Astronomer recommends keeping this value set to false unless you have a specific security requirement to rotate the CA regularly.

Certificate sync

Certificate syncing in APC operates at two levels:

Control plane to data plane

Control plane to data plane certificate sync occurs only during data plane install or upgrade. During this process, the platform calls the Houston endpoint to decode the certificates and annotates them with the Config Syncer label to propagate the necessary secrets to Airflow namespaces.

Within a cluster (Config Syncer)

Config Syncer is a CronJob that propagates annotated secrets from the platform namespace to Airflow Deployment namespaces within the same cluster. It runs on a configurable schedule to keep secret contents in sync across namespaces.

astronomer:
  configSyncer:
    enabled: true
    schedule: "*/5 * * * *"

Ingress TLS

Use an existing certificate

global:
  tlsSecret: platform-tls

Certificate renewal

Renew certificates manually

# Update secret
kubectl create secret tls platform-tls \
  --cert=new-tls.crt \
  --key=new-tls.key \
  -n astronomer \
  --dry-run=client -o yaml | kubectl apply -f -

# Restart ingress
kubectl rollout restart deployment nginx -n astronomer

Check certificate expiry

kubectl get secret platform-tls -n astronomer \
  -o jsonpath='{.data.tls\.crt}' | base64 -d | \
  openssl x509 -noout -enddate
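The following script is an added example, not part of the Astronomer documentation or the APC code base. It ties the sections above together: it issues a CA and a server certificate that carries its wildcard name in a subjectAltName extension, verifies the chain and the SAN, and turns the expiry check into a days-left number that an alert can be built on, computed with openssl's -checkend rather than by parsing the date string so it does not depend on a particular date(1) implementation. The domain example.internal, the scratch directory $WORK and all function names are assumptions made for this example; it goes beyond the page by also showing how to feed the base64 tls.crt field of a kubernetes.io/tls Secret into the same checks.

```shell
#!/usr/bin/env bash
# Added example (not from the APC docs): build a CA and a SAN-bearing server
# certificate in a scratch directory, verify the chain, and compute days until
# expiry so the result can feed an alert. The domain example.internal, the
# directory $WORK and the function names are constructed for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN="${DOMAIN:-example.internal}"

# Issue a CA and a server certificate whose wildcard name is carried in a
# subjectAltName extension; browsers and most TLS clients ignore a bare CN.
make_certs() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/ca.key" -sha256 -days 3650 \
    -out "$WORK/ca.crt" -subj "/CN=APC-CA" 2>/dev/null
  openssl genrsa -out "$WORK/tls.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/tls.key" -out "$WORK/tls.csr" \
    -subj "/CN=*.$DOMAIN" 2>/dev/null
  printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$DOMAIN" "$DOMAIN" >"$WORK/san.ext"
  openssl x509 -req -in "$WORK/tls.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/tls.crt" -days 365 -extfile "$WORK/san.ext" 2>/dev/null
}

# Succeed only if the certificate in $1 chains to the CA in $2.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeed only if the certificate in $1 lists DNS name $2 in its SAN extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -Fq "DNS:$2"
}

# Succeed only if the certificate in $1 is still valid $2 days from now;
# this is the primitive an expiry alert is built on.
check_cert_expiry() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Whole days until the certificate in $1 expires (0 if already expired).
# Bisects on -checkend instead of parsing the notAfter string, so the result
# does not depend on GNU vs. BSD vs. busybox date(1).
cert_days_left() {
  local lo=0 hi=4000 mid
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if check_cert_expiry "$1" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
  done
  echo "$lo"
}

# Decode the base64 tls.crt field of a kubernetes.io/tls Secret (the value
# kubectl prints for -o jsonpath='{.data.tls\.crt}') into a PEM file at $2.
secret_field_to_pem() {
  printf '%s' "$1" | base64 -d >"$2"
}

main() {
  make_certs
  cert_chains_to "$WORK/tls.crt" "$WORK/ca.crt" && echo "chain: OK"
  cert_has_san "$WORK/tls.crt" "*.$DOMAIN" && echo "SAN: OK"
  echo "days left: $(cert_days_left "$WORK/tls.crt")"
  check_cert_expiry "$WORK/tls.crt" 30 || echo "ALERT: expires within 30 days"
}
main "$@"
```

Against a live cluster, replace the constructed certificate with the Secret's field: capture `kubectl get secret platform-tls -n astronomer -o jsonpath='{.data.tls\.crt}'` into a variable, pass it to secret_field_to_pem, and run cert_days_left and check_cert_expiry on the resulting file from the job that raises your expiry alert.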

Best practices

  • Use cert-manager for automatic renewal.
  • Monitor certificate expiration with alerts.
  • Keep regenerateCaEachUpgrade: false to preserve sessions.
  • Use strong key sizes (4096-bit RSA).