By default, Deployment creation references an Astro Runtime image by its tag in the Kubernetes spec, like quay.io/astronomer/astro-runtime:9.3.0. However, image tags are mutable and can lead to non-reproducible builds if the image associated with the tag changes. Instead of using the Runtime image tag, you can configure Astro Private Cloud to reference a Runtime image’s immutable sha256 digest, such as quay.io/astronomer/astro-runtime@sha256:<digest>. Using the sha256 digest ensures secure, immutable, and reproducible Deployments, which prevents unexpected behavior caused by tag reassignments.
After you enable using the sha256 digest, when users create or update Deployments that include a SHA version, they still see the same Runtime Image tag view as before in the UI or CLI, but the system resolves the build using the sha256 digest in the Kubernetes spec.
Apply a config change to your APC API values.yaml file to enable customImageShaEnabled.
By default, Astro Private Cloud checks for Airflow updates, which are included in the Astro Runtime, once per day at midnight by querying https://updates.astronomer.io/astronomer-runtime. This returns a JSON file with details about the latest available Astro Runtime versions.
You can store this information in the cluster itself by completing the following steps:
astro_runtime_release.json file and manually add the SHA256 values that you want Deployments to use for each Runtime version. For example, the following code example showsAdd the Tag and SHA256 value and save:
astro-runtime-base-images to your APC API configuration using the runtimeReleasesConfigMapName configuration:If you want to configure your platform to create Deployments with a single, specific Runtime version, you can add the defaultRuntimeRepository configuration to specify the Runtime: