By default, the Software installation process requires accessing public repositories to download the following components:
quay.io/astronomer or docker.iohelm.astronomer.ioupdates.astronomer.ioIf you cannot use public repositories and networks for your installation, you can install Astronomer in an airgapped environment. An airgapped environment is a locked-down environment with no access to or from the public internet.
This guide explains how to configure your system to install Astronomer without access to the public internet by moving Astronomer images to an accessible registry in your airgapped environment. After completing this setup, follow Steps 1 to 8 in the AWS, GCP, or Azure installation guide to finish your installation.
To complete this setup, you need:
values.yaml. You can find sample values.yaml files in the AWS, Azure, GCP standard installation guides.Astronomer’s Docker images are hosted on a public registry which isn’t accessible from an airgapped network. Therefore, these images must be hosted on a Docker registry accessible from within your own network. Every major cloud platform provides its own managed Docker registry service that can be used for this step:
You can also set up your own registry using a dedicated registry service such as JFrog Artifactory. Regardless of which service you use, follow the product documentation to configure a private registry according to your organization’s security requirements.
After you create your registry:
Log in to the registry and follow the Kubernetes documentation to produce a /.docker/config.json file.
Run the following command to create an image pull secret:
Copy the generated secret for use in Step 3.
The images and tags which are required for your Software installation depend on the version of Astronomer you’re installing. To gather a list of exact images and tags required for your Astronomer version:
Run the following command to template the Astronomer Helm chart and fetch all of its rendered image tags. Make sure to substitute <your-basedomain> and <your-astronomer-version> with your information.
This command sets all possible Helm values that could impact which images are required for your installation. By fetching all images now, you save time by eliminating the risk of missing an image.
Run the following command to determine the Astronomer Airflow Helm chart version:
Run the following command to template the Astronomer Airflow Helm chart and fetch its rendered image tags:
Note: The Astronomer Airflow Helm Chart version begins with the letter v and is versioned separately from Astronomer Software and Airflow.
These commands generate a list of images required for your version of Astronomer. Add these images to a private image registry hosted within your organization’s network. In Step 3, you will specify this private registry in your Astronomer configuration.
If you have already enabled or disabled Astronomer platform components in your values.yaml, you can pass -f/--values values.yaml to helm template to print a list specific to your values.yaml configuration.
Regardless of whether you choose to mirror or manually pull/push images to your private registry, the returned images and/or tags must be made accessible within your network.
To make these images accessible to Astronomer, specify your organization’s private registry in the global section of your values.yaml file:
This configuration automatically pulls most Docker images required in the Astronomer Helm chart. You must also configure the following images individually in a separate section of your values.yaml file:
There are two Helm charts required for Astronomer:
The Astronomer Helm chart can be downloaded using helm pull and applied locally if desired.
Commander, which is Astronomer’s provisioning component, uses the Astronomer Airflow Helm chart to create Airflow deployments. You have two options to make the Helm chart available to Commander:
To use the built-in Astronomer Airflow Helm chart in the Commander Docker image, add the following configuration to your values.yaml file:
To configure a self-hosted Helm chart, add the following configuration to your values.yaml file:
values.yaml file, then astronomer.commander.airGapped.enabled takes precedence over global.helmRepo.By default, Astronomer checks for Airflow updates once a day at midnight by querying https://updates.astronomer.io/astronomer-runtime, which returns a JSON file with version details. However, this URL is not accessible in an airgapped environment. There are several options for making these updates accessible in an airgapped environment:
This setup assumes that the updates JSON will be manually downloaded and added to your environment. For guidance on how to automate this process, reach out to your Astronomer contact.
The following topic provides an example implementation of hosting the Airflow updates JSON files in your airgapped environment and accessing them via an Nginx endpoint. Depending on your organization’s platform and use cases, your own installation might vary from this setup.
To complete this setup:
Host an updates JSON in a Kubernetes configmap by running the following commands:
Add an Nginx deployment and service configuration to a new file named nginx-astronomer-certified.yaml:
Note the Docker image in the deployment and ensure that this is also accessible from within your environment.
Save this file and apply it to your cluster by running the following command:
The updates JSON will be accessible by the service name from pods in the Kubernetes cluster via http://astronomer-releases.astronomer.svc.cluster.local/astronomer-certified.json.
To validate if the updates JSON is accessible you have several options:
If an image with curl is available in your network, you can run:
If you have curl installed on your client machine:
Complete the entire Software installation, then use one of the astro-ui pods which include bash and curl:
No matter what option you choose, the commands that you run should return the updates JSON if the service was configured correctly.
After you have made the updates JSON accessible within your premises, you must configure the Helm chart to fetch updates from the custom URL:
Before completing this step, double-check that the following statements are true:
After this check, you can install the Astronomer Helm chart by running the following commands, making sure to replace <your-version> with the version of Astronomer that you want to install:
After these commands finish, continue your installation with Step 10 (Verify pods are up) in the AWS, Azure, or GCP installation guide.