This guide describes the steps to install Astronomer Software, which allows you to deploy and scale any number of Apache Airflow deployments.
Astronomer recommends platform administrators perform their first Astronomer Software installation manually using the procedures described in this document. You can adapt the procedure to meet organizational best practices when deploying to change-controlled environments.
eksctl for creating and managing your Astronomer cluster on EKS.Before installing Astronomer Software, consider how many instances of the platform you want to host because you install each of these instances on separate Kubernetes clusters following the instructions in this document.
Each instance of Astronomer Software can host multiple Airflow environments, or Deployments. Some common types of Astronomer Software instances you might consider hosting are:
For each instance of the platform that you plan to host, create a project folder to contain the platform instance’s configurations. For example, if you want to install a development environment, create a folder named ~/astronomer-dev.
values.yaml from a templateAstronomer Software uses Helm to apply platform-level configurations. Use one of the following templates as the basis for your Astronomer Software platform configuration by copying the template into a local file named values.yaml in your platform project directory. As you continue to extend the functionality of your Astronomer Software instances, you can continually modify this file to take advantage of new features.
As you copy the template configuration, keep the following in mind.
helm upgrade or upgrade.sh until instructed to do so in later steps.helm upgrade from other Astronomer documentation until you’ve completed this installation.Astronomer Software requires a Kubernetes Ingress controller to function and provides an integrated Ingress controller by default.
Astronomer generally recommends you use the integrated Ingress controller, but Astronomer Software also supports certain third-party ingress-controllers.
Ingress controllers typically need elevated permissions (including a ClusterRole) to function. Specifically, the Astronomer Software Ingress controller requires the ability to:
If you have complex regulatory requirements, you might need to use an Ingress controller that’s approved by your organization and disable Astronomer’s integrated controller. You configure this detail later in the installation.
When you install Astronomer Software, it creates a variety of services that your users access to manage, monitor, and run Airflow.
Choose a base domain such as astronomer.example.com, astro-sandbox.example.com, astro-prod.example.internal for which:
app.<base-domain>deployments.<base-domain>houston.<base-domain>grafana.<base-domain>kibana.<base-domain>install.<base-domain>alertmanager.<base-domain>prometheus.<base-domain>registry.<base-domain>The base domain itself does not need to be available and can point to another service not associated with Astronomer or Airflow. If the base domain is available, you can choose to establish a vanity redirect from <base-domain> to app.<base-domain> later in the installation process.
When choosing a base domain, consider the following:
*.example.com can provide service for app.example.com but not app.astronomer-dev.example.com.app, registry, prometheus, are fixed and cannot be changed... For example, app.astronomer.sandbox.mygroup.example.com is six segments and might cause problems. Astronomer recommends choosing a base domain of astronomer-sandbox.mygroup.example.com instead of astronomer.sandbox.mygroup.example.com.The base domain is visible to end users. They can view the base domain in the following scenarios:
https://app.sandbox-astro.example.com.https://deployments.sandbox-astro.example.com/deployment-release-name/airflow.astro login sandbox-astro.example.com.app.apps.<OpenShift-domain>. Doing this requires permission to reconfigure the route admission policy for the standard ingress controller to InterNamespaceAllowed. See Third Party Ingress Controller - Configuration notes for OpenShift for additional information and options.Locate the global.baseDomain in your values.yaml file and change it to your base domain as shown in the following example:
In your Kubernetes cluster, create a Kubernetes namespace to contain the Astronomer Software platform. Astronomer recommends naming this namespace astronomer.
Astronomer Software uses the contents of this namespace to provision and manage Airflow instances running in other namespaces. Each Airflow instance has its own isolated namespace.
Skip this step if you use Astronomer Software’s integrated ingress controller.
Follow the instructions in this section to create DNS entries pointing to the third-party ingress controller instance that provides ingress service to Astronomer Software.
Astronomer Software requires the following domain names be registered and resolvable within the Kubernetes cluster and to Astronomer Software users:
app.<base-domain> (required)deployments.<base-domain> (required)houston.<base-domain> (required)prometheus.<base-domain> (required)grafana.<base-domain> (required if using Astronomer Software’s integrated grafana)kibana.<base-domain> (required if not using external elasticsearch)registry.<base-domain> (required if using Astronomer Software’s integrated container-registry)alertmanager.<base-domain> (required if using Astronomer Software’s integrated Alert Manager)<base-domain> (optional but recommended, provides a vanity re-direct to app.<base-domain>)install.<base-domain> (optional)Astronomer generally recommends that:
<base-domain> record is a zone apex record, that is typically expressed by using a hostname of @, and points to the IP(s) of the ingress controller.<base-domain>.For platform administrators unable to register the base domain, Astronomer recommends that:
app.<baseDomain> record is a record pointing to the IPs of the ingress controller.app.<base-domain>.Provide the details you gathered in Astronomer Software Third-Party DNS Requirements and Record Guidance to your ingress controller administrator, making sure to replace <base-domain> with your chosen base domain. Then, request the following information from the administrator:
Save this information for later in this setup.
Create DNS records that point to your third-party ingress controller based on your organization’s standard workflows.
Use dig <hostname> or getent hosts <hostname> to verify that each DNS entry is created and points to the IP address of the ingress controller you use.
To install Astronomer Software, you need a TLS certificate that is valid for several domains. One of the domains is the primary name on the certificate, also known as the common name (CN). The additional domains are equally valid, supplementary domains known as Subject Alternative Names (SANs).
Astronomer requires a private certificate to be present in the Astronomer Software platform namespace, even if you use a third-party ingress controller that doesn’t otherwise require it.
Request a TLS certificate from your security team for Astronomer Software. In your request, include the following:
app.<base-domain> as the CN instead.*.<base-domain> or an explicit SAN entry for each of the following items:
app.<base-domain> (omit if already used as the Common Name)deployments.<base-domain>registry.<base-domain>houston.<base-domain>grafana.<base-domain>kibana.<base-domain>install.<base-domain>alertmanager.<base-domain>prometheus.<base-domain>key.pem containing the private key in pem formatfull-chain.pem (containing the public certificate and additional certificates required to validate it, in pem format) or a bare cert.pem and explicit affirmation that there are no intermediate certificates and that the public certificate is the full chain.private-root-ca.pem in pem format of the private Certificate Authority used to create your certificate or a statement that the certificate is signed by a public Certificate Authority.-key-type rsa when requesting certificates. Most other solutions generate RSA keys by default.Ensure that you received each of the following three items:
key.pem containing the private key in pem format.full-chain.pem, in pem format, that contains the public certificate and additional certificates required to validate it or a bare cert.pem and explicit affirmation that there are no intermediate certificates and that the public certificate is the full chain.private-root-ca.pem in pem format of the private Certificate Authority used to create your certificate or a statement that the certificate is signed by public Certificate Authority.To validate that your security team generated the correct certificate, run the following command using the openssl CLI:
This command will generate a report. If the X509v3 Subject Alternative Name section of this report includes either a single *.<base-domain> wildcard domain or all subdomains, then the certificate creation was successful.
Confirm that your full-chain certificate chain is ordered correctly. To determine your certificate chain order, run the following command using the openssl CLI:
The command generates a report of all certificates. Verify that the certificates are in the following order:
The Astronomer Software integrated container registry requires that your private key signs traffic originating from the Astronomer Software platform using the RSA encryption method. Confirm that the key is signing traffic correctly before proceeding.
Run the following command to extract the bare public cert, if it was not already included in the files provided by your certificate authority, from the full-chain certificate file:
Examine the public certificate and ensure all Signature Algorithms are listed as sha1WithRSAEncryption.
If your key is not compatible with the Astronomer Software integrated container registry, ask your Certificate Authority to re-issue the credentials and emphasize the need for an RSA cert, or use an external container registry.
Run the following command to store the public full-chain certificate in the Astronomer Software Platform Namespace in a tls-type Kubernetes secret. You can create a custom name for this secret. The following example uses the name, astronomer-tls.
However, if your security team has instructed you that there are no intermediate certificates, run the following command.
Naming the secret astronomer-tls with no substitutions is recommended when using a third-party ingress controller.
If you use Astronomer Software’s integrated ingress controller, you can skip this step.
Complete the full setup as described in Third-party Ingress-Controllers, which includes steps to configure ingress controllers in specific environment types. When you’re done, return to this page and continue to the next step.
Skip this step if you don’t use a private Certificate Authority (private CA) to sign the certificate used by your ingress-controller. Or, if you don’t use a private CA for any of the following services that the Astronomer Software platform interacts with.
Astronomer Software trusts public Certificate Authorities automatically.
Astronomer Software must be configured to trust any private Certificate Authorities issuing certificates for systems Astronomer Software interacts with, including but not limited-to:
Perform the procedure described in Configuring private CAs for each certificate authority used to sign TLS certificates.
If at least one of the following circumstances apply to your installation, complete this step:
Kubernetes must be able to pull images from one or more container registries for Astronomer Software to function. By default, Kubernetes only trusts publicly signed certificates. This means that by default, Kubernetes does not honor the list of certificates trusted by the Astronomer Software platform.
Many enterprises configure Kubernetes to trust additional certificate authorities as part of their standard cluster creation procedure. Contact your Kubernetes Administrator to find out what, if any, private certificates are currently trusted by your Kubernetes Cluster. Then, consult your Kubernetes administrator and Kubernetes provider’s documentation for instructions on configuring Kubernetes to trust additional CAs.
Follow procedures for your Kubernetes provider to configure Kubernetes to trust each CA associated with your container registries, including the integrated container registry, if applicable.
Certain clusters do not provide a mechanism to configure the list of certificates trusted by Kubernetes.
While configuring the Kubernetes list of cluster certificates is a customer responsibility, Astronomer Software includes an optional component that can, for certain Kubernetes cluster configurations, add certificates defined in global.privateCaCerts to the list of certificates trusted by Kubernetes. This can be enabled by setting global.privateCaCertsAddToHost.enabled and global.privateCaCertsAddToHost.addToContainerd to true in your values.yaml file and setting global.privateCaCertsAddToHost.containerdConfigToml to:
For example, if your base domain is astro-sandbox.example.com and the CA public-certifice certificate is stored in the platform namespace in a secret named my-private-ca, the global.privateCaCertsAddToHost section would be:
Astronomer Software requires the ability to send email to:
Astronomer Software sends all outbound email using SMTP.
Obtain a set of SMTP credentials from your email administrator for you to use to send email from Astronomer Software. When you request an email address and display name, remember that these emails are not designed for users to reply directly to them. Request all the following information:
Do Not Reply <donotreply@example.com>.If there is a / or any other escape character in your username or password, you may need to URL encode those characters.
Ensure that your Kubernetes cluster has access to send outbound email to the SMTP server.
Change the configuration in values.yaml from noreply@my.email.internal to an email address that is valid to use with your SMTP credentials.
Construct an email connection string and store it in a secret in the Astronomer platform namespace. The following example shows how to store the connection in a secret called astronomer-smtp. Make sure to url-encode the username and password if they contain special characters.
In general, an SMTP URI is formatted as smtps://USERNAME:PASSWORD@HOST/?pool=true. The following table contains examples of the URI for some of the most popular SMTP services:
If your SMTP provider is not listed, refer to the provider’s documentation for information on creating an SMTP URI.
If there is a / or any other escape character in your username or password, you may need to URL encode those characters.
Skip this step if your cluster defines a volume storage class, and you want to use it for all volumes associated with Astronomer Software and its Airflow Deployments.
Astronomer strongly recommends that you do not back any volumes used for Astronomer Software with mechanical hard drives.
Replace <desired-storage-class> in the following configuration with the storage class you want to use for each respective component. You can remove the configuration for any component where using the default storage is acceptable.
Merge these values into values.yaml. You can do this manually or by placing merge_yaml.py and the configuration as a new file in your project directory and running python merge_yaml.py storage-class-config.yaml values.yaml.
Astronomer requires a central Postgres database that acts as the backend for Astronomer’s Houston API and hosts individual metadata databases for all Deployments created on the platform.
If, while evaluating Astronomer Software, you need to create a temporary environment where Postgres is not available, locate the global.postgresqlEnabled option already present in your values.yaml and set it to true, then skip the remainder of this step.
Note that global.postgresqlEnabled to true is an unsupported configuration, and should never be used on any development, staging, or production environment.
If you use Azure Database for either PostgreSQL or another Postgres instance that does not enable the pg_trgm by default, you must enable the pg_trgm extension prior to installing Astronomer Software. If pg_trgm is not enabled, the install will fail. pg_tgrm is enabled by default on Amazon RDS and Google Cooud SQL for PostgresQL.
For instructions on enabling the pg_trgm extension for Azure Flexible Server, see PostgreSQL extensions in Azure Database for PostgreSQL - Flexible Server.
Additional requirements apply to the following databases:
pg_trgm extension as per the advisory earlier in this section.global.ssl.modeto prefer in your values.yaml file.Create a Kubernetes Secret named astronomer-bootstrap that points to your database. You must URL encode any special characters in your Postgres password.
To create this secret, run the following command replacing the astronomer platform namespace, username, password, database hostname, and database port with their respective values. Remember that username and password must be url-encoded if they contain special-characters:
For example, for a username named bob with password abc@abc at hostname some.host.internal, you would run:
By default, Astronomer Software users create customized Airflow container images when they deploy project code to the platform. These images frequently contain sensitive information and must be stored in a secure location accessible to Kubernetes.
Astronomer Software includes an integrated image registry for this purpose.
Users can use images hosted in other container image repositories accessible to the Kubernetes cluster without additional platform-level configuration.
See Configure a custom registry for Deployment images for additional configurable options.
Skip this step if you are installing Astronomer Software onto a Kubernetes cluster that can pull container images from public image repositories and you don’t want to mirror these images locally.
Astronomer expects the images to use their normal names, but prefixed by a string you define. For example, if you specify artifactory.example.com/astronomer, when you mirror images later in this procedure, you mirror quay.io/astronomer/<image> as <custom-platform-repo-prefix>/astronomer/<image>. The following show additional examples:
quay.io/astronomer/ap-houston-api to artifactory.example.com/astronomer/ap-houston-apiquay.io/astronomer/astronomer/ap-commander to artifactory.example.com/astronomer/ap-commanderReplace <custom-platform-repo-prefix> in the following configuration data with your platform image repository prefix and merge into values.yaml either manually or by placing merge_yaml.py in your astro-platform project-directory and running python merge_yaml.py private-platform-registry-snippet.yaml values.yaml.
For example, if your custom platform image registry prefix was 012345678910.dkr.ecr.us-east-1.amazonaws.com/myrepo/astronomer, your configuration would look like the following:
These instructions do not apply to images hosted on Amazon Elastic Container Registry (ECR). Credentials for ECR have a limited lifespan and are unsuitable for using on Astronomer Software. To use AWS ECR to serve images for Astronomer, you must grant permissions for the following actions to the Kubernetes Nodes IAM Role.
Astronomer Software platform images are usually hosted in internal repositories that do not require configuration. If your repository requires you pass an image credential:
Log in to the registry and follow the Kubernetes documentation to produce a /.docker/config.json file.
Run the following command to create an image pull secret named platform-regcred in the Astronomer Software platform namespace:
Set global.privateRegistry.secretName in values.yaml to platform-regcred. For example:
Astronomer recommends new Astronomer Software installations use the most recent version available in either the Stable or Long Term Support (LTS) release-channel. Keep this version number available for the following steps.
See Astronomer Software’s lifecycle policy and version compatibility reference for more information.
If you have internet access to https://helm.astronomer.io, run the following command on the machine where you want to install Astronomer Software:
If you don’t have internet access to https://helm.astronomer.io, download the Astronomer Software Platform Helm chart file corresponding to the version of Astronomer Software you are installing or upgrading to from https://helm.astronomer.io/astronomer-<version number>.tgz. For example, for Astronomer Software v0.36.0 you would download https://helm.astronomer.io/astronomer-0.36.0.tgz. This file does not need to be uploaded to an internal chart repository.
Create a file named upgrade.sh in your platform deployment project directory containing the following script. Specify the following values at the beginning of the script:
CHART_VERSION: Your Astronomer Software version, including patch and a v prefix. For example, v0.36.0.RELEASE_NAME: Your Helm release name. astronomer is strongly recommended.NAMESPACE: The namespace to install platform components into. astronomer is strongly recommended.CHART_NAME: Set to astronomer/astronomer if fetching platform images from the internet. Otherwise, specify the filename if you’re installing from a file (for example astronomer-0.36.0.tgz).Mac and Linux users with jq installed can set CHART_VERSION in the following snippet and run it to produce a list of images.
If you are not installing Astronomer Software into an egress-controlled or airgapped environment, skip this step.
By default, Astronomer Software checks for Airflow updates, which are included in the Astro Runtime, once per day at midnight by querying https://updates.astronomer.io/astronomer-runtime. This returns a JSON file with details about the latest available Astro Runtime versions.
To store this in the cluster itself, and avoid this check, complete the following steps:
Download the JSON files and store them in a Kubernetes configmap by running the following commands:
Add the following values into values.yaml. You can do this manually or by placing the configuration as a new file, along with merge_yaml.py in your project directory and running python merge_yaml.py openshift.yaml values.yaml.
If you’re not installing Astronomer Software into an OpenShift Kubernetes cluster, skip this step.
Add the following values into values.yaml. You can do this manually or by placing the configuration as a new file, along with merge_yaml.py in your project directory and running python merge_yaml.py openshift.yaml values.yaml.
Astronomer Software on OpenShift is only supported when using a third-party ingress-controller and using the logging sidecar feature of Astronomer Software. The above configuration enables both of these items.
By default, Astronomer Software automatically creates namespaces for each new Airflow Deployment.
You can restrict the Airflow management components of Astronomer Software to a list of predefined namespaces and configure it to operate without a ClusterRole by following the instructions in Configure a Kubernetes namespace pool for Astronomer Software. If you want to disable creation of role and rolebindings for commander, config-syncer, and kubestate metrics, you can set global.features.namespacePools.createRbac to false.
When global.rbacEnabled is set to false, the platform no longer creates any role, rolebindings, or service accounts. The user must define default roles to the k8s default service account to continue with the platform install. See Bring your own Kubernetes service accounts for setup steps.
Running a logging sidecar to export Airflow task logs is essential for running Astronomer Software in a multi-tenant cluster.
By default, Astronomer Software creates a privileged DaemonSet to aggregate logs from Airflow components for viewing from within Airflow and the Astronomer Software UI.
You can replace this privileged Daemonset with unprivileged logging sidecars by following instructions in Export logs using container sidecars.
Astronomer Software includes integrations for several of the most popular OAUTH2 identity providers (IdPs), such as Okta and Microsoft Entra ID. Configuring an external IdP allows you to automatically provision and manage users in accordance with your organization’s security requirements. See Integrate an auth system to configure the identity provider of your choice in your values.yaml file.
Skip this step if you’re using a third-party ingress controller or provisioning domain names for ingress objects using external DNS.
To install and function, Astronomer Software platform components require DNS entries to point to a load balancer associated with your ingress controller.
Perform a preliminary install of Astronomer Software to trigger your ingress controller to create the load balancer. This installation intentionally times out after 30 seconds, but it causes the ingress controller to still create the load balancer.
Run kubectl -n <astronomer platformm namespace> get service -l component=ingress-controller and verify that a service-type LoadBalancer resource was created and that it received an External IP in a range that is accessible to your end-users, but not accessible to the general internet. For example:
If you uninstall and re-install the Astronomer Software platform chart, the ingress controller almost always receives a new IP address, which requires updating the DNS entries.
In lower environments, you can set nginx.loadBalancerIP in values.yaml to the External-IP address:
This option allows the cluster to request the same Load Balancer IP at creation time. Rebuilds immediately following teardowns can almost always receive the same IP address, but issuance is not guaranteed and installations will fail if the IP address has been assigned elsewhere, or is otherwise not available. Therefore, this option should not be used in higher environments unless you have taken special measures to guarantee the same IP address is reissued.
If you’re using a third-party ingress controller, you can skip this step.
The Astronomer load balancer routes incoming traffic to your NGINX ingress controller. After you install Astronomer Software, the load balancer will spin up in your cloud provider account.
Run $ kubectl get svc -n <astronomer platform namespace>to view your load balancer’s CNAME, located in the EXTERNAL-IP column for the astronomer-nginx service and look similar to the following:
You will need to create a new CNAME record through your DNS provider using the external IP listed for astronomer-nginx.
You can create a single wildcard CNAME record such as *.sandbox-astro.example.com, or alternatively create individual CNAME records for the following routes:
Astronomer Software requires the following domain-names be registered and resolvable within the Kubernetes cluster and to Astronomer Software users:
app.<base-domain> (required)deployments.<base-domain> (required)houston.<base-domain> (required)prometheus.<base-domain> (required)grafana.<base-domain> (required if using Astronomer Software’s integrated grafana)kibana.<base-domain> (required if not using external elasticsearch)registry.<base-domain> (required if using Astronomer Software’s integrated container-registry)alertmanager.<base-domain> (required if using Astronomer Software’s integrated Alert Manager)<base-domain> (optional but recommended, provides a vanity re-direct to app.<base-domain>)install.<base-domain> (optional)Install the Astronomer Software Helm chart using upgrade.sh, which is recommended for your first install, or directly from Helm.
To verify all pods are up and running, run:
All pods should be in Running status. For example,
If all pods are not in running status, check the guide on debugging your installation or contact Astronomer support for additional configuration assistance.
Visit https://app.<base-domain> in your web-browser to view Astronomer Software’s web interface.
Congratulations, you have configured and installed an Astronomer Software platform instance - your new Airflow control plane.
From the Astronomer Software UI, you’ll be able to both invite and manage users as well as create and monitor Airflow Deployments on the platform.
The following topics include optional information about one or multiple topics in the installation guide.
merge_yaml.pyWhen merging YAML configurations into values.yaml, you can merge manually or with a tool of your choosing.
You can use the followingmerge_yaml.py script to merge YAML excerpts into values.yaml automatically. This script requires both Python and the ruamel.yaml package, which you can install using pip install ruamel.yaml. To run the program, ensure that merge_yaml.py, values.yaml, and the yaml file that contains the configuration you want to add are all in your project directory. Then, run:
You can configure Astronomer Software to not send outbound email.
astronomer.houston.config.publicSignup: true with astronomer.houston.config.email.enabled: false is only secure when all non-OIDC authentication backends are explicitly disabled and the OIDC provider provides sufficient user validation to prevent untrusted users from accessing Astronomer Software.To disable email transmission and email verification of users attempting to access the platform:
values.yaml file, set astronomer.houston.config.email.enabled to false.astronomer.houston.config.publicSignups to true.EMAIL__SMTP_URL list-item from astronomer.houston.secret.private-root-ca, by running the following command.Before you run this command, keep the following in mind:
cert.pem for your certificate to be trusted properly.Add <secret name> to the list of secret names contained in global.privateCaCerts in values.yaml:
If your users will deploy images to a container registry, including the integrated container registry, that uses a TLS certificate signed by a private CA, you need to configure Docker Desktop to trust the CA’s public certificate.
Obtain a copy of the CA’s public certificate in pem format and place it in /etc/docker/certs.d: