For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Astro Private Cloud overview
    • Astro Private Cloud features
      • Configure a secrets backend
      • Configure Kerberos database authentication
      • Third-party ingress controllers
      • Network configuration
      • Bring your own service accounts
      • Configure security contexts
      • Read-only root filesystem
      • TLS certificate management
        • Overview
        • Set up audit log shipping
        • Configuration reference
        • Log schema and operations

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Sidecar-level values
  • CloudWatch sink values
  • GCP Cloud Logging sink values
  • Elasticsearch sink values
  • APC service account annotations
  • Validation rules
  • Unsupported values
  • Next steps
Security and complianceAPC audit logging

APC audit logging configuration reference

Edit this page
Built with

This document lists every Helm value that controls the Astro Private Cloud (APC) audit logging sidecar and its sinks. For task-oriented instructions, see Set up audit log shipping.

All values in this document live under houston.logging.loggingSidecar in the astronomer chart’s values file. When you use the umbrella chart, prefix the path with astronomer., so the full path becomes astronomer.houston.logging.loggingSidecar.*.

Sidecar-level values

These values control the Vector sidecar itself, independent of which sink you enable.

KeyTypeDefaultDescription
enabledbooleanfalseEnables the Vector sidecar on the APC API and APC Worker Pods. When false, no audit events are shipped to any sink.
resources.requests.cpustring50mCPU request for the Vector sidecar container.
resources.requests.memorystring128MiMemory request for the Vector sidecar container.
resources.limits.cpustring200mCPU limit for the Vector sidecar container.
resources.limits.memorystring256MiMemory limit for the Vector sidecar container.
securityContext.runAsNonRootbooleantrueVector sidecar’s runAsNonRoot security context. Override only when your cluster’s Pod security policy requires a different value.
securityContext.allowPrivilegeEscalationbooleanfalseVector sidecar’s allowPrivilegeEscalation security context. Override only when your cluster’s Pod security policy requires a different value.

The Vector sidecar ships with a secure-by-default security context. The chart already applies securityContext.runAsNonRoot: true and securityContext.allowPrivilegeEscalation: false, so most installations don’t need to set these values.

The Vector image is controlled at the chart level, not on the sidecar, through images.vector.repository and images.vector.tag. These values are managed by the chart and change between chart releases, so they aren’t pinned in this reference. For the current defaults, see the astronomer/astronomer chart values file.

CloudWatch sink values

Set under houston.logging.loggingSidecar.cloudwatch. Use this sink on Amazon EKS.

KeyTypeDefaultDescription
enabledbooleanfalseEnables the CloudWatch sink. Only one sink can be enabled at a time.
regionstring""AWS region of the target log group. Required when enabled is true.
logGroupNamestring/astronomer/houston/auditTarget CloudWatch log group. The log group must exist and the IAM principal used by Vector must be allowed to write to it.
useIRSAbooleantrueWhen true, Vector authenticates with AWS using IAM Roles for Service Accounts (IRSA). The eks.amazonaws.com/role-arn annotation on houston.serviceAccount.annotations must reference the IRSA role.
secretNamestringhouston-cloudwatch-credsName of a Kubernetes secret containing aws_access_key_id and aws_secret_access_key. Used when useIRSA is false.

GCP Cloud Logging sink values

Set under houston.logging.loggingSidecar.gcpCloudLogging. Use this sink on Google Kubernetes Engine (GKE).

KeyTypeDefaultDescription
enabledbooleanfalseEnables the GCP Cloud Logging sink. Only one sink can be enabled at a time.
projectIdstring""Google Cloud project that receives the logs. Required when enabled is true.
logIdstringhouston-auditCustom log ID that identifies this APC audit stream in Cloud Logging.
resource.typestringk8s_containerMonitored resource type. k8s_container is the expected value for GKE Pods.
resource.locationstring""GKE cluster location, for example us-east4 or us-east4-b. Required when enabled is true.
resource.clusterNamestring""GKE cluster name as it appears in Cloud Logging. Required when enabled is true.
severityKeystringlevelField in each audit event that Vector maps to GCP severity.
useWorkloadIdentitybooleantrueWhen true, Vector authenticates with GCP through Workload Identity. The iam.gke.io/gcp-service-account annotation on houston.serviceAccount.annotations must reference the Google service account.
credentialsSecretNamestringhouston-gcp-logging-credsName of a Kubernetes secret that contains a GCP service account JSON key. Used when useWorkloadIdentity is false.
credentialsSecretKeystringkey.jsonKey within credentialsSecretName that holds the JSON key file. The file is mounted at /etc/gcp-credentials/<credentialsSecretKey>.

projectId, resource.location, and resource.clusterName are required when gcpCloudLogging.enabled is true. Empty or whitespace-only values are rejected by the chart.

Elasticsearch sink values

Set under houston.logging.loggingSidecar.elasticsearch. Use this sink to ship events to an external Elasticsearch cluster. The Elasticsearch sink is supported when the Astro Private Cloud control plane runs on Amazon EKS, GKE, or AKS.

KeyTypeDefaultDescription
enabledbooleanfalseEnables the Elasticsearch sink. Only one sink can be enabled at a time.
endpointstring~ (null)External Elasticsearch URL, for example https://es.example.com:9200. Required when enabled is true.
indexstringhouston-audit-%Y.%m.%dIndex name pattern. Accepts strftime tokens for date-based indices.
apiVersionstringv8Elasticsearch API version.
auth.strategystringbasicAuthentication strategy. Supported values are basic and none.
auth.secretNamestringhouston-elasticsearch-credsName of a Kubernetes secret that contains username and password keys. Required when auth.strategy is basic.
tls.enabledbooleanfalseWhen true, Vector uses the CA certificate in caSecretName to validate the Elasticsearch server certificate.
tls.caSecretNamestring""Name of a Kubernetes secret that contains a ca.pem entry. The chart mounts the secret at /etc/es-tls/ca.pem. Required when tls.enabled is true.

auth.strategy and tls.enabled are independent. The chart supports all four combinations: none, basic, none with a custom CA, and basic with a custom CA.

APC service account annotations

The IRSA and Workload Identity integration points are annotations on the <release>-houston-bootstrapper service account. The chart passes any key-value pairs you set on houston.serviceAccount.annotations through to the rendered ServiceAccount manifest.

AnnotationUse with
eks.amazonaws.com/role-arnCloudWatch sink with useIRSA: true
iam.gke.io/gcp-service-accountGCP Cloud Logging sink with useWorkloadIdentity: true

Both the APC API and APC Worker Pods use the same <release>-houston-bootstrapper service account, so a single annotation applies to both deployments.

Validation rules

The chart validates houston.logging.loggingSidecar at render time. The following rules fail helm upgrade with a descriptive error when violated:

  • When loggingSidecar.enabled is true, exactly one of cloudwatch.enabled, gcpCloudLogging.enabled, or elasticsearch.enabled must also be true.
  • When gcpCloudLogging.enabled is true, projectId, resource.location, and resource.clusterName must each be set to a non-whitespace value.
  • When elasticsearch.enabled is true, endpoint must be set.

Unsupported values

extraSinks on houston.logging.loggingSidecar isn’t accepted by the chart. APC audit logging ships only to the three sinks documented on this page.

Next steps

  • To apply these values to an installation, see Set up audit log shipping.
  • For the shape of each audit event and the list of audited operations, see Audit log schema and operations.