Helm configuration reference
This reference documents all configuration options for the Astro Private Cloud (APC) Helm chart. Use this guide to customize the values.yaml file for your APC installation.
Values file structure
The APC Helm chart uses a hierarchical structure:
```yaml
global:                     # Platform-wide settings
  baseDomain: ""            # Required: your base domain
  plane:
    mode: ""                # unified, control, or data
  # ... more global settings

tags:                       # Enable/disable component groups
  monitoring: true
  logging: true

astronomer:                 # Platform component settings
  houston: {}
  commander: {}
  registry: {}
  astroUI: {}

nginx: {}                   # Ingress configuration
prometheus: {}              # Metrics collection
elasticsearch: {}           # Log storage
grafana: {}                 # Dashboards
# ... more component sections
```
Required configuration
Configure the following required values:
```yaml
global:
  baseDomain: "example.com"    # Your platform domain
  tlsSecret: "astronomer-tls"  # TLS certificate secret name
```
Global configuration
Base domain and TLS
```yaml
global:
  # Required: Base domain for all platform endpoints
  # Results in: app.example.com, houston.example.com, etc.
  baseDomain: "example.com"

  # Name of Kubernetes secret containing TLS certificate
  tlsSecret: "astronomer-tls"

  # List of secrets containing private CA certificates
  privateCaCerts: []
```
Plane Mode (Control, Data, Unified)
Astro Private Cloud 1.0 supports split control plane and data plane deployments:
```yaml
global:
  plane:
    # Options: unified (default), control, data
    mode: "unified"

    # Domain prefix for this plane (used in split deployments)
    domainPrefix: ""
```
| Mode | Description |
|---|---|
| unified | Control and data plane in the same cluster (default, like 0.x) |
| control | Control plane only - manages deployments |
| data | Data plane only - runs Airflow workloads |
Network policies
```yaml
global:
  # Enable platform-level network policies
  networkPolicy:
    enabled: true

  # Apply default deny ingress policy
  defaultDenyNetworkPolicy: true

  # Enable namespace labels for network policies
  networkNSLabels: false
```
RBAC and cluster roles
```yaml
global:
  # Enable Kubernetes RBAC
  rbacEnabled: true

  # Use cluster-wide roles (required for some features)
  clusterRoles: true

  # Disable management of cluster-scoped resources
  disableManageClusterScopedResources: false
```
Node selection
Separate platform pods from Airflow pods:
```yaml
global:
  platformNodePool:
    nodeSelector:
      node-role: platform
    affinity: {}
    tolerations:
      - key: "platform"
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
```
Private registry
Use a private container registry:
```yaml
global:
  privateRegistry:
    enabled: true
    repository: "registry.example.com/astronomer"
    secretName: "registry-credentials"
```
Namespace pools
Pre-provision namespaces for Airflow Deployments:
```yaml
global:
  features:
    namespacePools:
      enabled: true
      createRbac: true
      namespaces:
        create: false   # Set true to auto-create
        names:
          - airflow-prod
          - airflow-staging
          - airflow-dev
```
Storage class
Specify a storage class for all persistent volumes:
```yaml
global:
  storageClass: "gp3"
```
OpenShift support
```yaml
global:
  openshiftEnabled: true
  sccEnabled: true   # Security context constraints
```
Astronomer platform components
Houston API
Houston is the core internal API that powers the platform:
```yaml
astronomer:
  houston:
    replicas: 2

    resources:
      requests:
        cpu: "500m"
        memory: "1024Mi"
      limits:
        cpu: "1000m"
        memory: "2048Mi"

    # Database connection
    backendSecretName: "houston-backend-secret"
    # Or specify directly:
    backendConnection:
      user: houston
      pass: "password"
      host: postgres.example.com
      port: 5432
      db: houston

    # Airflow database connection template
    airflowBackendSecretName: "airflow-backend-secret"

    # Houston configuration (see houston.config section below)
    config: {}

    # Environment variables common to all houston containers
    env:
      - name: LOG_LEVEL
        value: "info"

    # Worker pods for async processing
    worker:
      enabled: true
      replicas: 2

    # Upgrade all airflow helm deployments when upgrading APC helm deployment
    upgradeDeployments:
      enabled: true

    # Cleanup soft-deleted deployments
    cleanupDeployments:
      enabled: true
      schedule: "0 0 * * *"
      olderThan: 14

    # Cleanup Airflow database metadata
    cleanupAirflowDb:
      enabled: false
      schedule: "23 5 * * *"
      olderThan: 365
```
Houston configuration (houston.config)
Houston accepts extensive configuration via houston.config:
Authentication
```yaml
astronomer:
  houston:
    config:
      auth:
        # Local username/password auth
        local:
          enabled: true

        # OpenID Connect
        openidConnect:
          # Auth flow: "code" (recommended) or "implicit"
          flow: "code"

          # Microsoft/Azure AD
          microsoft:
            enabled: true
            clientId: "your-client-id"
            clientSecret: "your-client-secret"
            discoveryUrl: "https://login.microsoftonline.com/TENANT/v2.0/.well-known/openid-configuration"

          # Google OAuth
          google:
            enabled: false
            clientId: ""
            clientSecret: ""

          # Okta
          okta:
            enabled: false
            clientId: ""
            clientSecret: ""
            discoveryUrl: ""

          # Import groups from IDP
          idpGroupsImportEnabled: true
          idpGroupsRefreshEnabled: false

        # GitHub via Auth0
        github:
          enabled: false
```
Deployment defaults
```yaml
astronomer:
  houston:
    config:
      deployments:
        # Enable Dag-only deployments
        dagOnlyDeployment: true

        # Enable configureDagDeployment if you will be enabling any of the dag deployment types listed below
        configureDagDeployment: true

        # Enable NFS volume mounts
        nfsMountDagDeployment: true

        # Enable git-sync
        gitSyncDagDeployment: true

        # Hard delete deployments
        hardDeleteDeployment: false

        # Enable deployment rollbacks
        enableDeployRollback: true

        # Manual release names
        manualReleaseNames: false

        # Component resource limits
        components:
          - name: workers
            resources:
              default:
                cpu: 1000
                memory: 3840
              minimum:
                cpu: 100
                memory: 384
              limit:
                cpu: 3000
                memory: 11520
            extra:
              - name: terminationGracePeriodSeconds
                default: 600
                minimum: 0
                limit: 36000
              - name: replicas
                default: 1
                minimum: 1
                limit: 10

        # Default Helm values for Airflow deployments
        helm:
          airflow:
            # Default Airflow image
            defaultAirflowRepository: quay.io/astronomer/ap-airflow

            # Environment variables for all deployments
            env:
              - name: AIRFLOW__CORE__COLORED_CONSOLE_LOG
                value: "false"

            # Scheduler configuration
            scheduler:
              resources:
                requests:
                  cpu: "500m"
                  memory: "1Gi"

            # Worker configuration
            workers:
              resources:
                requests:
                  cpu: "500m"
                  memory: "1Gi"
```
Email configuration
```yaml
astronomer:
  houston:
    config:
      email:
        enabled: true
        smtpUrl: "smtp://smtp.example.com:587"
        reply: "noreply@example.com"

        # Require email confirmation for new users
        emailConfirmation: true

        # Allow public signups
        publicSignups: false
```
Prometheus integration
```yaml
astronomer:
  houston:
    config:
      prometheus:
        enabled: true
        host: "http://astronomer-prometheus:9090"
```
Commander
Commander manages Kubernetes resources for deployments:
```yaml
astronomer:
  commander:
    replicas: 2

    resources:
      requests:
        cpu: "250m"
        memory: "1Gi"
      limits:
        cpu: "500m"
        memory: "2Gi"

    # Air-gapped mode (no external registry access)
    airGapped:
      enabled: false

    # Helm upgrade timeout (seconds)
    upgradeTimeout: 600

    # Environment variables
    env: []
```
Registry
Container registry for deployment images:
```yaml
astronomer:
  registry:
    replicas: 1

    resources:
      requests:
        cpu: "250m"
        memory: "512Mi"
      limits:
        cpu: "500m"
        memory: "1024Mi"

    # Persistent storage
    persistence:
      enabled: true
      size: "100Gi"
      storageClassName: ~

    # Use external storage backends
    # AWS S3
    s3:
      enabled: false
      accesskey: ""
      secretkey: ""
      region: "us-east-1"
      bucket: "astronomer-registry"

    # Google Cloud Storage
    gcs:
      enabled: false
      bucket: ""
      useKeyfile: true
      keyfile: /var/gcs-keyfile/astronomer-gcs-keyfile

    # Azure Blob Storage
    azure:
      enabled: false
      accountname: ""
      accountkey: ""
      container: ""
```
Astro UI
```yaml
astronomer:
  astroUI:
    replicas: 2

    resources:
      requests:
        cpu: "100m"
        memory: "256Mi"
      limits:
        cpu: "500m"
        memory: "1024Mi"

    env: []
```
NGINX ingress
```yaml
nginx:
  replicas: 2

  resources:
    requests:
      cpu: "500m"
      memory: "1024Mi"
    limits:
      cpu: "1"
      memory: "2048Mi"

  # Service type: LoadBalancer, ClusterIP, or NodePort
  serviceType: "LoadBalancer"

  # Specific load balancer IP (optional)
  loadBalancerIP: ~

  # Restrict source IPs
  loadBalancerSourceRanges:
    - "10.0.0.0/8"

  # Private/internal load balancer
  privateLoadBalancer: false

  # NodePort configuration (when serviceType: NodePort)
  httpNodePort: ~
  httpsNodePort: ~

  # Ingress annotations
  ingressAnnotations:
    # AWS
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    # GCP
    cloud.google.com/load-balancer-type: "Internal"
    # Azure
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"

  # Proxy settings
  proxyConnectTimeout: 15
  proxyReadTimeout: 600
  proxySendTimeout: 600
  proxyBodySize: "1024m"

  # Default backend
  defaultBackend:
    enabled: true
    resources:
      requests:
        cpu: "100m"
        memory: "50Mi"
```
Prometheus (Monitoring)
```yaml
prometheus:
  # Data retention period
  retention: 15d

  # Persistent storage
  persistence:
    enabled: true
    size: "150Gi"

  resources:
    requests:
      cpu: "1000m"
      memory: "4Gi"
    limits:
      cpu: "2000m"
      memory: "8Gi"
```
Grafana
```yaml
grafana:
  resources:
    requests:
      cpu: "250m"
      memory: "512Mi"
    limits:
      cpu: "500m"
      memory: "1024Mi"

  # Custom dashboards
  dashboards:
    default:
      custom-dashboard:
        file: dashboards/custom.json

  # Extra environment variables (e.g., SMTP for alerts)
  extraEnvVars:
    - name: GF_SMTP_ENABLED
      value: "true"
    - name: GF_SMTP_HOST
      value: "smtp.example.com:587"
```
Elasticsearch (Logging)
```yaml
elasticsearch:
  # Enable persistence
  common:
    persistence:
      enabled: true

  # Client nodes
  client:
    replicas: 2
    heapMemory: "2g"
    resources:
      requests:
        cpu: "1"
        memory: "2Gi"
      limits:
        cpu: "2"
        memory: "4Gi"

  # Data nodes
  data:
    replicas: 3
    heapMemory: "2g"
    resources:
      requests:
        cpu: "1"
        memory: "2Gi"
      limits:
        cpu: "2"
        memory: "4Gi"
    persistence:
      size: "100Gi"

  # Master nodes
  master:
    replicas: 3
    heapMemory: "2g"
    resources:
      requests:
        cpu: "1"
        memory: "2Gi"
      limits:
        cpu: "2"
        memory: "4Gi"
    persistence:
      size: "20Gi"
```
Vector (Log Collection)
```yaml
vector:
  vector:
    resources:
      requests:
        cpu: "250m"
        memory: "512Mi"
      limits:
        cpu: "1000m"
        memory: "1024Mi"
```
External logging
Forward logs to external Elasticsearch:
```yaml
global:
  customLogging:
    enabled: true
    scheme: https
    host: "elasticsearch.example.com"
    port: "9200"
    secret: "es-credentials"
```
NATS (Messaging)
```yaml
global:
  nats:
    enabled: true
    replicas: 3
    jetStream:
      enabled: true
    tls: false

nats:
  nats:
    resources:
      requests:
        cpu: "75m"
        memory: "30Mi"
      limits:
        cpu: "250m"
        memory: "100Mi"
```
Database configuration
External PostgreSQL (Recommended)
```yaml
global:
  # Disable in-cluster PostgreSQL
  postgresqlEnabled: false

astronomer:
  houston:
    backendSecretName: "houston-db-secret"
    # Secret should contain: connection=postgres://user:pass@host:5432/houston

    # Airflow metadata databases
    airflowBackendSecretName: "airflow-db-secret"
```
Database SSL
```yaml
global:
  ssl:
    enabled: true
    mode: "require"   # disable, allow, prefer, require, verify-ca, verify-full
    grafana:
      sslmode: "require"
```
PgBouncer (connection pooling)
```yaml
global:
  pgbouncer:
    enabled: true
    gssSupport: true
    secretName: "astronomer-pgbouncer-config"
    servicePort: "6543"
```
Auth sidecar (OpenShift)
For OpenShift deployments requiring auth proxy:
```yaml
global:
  authSidecar:
    enabled: true
    repository: quay.io/astronomer/ap-auth-sidecar
    # tag: 1.29.3
    port: 8084
    resources:
      requests:
        cpu: "500m"
        memory: "512Mi"
      limits:
        cpu: "1000m"
        memory: "1024Mi"
```
Logging sidecar
Add Vector sidecar to Airflow pods:
```yaml
global:
  loggingSidecar:
    enabled: true
    name: sidecar-log-consumer
    repository: quay.io/astronomer/ap-vector
    tag: 0.52.0
    resources:
      requests:
        cpu: "100m"
        memory: "386Mi"
```
Dag-only deployments
```yaml
global:
  dagOnlyDeployment:
    enabled: true
    repository: quay.io/astronomer/ap-dag-deploy
    tag: 0.8.1
    resources: {}
    persistence: {}
```
Airflow operator
Enable Kubernetes operator-based deployments:
```yaml
global:
  airflowOperator:
    enabled: false
```
Extra objects
Add custom Kubernetes resources:
```yaml
astronomer:
  extraObjects:
    # Custom LimitRange
    - apiVersion: v1
      kind: LimitRange
      metadata:
        name: default-limits
        namespace: astronomer
      spec:
        limits:
          - default:
              cpu: "1"
              memory: "1Gi"
            defaultRequest:
              cpu: "100m"
              memory: "128Mi"
            type: Container

    # Custom NetworkPolicy
    - apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: custom-policy
      spec:
        podSelector: {}
        policyTypes:
          - Ingress
```
Complete example
Here’s an example configuration:
```yaml
global:
  baseDomain: "airflow.example.com"
  tlsSecret: "astronomer-tls"

  plane:
    mode: "unified"

  rbacEnabled: true
  clusterRoles: true

  networkPolicy:
    enabled: true

  postgresqlEnabled: false

  privateRegistry:
    enabled: true
    repository: "registry.example.com/astronomer"
    secretName: "registry-creds"

  platformNodePool:
    nodeSelector:
      node-type: platform
    tolerations:
      - key: "dedicated"
        value: "platform"
        effect: "NoSchedule"

  ssl:
    enabled: true
    mode: "require"

tags:
  platform: true
  monitoring: true
  logging: true

astronomer:
  houston:
    replicas: 2
    resources:
      requests:
        cpu: "500m"
        memory: "1Gi"
      limits:
        cpu: "1000m"
        memory: "2Gi"
    backendSecretName: "houston-db-secret"
    config:
      auth:
        local:
          enabled: false
        openidConnect:
          microsoft:
            enabled: true
            clientId: "your-client-id"
            clientSecret: "your-client-secret"
            discoveryUrl: "https://login.microsoftonline.com/TENANT/v2.0/.well-known/openid-configuration"
      email:
        enabled: true
        smtpUrl: "smtp://smtp.example.com:587"
        publicSignups: false
      deployments:
        hardDeleteDeployment: true
        manualReleaseNames: true

  commander:
    replicas: 2
    resources:
      requests:
        cpu: "250m"
        memory: "1Gi"
      limits:
        cpu: "500m"
        memory: "2Gi"

  registry:
    persistence:
      enabled: true
      size: "200Gi"

nginx:
  replicas: 2
  serviceType: LoadBalancer
  privateLoadBalancer: true
  resources:
    requests:
      cpu: "500m"
      memory: "1Gi"

prometheus:
  retention: 30d
  persistence:
    enabled: true
    size: "200Gi"
  resources:
    requests:
      cpu: "1"
      memory: "4Gi"

elasticsearch:
  data:
    replicas: 3
    persistence:
      size: "200Gi"
    resources:
      requests:
        cpu: "1"
        memory: "4Gi"
```
Validate configuration
After creating your values file, validate it:
```bash
# Dry-run to check for errors
helm template astronomer astronomer/astronomer \
  -f values.yaml \
  --namespace astronomer \
  --debug

# Check rendered templates
helm template astronomer astronomer/astronomer \
  -f values.yaml \
  --namespace astronomer > rendered.yaml
```
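`helm template` only proves the values file renders; it says nothing about whether the rendered platform is configured safely. The script below is an added example, not part of the APC chart or its tooling: it loads a values file as a dict and flags the settings on this page that most often weaken a deployment (credentials pasted inline instead of referenced from a Secret, a database `ssl.mode` that can fall back to plaintext or skips certificate verification, network policies left off, public signups, a public `LoadBalancer` with no source ranges, NATS without TLS). The key paths are taken from this reference; the wording and severity of each finding, the two constructed sample value sets, and the `check_file` helper are this example's own. PyYAML is needed only for reading a file from disk.

```python
"""Policy checks over an APC values.yaml (added example; not APC tooling)."""
from typing import Any, Dict, List

# Keys whose non-empty value means a credential lives in values.yaml rather
# than in a Kubernetes Secret. Paths are the ones documented in this reference.
INLINE_SECRET_PATHS = [
    "astronomer.houston.backendConnection.pass",
    "astronomer.houston.config.auth.openidConnect.microsoft.clientSecret",
    "astronomer.houston.config.auth.openidConnect.google.clientSecret",
    "astronomer.houston.config.auth.openidConnect.okta.clientSecret",
    "astronomer.registry.s3.secretkey",
    "astronomer.registry.azure.accountkey",
]

# libpq sslmode values that may silently fall back to an unencrypted connection.
FALLBACK_SSL_MODES = {"disable", "allow", "prefer"}


def get_path(values: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if any step is missing."""
    node: Any = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_values(values: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    findings: List[str] = []

    for path in INLINE_SECRET_PATHS:
        if get_path(values, path):
            findings.append(f"{path}: credential stored inline; reference a Kubernetes Secret instead")

    if get_path(values, "global.ssl.enabled") is not True:
        findings.append("global.ssl.enabled: not true; database traffic is unencrypted")
    mode = get_path(values, "global.ssl.mode", "")
    if mode in FALLBACK_SSL_MODES:
        findings.append(f"global.ssl.mode: '{mode}' may fall back to plaintext; use verify-ca or verify-full")
    elif mode == "require":
        findings.append("global.ssl.mode: 'require' encrypts but does not by itself verify the server certificate")

    if get_path(values, "global.networkPolicy.enabled") is not True:
        findings.append("global.networkPolicy.enabled: not true; platform pods accept traffic from any namespace")
    if get_path(values, "global.defaultDenyNetworkPolicy") is not True:
        findings.append("global.defaultDenyNetworkPolicy: not true; no default-deny ingress policy")

    if get_path(values, "astronomer.houston.config.email.publicSignups") is True:
        findings.append("houston.config.email.publicSignups: true; anyone who can reach the UI can register")

    if (get_path(values, "nginx.serviceType") == "LoadBalancer"
            and not get_path(values, "nginx.privateLoadBalancer")
            and not get_path(values, "nginx.loadBalancerSourceRanges")):
        findings.append("nginx: public LoadBalancer with no loadBalancerSourceRanges")

    if get_path(values, "global.nats.enabled") and get_path(values, "global.nats.tls") is False:
        findings.append("global.nats.tls: false; platform messaging is unencrypted")

    return findings


def check_file(path: str) -> List[str]:
    """Load a values file from disk (needs PyYAML) and run the checks on it."""
    import yaml  # optional dependency, only needed for on-disk files
    with open(path, encoding="utf-8") as fh:
        return check_values(yaml.safe_load(fh) or {})


# Constructed sample: a values file with the weak settings the checks look for.
SAMPLE_WEAK: Dict[str, Any] = {
    "global": {"ssl": {"enabled": True, "mode": "prefer"},
               "networkPolicy": {"enabled": False}, "defaultDenyNetworkPolicy": False,
               "nats": {"enabled": True, "tls": False}},
    "astronomer": {
        "houston": {"backendConnection": {"user": "houston", "pass": "password",
                                          "host": "postgres.example.com", "port": 5432, "db": "houston"},
                    "config": {"auth": {"openidConnect": {"microsoft": {"enabled": True,
                                                                         "clientSecret": "your-client-secret"}}},
                               "email": {"enabled": True, "publicSignups": True}}},
        "registry": {"s3": {"enabled": True, "accesskey": "AKIA-EXAMPLE", "secretkey": "EXAMPLE-SECRET"}}},
    "nginx": {"serviceType": "LoadBalancer", "privateLoadBalancer": False, "loadBalancerSourceRanges": []},
}

# Constructed sample: the same deployment with each weakness corrected.
SAMPLE_HARDENED: Dict[str, Any] = {
    "global": {"ssl": {"enabled": True, "mode": "verify-full"},
               "networkPolicy": {"enabled": True}, "defaultDenyNetworkPolicy": True,
               "nats": {"enabled": True, "tls": True}},
    "astronomer": {"houston": {"backendSecretName": "houston-db-secret",
                               "config": {"auth": {"openidConnect": {"microsoft": {"enabled": True, "clientSecret": ""}}},
                                          "email": {"enabled": True, "publicSignups": False}}}},
    "nginx": {"serviceType": "LoadBalancer", "privateLoadBalancer": True, "loadBalancerSourceRanges": ["10.0.0.0/8"]},
}

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {len(check_values(sample))} finding(s)")
        for finding in check_values(sample):
            print("  -", finding)
```

Run it against a real file with `check_file("values.yaml")`, and wire it in front of `helm template` so a values change that reintroduces an inline credential or disables network policies fails before anything is rendered. Because the checks work on the parsed dict rather than on text, they also hold when the same key is set through a second `-f` overlay file.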
Upgrade configuration
(Optional) When updating your values file, install the helm diff plugin and run the following command to see a diff of your changes before applying them:
```bash
# Compare changes
helm diff upgrade astronomer astronomer/astronomer \
  -f values.yaml \
  --namespace astronomer

# Apply changes
helm upgrade astronomer astronomer/astronomer \
  -f values.yaml \
  --namespace astronomer
```