Security and compliance

TLS certificate management

Astro Private Cloud (APC) uses TLS certificates for secure communication between components and for JWT token signing.

Self-signed certificate generation

$# Generate CA
$openssl genrsa -out ca.key 4096
$openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
>  -out ca.crt -subj "/CN=APC-CA"
$
$# Generate server certificate
$openssl genrsa -out tls.key 4096
$openssl req -new -key tls.key -out tls.csr \
>  -subj "/CN=*.your-domain.com"
$
$# Sign certificate with SAN
$openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key \
>  -CAcreateserial -out tls.crt -days 365

Create Kubernetes secret

$kubectl create secret tls platform-tls \
>  --cert=tls.crt \
>  --key=tls.key \
>  -n astronomer

Houston JWT certificates

Houston uses auto-generated JWT certificates to sign and verify authentication tokens. These certificates are created during installation.

The regenerateCaEachUpgrade flag controls whether APC regenerates the Houston certificate authority (CA) on each platform upgrade. This flag defaults to false:

1houston:
2  regenerateCaEachUpgrade: false

Setting regenerateCaEachUpgrade to true regenerates the CA on every upgrade, which invalidates all existing JWT tokens and forces all users and service accounts to re-authenticate.

Astronomer recommends keeping this value set to false unless you have a specific security requirement to rotate the CA regularly.

Certificate sync

Certificate syncing in APC operates at two levels:

Control plane to data plane

Control plane to data plane certificate sync occurs only during data plane install or upgrade. During this process, the platform calls the Houston endpoint to decode the certificates and annotates them with the Config Syncer label to propagate the necessary secrets to Airflow namespaces.

Within a cluster (Config Syncer)

Config Syncer is a CronJob that propagates annotated secrets from the platform namespace to Airflow Deployment namespaces within the same cluster. It runs on a configurable schedule to keep secret contents in sync across namespaces.

1astronomer:
2  configSyncer:
3    enabled: true
4    schedule: "*/5 * * * *"

Ingress TLS

Use an existing certificate

1global:
2  tlsSecret: platform-tls

Certificate renewal

Renew certificates manually

$# Update secret
$kubectl create secret tls platform-tls \
>  --cert=new-tls.crt \
>  --key=new-tls.key \
>  -n astronomer \
>  --dry-run=client -o yaml | kubectl apply -f -
$
$# Restart ingress
$kubectl rollout restart deployment nginx -n astronomer

Check certificate expiry

$kubectl get secret platform-tls -n astronomer \
>  -o jsonpath='{.data.tls\.crt}' | base64 -d | \
>  openssl x509 -noout -enddate

Best practices

  • Use cert-manager for automatic renewal.
  • Monitor certificate expiration with alerts.
  • Keep regenerateCaEachUpgrade: false to preserve sessions.
  • Use strong key sizes (4096-bit RSA).