Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

TLS certificate management

Astro Private Cloud (APC) uses TLS certificates for secure communication between components and for JWT token signing.

Self-signed certificate generation

# Generate CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
  -out ca.crt -subj "/CN=APC-CA"

# Generate server certificate
openssl genrsa -out tls.key 4096
openssl req -new -key tls.key -out tls.csr \
  -subj "/CN=*.your-domain.com"

# Sign certificate with SAN (modern clients ignore CN, so the name must also be in subjectAltName)
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out tls.crt -days 365 -sha256 \
  -extfile <(printf "subjectAltName=DNS:*.your-domain.com,DNS:your-domain.com")

Create Kubernetes secret

kubectl create secret tls platform-tls \
  --cert=tls.crt \
  --key=tls.key \
  -n astronomer

APC API JWT certificates

The APC API uses auto-generated JWT certificates to sign and verify authentication tokens. These certificates are created during installation.

The regenerateCaEachUpgrade flag controls whether APC regenerates the APC API certificate authority (CA) on each platform upgrade. This flag defaults to false:

houston:
  regenerateCaEachUpgrade: false

Setting regenerateCaEachUpgrade to true regenerates the CA on every upgrade, which invalidates all existing JWT tokens and forces all users and service accounts to re-authenticate.

Astronomer recommends keeping this value set to false unless you have a specific security requirement to rotate the CA regularly.

Certificate sync

Certificate syncing in APC operates at two levels:

Control plane to data plane

Control plane to data plane certificate sync occurs only during data plane install or upgrade. During this process, the platform calls the APC API endpoint to decode the certificates and annotates them with the Config Syncer label to propagate the necessary secrets to Airflow namespaces.

Within a cluster (Config Syncer)

Config Syncer is a CronJob that propagates annotated secrets from the platform namespace to Airflow Deployment namespaces within the same cluster. It runs on a configurable schedule to keep secret contents in sync across namespaces.

astronomer:
  configSyncer:
    enabled: true
    schedule: "*/5 * * * *"

Ingress TLS

Use an existing certificate

global:
  tlsSecret: platform-tls

Certificate renewal

Renew certificates manually

# Update secret
kubectl create secret tls platform-tls \
  --cert=new-tls.crt \
  --key=new-tls.key \
  -n astronomer \
  --dry-run=client -o yaml | kubectl apply -f -

# Restart ingress
kubectl rollout restart deployment nginx -n astronomer

Check certificate expiry

kubectl get secret platform-tls -n astronomer \
  -o jsonpath='{.data.tls\.crt}' | base64 -d | \
  openssl x509 -noout -enddate
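The same expiry check rewritten in Python so it can drive an expiration alert, added here as an example that is not part of the APC documentation. The Secret JSON is a constructed stand-in for the `kubectl get secret ... -o json` output, and the 30-day `warn_days` threshold is an assumption.

```python
"""Expiry check for the platform-tls Secret: kubectl JSON -> base64 -d -> openssl -enddate, in Python."""
import base64
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed stand-in for `kubectl get secret platform-tls -n astronomer -o json`;
# the PEM bodies are placeholders, not real key material.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "platform-tls", "namespace": "astronomer"},
    "data": {
        "tls.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
        "tls.key": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n").decode(),
    },
})

def cert_pem_from_secret(secret_json: str) -> str:
    """Same as -o jsonpath='{.data.tls\\.crt}' | base64 -d, plus a type check so a
    non-TLS Secret of the same name is rejected instead of silently decoded."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError(f"expected kubernetes.io/tls Secret, got {secret.get('type')!r}")
    return base64.b64decode(secret["data"]["tls.crt"]).decode()

def openssl_enddate(cert_pem: str) -> str:
    """Run `openssl x509 -noout -enddate` on a PEM certificate (needs openssl on PATH)."""
    result = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                            input=cert_pem, capture_output=True, text=True, check=True)
    return result.stdout.strip()

def parse_enddate(line: str) -> datetime:
    """Parse `notAfter=Mar 10 12:00:00 2027 GMT`; openssl pads single-digit days with a space."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def expiry_status(not_after: datetime, now: datetime, warn_days: int = 30) -> tuple[str, int]:
    """Classify a certificate as 'expired', 'warning' (within warn_days) or 'ok'."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= timedelta(days=warn_days):
        return "warning", remaining.days
    return "ok", remaining.days

if __name__ == "__main__":
    cert_pem_from_secret(SAMPLE_SECRET_JSON)  # decodes the constructed Secret
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    for line in ("notAfter=Mar  5 00:00:00 2026 GMT", "notAfter=Mar 10 12:00:00 2027 GMT"):
        print(line, "->", expiry_status(parse_enddate(line), now))
```

Against a live cluster, pass the real `kubectl ... -o json` output to `cert_pem_from_secret` and the PEM to `openssl_enddate`, then page on any result other than `ok`.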

Best practices

  • Use cert-manager for automatic renewal.
  • Monitor certificate expiration with alerts.
  • Keep regenerateCaEachUpgrade: false to preserve sessions.
  • Use strong key sizes (4096-bit RSA).