Upgrade to Astro Private Cloud

Upgrade to Astro Private Cloud 1.0 from 0.37

This guide provides instructions to upgrade from Astro Private Cloud (APC) 0.37.6 to 1.0.0 and prepare your environment for Airflow 3 Deployments.

Prerequisites

  • Upgrade to APC 0.37.6 if you are on an earlier version.
  • Back up your platform database. At minimum, create a snapshot or backup of your PostgreSQL database (RDS snapshot, Azure backup, Cloud SQL backup, or pg_dump).
  • Verify that all platform and Airflow Deployment Pods are healthy: 
    $# Check platform pods
    >kubectl get pods -n astronomer
    ># Check Airflow deployment pods (replace with your deployment namespace)
    >kubectl get pods -n astronomer-<deployment-release-name>
  • (Optional) Capture logs from your NATS and STAN instances before the upgrade: 
    $kubectl logs -n astronomer -l component=nats --tail=1000 > nats-pre-upgrade.log
    >kubectl logs -n astronomer -l component=stan --tail=1000 > stan-pre-upgrade.log

If you experience any issues during your upgrade to 1.0, refer to the Debug upgrade guide.

Manual DNS and load balancer update required

When upgrading from Astro Private Cloud (APC) 0.x.x to 1.0.0, APC creates a new control plane NGINX ingress Service (astronomer-cp-nginx) and a new LoadBalancer. The previous ingress and LoadBalancer are replaced.

You must:

  • Update all DNS records to the new load balancer IP address.
  • Update firewall, allowlist, and security rules to point to the new public endpoint.
  • Re-issue or update any TLS/SSL certificates that reference the previous LoadBalancer hostname, if applicable.

This change occurs because the control plane ingress Service name changes from astronomer-nginx (0.x) to astronomer-cp-nginx (1.0), which causes Kubernetes to provision a new external LoadBalancer with a new public IP/hostname. Prepare these updates before performing the upgrade.

Example (your output will vary by cloud/provider):

1kubectl -n astronomer get svc astronomer-cp-nginx
2NAME                  TYPE           CLUSTER-IP      EXTERNAL-IP                                        PORT(S)                      AGE
3astronomer-cp-nginx  LoadBalancer   10.100.223.78   7666ac61ef6-1683718677.us-east-2.elb.amazonaws.com 80:32255/TCP,443:32647/TCP  25d

Step 1: Delete existing STAN and NATS StatefulSets

Before upgrading to version 1.0.0, you must migrate from STAN to JetStream. In your cluster, run the following commands to remove legacy STAN components before JetStream is initialized:

1kubectl delete sts <release-name>-stan
2kubectl delete sts <release-name>-nats --cascade=orphan

Step 2: Patch astronomer-bootstrap secret with database name

Before running the Helm upgrade, ensure the astronomer-bootstrap secret includes a database name suffix in connection (for example, /postgres). This prevents Postgres connection errors during or after the upgrade.

Check your current connection string

First, check if your connection string already includes a database name:

$kubectl get secret -n astronomer astronomer-bootstrap \
>  --template='{{.data.connection | base64decode }}'

Examine the output. A connection string with a database name looks like:

postgresql://user:pass@host:5432/postgres
                                 ^^^^^^^^
                                 database name present

A connection string without a database name looks like:

postgresql://user:pass@host:5432
                                ^
                                no database name

If your connection string already includes a database name (for example, /postgres or /astronomer), you can skip to Step 3.

Determine the correct database name

The default database name depends on your cloud provider:

  • AWS RDS: postgres (standard default; main may appear only in specific legacy or custom configurations)
  • Azure Database for PostgreSQL: postgres
  • GCP Cloud SQL: postgres

If you’re unsure which database to use, connect to your PostgreSQL instance using your preferred method (psql, a database client, or cloud console) and run \l to list available databases.

Patch the secret

After confirming the database name, patch the astronomer-bootstrap secret:

$# Namespace where APC is installed
>NAMESPACE=astronomer
># Database name - verify using the steps above
>DB_NAME=postgres
>
># Read current connection string, append database name, and update the secret
>CURRENT=$(kubectl -n "$NAMESPACE" get secret astronomer-bootstrap -o jsonpath='{.data.connection}' | base64 -d)
>NEW="${CURRENT%/}/$DB_NAME"
>kubectl -n "$NAMESPACE" patch secret astronomer-bootstrap --type=merge -p "{\"data\":{\"connection\":\"$(printf '%s' "$NEW" | base64 -w0)\"}}"

Step 3: Delete the Houston Deployment

Before running the Helm upgrade, delete the Houston Deployment to avoid a known Helm patch conflict related to environment variable ordering changes between versions.

$kubectl delete deployment/<release-name>-houston -n astronomer --cascade=orphan

The --cascade=orphan flag keeps the Houston Pods running during the delete operation. The Helm upgrade in the next step recreates the Deployment with the correct configuration.

If you skip this step and encounter a Helm patch error during the upgrade, see Debug upgrade for the workaround.

Step 4: Upgrade to APC 1.0

When upgrading from 0.37.x, you must configure your deployment to run in unified plane mode. Unified mode is equivalent to how 0.37.x operates and is required for the initial upgrade.

Add the following configuration to your values.yaml:

1global:
2  plane:
3    mode: "unified"

After upgrading to 1.0 in unified mode, you can optionally add separate Data Planes to run Airflow Deployments in other clusters. See Install a Data Plane for instructions. If you later want to convert your unified installation to a dedicated Control Plane (after migrating all Deployments to Data Planes), see Install a Control Plane.

Ensure you’ve completed all pre-upgrade steps (database backup, STAN/NATS deletion, bootstrap secret patch, Houston Deployment deletion) before running the upgrade command.

Perform a standard Helm upgrade using your existing release name and namespace:

$helm upgrade -f values.yaml -n astronomer astronomer astronomer/astronomer --version 1.0.x

Replace 1.0.x with the specific patch version you are upgrading to (for example, 1.0.1).

Airgapped environments

For airgapped environments that cannot access the internet, download the Helm chart .tgz file directly from the Astronomer Helm repository:

https://helm.astronomer.io/astronomer-<version>.tgz

Replace <version> with the specific version you are upgrading to (for example, 1.0.1). Upload this file to your internal artifact repository (such as Artifactory or Nexus), then reference it in your helm upgrade command.

Step 5: Restart NATS and Houston components

After the platform upgrade completes and all Pods are running, restart NATS and Houston components to ensure the new JetStream components and Houston services are connected and synchronized:

1kubectl rollout restart sts/<release-name>-nats
2kubectl rollout restart deploy/<release-name>-houston
3kubectl rollout restart deploy/<release-name>-houston-worker

After the rollout completes, verify the pods have been recreated by checking their age:

$kubectl get pods -n astronomer -l "component in (nats,houston,houston-worker)" -o wide

All pods should show a recent AGE (a few minutes). If any pods show an older age, delete them manually to force recreation:

$kubectl delete pod -n astronomer -l component=nats
>kubectl delete pod -n astronomer -l component=houston
>kubectl delete pod -n astronomer -l component=houston-worker

Step 6: Update DNS records

APC 1.0 creates a new control plane NGINX ingress Service (astronomer-cp-nginx) with a new LoadBalancer. Get the new load balancer address:

$kubectl -n astronomer get svc astronomer-cp-nginx

Update your DNS records to point to the new load balancer IP or hostname. This includes all subdomains for your base domain (for example, app.<baseDomain>, houston.<baseDomain>, registry.<baseDomain>).

You must complete this step before you can access the Astro UI or API.

Step 7: Upgrade all Airflow Deployments

Once you have validated that all platform Pods in APC 1.0 are healthy and running, upgrade your Airflow Deployments to ensure compatibility with 1.0.

Existing Airflow Deployments typically continue to function after the platform upgrade without immediate action. However, Astronomer recommends upgrading Deployments to ensure full compatibility with the new platform version.

To upgrade Deployments, use one of the following approaches:

  • Astro UI: Upgrade each Deployment manually from the Astro UI by navigating to the Deployment and triggering an upgrade.
  • Houston API: Use the Houston API upsertDeployment mutation for programmatic or bulk upgrades.
  • Astro CLI: Use the Astro CLI’s astro deploy command.

Step 8: Post-upgrade validation

After you complete your upgrade, validate your upgrade works as expected by completing the following steps:

1

Confirm that NATS pods are running with JetStream enabled.

$kubectl -n astronomer get jobs | grep jetstream

Checks if jetstream job is created.

$kubectl -n astronomer get pods -lcomponent=nats

Checks if nats Pods are running.

2

Verify Houston Worker pods are healthy and processing events.

$kubectl -n astronomer get pods -l component=houston-worker

Checks if Houston Worker Pods are in running state.

3

Verify there are no remaining references to STAN.

$kubectl -n astronomer get statefulsets | grep stan

Command should return no results.

4

Verify you can access the Astro UI.

Navigate to app.<baseDomain> in your browser and confirm the UI loads.

Next steps

  • Airflow 3: To create Airflow 3 Deployments, see Migrate to Airflow 3 for the required cluster configuration.
  • Data Planes: To add separate Data Planes for running Airflow Deployments in other clusters, see Install a Data Plane.