Helm configuration reference | Astronomer Documentation

This reference is for the platform values.yaml you apply with Helm: chart-level settings (global, tags, nginx, prometheus, and other subcharts) and the APC API application block astronomer.houston.config, including deployments.* defaults used with Config governance (platform defaults in this file, then optional cluster, workspace, and deployment overrides). Tabular sections use the same path prefix you use in your install values.

Values file structure

The APC Helm chart uses a hierarchical structure:

1 global:           # Platform-wide settings
2   baseDomain: ""  # Required: your base domain
3   plane:
4     mode: ""      # unified, control, or data
5   # ... more global settings
6 
7 tags:             # Enable/disable component groups
8 
9   monitoring: true
10   logging: true
11 
12 astronomer:       # Platform component settings
13   houston: {}
14   commander: {}
15   registry: {}
16   astroUI: {}
17 
18 nginx: {}         # Ingress configuration
19 prometheus: {}    # Metrics collection
20 elasticsearch: {} # Log storage
21 grafana: {}       # Dashboards
22 # ... more component sections

Required configuration

Configure the following required values:

1 global:
2   baseDomain: "example.com"  # Your platform domain
3   tlsSecret: "astronomer-tls"  # TLS certificate secret name

Helm chart parameter tables

Selected defaults from the APC umbrella chart (values.yaml). Parameter paths are relative to the root of your install values file.

Parameter	Type	Description	Default	Allowed values
`tags.platform`	boolean	Enable core platform chart groups (ingress, Astronomer stack).	`true`	`true`, `false`
`tags.monitoring`	boolean	Enable Prometheus, kube-state-metrics, Grafana stack.	`true`	`true`, `false`
`tags.logging`	boolean	Enable Elasticsearch and logging collectors.	`true`	`true`, `false`

Global settings

Parameter	Type	Description	Default	Allowed values
`global.baseDomain`	string	DNS zone for platform hosts (`app`, `houston`, ingress).	`~`	Domain name
`global.tlsSecret`	string	TLS Secret used by ingress.	`astronomer-tls`	Kubernetes Secret name
`global.privateCaCerts`	array	Extra CA Secrets for private PKI.	`[]`	Secret names
`global.plane.mode`	string	Control plane / data plane / unified topology.	`"unified"`	`unified`, `control`, `data`
`global.plane.domainPrefix`	string	Prefix for split-plane routing when used.	`""`	String
`global.networkPolicy.enabled`	boolean	Install NetworkPolicies for platform namespaces.	`true`	`true`, `false`
`global.defaultDenyNetworkPolicy`	boolean	Default-deny ingress NetworkPolicy baseline.	`true`	`true`, `false`
`global.networkNSLabels.enabled`	boolean	Enable namespace labels for network policies.	`false`	`true`, `false`
`global.rbac.enabled`	boolean	Manage Kubernetes RBAC objects for the platform.	`true`	`true`, `false`
`global.clusterRoles`	boolean	Use ClusterRole bindings where required.	`true`	`true`, `false`
`global.nats.enabled`	boolean	Deploy NATS for the APC API messaging.	`true`	`true`, `false`
`global.nats.replicas`	integer	NATS replicas.	`3`	Positive integer
`global.airflowOperator.enabled`	boolean	Enable Airflow Kubernetes operator integration path.	`false`	`true`, `false`
`global.dataPlaneFailover.enabled`	boolean	Master switch for data-plane failover features when components are installed.	`false`	`true`, `false`

Astronomer platform images

Parameter	Type	Description	Default	Allowed values
`astronomer.images.commander.repository`	string	Deployment orchestrator image repository.	`quay.io/astronomer/ap-commander`	OCI repository
`astronomer.images.commander.tag`	string	Deployment orchestrator image tag.	`2.0.14`	Tag string
`astronomer.images.houston.repository`	string	APC API image repository.	`quay.io/astronomer/ap-houston-api`	OCI repository
`astronomer.images.houston.tag`	string	APC API image tag.	`2.0.18`	Tag string
`astronomer.images.astroUI.repository`	string	Astro UI image repository.	`quay.io/astronomer/ap-astro-ui`	OCI repository
`astronomer.images.astroUI.tag`	string	Astro UI tag.	`2.0.7`	Tag string
`astronomer.images.registry.repository`	string	Internal registry image repository.	`quay.io/astronomer/ap-registry`	OCI repository
`astronomer.images.registry.tag`	string	Internal registry tag.	`3.0.0-9`	Tag string

Astronomer workload defaults

Resource defaults for core platform Deployments often ship in the umbrella chart—override requests / limits per component:

Parameter	Type	Description	Default	Allowed values
`astronomer.astroUI.resources`	object	Astro UI CPU/memory requests and limits.	requests `100m`/`256Mi`, limits `500m`/`1024Mi`	Kubernetes resources
`astronomer.houston.resources`	object	APC API CPU/memory.	requests `500m`/`1024Mi`, limits `1000m`/`2048Mi`	Kubernetes resources
`astronomer.houston.strictSchemaCheck.enabled`	boolean	Chart-level toggle aligned with the APC API; keep consistent with `astronomer.houston.config.strictSchemaCheck.enabled` below.	`true`	`true`, `false`
`astronomer.commander.resources`	object	Deployment orchestrator CPU/memory.	requests `250m`/`1Gi`, limits `500m`/`2Gi`	Kubernetes resources
`astronomer.registry.persistence.enabled`	boolean	Persist registry storage.	`true`	`true`, `false`
`astronomer.registry.persistence.size`	string	Registry PVC size.	`"100Gi"`	Quantity string
`astronomer.install.resources`	object	Helm install job resources.	requests `100m`/`256Mi`, limits `500m`/`1024Mi`	Kubernetes resources

For nginx, Prometheus, Elasticsearch, Grafana, NATS workload tables, follow the same pattern in your values.yaml; defaults ship alongside those keys in the umbrella chart.

APC API configuration

Set these keys under astronomer.houston.config in your platform values.yaml. Published defaults mirror the APC API config/default.yaml. The subtree deployments.* participates in layered overrides (platform → cluster → workspace → deployment); see Config governance. Override APIs may use the string DELETE_KEY at mergeable leaves where the schema allows (see Config governance).

Outside the `deployments` subtree

These keys configure the APC API, workers, auth, UI metadata, and integrations. They are not subject to the four deployment override tiers unless documented elsewhere.

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.strictSchemaCheck.enabled`	boolean	When `true`, unknown keys or invalid types under `deployments` overrides are rejected (runtime enforcement aligns with this setting).	`true`	`true`, `false`
`astronomer.houston.config.webserver.port`	integer	HTTP listen port for the APC API inside the pod.	`8871`	Positive integer
`astronomer.houston.config.webserver.endpoint`	string	REST API base path.	`"/v1"`	String
`astronomer.houston.config.webserver.graphqlPlayground.enabled`	boolean	Expose GraphQL playground endpoint.	`true`	`true`, `false`
`astronomer.houston.config.logging.level`	string	APC API log level.	`"info"`	Typical log levels (`error`, `warn`, `info`, `debug`, …)
`astronomer.houston.config.platformReleasesFile`	string	Platform releases manifest filename.	`'astronomer_platform_releases.json'`	Filename string
`astronomer.houston.config.publicSignups.enabled`	boolean	Allow public user registration.	`false`	`true`, `false`
`astronomer.houston.config.emailConfirmation.enabled`	boolean	Require email confirmation for new accounts.	`true`	`true`, `false`
`astronomer.houston.config.email.enabled`	boolean	Enable outbound email.	`false`	`true`, `false`
`astronomer.houston.config.email.reply`	string	Default From / reply address.	`"noreply@astronomer.io"`	Email string
`astronomer.houston.config.email.smtpUrl`	string	SMTP connection URL.	`~` (null)	SMTP URL or null
`astronomer.houston.config.prometheus.enabled`	boolean	Query Prometheus for metrics in the APC API features that support it.	`false`	`true`, `false`
`astronomer.houston.config.prometheus.host`	string	Prometheus hostname.	`localhost`	Hostname
`astronomer.houston.config.prometheus.port`	integer	Prometheus port.	`9090`	Port number
`astronomer.houston.config.plane.mode`	string	Logical plane mode for the APC API runtime behavior.	`unified`	`unified`, `control`, `data` (also set chart-wide using `global.plane.mode`)
`astronomer.houston.config.auth.openidConnect.flow`	string	OIDC OAuth flow.	`"implicit"`	`"code"`, `"implicit"`
`astronomer.houston.config.jwt.authDuration`	integer	Session length bound (ms), coordinated with IdP token lifetimes.	`86400000`	Positive integer
`astronomer.houston.config.airgapped.enabled`	boolean	Air-gapped installation behaviors.	`false`	`true`, `false`
`astronomer.houston.config.updateAirflowCheck.enabled`	boolean	Enable checks related to Airflow version updates.	`true`	`true`, `false`
`astronomer.houston.config.updateRuntimeCheck.enabled`	boolean	Enable Astro Runtime update checks.	`true`	`true`, `false`
`astronomer.houston.config.sslVerification.enabled`	boolean	Verify TLS for outbound connections (replaces legacy inverted `disableSSLVerify`).	`true`	`true`, `false`
`astronomer.houston.config.autoCompleteForSensitiveFields.enabled`	boolean	Allow autocomplete on sensitive fields in UI.	`true`	`true`, `false`
`astronomer.houston.config.logUsername.enabled`	boolean	Include usernames in logs when enabled.	`false`	`true`, `false`
`astronomer.houston.config.maxDockerJwtExtraDeployments`	integer	Upper bound for JWT-scoped docker operations across extra deployments.	`50`	Non-negative integer

For keys not listed here (full auth providers, workers.*, prisma, nats, Helm runtime templating helm.*), refer to config/default.yaml and Configuration Flag Migration (2.x) in the APC API repository.

The APC API deployment defaults

The following tables list defaults under astronomer.houston.config.deployments.*. Keys in this subtree participate in the platform → cluster → workspace → deployment override chain described in Config governance.

Operational and platform defaults

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.chart.version`	string	Default Airflow chart version for new deployments; also used for upgrade coordination.	`0.0.0`	Chart version string
`astronomer.houston.config.deployments.releaseVerification`	string	Which image classes may be deployed (`STABLE` only official runtime releases; `EDGE` adds edge images; `DEV` adds dev builds).	`STABLE`	`STABLE`, `EDGE`, `DEV`; override layers may use `DELETE_KEY` where schema allows
`astronomer.houston.config.deployments.subdomain`	string	Subdomain segment used for deployment hostnames.	`'deployments'`	DNS label–safe string
`astronomer.houston.config.deployments.performanceOptimization.enabled`	boolean	Feature gate for performance optimization mode.	`false`	`true`, `false`
`astronomer.houston.config.deployments.upsertDeployment.extraIniAllowed`	boolean	Allow `pgbouncer` extra INI fields via upsert API.	`true`	`true`, `false`
`astronomer.houston.config.deployments.upsertDeployment.allowFromUi.enabled`	boolean	Allow creating/updating deployments from the UI.	`true`	`true`, `false`
`astronomer.houston.config.deployments.logHelmValues.enabled`	boolean	Log generated Helm values (debug; noisy).	`false`	`true`, `false`
`astronomer.houston.config.deployments.tagPrefix`	string	Prefix for deployment tags on images.	`"deploy"`	String
`astronomer.houston.config.deployments.fluentdIndexPrefix`	string	Fluentd index prefix.	`"fluentd"`	String

Runtime management

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.runtimeManagement.airflowV3.enabled`	boolean	Enable Airflow 3–related runtime behaviors where supported.	`false`	`true`, `false`
`astronomer.houston.config.deployments.runtimeManagement.airflowV3.minimumAstroRuntimeVersion`	string	Minimum Astro Runtime version when Airflow 3 is in play.	`"3.1-2"`	Runtime version string
`astronomer.houston.config.deployments.runtimeManagement.customImageSha.enabled`	boolean	Allow deployment create/update using image SHA selection flows.	`false`	`true`, `false`
`astronomer.houston.config.deployments.runtimeManagement.listAllRuntimeVersions.enabled`	boolean	Expose full runtime version list where applicable.	`false`	`true`, `false`
`astronomer.houston.config.deployments.runtimeManagement.runtimeEnvOverrideSemverCheck`	string	Semver constraint for runtime environment overrides.	See `default.yaml`	Semver range string
`astronomer.houston.config.deployments.runtimeManagement.astroRuntimeReleasesFile`	string	Astro Runtime releases manifest file.	`'astro_runtime_releases.json'`	Filename
`astronomer.houston.config.deployments.runtimeManagement.airflowMinimumAstroRuntimeVersion`	string	Minimum Astro Runtime for Airflow 2 paths.	`2.2.5`	Version string

Logging

Vector sidecar and optional Elasticsearch client settings for deployment workloads.

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.logging.loggingSidecar.enabled`	boolean	Enable Vector sidecar for deployment logs.	`false`	`true`, `false`
`astronomer.houston.config.deployments.logging.loggingSidecar.name`	string	Sidecar container name.	`sidecar-log-consumer`	String
`astronomer.houston.config.deployments.logging.loggingSidecar.image`	string	Vector image reference.	`quay.io/astronomer/ap-vector:0.47.0-5`	Image reference
`astronomer.houston.config.deployments.logging.loggingSidecar.customConfig`	boolean	Use custom Vector config.	`false`	`true`, `false`
`astronomer.houston.config.deployments.logging.elasticsearch.enabled`	boolean	Enable Elasticsearch logging integration for this domain.	`false`	`true`, `false`

Logging blocklists for workspace/deployment overrides are described in Config governance.

Dag deploy

Defaults for Dag-only deployment when that mechanism is enabled under deployMechanisms.

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.dagDeploy.enabled`	boolean	Master enable for Dag-deploy server/client paths in defaults.	`false`	`true`, `false`
`astronomer.houston.config.deployments.dagDeploy.images.dagServer.repository`	string	Dag server image repository.	`quay.io/astronomer/ap-dag-deploy`	Repository URL
`astronomer.houston.config.deployments.dagDeploy.images.dagServer.tag`	string	Dag server image tag.	`0.7.2`	Tag string
`astronomer.houston.config.deployments.dagDeploy.serviceAccount.create`	boolean	Create service account for Dag deploy components.	`true`	`true`, `false`

Deploy mechanisms

Feature gates for Dag deploy, NFS, git-sync, and git-sync relay defaults.

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.deployMechanisms.configureDagDeployment.enabled`	boolean	Allow configuring Dag deployment mechanisms.	`false`	`true`, `false`
`astronomer.houston.config.deployments.deployMechanisms.dagOnlyDeployment.enabled`	boolean	Dag-only deployment mechanism.	`false`	`true`, `false`
`astronomer.houston.config.deployments.deployMechanisms.nfsMountDagDeployment.enabled`	boolean	NFS-mounted Dag bundles.	`false`	`true`, `false`
`astronomer.houston.config.deployments.deployMechanisms.gitSyncDagDeployment.enabled`	boolean	Git-sync–based Dag deployment.	`false`	`true`, `false`
`astronomer.houston.config.deployments.deployMechanisms.gitSyncRelay.storageClassName`	string	Storage class for relay PVCs.	`~`	Storage class name or null
`astronomer.houston.config.deployments.deployMechanisms.gitSyncRelay.webhookSecretKey.showForMinutes`	integer	How long relay webhook secrets are shown in responses.	`1`	Non-negative integer

Airflow components

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.airflowComponents.triggerer.enabled`	boolean	Deploy Airflow triggerer.	`true`	`true`, `false`
`astronomer.houston.config.deployments.airflowComponents.dagProcessor.enabled`	boolean	Deploy Airflow Dag processor.	`true`	`true`, `false`

Auth sidecar

Auth sidecar for routing/auth integration (often cluster-scoped).

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.authSideCar.enabled`	boolean	Deploy auth sidecar template with deployments.	`false`	`true`, `false`
`astronomer.houston.config.deployments.authSideCar.repository`	string	Container image repository.	`quay.io/astronomer/ap-auth-sidecar`	Image repository
`astronomer.houston.config.deployments.authSideCar.tag`	string	Image tag.	`1.29.2`	Tag string
`astronomer.houston.config.deployments.authSideCar.port`	integer	Listen port.	`8084`	Port

Resource management

Cluster sizing, executor availability, Astro Units, and capacity ceilings.

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.resourceManagement.resourceQuotas.enabled`	boolean	Manage Kubernetes ResourceQuota / LimitRange objects for namespaces.	`true`	`true`, `false`
`astronomer.houston.config.deployments.resourceManagement.components`	array	Component resource profiles (scheduler, workers, …).	`[]`	Array of component specs; see `default.yaml`
`astronomer.houston.config.deployments.resourceManagement.executors`	array	Supported executors and required components per executor.	Local, Celery, K8s entries	Fixed structure in `default.yaml`
`astronomer.houston.config.deployments.resourceManagement.astroUnit.cpu`	integer	Millicores per Astro Unit.	`100`	Positive integer
`astronomer.houston.config.deployments.resourceManagement.astroUnit.memory`	integer	MiB per Astro Unit.	`384`	Positive integer
`astronomer.houston.config.deployments.resourceManagement.maxExtraCapacity.cpu`	integer	Max extra CPU (millicores) schedulable above base.	`40000`	Integer
`astronomer.houston.config.deployments.resourceManagement.maxExtraCapacity.memory`	integer	Max extra memory (MiB).	`153600`	Integer
`astronomer.houston.config.deployments.resourceManagement.maxPodCapacity.cpu`	integer	Max CPU per pod (millicores).	`3500`	Integer
`astronomer.houston.config.deployments.resourceManagement.maxPodCapacity.memory`	integer	Max memory per pod (MiB).	`13440`	Integer
`astronomer.houston.config.deployments.resourceManagement.overProvisioningFactorMem`	number	Memory over-provisioning factor.	`1`	Number ≥ 1
`astronomer.houston.config.deployments.resourceManagement.overProvisioningFactorCPU`	number	CPU over-provisioning factor.	`1`	Number ≥ 1

Namespace management

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.namespaceManagement.manualReleaseNames.enabled`	boolean	Allow operators to set Helm release names manually.	`false`	`true`, `false`
`astronomer.houston.config.deployments.namespaceManagement.manualNamespaceNames.enabled`	boolean	Manual Kubernetes namespace names for deployments.	`false`	`true`, `false`
`astronomer.houston.config.deployments.namespaceManagement.namespaceFreeFormEntry.enabled`	boolean	Free-form namespace entry flows.	`false`	`true`, `false`
`astronomer.houston.config.deployments.namespaceManagement.namespaceLabels`	object	Labels applied to deployment namespaces.	`{}`	String map
`astronomer.houston.config.deployments.namespaceManagement.preCreatedNamespaces`	array	Pre-created namespace names for routing.	`[]`	Array of `{name}` objects

namespaceManagement is blocklisted for deployment-level overrides (immutable after create); see Config governance.

Deployment lifecycle

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.deploymentLifecycle.deployRollback.enabled`	boolean	Allow rollback of code deploys / revisions.	`false`	`true`, `false`
`astronomer.houston.config.deployments.deploymentLifecycle.deployRollback.deployRevisionReportNumberOfDays`	integer	Window for deploy revision reporting (days).	`90`	Positive integer
`astronomer.houston.config.deployments.deploymentLifecycle.deployRollback.dagTarballVersionValidation.enabled`	boolean	Validate Dag tarball versions on rollback paths.	`true`	`true`, `false`
`astronomer.houston.config.deployments.deploymentLifecycle.hardDeleteDeployment.enabled`	boolean	Allow hard delete of deployments (destructive).	`false`	`true`, `false`
`astronomer.houston.config.deployments.deploymentLifecycle.cleanupAirflowDb.enabled`	boolean	Enable cleanup jobs for Airflow metadata DB.	`false`	`true`, `false`

Database management

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.databaseManagement.database.enabled`	boolean	Provision per-deployment Airflow databases when enabled.	`true`	`true`, `false`
`astronomer.houston.config.deployments.databaseManagement.database.retainOnDelete`	boolean	Keep DB objects after deployment deletion.	`false`	`true`, `false`
`astronomer.houston.config.deployments.databaseManagement.database.allowRootAccess`	boolean	Allow root-level DB access patterns documented in the APC API.	`false`	`true`, `false`
`astronomer.houston.config.deployments.databaseManagement.manualConnectionStrings.enabled`	boolean	Allow manual connection string configuration.	`false`	`true`, `false`
`astronomer.houston.config.deployments.databaseManagement.pgBouncerResourceCalculationStrategy`	string	Strategy key for PgBouncer sizing (`null` uses built-in algorithm).	`~`	Strategy name or null

Image registry

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.deploymentImagesRegistry.exposeDockerWebhookEndpoint.enabled`	boolean	Expose webhook endpoint for image push flows.	`true`	`true`, `false`
`astronomer.houston.config.deployments.deploymentImagesRegistry.updateDeploymentImageEndpoint.enabled`	boolean	Allow API to update deployment images directly.	`false`	`true`, `false`
`astronomer.houston.config.deployments.deploymentImagesRegistry.updateDeploymentImageEndpointDockerValidation.enabled`	boolean	Validate docker payloads on image update endpoint.	`false`	`true`, `false`
`astronomer.houston.config.deployments.deploymentImagesRegistry.serviceAccountAnnotationKey`	string	Cloud IAM annotation key on workload identity (`eks.amazonaws.com/role-arn`, `iam.gke.io/gcp-service-account`, …).	`~`	Annotation key or null

Metrics reporting

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.metricsReporting.grafana.enabled`	boolean	Surface Grafana links / metrics UI integration points.	`true`	`true`, `false`
`astronomer.houston.config.deployments.metricsReporting.taskUsageMetrics.enabled`	boolean	Enable task usage metrics reporting features.	`false`	`true`, `false`
`astronomer.houston.config.deployments.metricsReporting.taskUsageMetrics.reportNumberOfDays`	integer	Reporting horizon for task usage (days).	`90`	Positive integer

Pagination maxTake limits under metricsReporting.pagination.* follow defaults in config/default.yaml (typically 101 per collection).

Orchestration mode

Deployment orchestration mode (Helm vs operator).

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.mode.helm.enabled`	boolean	Use Helm-based deployment reconciler.	`true`	`true`, `false`
`astronomer.houston.config.deployments.mode.operator.enabled`	boolean	Use Kubernetes operator–based deployment path when supported.	`false`	`true`, `false`

Operator probes and detailed probe specs are defined under deployments.mode.operator in default.yaml.

Deployments Helm defaults

The deployments.helm subtree supplies defaults merged into Airflow Helm chart values for each deployment (scheduler resources, PgBouncer sidecars, ingress, runtime images, Elasticsearch hooks, etc.). It is large and nested; defaults are authoritative in config/default.yaml under deployments.helm. For merge and validation rules at override layers, rely on deployments-config-override.schema.json and Config governance.

Mock webhook (test only)

Test-only mock webhook settings for development scenarios.

Parameter	Type	Description	Default	Allowed values
`astronomer.houston.config.deployments.mockWebhook.enabled`	boolean	Enable mock webhook server wiring.	`false`	`true`, `false`
`astronomer.houston.config.deployments.mockWebhook.krb.enabled`	boolean	Kerberos realm defaults for mock.	`true`	`true`, `false`
`astronomer.houston.config.deployments.mockWebhook.shouldCreateDb`	boolean	Auto-create backing DB objects in mock mode.	`true`	`true`, `false`

Global configuration

Base domain and TLS

1 global:
2   # Required: Base domain for all platform endpoints
3   # Results in: app.example.com, houston.example.com, etc.
4   baseDomain: "example.com"
5 
6   # Name of Kubernetes secret containing TLS certificate
7   tlsSecret: "astronomer-tls"
8 
9   # List of secrets containing private CA certificates
10   privateCaCerts: []

Plane mode (control, data, unified)

Astro Private Cloud 2.0 supports split control plane and data plane deployments:

1 global:
2   plane:
3     # Options: unified (default), control, data
4     mode: "unified"
5 
6     # Domain prefix for this plane (used in split deployments)
7     domainPrefix: ""

Mode	Description
`unified`	Control and data plane in same cluster (default, like 0.x)
`control`	Control plane only - manages Deployments
`data`	Data plane only - runs Airflow workloads

Network policies

1 global:
2   # Enable platform-level network policies
3   networkPolicy:
4     enabled: true
5 
6   # Apply default deny ingress policy
7   defaultDenyNetworkPolicy: true
8 
9   # Enable namespace labels for network policies
10   networkNSLabels:
11     enabled: false

RBAC and cluster roles

1 global:
2   # Enable Kubernetes RBAC
3   rbac:
4     enabled: true
5 
6   # Use cluster-wide roles (required for some features)
7   clusterRoles: true
8 
9   # Management of cluster-scoped resources (RBAC objects, etc.)
10   manageClusterScopedResources:
11     enabled: true

Node selection

Separate platform Pods from Airflow Pods:

1 global:
2   platformNodePool:
3     nodeSelector:
4       node-role: platform
5     affinity: {}
6     tolerations:
7       - key: "platform"
8         operator: "Equal"
9         value: "true"
10         effect: "NoSchedule"

Private registry

Use a private container registry:

1 global:
2   privateRegistry:
3     enabled: true
4     repository: "registry.example.com/astronomer"
5     secretName: "registry-credentials"

Namespace pools

Pre-provision namespaces for Airflow Deployments:

1 global:
2   features:
3     namespacePools:
4       enabled: true
5       createRbac: true
6       namespaces:
7         create: false  # Set true to auto-create
8         names:
9           - airflow-prod
10           - airflow-staging
11           - airflow-dev

Storage class

Specify a storage class for all persistent volumes:

1 global:
2   storageClass: "gp3"

OpenShift support

1 global:
2   openshiftEnabled: true
3   sccEnabled: true  # Security context constraints

Astronomer platform components

APC API

The APC API is the core internal API that powers the platform:

1 astronomer:
2   houston:
3     replicas: 2
4 
5     resources:
6       requests:
7         cpu: "500m"
8         memory: "1024Mi"
9       limits:
10         cpu: "1000m"
11         memory: "2048Mi"
12 
13     # Database connection
14     backendSecretName: "houston-backend-secret"
15     # Or specify directly:
16     backendConnection:
17       user: houston
18       pass: "password"
19       host: postgres.example.com
20       port: 5432
21       db: houston
22 
23     # Airflow database connection template
24     airflowBackendSecretName: "airflow-backend-secret"
25 
26     # Houston configuration (see houston.config section below)
27     config: {}
28 
29     # Environment variables common to all houston containers
30     env:
31       - name: LOG_LEVEL
32         value: "info"
33 
34     # Worker pods for async processing
35     worker:
36       enabled: true
37       replicas: 2
38 
39     # Upgrade all airflow helm deployments when upgrading APC helm deployment
40     upgradeDeployments:
41       enabled: true
42 
43     # Cleanup soft-deleted deployments
44     cleanupDeployments:
45       enabled: true
46       schedule: "0 0 * * *"
47       olderThan: 14
48 
49     # Cleanup Airflow database metadata
50     cleanupAirflowDb:
51       enabled: false
52       schedule: "23 5 * * *"
53       olderThan: 365

APC API configuration (`houston.config`)

The APC API accepts extensive configuration via houston.config:

Authentication

1 astronomer:
2   houston:
3     config:
4       auth:
5         # Local username/password auth
6         local:
7           enabled: true
8 
9         # OpenID Connect
10         openidConnect:
11           # Auth flow: "code" (recommended) or "implicit"
12           flow: "code"
13 
14           # Microsoft/Azure AD
15           microsoft:
16             enabled: true
17             clientId: "<YOUR_CLIENT_ID>"
18             clientSecret: "<YOUR_CLIENT_SECRET>"
19             discoveryUrl: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration"
20 
21           # Google OAuth
22           google:
23             enabled: false
24             clientId: ""
25             clientSecret: ""
26 
27           # Okta
28           okta:
29             enabled: false
30             clientId: ""
31             clientSecret: ""
32             discoveryUrl: ""
33 
34           # Import groups from IDP (nested `.enabled` in APC 2.0)
35           idpGroupsImport:
36             enabled: true
37           idpGroupsRefresh:
38             enabled: false
39 
40         # GitHub via Auth0
41         github:
42           enabled: false

Deployment defaults (`deployments`)

APC 2.0 groups deployment-related settings under domains (for example deployMechanisms, deploymentLifecycle, runtimeManagement) using nested objects and feature.enabled toggles—not flat keys such as dagOnlyDeployment or hardDeleteDeployment.

For tables of defaults, allowed values, and override semantics, see APC API configuration earlier on this page. For how cluster, workspace, and deployment layers merge, see Config governance.

Example shape (abbreviated):

1 astronomer:
2   houston:
3     config:
4       deployments:
5         deployMechanisms:
6           dagOnlyDeployment:
7             enabled: true
8           gitSyncDagDeployment:
9             enabled: true
10         deploymentLifecycle:
11           hardDeleteDeployment:
12             enabled: false
13           deployRollback:
14             enabled: true
15         resourceManagement:
16           components: []

Airflow Helm value defaults merged per deployment live under deployments.helm in the APC API’s config/default.yaml; see Deployments Helm defaults earlier on this page.

Email configuration

1 astronomer:
2   houston:
3     config:
4       email:
5         enabled: true
6         smtpUrl: "smtp://smtp.example.com:587"
7         reply: "noreply@example.com"
8 
9       # Root-level toggles (APC 2.0 nested `.enabled` pattern)
10       emailConfirmation:
11         enabled: true
12 
13       publicSignups:
14         enabled: false

Prometheus integration

1 astronomer:
2   houston:
3     config:
4       prometheus:
5         enabled: true
6         host: "http://astronomer-prometheus:9090"

Deployment orchestrator

The deployment orchestrator manages Kubernetes resources for Deployments:

1 astronomer:
2   commander:
3     replicas: 2
4 
5     resources:
6       requests:
7         cpu: "250m"
8         memory: "1Gi"
9       limits:
10         cpu: "500m"
11         memory: "2Gi"
12 
13     # Air-gapped mode (no external registry access)
14     airGapped:
15       enabled: false
16 
17     # Helm upgrade timeout (seconds)
18     upgradeTimeout: 600
19 
20     # Environment variables
21     env: []

Registry

Container registry for deployment images:

1 astronomer:
2   registry:
3     replicas: 1
4 
5     resources:
6       requests:
7         cpu: "250m"
8         memory: "512Mi"
9       limits:
10         cpu: "500m"
11         memory: "1024Mi"
12 
13     # Persistent storage
14     persistence:
15       enabled: true
16       size: "100Gi"
17       storageClassName: ~
18 
19     # Use external storage backends
20     # AWS S3
21     s3:
22       enabled: false
23       accesskey: ""
24       secretkey: ""
25       region: "us-east-1"
26       bucket: "astronomer-registry"
27 
28     # Google Cloud Storage
29     gcs:
30       enabled: false
31       bucket: ""
32       useKeyfile: true
33       keyfile: /var/gcs-keyfile/astronomer-gcs-keyfile
34 
35     # Azure Blob Storage
36     azure:
37       enabled: false
38       accountname: ""
39       accountkey: ""
40       container: ""

Astro UI

1 astronomer:
2   astroUI:
3     replicas: 2
4 
5     resources:
6       requests:
7         cpu: "100m"
8         memory: "256Mi"
9       limits:
10         cpu: "500m"
11         memory: "1024Mi"
12 
13     env: []

NGINX ingress

1 nginx:
2   replicas: 2
3 
4   resources:
5     requests:
6       cpu: "500m"
7       memory: "1024Mi"
8     limits:
9       cpu: "1"
10       memory: "2048Mi"
11 
12   # Service type: LoadBalancer, ClusterIP, or NodePort
13   serviceType: "LoadBalancer"
14 
15   # Specific load balancer IP (optional)
16   loadBalancerIP: ~
17 
18   # Restrict source IPs
19   loadBalancerSourceRanges:
20     - "10.0.0.0/8"
21 
22   # Private/internal load balancer
23   privateLoadBalancer: false
24 
25   # NodePort configuration (when serviceType: NodePort)
26   httpNodePort: ~
27   httpsNodePort: ~
28 
29   # Ingress annotations
30   ingressAnnotations:
31     # AWS
32     service.beta.kubernetes.io/aws-load-balancer-internal: "true"
33     # GCP
34     cloud.google.com/load-balancer-type: "Internal"
35     # Azure
36     service.beta.kubernetes.io/azure-load-balancer-internal: "true"
37 
38   # Proxy settings
39   proxyConnectTimeout: 15
40   proxyReadTimeout: 600
41   proxySendTimeout: 600
42   proxyBodySize: "1024m"
43 
44   # Default backend
45   defaultBackend:
46     enabled: true
47     resources:
48       requests:
49         cpu: "100m"
50         memory: "50Mi"

Prometheus (monitoring)

1 prometheus:
2   # Data retention period
3   retention: 15d
4 
5   # Persistent storage
6   persistence:
7     enabled: true
8     size: "150Gi"
9 
10   resources:
11     requests:
12       cpu: "1000m"
13       memory: "4Gi"
14     limits:
15       cpu: "2000m"
16       memory: "8Gi"

Grafana

1 grafana:
2   resources:
3     requests:
4       cpu: "250m"
5       memory: "512Mi"
6     limits:
7       cpu: "500m"
8       memory: "1024Mi"
9 
10   # Custom dashboards
11   dashboards:
12     default:
13       custom-dashboard:
14         file: dashboards/custom.json
15 
16   # Extra environment variables (for example, SMTP for alerts)
17   extraEnvVars:
18     - name: GF_SMTP_ENABLED
19       value: "true"
20     - name: GF_SMTP_HOST
21       value: "smtp.example.com:587"

Elasticsearch (logging)

1 elasticsearch:
2   # Enable persistence
3   common:
4     persistence:
5       enabled: true
6 
7   # Client nodes
8   client:
9     replicas: 2
10     heapMemory: "2g"
11     resources:
12       requests:
13         cpu: "1"
14         memory: "2Gi"
15       limits:
16         cpu: "2"
17         memory: "4Gi"
18 
19   # Data nodes
20   data:
21     replicas: 3
22     heapMemory: "2g"
23     resources:
24       requests:
25         cpu: "1"
26         memory: "2Gi"
27       limits:
28         cpu: "2"
29         memory: "4Gi"
30     persistence:
31       size: "100Gi"
32 
33   # Master nodes
34   master:
35     replicas: 3
36     heapMemory: "2g"
37     resources:
38       requests:
39         cpu: "1"
40         memory: "2Gi"
41       limits:
42         cpu: "2"
43         memory: "4Gi"
44     persistence:
45       size: "20Gi"

Vector (log collection)

1 vector:
2   vector:
3     resources:
4       requests:
5         cpu: "250m"
6         memory: "512Mi"
7       limits:
8         cpu: "1000m"
9         memory: "1024Mi"

External logging

Forward logs to external Elasticsearch:

1 global:
2   customLogging:
3     enabled: true
4     scheme: https
5     host: "elasticsearch.example.com"
6     port: "9200"
7     secret: "es-credentials"

NATS (messaging)

1 global:
2   nats:
3     enabled: true
4     replicas: 3
5     jetStream:
6       enabled: true
7       tls: false
8 
9 nats:
10   nats:
11     resources:
12       requests:
13         cpu: "75m"
14         memory: "30Mi"
15       limits:
16         cpu: "250m"
17         memory: "100Mi"

Database configuration

External PostgreSQL (recommended)

1 global:
2   # Disable in-cluster PostgreSQL
3   postgresql:
4     enabled: false
5 
6 astronomer:
7   houston:
8     backendSecretName: "houston-db-secret"
9     # Secret should contain: connection=postgres://user:pass@host:5432/houston
10     airflowBackendSecretName: "airflow-db-secret"

Database SSL

1 global:
2   ssl:
3     enabled: true
4     mode: "require"  # disable, allow, prefer, require, verify-ca, verify-full
5     grafana:
6       sslmode: "require"

PgBouncer (connection pooling)

1 global:
2   pgbouncer:
3     enabled: true
4     gssSupport: true
5     secretName: "astronomer-pgbouncer-config"
6     servicePort: "6543"

Auth sidecar (OpenShift)

global.authSidecar configures the chart-level platform auth proxy used for OpenShift and similar environments. This is separate from astronomer.houston.config.deployments.authSideCar, which controls the per-Deployment auth sidecar injected by the APC API (default tag 1.29.2).

1 global:
2   authSidecar:
3     enabled: true
4     repository: quay.io/astronomer/ap-auth-sidecar
5     tag: 1.29.8
6     port: 8084
7     resources:
8       requests:
9         cpu: "500m"
10         memory: "512Mi"
11       limits:
12         cpu: "1000m"
13         memory: "1024Mi"

Logging sidecar

Add Vector sidecar to Airflow Pods:

1 global:
2   logging:
3     loggingSidecar:
4       enabled: true
5       name: sidecar-log-consumer
6       repository: quay.io/astronomer/ap-vector
7       tag: 0.54.0
8       resources:
9         requests:
10           cpu: "100m"
11           memory: "386Mi"

Dag-only deployments

1 global:
2   dagOnlyDeployment:
3     enabled: true
4     repository: quay.io/astronomer/ap-dag-deploy
5     tag: 0.9.4
6     resources: {}
7     persistence: {}

Airflow operator

Enable Kubernetes operator-based deployments:

1 global:
2   airflowOperator:
3     enabled: false

Extra objects

Add custom Kubernetes resources:

1 astronomer:
2   extraObjects:
3     # Custom LimitRange
4     - apiVersion: v1
5       kind: LimitRange
6       metadata:
7         name: default-limits
8         namespace: astronomer
9       spec:
10         limits:
11           - default:
12               cpu: "1"
13               memory: "1Gi"
14             defaultRequest:
15               cpu: "100m"
16               memory: "128Mi"
17             type: Container
18 
19     # Custom NetworkPolicy
20     - apiVersion: networking.k8s.io/v1
21       kind: NetworkPolicy
22       metadata:
23         name: custom-policy
24       spec:
25         podSelector: {}
26         policyTypes:
27           - Ingress

Complete example

Here’s an example configuration:

1 global:
2   baseDomain: "airflow.example.com"
3   tlsSecret: "astronomer-tls"
4 
5   plane:
6     mode: "unified"
7 
8   rbac:
9     enabled: true
10   clusterRoles: true
11 
12   networkPolicy:
13     enabled: true
14 
15   postgresql:
16     enabled: false
17 
18   privateRegistry:
19     enabled: true
20     repository: "registry.example.com/astronomer"
21     secretName: "registry-creds"
22 
23   platformNodePool:
24     nodeSelector:
25       node-type: platform
26     tolerations:
27       - key: "dedicated"
28         value: "platform"
29         effect: "NoSchedule"
30 
31   ssl:
32     enabled: true
33     mode: "require"
34 
35 tags:
36   platform: true
37   monitoring: true
38   logging: true
39 
40 astronomer:
41   houston:
42     replicas: 2
43     resources:
44       requests:
45         cpu: "500m"
46         memory: "1Gi"
47       limits:
48         cpu: "1000m"
49         memory: "2Gi"
50     backendSecretName: "houston-db-secret"
51     config:
52       auth:
53         local:
54           enabled: false
55         openidConnect:
56           microsoft:
57             enabled: true
58             clientId: "<YOUR_CLIENT_ID>"
59             clientSecret: "<YOUR_CLIENT_SECRET>"
60             discoveryUrl: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration"
61       email:
62         enabled: true
63         smtpUrl: "smtp://smtp.example.com:587"
64       publicSignups:
65         enabled: false
66       deployments:
67         deploymentLifecycle:
68           hardDeleteDeployment:
69             enabled: true
70         namespaceManagement:
71           manualReleaseNames:
72             enabled: true
73 
74   commander:
75     replicas: 2
76     resources:
77       requests:
78         cpu: "250m"
79         memory: "1Gi"
80       limits:
81         cpu: "500m"
82         memory: "2Gi"
83 
84   registry:
85     persistence:
86       enabled: true
87       size: "200Gi"
88 
89 nginx:
90   replicas: 2
91   serviceType: LoadBalancer
92   privateLoadBalancer: true
93   resources:
94     requests:
95       cpu: "500m"
96       memory: "1Gi"
97 
98 prometheus:
99   retention: 30d
100   persistence:
101     enabled: true
102     size: "200Gi"
103   resources:
104     requests:
105       cpu: "1"
106       memory: "4Gi"
107 
108 elasticsearch:
109   data:
110     replicas: 3
111     persistence:
112       size: "200Gi"
113     resources:
114       requests:
115         cpu: "1"
116         memory: "4Gi"

Validate configuration

After creating your values file, validate it:

$ # Dry-run to check for errors
$ helm template astronomer astronomer/astronomer \
>   -f values.yaml \
>   --namespace astronomer \
>   --debug
$ 
$ # Check rendered templates
$ helm template astronomer astronomer/astronomer \
>   -f values.yaml \
>   --namespace astronomer > rendered.yaml

Upgrade configuration

(Optional) When updating your values file, you can use the helm diff plugin, and then run the following command to see a diff of your changes:

$ # Compare changes
$ helm diff upgrade astronomer astronomer/astronomer \
>   -f values.yaml \
>   --namespace astronomer
$ 
$ # Apply changes
$ helm upgrade astronomer astronomer/astronomer \
>   -f values.yaml \
>   --namespace astronomer