Skip to main content
Version: 0.35

Install Astronomer Software in an airgapped environment

By default, the Software installation process requires accessing public repositories to download the following components:

  • Docker images from or
  • Astronomer Helm charts from
  • Astronomer version information from

If you cannot use public repositories and networks for your installation, you can install Astronomer in an airgapped environment. An airgapped environment is a locked-down environment with no access to or from the public internet.

This guide explains how to configure your system to install Astronomer without access to the public internet by moving Astronomer images to an accessible registry in your airgapped environment. After completing this setup, follow Steps 1 to 8 in the AWS, Azure, or GCP installation guide to finish your installation.


To complete this setup, you need:

  • A VPC.
  • Private Kubernetes.
  • A PostgreSQL instance accessible from that environment.
  • PostgreSQL superuser permissions.
  • A VPN (or other means) set up to access, at a minimum, Kubernetes and DNS from inside your VPC.
  • A Helm configuration file for Astronomer named values.yaml. You can find sample values.yaml files in the AWS, Azure, GCP standard installation guides.

Step 1: Configure a private Docker registry

Astronomer's Docker images are hosted on a public registry which isn't accessible from an airgapped network. Therefore, these images must be hosted on a Docker registry accessible from within your own network. Every major cloud platform provides its own managed Docker registry service that can be used for this step:

You can also set up your own registry using a dedicated registry service such as JFrog Artifactory. Regardless of which service you use, follow the product documentation to configure a private registry according to your organization's security requirements.

After you create your registry:

  1. Log in to the registry and follow the Kubernetes documentation to produce a /.docker/config.json file.

  2. Run the following command to create an image pull secret:

    kubectl create secret generic regcred \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
  3. Copy the generated secret for use in Step 3.

Step 2: Fetch images from Astronomer's Helm template

The images and tags which are required for your Software installation depend on the version of Astronomer you're installing. To gather a list of exact images and tags required for your Astronomer version:

  1. Run the following command to template the Astronomer Helm chart and fetch all of its rendered image tags. Make sure to substitute <your-basedomain> and <your-astronomer-version> with your information.

    helm template --version <your-astronomer-version> astronomer/astronomer --set global.dagOnlyDeployment.enabled=True --set global.loggingSidecar.enabled=True --set global.postgresqlEnabled=True --set global.authSidecar.enabled=True --set global.baseDomain=<your-basedomain> | grep "image: " | sed -e 's/"//g' -e 's/image:[ ]//' -e 's/^ *//g' | sort | uniq

    This command sets all possible Helm values that could impact which images are required for your installation. By fetching all images now, you save time by eliminating the risk of missing an image.

  2. Run the following command to determine the Astronomer Airflow Helm chart version:

    helm template astronomer/astronomer --version <your-astronomer-version>|grep 'Static helm' -A4| grep "version: " | sed -e 's/"//g' -e 's/version:[ ]//' -e 's/^ */v/g'
  3. Run the following command to template the Astronomer Airflow Helm chart and fetch its rendered image tags:

    helm template --version <your-astronomer-airflow-chart-version> astronomer/airflow --set airflow.postgresql.enabled=false --set airflow.pgbouncer.enabled=true --set airflow.statsd.enabled=true --set airflow.executor=CeleryExecutor | grep "image: " | sed -e 's/"//g' -e 's/image:[ ]//' -e 's/^ *//g' | sort | uniq

    Note: The Astronomer Airflow Helm Chart version begins with the letter v and is versioned separately from Astronomer Software and Airflow.

These commands generate a list of images required for your version of Astronomer. Add these images to a private image registry hosted within your organization's network. In Step 3, you will specify this private registry in your Astronomer configuration.

Note: If you have already enabled or disabled Astronomer platform components in your values.yaml, you can pass -f/--values values.yaml to helm template to print a list specific to your values.yaml configuration.

Step 3: Add images to your values.yaml file

Regardless of whether you choose to mirror or manually pull/push images to your private registry, the returned images and/or tags must be made accessible within your network.

To make these images accessible to Astronomer, specify your organization's private registry in the global section of your values.yaml file:

enabled: true
# secretName: ~

This configuration automatically pulls most Docker images required in the Astronomer Helm chart. You must also configure the following images individually in a separate section of your values.yaml file:


Step 4: Fetch Airflow Helm charts

There are two Helm charts required for Astronomer:

The Astronomer Helm chart can be downloaded using helm pull and applied locally if desired.

Commander, which is Astronomer's provisioning component, uses the Astronomer Airflow Helm chart to create Airflow deployments. You have two options to make the Helm chart available to Commander:

  • Use the built-in Astronomer Airflow Helm chart in the Commander Docker image.
  • Host the Astronomer Airflow Helm chart within your network. Not every cloud provider has a managed Helm registry, so you might want to check out JFrog Artifactory or ChartMuseum.

To use the built-in Astronomer Airflow Helm chart in the Commander Docker image, add the following configuration to your values.yaml file:

enabled: true

To configure a self-hosted Helm chart, add the following configuration to your values.yaml file:

# Example URL - replace with your own repository destination
helmRepo: ""

If you configure both options in your values.yaml file, then astronomer.commander.airGapped.enabled takes precedence over global.helmRepo.

Step 5: Fetch Airflow updates

By default, Astronomer checks for Airflow updates once a day at midnight by querying, which returns a JSON file with version details. However, this URL is not accessible in an airgapped environment. There are several options for making these updates accessible in an airgapped environment:

  • You can download the JSON and host it in a location that's accessible within your airgapped environment, for example:
    • AWS S3
    • Git
    • Nginx (example below)
  • You can disable the update checks (not advised)

This setup assumes that the updates JSON will be manually downloaded and added to your environment. For guidance on how to automate this process, reach out to your Astronomer contact.

Exposing Airflow updates using an Nginx endpoint

The following topic provides an example implementation of hosting the Airflow updates JSON files in your airgapped environment and accessing them via an Nginx endpoint. Depending on your organization's platform and use cases, your own installation might vary from this setup.

To complete this setup:

  1. Host an updates JSON in a Kubernetes configmap by running the following commands:

    $ curl -L --output astronomer-certified.json
    $ curl -L --output astronomer-runtime.json
    $ kubectl create configmap astronomer-certified --from-file=astronomer-certified.json=./astronomer-certified.json -n astronomer
    $ kubectl create configmap astronomer-runtime --from-file=astronomer-runtime.json=./astronomer-runtime.json -n astronomer
  2. Add an Nginx deployment and service configuration to a new file named nginx-astronomer-certified.yaml:

    apiVersion: apps/v1
    kind: Deployment
    name: astronomer-releases
    namespace: astronomer
    type: Recreate
    app: astronomer-releases
    app: astronomer-releases
    - name: astronomer-releases
    image: ap-nginx-es
    memory: "32Mi"
    cpu: "100m"
    memory: "128Mi"
    cpu: "500m"
    - containerPort: 8080
    - name: astronomer-certified
    mountPath: /usr/share/nginx/html/astronomer-certified
    subPath: astronomer-certified.json
    - name: astronomer-runtime
    mountPath: /usr/share/nginx/html/astronomer-runtime
    subPath: astronomer-runtime.json
    - name: astronomer-certified
    name: astronomer-certified
    - name: astronomer-runtime
    name: astronomer-runtime
    apiVersion: v1
    kind: Service
    name: astronomer-releases
    namespace: astronomer
    type: ClusterIP
    app: astronomer-releases
    - port: 80
    targetPort: 8080
    kind: NetworkPolicy
    name: astronomer-astronomer-releases-nginx-policy
    - from:
    - namespaceSelector: {}
    podSelector: {}
    - port: 8080
    protocol: TCP
    app: astronomer-releases
    - Ingress

    Note the Docker image in the deployment and ensure that this is also accessible from within your environment.

  3. Save this file and apply it to your cluster by running the following command:

    kubectl apply -f nginx-astronomer-releases.yaml

    The updates JSON will be accessible by the service name from pods in the Kubernetes cluster via http://astronomer-releases.astronomer.svc.cluster.local/astronomer-certified.json.

To validate if the updates JSON is accessible you have several options:

  • If an image with curl is available in your network, you can run:

    $ kubectl run --rm -it [container name] --image=[image] --restart=Never -- /bin/sh
    $ curl http://astronomer-releases.astronomer.svc.cluster.local/astronomer-certified
    $ curl http://astronomer-releases.astronomer.svc.cluster.local/astronomer-runtime
  • If you have curl installed on your client machine:

    $ kubectl proxy
    # In a separate terminal window:
    $ curl http://localhost:8001/api/v1/namespaces/astronomer/services/astronomer-releases/astronomer-certified
    $ curl http://localhost:8001/api/v1/namespaces/astronomer/services/astronomer-releases/astronomer-runtime
  • Complete the entire Software installation, then use one of the astro-ui pods which include bash and curl:

    $ kubectl exec -it astronomer-astro-ui-7cfbbb97fd-fv8kl -n=astronomer -- /bin/bash
    $ curl http://astronomer-releases.astronomer.svc.cluster.local/astronomer-certified
    $ curl http://astronomer-releases.astronomer.svc.cluster.local/astronomer-runtime

No matter what option you choose, the commands that you run should return the updates JSON if the service was configured correctly.

Configuring a custom updates JSON URL

After you have made the updates JSON accessible within your premises, you must configure the Helm chart to fetch updates from the custom URL:

updateCheck: # There is a 2nd check for Astronomer platform updates but this is deprecated and not actively used. Therefore disable
enabled: false
updateAirflowCheck: # Configure URL for Airflow updates check
url: http://astronomer-releases.astronomer.svc.cluster.local/astronomer-certified
updateRuntimeCheck: # Configure URL for Airflow updates check
url: http://astronomer-releases.astronomer.svc.cluster.local/astronomer-runtime
value: http://astronomer-releases.astronomer.svc.cluster.local/astronomer-runtime

Step 6: Create a Kubernetes TLS Secret

Store the public TLS certificate in a kubernetes secret in the Astronomer platform namespace. If you use a third-party ingress controller, this secret must be named astronomer-tls. You must use astronomer-tls exactly. There is no substitution for platform release name. Additionally, make sure the value of global.tlsSecret in your values.yaml is also set to astronomer-tls.

To store the secret in the Astronomer platform namespace, run the following command:

kubectl -n <astronomer platform namespace> create secret tls astronomer-tls --cert <your-certificate-filepath> --key <your-private-key-filepath>

Most third-party ingress-controllers require the public certificate to be available in the namespace of the various airflow instances. If using a third-party ingress-controller, run the following command to mark the secret for automatic replication into Astronomer-managed Airflow namespaces. When you run the command, substitute both instances of <astronomer-platform-namespace> with the name of the Astronomer Software platform namespace:

kubectl -n <astronomer-platform-namespace> annotate secret astronomer-tls ""="platform=<astronomer platform namespace>"

If you received a certificate from a private CA, you also need to follow these steps:

  1. Add the root certificate provided to you by your security team to an Opaque Kubernetes secret in the Astronomer namespace by running the following command:

    kubectl create secret generic private-root-ca --from-file=cert.pem=./<your-certificate-filepath> -n astronomer

    The root certificate that you specify with this command must be the certificate of the authority that signed the Astronomer certificate, rather than the Astronomer certificate itself. This is the same certificate you need to install with all your clients for them to trust your services.


    The name of the secret file must be cert.pem for Astronomer to properly trust your certificate.

  2. Note the value of private-root-ca. You need this value to configure your Helm chart in Step 7 to specify the privateCaCerts key-value pair with this value.

Step 7: Install Astronomer using Helm

Before completing this step, double-check that the following statements are true:

  • You made Astronomer's Docker images, Astronomer Airflow Helm chart, and updates JSON accessible inside your network.
  • You completed Steps 1 through 8 in the AWS, Azure, or GCP install guide.

After this check, you can install the Astronomer Helm chart by running the following commands, making sure to replace <your-image-tag> with the version of Astronomer that you want to install:

curl -L<your-image-tag>.tar.gz -o astronomer.tgz

# Alternatively, use helm pull to pull the latest version of Astronomer
helm pull astronomer/astronomer

# ... If necessary, copy to a place where you can access Kubernetes ...
helm install astronomer -f values.yaml -n astronomer astronomer.tgz

After these commands finish, continue your installation with Step 10 (Verify pods are up) in the AWS, Azure, or GCP installation guide.

Was this page helpful?

Sign up for Developer Updates

Get a summary of new Astro features once a month.

You can unsubscribe at any time.
By proceeding you agree to our Privacy Policy, our Website Terms and to receive emails from Astronomer.