AdministrationSecurity and compliance

Configure a custom registry for Deployment images

Astronomer Software includes access to a Docker image registry that is managed by Astronomer. Every time a user deploys to Astronomer Software, a Docker image is generated and pushed to this registry. Depending on your deploy method, these Docker images can include OS and Python dependencies, DAG code, and the Airflow service.

Using the Astronomer registry is recommended when you’re getting started and your team is comfortable deploying code. However, the Astronomer registry might not meet your organization’s security requirements.

If your organization can’t support the Astronomer default internal registry, you can configure a custom container image registry. This option is best suited for organizations who require additional control for security and governance reasons. Using a custom registry provides your organization with the opportunity to scan images for CVEs, malicious code, and unapproved Python and OS-level packages contained in Docker images.

A custom registry can still connect to public networks or internet. Therefore, this procedure is different if you’re installing Astronomer in an airgapped environment. If you need to create a custom registry for a system that can’t connect to the public networks or internet, see Install Astronomer in an airgapped environment.

These instructions do not apply to images hosted on Amazon Elastic Container Registry (ECR). Credentials for ECR have a limited lifespan and are unsuitable for using on Astronomer Software. To use AWS ECR to serve images for Astronomer, you must grant permissions for the following actions to the Kubernetes Nodes IAM Role.

1  "ecr:GetDownloadUrlForLayer",
2  "ecr:BatchGetImage"

Prerequisites

  • Helm.
  • kubectl.
  • Astro CLI version 1.3.0+.
  • A custom container image registry.
  • A process for building and pushing your Astro projects as images to your custom registry.

Setup

  1. Create a secret for the container repository credentials in your Astronomer namespace:

    $kubectl -n <astronomer-platform-namespace> create secret docker-registry <name-of-secret> --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-password> --docker-email=<your-email>

    To have Astronomer Software sync the registry credentials to all Deployment namespaces, add the following annotation:

    $kubectl -n <astronomer-platform-namespace> annotate secret <name-of-secret> "astronomer.io/commander-sync"="platform=astronomer"
To use different registries for each Deployment, create the same secret in each Deployment namespace instead of your Astronomer namespace. Make sure to specify different custom registries using --docker-server. If you don’t need to synch your secrets between deployments, you don’t need to add the secret annotation.

  1. Open your values.yaml file. See Apply a Config Change.

  2. Add the following to your values.yaml file:

    1astronomer:
    2  houston:
    3    config:
    4      deployments:
    5        enableUpdateDeploymentImageEndpoint: true
    6      registry:
    7        protectedCustomRegistry:
    8          enabled: true
    9          updateRegistry:
    10            enabled: true
    11            host: <your-airflow-image-repo>
    12            secretName: <name-of-secret>

To use different registries for each Deployment, do not set astronomer.houston.config.deployments.registry.protectedCustomRegistry.updateRegistry.host. When you specify the host, include both the registry and the repository in the format <registry>/<repo-name>/<subdirectory>, where <repo-name>/<subdirectory> represents a repository name and optionally a subdirectory within that repository.

  1. Push the configuration change. See Apply a config change.

  2. For any existing Deployments, run the following command to sync the registry credentials.

    $kubectl create job -n <astronomer-platform-namespace> --from=cronjob/<platform-release-name>-config-syncer upgrade-config-synchronization
If you’re using different registries for each Deployment, skip this step.

Push code to a custom registry

You can use the Astro CLI to push build and push images to your custom registry. Based on the Helm configurations in your Astronomer cluster, the Astro CLI automatically detects your custom image registry and pushes your image to it. It then calls the Houston API to update your Deployment to pull the new image from the registry.

After you configure your custom registry, open your Astro project and run:

1astro deploy

Alternatively, you can run a GraphQL query to update the image in your Deployment after manually pushing the image to the custom registry. This can be useful for automating code deploys using CI/CD.

At a minimum, your query has to include the following:

1mutation updateDeploymentImage {
2        updateDeploymentImage(
3                releaseName: "<deployment-release-name>", # for example "analytics-dev"
4                image: "<host>/<image-name>:<tag>",  # for example docker.io/cmart123/ap-airflow:test4
5                runtimeVersion: "<runtime-version-number>" # for example "5.0.6"
6        )
7        {
8                id
9        }
10}

Alternatively, you can run this same query using curl:

$curl 'https://houston.BASEDOMAIN/v1' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/json' -H 'Accept: application/json' -H 'Connection: keep-alive' -H 'DNT: 1' -H 'Origin: https://houston.BASEDOMAIN/v1' -H 'Authorization: <your-token>' --data-binary '{"query":"mutation updateDeploymentImage {updateDeploymentImage(releaseName: \"<deployment-release-name>\", image: \"<host>/<image-name>:<tag>\",runtimeVersion: \"<runtime-version-number>\"){id}}"}' --compressed