---
title: "Installing cert-manager on OVHcloud Managed Kubernetes"
description: "Find out how to install cert-manager on OVHcloud Managed Kubernetes"
url: https://docs.ovhcloud.com/pl/guides/public-cloud/containers-orchestration/managed-kubernetes/install-cert-manager
lang: pl
lastUpdated: 2026-01-06
---
# Installing cert-manager on OVHcloud Managed Kubernetes

## Objective

[Cert-manager](https://github.com/cert-manager/cert-manager) is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources.

![Cert Manager](/images/public-cloud/containers-orchestration/managed-kubernetes/installing-cert-manager/cert-manager-logo.png)

It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.

![Cert Manager architecture](/images/public-cloud/containers-orchestration/managed-kubernetes/installing-cert-manager/cert-manager-archi.png)

In this tutorial we are going to guide you with the setup of [cert-manager](https://github.com/jetstack/cert-manager) on your OVHcloud Managed Kubernetes Service.

## Requirements

This tutorial presupposes that you already have a working OVHcloud Managed Kubernetes cluster, and some basic knowledge of how to operate it. If you want to know more on those topics, please look at the [OVHcloud Managed Kubernetes Service Quickstart](/pl/guides/public-cloud/containers-orchestration/managed-kubernetes/deploy-hello-world.md).

You also need to have [Helm](https://docs.helm.sh/) installer on your workstation and your cluster, please refer to the [How to install Helm on OVHcloud Managed Kubernetes Service](/pl/guides/public-cloud/containers-orchestration/managed-kubernetes/install-helm.md) tutorial.

## Installing cert-manager Helm chart

For this tutorial we are using the [cert-manager Helm chart](https://artifacthub.io/packages/helm/cert-manager/cert-manager) found on its own Helm repository.

The chart is fully configurable, but here we are using the default configuration.

Add the cert-manager Helm repository:

```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
```

These commands will add the Kyverno Helm repository to your local Helm chart repository and update the installed chart repositories:

```console
$ helm repo add jetstack https://charts.jetstack.io
helm repo update
"jetstack" already exists with the same configuration, skipping
Hang tight while we grab the latest from your chart repositories...
...
...Successfully got an update from the "jetstack" chart repository
...
Update Complete. ⎈Happy Helming!⎈
```

Create a `values.yaml` file with the following content:

```yaml
config:
  featureGates:
    # Disable the use of Exact PathType in Ingress resources, to work around a bug in ingress-nginx
    # https://github.com/kubernetes/ingress-nginx/issues/11176
    ACMEHTTP01IngressPathTypeExact: false
```

Install the latest version of cert-manager with `helm install` command:

```bash
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true \
  --values values.yaml
```

:::info
`values.yaml` file is necessary to "fix" blocking [ingress-nginx 1.18+ changes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18/#acme-http01-challenge-paths-now-use-pathtype-exact-in-ingress-routes).
:::

This command will install the latest version of cert-manager, create a new `cert-manager` namespace and install the new CRD (CustomResourceDefinitions):

```console
$ helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
 --set crds.enabled=true
NAME: cert-manager
LAST DEPLOYED: Thu Jan 18 15:28:23 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.13.3 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/
```

Check cert-manager have been deployed correctly with `kubectl get pods --namespace cert-manager` command:

```console
$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-75cf8df6b6-x2q6l              1/1     Running   0          2m34s
cert-manager-cainjector-857f5bd88c-gggxw   1/1     Running   0          2m34s
cert-manager-webhook-5cd99556d6-jq5vk      1/1     Running   0          2m34s
```

Now that the cert-manager is deployed, we need to configure a **cluster-issuer** to perform Let's Encrypt ACME challenges.

:::info
To avoid to be banned by Let's Encrypt robots, for testing purposes, the staging environment should be used before going to prod.
:::

Create an Issuer in a file named `issuer.yaml` with the following content:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [YOUR_EMAIL]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [YOUR_EMAIL]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
```

:::info
Don't forget to replace `[YOUR_EMAIL]` by a real value, it will be used for ACME challenges.
:::

Apply the YAML manifest:

```bash
kubectl apply -f issuer.yaml
```

Now, any ingress resources will be able to be annotated with:

```console
"cert-manager.io/cluster-issuer": "letsencrypt-prod"
# Or for tests
"cert-manager.io/cluster-issuer": "letsencrypt-staging"
```

Please refer to our tutorial on [How to secure a Nginx Ingress with cert-manager on OVHcloud Managed Kubernetes](/pl/guides/public-cloud/containers-orchestration/managed-kubernetes/secure-nginx-ingress-cert-manager.md) for ingresses configuration.

## Go further

- If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](https://www.ovhcloud.com/pl/professional-services/) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project.

- Join our [community of users](https://community.ovhcloud.com/).