Managing Certificates


The OpenShell gateway requires mTLS certificates for sandbox supervisors and clients. The Helm chart supports two ways to provision and manage them:

Mode                          | When to use
------------------------------|------------------------------------------------------------
Built-in pkiInitJob (default) | Simplest path. A pre-install Kubernetes Job generates a self-signed CA and certificates once at install time. No additional dependencies.
cert-manager                  | Production deployments that need automatic certificate rotation managed by a running controller.

The rest of this page covers switching to cert-manager. The built-in mode requires no configuration.

cert-manager and pkiInitJob are mutually exclusive. The chart will fail if both are enabled at the same time.

Install cert-manager

Add the Jetstack Helm repository and install cert-manager with its CRDs installed (crds.enabled=true):

$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm upgrade --install cert-manager jetstack/cert-manager \
>   --namespace cert-manager \
>   --create-namespace \
>   --set crds.enabled=true \
>   --wait

Verify the cert-manager pods are running:

$ kubectl -n cert-manager get pods

Install OpenShell with cert-manager PKI

Pass the cert-manager values override when installing or upgrading the chart:

$ helm upgrade --install openshell \
>   oci://ghcr.io/nvidia/openshell/helm-chart \
>   --version <version> \
>   --namespace openshell \
>   --set certManager.enabled=true \
>   --set pkiInitJob.enabled=false

The chart creates a self-signed CA, issues the gateway's server certificate and the supervisor/client certificates from it, and cert-manager renews each certificate before it expires.
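To make the resulting PKI concrete, the following manifests show the shape of a cert-manager chain that produces a self-signed CA and separate server and client certificates with automatic renewal. This is an illustrative example added here, not the OpenShell chart's own templates: the resource names, Secret names, DNS names and durations are assumptions, and only the namespace (openshell) is taken from the install command above. Use helm template on the chart to see the real rendered resources.

```yaml
# Illustrative cert-manager PKI for gateway mTLS. Not the OpenShell chart's
# own templates: resource names, Secret names, DNS names and durations below
# are assumptions. Namespace "openshell" matches the install command above.
---
# 1. A self-signed Issuer bootstraps the chain; it only ever signs the CA.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: openshell-selfsigned          # assumed name
  namespace: openshell
spec:
  selfSigned: {}
---
# 2. The CA certificate. isCA marks it as a signing certificate; cert-manager
#    writes tls.crt, tls.key and ca.crt into the named Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openshell-ca                  # assumed name
  namespace: openshell
spec:
  isCA: true
  commonName: openshell-ca
  secretName: openshell-ca-secret     # assumed name
  duration: 87600h                    # 10 years (assumed)
  renewBefore: 720h                   # re-issue 30 days before expiry (assumed)
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: openshell-selfsigned
    kind: Issuer
    group: cert-manager.io
---
# 3. A CA Issuer that signs leaf certificates with the key from step 2.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: openshell-ca-issuer           # assumed name
  namespace: openshell
spec:
  ca:
    secretName: openshell-ca-secret
---
# 4. Gateway server certificate: "server auth" only, with the in-cluster
#    DNS names supervisors and clients connect to.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openshell-gateway-server      # assumed name
  namespace: openshell
spec:
  secretName: openshell-gateway-tls   # assumed name
  duration: 2160h                     # 90 days (assumed)
  renewBefore: 360h                   # 15 days before expiry (assumed)
  dnsNames:
    - openshell-gateway.openshell.svc               # assumed service name
    - openshell-gateway.openshell.svc.cluster.local
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: openshell-ca-issuer
    kind: Issuer
---
# 5. Client certificate for sandbox supervisors: "client auth" only, so the
#    same leaf cannot be presented as a server certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openshell-supervisor-client   # assumed name
  namespace: openshell
spec:
  secretName: openshell-supervisor-client-tls   # assumed name
  commonName: sandbox-supervisor
  duration: 2160h
  renewBefore: 360h
  usages:
    - digital signature
    - client auth
  issuerRef:
    name: openshell-ca-issuer
    kind: Issuer
```

Two points this layout makes visible. First, both leaf certificates chain to the one CA, so the gateway verifies clients against the ca.crt from the CA Secret and nothing else; a certificate from any other issuer is rejected. Second, renewal rewrites tls.crt and tls.key in the same Secret in place, so the consuming pods must pick up the updated Secret (a mounted Secret volume is refreshed by the kubelet; an environment variable or a copy read once at startup is not). To confirm issuance after the install, kubectl -n openshell get certificate lists each Certificate with its READY status and backing Secret.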

Next Steps

Return to Setup to complete the installation.