This page covers the OVHcloud-specific bits. The actual Helm install — values, ingress, env vars — lives in Install with Helm.
| Component | OVHcloud service | Notes |
| --- | --- | --- |
| Kubernetes | Managed Kubernetes Service (MKS) | 3–5 nodes, ≥ b3-16 (4 vCPU / 16 GB). Pick the EU-WEST-PAR region for a Multi-AZ controlplane — all other regions are single-AZ (OVH KB). Cluster autoscaler enabled per node pool. |
| MongoDB | OVHcloud Managed Databases for MongoDB (preferred) | Provisioned via ovh_cloud_project_database with engine mongodb. Standard cluster plan, 3 nodes. Alternative: MongoDB Atlas. See MongoDB. |
| OpenSearch | OVHcloud Managed Databases for OpenSearch | Provisioned via ovh_cloud_project_database with engine opensearch. ACLs enabled — use per-tenant index patterns (events-<env>-*, <env>-searchengine-*, <env>_aik_rag_*). See Elasticsearch. |
| Redis / Valkey | OVHcloud Managed Databases for Valkey | Valkey is a Redis fork — wire-compatible with the platform’s Redis client. Standard Redis (no modules) is enough. See Redis. |
| PostgreSQL (optional) | OVHcloud Managed Databases for PostgreSQL | Provisioned via ovh_cloud_project_database. See PostgreSQL. |
| Object storage | OVH Object Storage (S3-compatible) | Two buckets: <prefix>-workspaces and <prefix>-uploads. Add a third <prefix>-uploads-public only if you want public assets served directly from a CDN. |
| File storage (PVC RWX) | OVH NAS-HA or any NFS provider | Mount as ReadWriteMany with a nfs storage class — required by prismeai-functions for its shared volume. |
| Ingress / Load balancer | OVH Public Cloud Load Balancer + ingress-nginx | The chart deploys ingress-nginx as a DaemonSet exposed via a LoadBalancer service annotated with loadbalancer.ovhcloud.com/flavor. Proxy protocol enabled. |
| TLS / Certificates | cert-manager + DNS-01 webhook (Gandi, Route53, OVH) | Wildcard certificate covering api.<domain>, studio.<domain> and *.pages.<domain> issued from Let’s Encrypt. |
| Secrets | HashiCorp Vault, External Secrets Operator, or AWS Secrets Manager (cross-cloud) | OVHcloud has no first-party secrets manager — pick whichever your team already runs. |
| DNS | External provider (Gandi, Cloudflare, Route53…) | Wire api.<domain>, studio.<domain> and *.pages.<domain> to the LB IP. |

Valkey users must be created manually. The OVH Terraform provider does not yet expose a resource for Valkey users — after the database is provisioned, create the <env>-core user from the OVH Manager (settings: * keys, +@all categories, * channels) and store the URL + credentials in your secrets manager before applying the rest of the Helm chart.

Persistent storage

The shared RWX PVC (used by prismeai-functions) must be backed by NFS — OVH NAS-HA or any NFS-compatible storage class — and mounted as ReadWriteMany. OVH block storage (csi-cinder) is RWO and not suitable for the shared volume. Example PVC:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: apps-prismeai-sfsturbo
  namespace: <env>-apps
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  storageClassName: nfs
Then reference it from the apps chart:
prismeai-functions:
  persistence:
    existingClaim: apps-prismeai-sfsturbo

Infrastructure as Code

A reference Terraform bundle for OVHcloud is available on request from Prisme.ai support. It provisions:
| Module | What it provisions |
| --- | --- |
| prismeai | Managed Kubernetes cluster (ovh_cloud_project_kube), node pools across availability zones with autoscaling. |
| mongodb | Managed MongoDB cluster + permissions and collections users with readWrite roles scoped per database. |
| opensearch | Managed OpenSearch cluster with ACL-restricted user — pattern-scoped to events-*, searchengine-* and aik_rag_*. |
| redis | Managed Valkey cluster. User creation is manual (see note above). |
| s3 | Object storage buckets — workspaces, uploads, uploads-public. |
| loadbalancer | ingress-nginx as DaemonSet + LoadBalancer service annotated for the OVH Public Cloud LB, with proxy protocol enabled. |

Apply order

  1. terraform init && terraform apply on the cluster + databases.
  2. Once the cluster is up, retrieve the kubeconfig and point kubectl at it.
  3. Manually create the Valkey user (see note above) and store its credentials in your secrets manager.
  4. Re-run terraform apply to inject the Valkey secret into the Helm values.
Kubeconfig drift. If Terraform loses access to the cluster after a kubeconfig rotation, re-import the resource:
terraform state rm "module.prismeai.ovh_cloud_project_kube.main[0]"
terraform import "module.prismeai.ovh_cloud_project_kube.main[0]" <ovh_project_id>/<k8s_cluster_id>
terraform refresh

DNS

Retrieve the public IP of the ingress-nginx LoadBalancer service:
kubectl -n ingress-nginx get service/ingress-nginx-controller \
  -o jsonpath="{.metadata.annotations['loadbalancer\.openstack\.org/load-balancer-address']}"
Then create the records on your DNS provider:
api.<your-domain>      A      <LB_IP>
studio.<your-domain>   A      <LB_IP>
*.pages.<your-domain>  A      <LB_IP>

cert-manager and Let’s Encrypt

OVHcloud has no managed certificate service, so issue TLS certificates with cert-manager and a DNS-01 webhook matching your DNS provider. Example for Gandi:
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --set installCRDs=true \
  --set 'extraArgs={--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}'

helm repo add cert-manager-webhook-gandi https://sintef.github.io/cert-manager-webhook-gandi
helm install cert-manager-webhook-gandi cert-manager-webhook-gandi/cert-manager-webhook-gandi \
  --namespace cert-manager \
  --set gandiApiToken=<GANDI_PAT>
Then create a ClusterIssuer and Certificate resource per environment — a full example is available on request from Prisme.ai support.

Ingress annotations

ingress-nginx is no longer actively maintained. The project entered maintenance mode and will stop receiving updates — including security patches — in the near future. For new deployments we recommend picking a maintained alternative such as Ingress NGINX (InGate), Traefik, HAProxy Ingress or Envoy Gateway. The annotations below still apply to existing ingress-nginx installs.
ingress-nginx is the controller historically used on OVH MKS. The non-negotiable annotations on the LoadBalancer service:
metadata:
  annotations:
    loadbalancer.ovhcloud.com/flavor: small        # or medium / large depending on traffic
    loadbalancer.openstack.org/proxy-protocol: "true"
Inside the ingress-nginx controller chart values, enable proxy protocol so the gateway sees real client IPs:
controller:
  kind: DaemonSet
  config:
    use-proxy-protocol: "true"
Set the two distinct LB timeouts on the ingress-nginx ConfigMap: a 60s client keep-alive (kept below the 70s gateway keep-alive) and a 300s idle timeout for SSE / long LLM streams:
controller:
  config:
    keep-alive: "60"
    proxy-read-timeout: "300"
    proxy-send-timeout: "300"
Full ingress example lives in Helm install — Ingress and load balancer.
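
A drift check for the settings in this section, as an added example (not part of the Prisme.ai chart or documentation): it takes the LoadBalancer Service and the controller ConfigMap as parsed JSON and flags a proxy-protocol mismatch or timeouts that break the values above. The function name, the sample objects and the fallback to ingress-nginx defaults for absent keys are assumptions of this example.

```python
GATEWAY_KEEPALIVE_S = 70   # gateway keep-alive stated on this page
STREAM_IDLE_S = 300        # idle timeout for SSE / long LLM streams
# ingress-nginx ConfigMap defaults, applied when a key is absent (assumption).
NGINX_DEFAULTS = {"use-proxy-protocol": "false", "keep-alive": "75",
                  "proxy-read-timeout": "60", "proxy-send-timeout": "60"}
PP_ANNOTATION = "loadbalancer.openstack.org/proxy-protocol"
FLAVOR_ANNOTATION = "loadbalancer.ovhcloud.com/flavor"


def lint_ingress(service: dict, configmap: dict) -> list:
    """Return findings for a LoadBalancer Service and the controller ConfigMap."""
    ann = service.get("metadata", {}).get("annotations") or {}
    cfg = {**NGINX_DEFAULTS, **(configmap.get("data") or {})}
    findings = []
    if FLAVOR_ANNOTATION not in ann:
        findings.append(f"missing annotation {FLAVOR_ANNOTATION}")
    lb_pp = str(ann.get(PP_ANNOTATION, "false")).lower() == "true"
    nginx_pp = cfg["use-proxy-protocol"].lower() == "true"
    if lb_pp != nginx_pp:
        # Only one side speaks PROXY protocol: connections through the LB fail.
        findings.append(f"proxy protocol mismatch: LB={lb_pp} nginx={nginx_pp}")
    elif not lb_pp:
        # Both sides off: traffic flows, but the gateway sees the LB address.
        findings.append("proxy protocol disabled: gateway will not see client IPs")
    if int(cfg["keep-alive"]) >= GATEWAY_KEEPALIVE_S:
        findings.append(f"keep-alive {cfg['keep-alive']}s is not below the "
                        f"{GATEWAY_KEEPALIVE_S}s gateway keep-alive")
    for key in ("proxy-read-timeout", "proxy-send-timeout"):
        if int(cfg[key]) < STREAM_IDLE_S:
            findings.append(f"{key} {cfg[key]}s is below the {STREAM_IDLE_S}s stream idle")
    return findings


# Constructed sample objects, shaped like `kubectl get ... -o json` output.
GOOD_SVC = {"metadata": {"annotations": {
    "loadbalancer.ovhcloud.com/flavor": "small",
    "loadbalancer.openstack.org/proxy-protocol": "true"}}}
GOOD_CM = {"data": {"use-proxy-protocol": "true", "keep-alive": "60",
                    "proxy-read-timeout": "300", "proxy-send-timeout": "300"}}
# Drifted ConfigMap: the chart values were dropped, so defaults apply.
DRIFTED_CM = {"data": {}}

if __name__ == "__main__":
    print("baseline findings:", lint_ingress(GOOD_SVC, GOOD_CM))
    for finding in lint_ingress(GOOD_SVC, DRIFTED_CM):
        print("FINDING:", finding)
```

To run it against a live cluster, pass `json.loads` of the `kubectl get ... -o json` output for the Service and for the controller ConfigMap in place of the sample objects.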
