diff --git a/docs/development.md b/docs/development.md index b08f0ec..1740888 100644 --- a/docs/development.md +++ b/docs/development.md @@ -102,8 +102,16 @@ HTTP authentication and forwards all requests from load balancer to Follow up to date docs to install [reverse proxy](https://kubernetes.github.io/ingress-nginx/deploy/#gce-gke). -We also have [certificate manager]( -http://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html) and +[cert-manager] is installed with helm https://cert-manager.io/docs/installation/helm/ + +helm install \ + cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --version v1.9.1 \ + --set installCRDs=true + +We also have [certificate manager](https://cert-manager.io/docs/) and [lets-encrypt configuration](../kubernetes/cert-issuer.yaml) in place, but they are not used at the moment and should be removed if we decide to live with static IP. diff --git a/kubernetes/cert-issuer.yaml b/kubernetes/cert-issuer.yaml index d247f79..ac46ee1 100644 --- a/kubernetes/cert-issuer.yaml +++ b/kubernetes/cert-issuer.yaml @@ -15,14 +15,14 @@ # based on documentation on # https://github.com/jetstack/cert-manager/blob/master/docs/tutorials/acme/quick-start/index.rst -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-staging spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory - email: kuhnel@google.com + email: goncharov@google.com privateKeySecretRef: name: letsencrypt-staging solvers: @@ -30,14 +30,14 @@ spec: ingress: class: nginx --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-prod spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: kuhnel@google.com + email: goncharov@google.com privateKeySecretRef: name: letsencrypt-prod solvers: 
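Review bot: The ACME contact `email:` in kubernetes/cert-issuer.yaml is again one person's mailbox, in both `letsencrypt-staging` (this hunk) and `letsencrypt-prod` (the next hunk). Let's Encrypt account notices therefore reach a single individual, and the manifest has to be edited whenever ownership changes. A shared alias would avoid that, e.g. `email: <team-alias@example.org>` (placeholder; the page does not name one). The header comment also still links to the old `jetstack/cert-manager` quick-start although the resources now use `cert-manager.io/v1`; it could point at the docs this commit cites, `# based on https://cert-manager.io/docs/`.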
diff --git a/kubernetes/phabricator-proxy/Ingress.yaml b/kubernetes/phabricator-proxy/Ingress.yaml
index 11203f2..e0f3997 100644
--- a/kubernetes/phabricator-proxy/Ingress.yaml
+++ b/kubernetes/phabricator-proxy/Ingress.yaml
@@ -1,5 +1,5 @@
 # This ingress matches ALL requests to nginx.
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
 name: nginx-ingress-all
@@ -10,7 +10,17 @@ metadata:
 nginx.ingress.kubernetes.io/auth-type: basic
 nginx.ingress.kubernetes.io/auth-secret: http-auth
 nginx.ingress.kubernetes.io/auth-realm: "LLVM pre-merge checks"
+ # cert-manager
+ cert-manager.io/cluster-issuer: letsencrypt-staging
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ # ^ cert-manager
 spec:
+ # cert-manager
+ tls:
+ - secretName: llvm-premerge-staging-cert
+ hosts:
+ - llvm-premerge.org
+ # ^ cert-manager
 rules:
 - http:
 paths:
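Review bot: `networking.k8s.io/v1beta1` at the top of Ingress.yaml is itself a deprecated Ingress API and is no longer served from Kubernetes 1.22 on, so this manifest will be rejected once the cluster reaches that version. If the cluster already runs 1.19 or newer, moving straight to `apiVersion: networking.k8s.io/v1` avoids a second migration. That version requires `pathType` on each path and the `service.name` / `service.port` backend form; the `paths:` entries that would need it lie outside this hunk.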
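Review bot: `acme.cert-manager.io/http01-edit-in-place: "true"` makes cert-manager add the HTTP-01 solver path to this same Ingress, which carries `nginx.ingress.kubernetes.io/auth-type: basic`, so the validation request is likely to be answered with 401 and the certificate never issued. Dropping that annotation lets cert-manager create a separate solver Ingress that does not inherit the auth annotations; if in-place editing is needed here, the `# cert-manager` comment should say why. The issuer is `letsencrypt-staging`, whose certificates are not publicly trusted, so clients sending basic-auth credentials will get certificate warnings until it is switched. A comment such as `# staging issuer: not publicly trusted, switch to letsencrypt-prod once issuance works` would record that. The `rules:` list continues past the end of the hunk.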