Configuring Your ClusterBegin the Smallstep platform installation process (powered by KOTS). Install into the smallstep namespace.
kubectl config use-context <your context>
kubectl kots install smallstep/onboarding
If prompted for the name of the desired namespace, use the default called smallstep. This should already be an input, so you can hit Enter. It will also ask for a password; this will be the password used to log in to the admin portal in the next step. Note: Store this password in your password manager for later troubleshooting and updates to the stack.

Cluster Dashboard

After some processing, KOTS will port forward to the cluster dashboard using port :8800. Using a web browser, navigate to localhost:8800 to continue cluster configuration. When prompted for a password, use the password you just set at the command line. You will then see a screen similar to the following:

Fill in all values to allow the cluster to begin communicating with your other infrastructure. If you used Terraform to configure your infrastructure, these values are available as outputs from the module.

Once filled out, click through to the next screen and wait for the pre-flight checks to complete. Continue to click through prompts until you reach your high-level Dashboard.

If you see this screen, you have successfully begun the Run Anywhere installation into your K8s cluster. You are free to close your browser and kill the port forwarding process on your terminal now that you have completed the installation process. However, you can also use this portal for troubleshooting, looking at cluster metrics, and enabling GitOps features. To get back to this portal in the future, you can simply run:
kubectl kots admin-console -n smallstep
Wait 20-30 minutes until all of the pods have initialized and are in “Running” status, and continue to team and authority configuration.

Team and Authority Configuration

Exec into the admin-tools pod to run configuration tooling:
kubectl exec -it -n smallstep deploy/admin-tools -c admin-tools -- bash
The following steps will generate your customer configuration of SSH Professional. Several values will be important for later reference, so it is highly recommended to save the outputs of each command run and to log these for reference in the future.

Create a new team

For the following command, make sure the team slug matches the slug used in your smallstep installation.
You will be prompted for company name, team slug (reference name for your team), given name, family name, admin email, and an admin password. If successful, you will see a similar result to the following:

Create a new authority
create-authority --ssh

CA Domain MUST follow the format of: ssh.<team-slug>.ca.<base-domain> If it does not, the authority will not be functional.

Note that the authority id listed above for this scenario is 43da4e45-e6a1-4bc0-af8f-042f9233e710. This id is how we will later reference this authority in any other commands.

Create a new provisioner

manage-provisioners --ssh --type SSHPOP --name "SSH POP" \
--authority <authority-id> add

This command generates an SSHPOP provisioner, which will be required to renew SSH certificates.

Refresh the authority

refresh-authority <authority-id>

This will update the authority to begin using new provisioners.

Add OIDC provisioner

manage-provisioners --ssh --type OIDC --name "azuread" --listen-address --client-id <client-id> --client-secret <client-secret> --configuration-endpoint <configuraiton-endpoint> --domain <domain>  --authority <authority-id> --tenant-id <azure-tenant-id> add

This provisioner will be used by users of the system to generate User SSH Certificates.

For Okta, the command does not need the tenant-id

manage-provisioners --ssh --type OIDC --name "okta" --listen-address --client-id <client-id> --client-secret <client-secret> --configuration-endpoint <configuraiton-endpoint> --domain <domain>  --authority <authority-id> add

After this, go to the UI and navigate to /app/smallstep/ssh/resources. This page is hidden in run-anywhere. The URL and API token for SCIM sync will be at the bottom of that page. Those need to be set in Okta.

Note: After syncing over SCIM, don't forget to update the team SSH directory to point to the new IdP directory.

kubectl exec -it -n smallstep deploy/admin-tools -c admin-tools -- bash

$ psql folk
> update teams set ssh_directory_id = '<directory-id>' where slug = '<team-slug>';

Log into your SSH Professional Dashboard

Now that your team has been configured, your authority created, and your provisioners populated, it is time to finally start using SSH Professional. Your dashboard will be located at:


You will be asked to log in using the admin email and password you used to create your team. From there, it’s time to start syncing users from your IdP and registering Hosts. This process is slightly different from the process for our SaaS solution of SSH Professional, so you can follow the following guides to set up your client and host devices: