Configuring Your Cluster

Begin the Smallstep platform installation process (powered by KOTS). Install into the smallstep namespace.

kubectl config use-context <your context>
kubectl kots install smallstep/onboarding

If prompted for the name of the desired namespace, use the default called smallstep. This should already be an input, so you can go ahead and hit Enter. It will also ask for a password; this will be the password used to log in to the admin portal in the next step. Make sure to store this password in your password manager for later troubleshooting and updates to the stack.

Cluster Dashboard

After some processing, KOTS will port forward to the the cluster dashboard using port :8800. Using a web browser, navigate to localhost:8800 to continue cluster configuration. When prompted for a password, use the password you just set at the command line. You will then see a screen similar to the following:

Fill in all values to allow the cluster to begin communicating with your other infrastructure. If you used Terraform to configure your infrastructure, these values are available as outputs from the module.

Once filled out, click through to the next screen and wait for the pre-flight checks to complete. Continue to click through prompts until you reach your high-level Dashboard.

If you see this screen, you have successfully begun the run anywhere installation into your K8s cluster. You are free to close your browser and kill the port forwarding process on your terminal now that you have completed the installation process. However, you can also use this portal for troubleshooting, looking at cluster metrics, and enabling GitOps features. To get back to this portal in the future you can simply run:

kubectl kots admin-console -n smallstep

Wait 20-30 minutes until all of the pods have initialized and are in “Running” status, and continue to team and authority configuration.

Team and Authority Configuration

Exec into the a admin-tools pod to run configuration tooling:

kubectl exec -it -n smallstep deploy/admin-tools -c admin-tools -- bash

The following steps will generate your customer configuration of Certificate Manager. Several values will be important for later reference, so it is highly recommended to save the outputs of each command run and to log these for reference in the future.

Create a new team

For the following command, make sure the team slug matches the slug used in your smallstep installation.


You will be prompted for the company name, team slug (reference name for your team), given name, family name, admin email, and an admin password. If successful, you will see a similar result to the following:

Note that my team id listed above for this scenario is 5725426a-e1b4-47ce-9ec0-1f8ed39316b9. This id is how we will later reference this team in all other commands.

Log into the Certificate Manager Dashboard

Now that your team has been configured, you can begin creating authorities in the Certificate Manager Dashboard located at:


You will be asked to log in using the admin email and password you used to create your team. From there, you can create an Authority and manage Provisioners as you would for our SaaS version of Certificate Manager. You may use the standard Certificate Manager onboarding guide to proceed with your integration (skipping the step to create your team).