diff --git a/ansible/roles/firstboot/files/ansible_payload/templates/tty.j2 b/ansible/roles/firstboot/files/ansible_payload/templates/tty.j2
index f52d38e..b64dab7 100644
--- a/ansible/roles/firstboot/files/ansible_payload/templates/tty.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/templates/tty.j2
@@ -12,7 +12,8 @@ DFLT='\033[0m'        # Reset colour
 LCLR='\033[K'         # Clear to end of line
 PRST='\033[0;0H'      # Reset cursor position
 
-COMPONENTS=('ingress' 'storage' 'registry' 'git' 'gitops')
+# COMPONENTS=('ca' 'ingress' 'storage' 'registry' 'git' 'gitops')
+COMPONENTS=('ca' 'storage' 'registry' 'git' 'gitops')
 FQDN='{{ vapp['metacluster.fqdn'] }}'
 IPADDRESS='{{ vapp['guestinfo.ipaddress'] }}'
 
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index e124edc..4d647ec 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -63,8 +63,15 @@ components:
       chart_values: !unsafe |
         inject:
           secrets:
-            ca_password: "{{ vapp['guestinfo.rootpw'] }}"
-            provisioner_password: "{{ vapp['guestinfo.rootpw'] }}"
+            ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
+            provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
+        ingress:
+          enabled: true
+          hosts:
+            - host: ca.{{ vapp['metacluster.fqdn'] }}
+              paths:
+                - path: /
+                  pathType: Prefix
         service:
           targetPort: 9000
 
@@ -157,6 +164,10 @@ dependencies:
       extra_opts: --strip-components=1
     - filename: skopeo
       url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.9.1/skopeo
+    - filename: step
+      url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.21.0/step_linux_0.21.0_amd64.tar.gz
+      archive: compressed
+      extra_opts: --strip-components=2
     - filename: yq
       url: http://github.com/mikefarah/yq/releases/download/v4.25.3/yq_linux_amd64