diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
index 792d600..af766ae 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
@@ -1 +1,37 @@
-#
+- name: Trim container image digests
+  ansible.builtin.lineinfile:
+    path: "{{ item }}"
+    regexp: "([ ]+image: (.*))@sha256:.*"
+    line: "\\1"
+    state: present
+    backrefs: yes
+  loop: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/pinniped/*.yaml') }}"
+
+- name: Install supervisor
+  kubernetes.core.k8s:
+    src: /opt/metacluster/pinniped/pinniped-supervisor.yaml
+    state: present
+    wait: yes
+    kubeconfig: "{{ kubeconfig.path }}"
+
+- name: Add ingress for supervisor
+  kubernetes.core.k8s:
+    template: "ingressroute.j2"
+    state: present
+    kubeconfig: "{{ kubeconfig.path }}"
+  vars:
+    _template:
+      name: pinniped-supervisor-api
+      namespace: pinniped-supervisor
+      config: |2
+          entryPoints:
+          - web
+          - websecure
+          routes:
+          - kind: Rule
+            match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
+            services:
+            - kind: Service
+              name: pinniped-supervisor-api
+              namespace: pinniped-supervisor
+              port: 443