diff --git a/ansible/vars/workloadcluster.yml b/ansible/vars/workloadcluster.yml
index f3fd0bf..ca1539a 100644
--- a/ansible/vars/workloadcluster.yml
+++ b/ansible/vars/workloadcluster.yml
@@ -21,23 +21,22 @@ downstream:
           defaultDataPath: /mnt/blockstorage
 
     pinniped:
-      helm:
-        version: 1.2.11  # (= Pinniped v0.25.0)
-        chart: bitnami/pinniped
-        namespace: pinniped-concierge
-        parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-        chart_values: !unsafe |
-          supervisor:
-            enabled: false
-        extra_manifests: !unsafe
-          - src: jwtauthenticator.j2
-            _template:
-              name: metacluster-sso
-              spec: |2
-                  issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
-                  audience: {{ vapp['workloadcluster.name'] | lower }}
-                  tls:
-                    certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ '\n' ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
+      version: 1.2.11  # (= Pinniped v0.25.0)
+      chart: bitnami/pinniped
+      namespace: pinniped-concierge
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      chart_values: !unsafe |
+        supervisor:
+          enabled: false
+      extra_manifests: !unsafe
+        - src: jwtauthenticator.j2
+          _template:
+            name: metacluster-sso
+            spec: |2
+                issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
+                audience: {{ vapp['workloadcluster.name'] | lower }}
+                tls:
+                  certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ '\n' ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
 
     sealed-secrets:
       version: 2.8.1  # (= Sealed Secrets v0.20.2)