diff --git a/.github/tests/common.sh b/.github/tests/common.sh
index d833cf68d..cead98833 100755
--- a/.github/tests/common.sh
+++ b/.github/tests/common.sh
@@ -82,6 +82,16 @@ while true; do
 done
 )
 
+common_test_file_exists () (
+count=20
+while true; do
+        if [ -f "$1" ]; then exit 0; fi
+        sleep 2
+        count=$((count-1))
+        [ $count -le 0 ] && exit 1
+done
+)
+
 # Used just for testing. You should provide your own values as described in the install instructions.
 common_test_your_values () {
 cat > /tmp/$$.example-your-values.yaml <<EOF
diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
index 95070944e..fed25b560 100644
--- a/.github/workflows/helm-chart-ci.yaml
+++ b/.github/workflows/helm-chart-ci.yaml
@@ -171,7 +171,7 @@ jobs:
       - name: Run chart-testing (install)
         run: |
           helm install -n spire-server spire-crds charts/spire-crds
-          ct install --config ct.yaml --excluded-charts spire-crds \
+          ct install --config ct.yaml --excluded-charts spire-crds,spiffe-step-ssh \
             --target-branch ${{ github.base_ref }}
 
       - name: Test summary
diff --git a/charts/spiffe-step-ssh/Chart.yaml b/charts/spiffe-step-ssh/Chart.yaml
new file mode 100644
index 000000000..e3ae9e26b
--- /dev/null
+++ b/charts/spiffe-step-ssh/Chart.yaml
@@ -0,0 +1,42 @@
+apiVersion: v2
+name: spiffe-step-ssh
+description: sshd signed host certificates using SPIFFE for trust and step CA
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+keywords: ["spiffe", "step", "step-ca", "ssh"]
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
+sources:
+  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
+
+dependencies:
+  - name: spire-lib
+    repository: file://../spire/charts/spire-lib
+    version: 0.1.0
+  - name: step-certificates
+    alias: step
+    repository: https://smallstep.github.io/helm-charts/
+    version: 1.27.4
diff --git a/charts/spiffe-step-ssh/README.md b/charts/spiffe-step-ssh/README.md
new file mode 100644
index 000000000..96f5b3f92
--- /dev/null
+++ b/charts/spiffe-step-ssh/README.md
@@ -0,0 +1,65 @@
+spire-values.yaml
+```
+spire-server:
+  nodeAttestor:
+    httpChallenge:
+      enabled: true
+  controllerManager:
+    identities:
+      clusterSPIFFEIDs:
+        spiffe-step-ssh-config:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: config
+        spiffe-step-ssh-fetchca:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: fetchca
+          dnsNameTemplates:
+          - "spiffe-step-ssh-fetchca.{{ .TrustDomain }}"
+```
+
+```shell
+helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f spire-values.yaml --set global.spire.ingressControllerType=ingress-nginx,spire-server.ingress.enabled=true
+```
+
+```shell
+helm upgrade --install ingress-nginx ingress-nginx -n ingress-nginx --create-namespace --repo https://kubernetes.github.io/ingress-nginx --set controller.service.type=ClusterIP,controller.service.externalIPs[0]=$(minikube ip) --set controller.watchIngressWithoutClass=true --set controller.extraArgs.enable-ssl-passthrough=
+```
+
+```shell
+PASSWORD=$(openssl rand -base64 48)
+echo "$PASSWORD" > spiffe-step-ssh-password.txt
+step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.example.org --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml
+```
+
+ingress-values.yaml
+```yaml
+global:
+  spiffe:
+    ingressControllerType: ingress-nginx
+stepIngress:
+  enabled: true
+fetchCA:
+  ingress:
+    enabled: true
+```
+
+```shell
+helm upgrade --install spiffe-step-ssh . --set caPassword=`cat spiffe-step-ssh-password.txt` -f spiffe-step-ssh-values.yaml -f ingress-values.yaml --set trustDomain=example.org
+```
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
diff --git a/charts/spiffe-step-ssh/ci/default-values.yaml b/charts/spiffe-step-ssh/ci/default-values.yaml
new file mode 100644
index 000000000..3fe430bd4
--- /dev/null
+++ b/charts/spiffe-step-ssh/ci/default-values.yaml
@@ -0,0 +1 @@
+trustDomain: example.org
diff --git a/charts/spiffe-step-ssh/files/ssh_x5c.tpl b/charts/spiffe-step-ssh/files/ssh_x5c.tpl
new file mode 100644
index 000000000..292bcdbc0
--- /dev/null
+++ b/charts/spiffe-step-ssh/files/ssh_x5c.tpl
@@ -0,0 +1,13 @@
+{{- if eq (len .AuthorizationCrt.URIs) 1 }}
+{{-   $san := printf "%s" (index .AuthorizationCrt.URIs 0) }}
+{{-   if hasPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
+{{-     $name := trimPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
+{
+  "type": {{ toJson .Type }},
+  "keyId": {{ toJson $name }},
+  "principals": [{{ toJson $name }}],
+  "extensions": {{ toJson .Extensions }},
+  "criticalOptions": {{ toJson .CriticalOptions }}
+}
+{{-   end }}
+{{- end }}
diff --git a/charts/spiffe-step-ssh/templates/NOTES.txt b/charts/spiffe-step-ssh/templates/NOTES.txt
new file mode 100644
index 000000000..1a8bc499b
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Installed {{ .Chart.Name }}…
+
+Configure your ssh clients with known_hosts file with:
+
+@cert-authority *.{{ .Values.trustDomain }} {{ .Values.inject.certificates.ssh_host_ca }}
diff --git a/charts/spiffe-step-ssh/templates/_helpers.tpl b/charts/spiffe-step-ssh/templates/_helpers.tpl
new file mode 100644
index 000000000..415702b0b
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/_helpers.tpl
@@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spiffe-step-ssh.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spiffe-step-ssh.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spiffe-step-ssh.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spiffe-step-ssh.labels" -}}
+helm.sh/chart: {{ include "spiffe-step-ssh.chart" . }}
+{{ include "spiffe-step-ssh.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spiffe-step-ssh.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spiffe-step-ssh.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spiffe-step-ssh.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spiffe-step-ssh.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/* Takes in a dictionary with keys:
+ * global - the standard global object
+ * ingress - a standard format ingress config object
+*/}}
+{{- define "spiffe-step-ssh.ingress-controller-type" }}
+{{-   $type := "" }}
+{{-   if ne (len (dig "spiffe" "ingressControllerType" "" .global)) 0 }}
+{{-     $type = .global.spiffe.ingressControllerType }}
+{{-   else if ne .ingress.controllerType "" }}
+{{-     $type = .ingress.controllerType }}
+{{-   else if (dig "openshift" false .global) }}
+{{-     $type = "openshift" }}
+{{-   else }}
+{{-     $type = "other" }}
+{{-   end }}
+{{-   if not (has $type (list "ingress-nginx" "openshift" "other")) }}
+{{-     fail "Unsupported ingress controller type specified. Must be one of [ingress-nginx, openshift, other]" }}
+{{-   end }}
+{{-   $type }}
+{{- end }}
diff --git a/charts/spiffe-step-ssh/templates/config-configmap.yaml b/charts/spiffe-step-ssh/templates/config-configmap.yaml
new file mode 100644
index 000000000..ef40ee7d6
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/config-configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  spiffe-helper.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = "sh"
+    cmd_args = "/config-deployment/update.sh"
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  update.sh: |
+    #!/bin/sh
+    export ROOTS=$(base64 /certs/ca.pem | tr '\n' ' ' | sed 's/ //g')
+    echo Updating Roots to "$ROOTS"
+    cat /config/ca.json > /work/ca.json
+    yq e -i -ojson '.authority.provisioners |= map(select(.name == "x5c@spiffe").roots = env(ROOTS))' /work/ca.json
+    /helper/kubectl create configmap {{ include "spiffe-step-ssh.fullname" . }}-config -n "{{ .Release.Namespace }}" --from-file=/work/ca.json --from-file=/config/defaults.json --from-file=/config/ssh_x5c.tpl --dry-run=client -o yaml | /helper/kubectl apply -f -
+    /helper/kubectl rollout restart statefulset {{ include "spiffe-step-ssh.fullname" . }} -n "{{ .Release.Namespace }}"
+    echo $?
diff --git a/charts/spiffe-step-ssh/templates/config-deployment.yaml b/charts/spiffe-step-ssh/templates/config-deployment.yaml
new file mode 100644
index 000000000..e8b51333f
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/config-deployment.yaml
@@ -0,0 +1,143 @@
+{{- $configSum := (include (print $.Template.BasePath "/config-configmap.yaml") . | sha256sum) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: config
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
+      app: spiffe-step-ssh
+      component: config
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ $configSum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app: spiffe-step-ssh
+        component: config
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+      - name: setup-volume-p1
+        image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
+        command:
+        - sh
+        - -c
+        - 'cp -a /bin/busybox /helper'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      - name: setup-volume-p2
+        image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+        imagePullPolicy: {{ .Values.kubectl.image.pullPolicy }}
+        command:
+        - /helper/busybox
+        - sh
+        - -c
+        - '/helper/busybox cp -a /bin/kubectl /helper'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      - name: setup-volume-p3
+        image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+        command:
+        - /helper/busybox
+        - sh
+        - -c
+        - '/helper/busybox cp -a /spiffe-helper /helper && /helper/busybox rm -f /helper/busybox'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      containers:
+      - name: {{ .Chart.Name }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        image: {{ template "spire-lib.image" (dict "image" .Values.yq.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.yq.image.pullPolicy }}
+        command:
+        - /helper/spiffe-helper
+        - -config
+        - /config-deployment/spiffe-helper.conf
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+          readOnly: true
+        - name: config
+          mountPath: /config
+          readOnly: true
+        - name: config-deployment
+          mountPath: /config-deployment
+          readOnly: true
+        - name: certdir
+          mountPath: /certs
+        - name: spiffe-workload-api
+          mountPath: /spiffe-workload-api
+          readOnly: true
+        - name: workdir
+          mountPath: /work
+      volumes:
+      - name: spiffe-workload-api
+        csi:
+          driver: {{ .Values.csiDriver | quote }}
+          readOnly: true
+      - name: config-deployment
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
+      - name: config
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
+      - name: certdir
+        emptyDir: {}
+      - name: spiffe-helper-config
+        emptyDir: {}
+      - name: spiffe-helper
+        emptyDir: {}
+      - name: workdir
+        emptyDir: {}
+      {{- with .Values.config.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.config.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.config.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/spiffe-step-ssh/templates/config-role.yaml b/charts/spiffe-step-ssh/templates/config-role.yaml
new file mode 100644
index 000000000..f44f1209b
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/config-role.yaml
@@ -0,0 +1,41 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+rules:
+  - apiGroups: [""]
+    resources: [configmaps]
+    verbs:
+      - create
+  - apiGroups: [""]
+    resources: [configmaps]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-config]
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups: ["apps"]
+    resources: [statefulsets]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}]
+    verbs:
+      - get
+      - patch
+  - apiGroups: ["apps"]
+    resources: [deployments]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-fetchca]
+    verbs:
+      - get
+      - patch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+  apiGroup: rbac.authorization.k8s.io
diff --git a/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml b/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml
new file mode 100644
index 000000000..6a1f67f59
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    component: config
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml b/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml
new file mode 100644
index 000000000..f17d62364
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  spiffe-helper-init.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = ""
+    cmd_args = ""
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  spiffe-helper-sidecar.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = "/busybox/busybox"
+    cmd_args = "sh /update.sh"
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  update.sh: |
+    #!/bin/sh
+    /busybox/busybox kill -HUP `/busybox/busybox busybox cat /pid/pid`
diff --git a/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml b/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml
new file mode 100644
index 000000000..5114c1c98
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml
@@ -0,0 +1,182 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: fetchca
+spec:
+  {{- if not .Values.fetchCA.autoscaling.enabled }}
+  replicas: {{ .Values.fetchCA.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
+      app: spiffe-step-ssh
+      component: fetchca
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app: spiffe-step-ssh
+        component: fetchca
+    spec:
+      shareProcessNamespace: true
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: busybox-volume
+          image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
+          command:
+          - sh
+          - -c
+          - 'cp -a /bin/busybox /busybox'
+          volumeMounts:
+          - name: busybox
+            mountPath: /busybox
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+        - name: init-tls
+          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+          command:
+          - /spiffe-helper
+          - -config
+          - /etc/spiffe-helper.conf
+          - -daemon-mode=false
+          volumeMounts:
+          - name: spiffe-workload-api
+            mountPath: /spiffe-workload-api
+            readOnly: true
+          - name: config
+            mountPath: /etc/spiffe-helper.conf
+            subPath: spiffe-helper-init.conf
+            readOnly: true
+          - name: certs
+            mountPath: /certs
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+      containers:
+        - name: {{ .Chart.Name }}-fetchca
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.nginx.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
+          command:
+          - /bin/sh
+          - -c
+          - |
+            echo $$$$ > /pid/pid
+            cat > /etc/nginx/conf.d/ssl.conf <<EOF
+            server {
+                listen       8443 ssl;
+                server_name  localhost;
+                ssl_certificate     /certs/tls.crt;
+                ssl_certificate_key /certs/tls.key;
+                location / {
+                    root   /usr/share/nginx/html;
+                    index  root_ca.crt index.html index.htm;
+                }
+                error_page   500 502 503 504  /50x.html;
+                location = /50x.html {
+                    root   /usr/share/nginx/html;
+                }
+            }
+            EOF
+            exec nginx -g "daemon off;"
+          ports:
+            - name: http
+              containerPort: 8443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+              scheme: HTTPS
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+              scheme: HTTPS
+          resources:
+            {{- toYaml .Values.fetchCA.resources | nindent 12 }}
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+            readOnly: true
+          - name: pid
+            mountPath: /pid
+          - name: share
+            mountPath: /usr/share/nginx/html
+        - name: update-tls
+          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+          command:
+          - /spiffe-helper
+          - -config
+          - /etc/spiffe-helper.conf
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+          - name: spiffe-workload-api
+            mountPath: /spiffe-workload-api
+            readOnly: true
+          - name: config
+            mountPath: /etc/spiffe-helper.conf
+            subPath: spiffe-helper-sidecar.conf
+            readOnly: true
+          - name: config
+            mountPath: /update.sh
+            subPath: update.sh
+            readOnly: true
+          - name: pid
+            mountPath: /pid
+            readOnly: true
+          - name: busybox
+            mountPath: /busybox
+            readOnly: true
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+      volumes:
+      - name: certs
+        emptyDir: {}
+      - name: pid
+        emptyDir: {}
+      - name: busybox
+        emptyDir: {}
+      - name: config
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+      - name: spiffe-workload-api
+        csi:
+          driver: {{ .Values.csiDriver | quote }}
+          readOnly: true
+      - name: share
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-certs
+      {{- with .Values.fetchCA.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.fetchCA.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.fetchCA.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/spiffe-step-ssh/templates/fetchca-hpa.yaml b/charts/spiffe-step-ssh/templates/fetchca-hpa.yaml
new file mode 100644
index 000000000..477d388af
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/fetchca-hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.fetchCA.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchCA
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  minReplicas: {{ .Values.fetchCA.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.fetchCA.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
diff --git a/charts/spiffe-step-ssh/templates/fetchca-ingress.yaml b/charts/spiffe-step-ssh/templates/fetchca-ingress.yaml
new file mode 100644
index 000000000..3e69f1c67
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/fetchca-ingress.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.fetchCA.ingress.enabled -}}
+{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.fetchCA.ingress) }}
+{{- $fullName := printf "%s-fetchca" (include "spiffe-step-ssh.fullname" .) -}}
+{{- $path := "/" }}
+{{- $pathType := "Prefix" }}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.fetchCA.ingress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $path = "" }}
+{{-   $pathType = "ImplementationSpecific" }}
+{{-   $tlsSection = false }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.fetchCA.ingress "svcName" $fullName "port" .Values.fetchCA.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+{{- end }}
diff --git a/charts/spiffe-step-ssh/templates/fetchca-service.yaml b/charts/spiffe-step-ssh/templates/fetchca-service.yaml
new file mode 100644
index 000000000..bc56c475c
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/fetchca-service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: fetchca
+spec:
+  type: {{ .Values.fetchCA.service.type }}
+  ports:
+    - port: {{ .Values.fetchCA.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "spiffe-step-ssh.selectorLabels" . | nindent 4 }}
diff --git a/charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml b/charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml
new file mode 100644
index 000000000..4c853f31f
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml b/charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml
new file mode 100644
index 000000000..50af2003a
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-certificate-issuer-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}
diff --git a/charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml b/charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml
new file mode 100644
index 000000000..99910ccd8
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}
diff --git a/charts/spiffe-step-ssh/templates/step-certs-configmap.yaml b/charts/spiffe-step-ssh/templates/step-certs-configmap.yaml
new file mode 100644
index 000000000..d800d256a
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/step-certs-configmap.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-certs
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  "root_ca.crt": |
+    {{- .Values.inject.certificates.root_ca | nindent 4}}
+  "intermediate_ca.crt": |
+    {{ .Values.inject.certificates.intermediate_ca | nindent 4}}
+  "ssh_host_ca_key.pub": |
+    {{ .Values.inject.certificates.ssh_host_ca | nindent 4 }}
+  "ssh_user_ca_key.pub": |
+    {{ .Values.inject.certificates.ssh_user_ca | nindent 4 }}
diff --git a/charts/spiffe-step-ssh/templates/step-config.yaml b/charts/spiffe-step-ssh/templates/step-config.yaml
new file mode 100644
index 000000000..ee3a6c28e
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/step-config.yaml
@@ -0,0 +1,32 @@
+{{- define "spiffe-step-ssh.config-provisioners" }}
+type: X5C
+name: "x5c@spiffe"
+roots: ""
+claims:
+  maxTLSCertDuration: {{ .Values.maxTLSCertDuration | quote }}
+  defaultTLSCertDuration: {{ .Values.defaultTLSCertDuration | quote }}
+  disableRenewal: true
+  enableSSHCA: true
+disableCustomSANs: true
+options:
+ ssh:
+   templateFile: /home/step/config/ssh_x5c.tpl
+{{- end }}
+{{ $ca := deepCopy (index .Values.inject.config.files "ca.json") }}
+{{ $_ := set $ca.authority "provisioners" (list (include "spiffe-step-ssh.config-provisioners" . | fromYaml )) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  "ca.json": |
+    {{- $ca | toPrettyJson | nindent 4 }}
+  "defaults.json": |
+    {{- index .Values.inject.config.files "defaults.json" | toPrettyJson | nindent 4 }}
+{{- if eq .Values.trustDomain "" }}
+{{-   fail "You must set trustDomain" }}
+{{- end }}
+  "ssh_x5c.tpl": |
+    {{- .Files.Get "files/ssh_x5c.tpl" | replace "@TRUST_DOMAIN@" .Values.trustDomain | replace "@PREFIX@" .Values.prefix | nindent 4}}
diff --git a/charts/spiffe-step-ssh/templates/step-ingress.yaml b/charts/spiffe-step-ssh/templates/step-ingress.yaml
new file mode 100644
index 000000000..f02ee5796
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/step-ingress.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.stepIngress.enabled -}}
+{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.stepIngress) }}
+{{- $fullName := printf "%s" (include "spiffe-step-ssh.fullname" .) -}}
+{{- $path := "/" }}
+{{- $pathType := "Prefix" }}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.stepIngress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $path = "" }}
+{{-   $pathType = "ImplementationSpecific" }}
+{{-   $tlsSection = false }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.stepIngress "svcName" $fullName "port" .Values.step.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+{{- end }}
diff --git a/charts/spiffe-step-ssh/templates/step-secret.yaml b/charts/spiffe-step-ssh/templates/step-secret.yaml
new file mode 100644
index 000000000..7d921f621
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/step-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-secrets
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  root_ca_key: {{ .Values.inject.secrets.x509.root_ca_key | b64enc }}
+  intermediate_ca_key: {{ .Values.inject.secrets.x509.intermediate_ca_key | b64enc }}
+  ssh_host_ca_key: {{ .Values.inject.secrets.ssh.host_ca_key | b64enc }}
+  ssh_user_ca_key: {{ .Values.inject.secrets.ssh.user_ca_key | b64enc }}
diff --git a/charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml b/charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml
new file mode 100644
index 000000000..4e5c07948
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-host-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}
diff --git a/charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml b/charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml
new file mode 100644
index 000000000..1ce44c553
--- /dev/null
+++ b/charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-user-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}
diff --git a/charts/spiffe-step-ssh/values.yaml b/charts/spiffe-step-ssh/values.yaml
new file mode 100644
index 000000000..bdbea920f
--- /dev/null
+++ b/charts/spiffe-step-ssh/values.yaml
@@ -0,0 +1,292 @@
+# Default values for spiffe-step-ssh.
+# SPDX-License-Identifier: APACHE-2.0
+
+global:
+  spiffe:
+    ## @param global.spiffe.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+    ingressControllerType: ""
+
+## @param trustDomain The trust domain for SPIRE
+trustDomain: ""
+## @param caPassword Password securing the SSH CA
+caPassword: ""
+## @param maxTLSCertDuration The maximum duration the X5C traded cert is valid for.
+maxTLSCertDuration: 24h
+## @param defaultTLSCertDuration The default duration the X5C traded cert is valid for.
+defaultTLSCertDuration: 1h
+## @param prefix Prefix where hosts show up that are allowed to get ssh host certs
+prefix: sshd
+## @param csiDriver The csi driver to use
+csiDriver: csi.spiffe.io
+
+## @skip inject
+## These will be generated by the step-ca tool
+inject:
+  secrets:
+    x509:
+      root_ca_key: ""
+      intermediate_ca_key: ""
+    ssh:
+      host_ca_key: ""
+      user_ca_key: ""
+  config:
+    files:
+      ca.json:
+        authority: {}
+  certificates:
+    root_ca: ""
+    intermediate_ca: ""
+    ssh_host_ca: ""
+    ssh_user_ca: ""
+
+stepIngress:
+  ## @param stepIngress.enabled Flag to enable ingress
+  enabled: false
+  ## @param stepIngress.className Ingress class name
+  className: ""
+  ## @param stepIngress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+  controllerType: ""
+  ## @param stepIngress.annotations [object] Annotations for the ingress object
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    # If Profile Type == https_spiffe:
+    # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+  ## @param stepIngress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+  host: "spiffe-step-ssh"
+
+  ## @param stepIngress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+  tlsSecret: ""
+
+  ## @param stepIngress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+  hosts: []
+  #  - host: spiffe-step-ssh.example.org
+  #    paths:
+  #      - path: /
+  #        pathType: Prefix
+
+  ## @param stepIngress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+  tls: []
+  #  - hosts:
+  #      - spiffe-step-ssh.example.org
+
+## @skip step
+step:
+  service:
+    port: 443
+    targetPort: 8443
+  inject:
+    enabled: false
+  bootstrap:
+    enabled: false
+    configmaps: false
+    secrets: false
+  existingSecrets:
+    enabled: true
+    ca: true
+    issuer: true
+    certsAsSecret: false
+    configAsSecret: false
+    sshHostCa: true
+    sshUserCa: true
+
+spiffeHelper:
+  ## @param spiffeHelper.image.registry The OCI registry to pull the image from
+  ## @param spiffeHelper.image.repository The repository within the registry
+  ## @param spiffeHelper.image.pullPolicy The image pull policy
+  ## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: ghcr.io
+    repository: spiffe/spiffe-helper
+    pullPolicy: IfNotPresent
+    tag: 0.8.0
+
+nginx:
+  ## @param nginx.image.registry The OCI registry to pull the image from
+  ## @param nginx.image.repository The repository within the registry
+  ## @param nginx.image.pullPolicy The image pull policy
+  ## @param nginx.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: nginxinc/nginx-unprivileged
+    pullPolicy: IfNotPresent
+    tag: 1.25.3-alpine
+
+kubectl:
+  ## @param kubectl.image.registry The OCI registry to pull the image from
+  ## @param kubectl.image.repository The repository within the registry
+  ## @param kubectl.image.pullPolicy The image pull policy
+  ## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: rancher/kubectl
+    pullPolicy: IfNotPresent
+    tag: ""
+
+yq:
+  ## @param yq.image.registry The OCI registry to pull the image from
+  ## @param yq.image.repository The repository within the registry
+  ## @param yq.image.pullPolicy The image pull policy
+  ## @param yq.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: mikefarah/yq
+    pullPolicy: IfNotPresent
+    tag: "4.40.5"
+
+busybox:
+  ## @param busybox.image.registry The OCI registry to pull the image from
+  ## @param busybox.image.repository The repository within the registry
+  ## @param busybox.image.pullPolicy The image pull policy
+  ## @param busybox.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: busybox
+    pullPolicy: IfNotPresent
+    tag: "1.36.1-uclibc"
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param podAnnotations [object] Additional pod annotations to add
+podAnnotations: {}
+## @param podLabels [object] Additional pod labels to add
+podLabels: {}
+
+## @param podSecurityContext [object} Specify pod security context settings
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Specify container security context settings
+securityContext:
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+  # FIXME
+  runAsUser: 0
+
+fetchCA:
+  ## @param fetchCA.replicaCount Number of replicas to launch
+  replicaCount: 1
+
+  ## @param fetchCA.service.type The type of service to deploy
+  ## @param fetchCA.service.port The port number of the service port
+  service:
+    type: ClusterIP
+    port: 443
+
+  ingress:
+    ## @param fetchCA.ingress.enabled Flag to enable ingress
+    enabled: false
+    ## @param fetchCA.ingress.className Ingress class name
+    className: ""
+    ## @param fetchCA.ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+    controllerType: ""
+    ## @param fetchCA.ingress.annotations [object] Annotations for the ingress object
+    annotations: {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+      # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+      # If Profile Type == https_spiffe:
+      # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+    ## @param fetchCA.ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+    host: "spiffe-step-ssh-fetchca"
+
+    ## @param fetchCA.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+    tlsSecret: ""
+
+    ## @param fetchCA.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+    hosts: []
+    #  - host: spiffe-step-ssh-fetchca.example.org
+    #    paths:
+    #      - path: /
+    #        pathType: Prefix
+
+    ## @param fetchCA.ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+    tls: []
+    #  - hosts:
+    #      - spiffe-step-ssh-fetchca.example.org
+
+  ## @param fetchCA.autoscaling.enabled Enable autoscaling
+  ## @param fetchCA.autoscaling.minReplicas Minimum number of replicas to deploy
+  ## @param fetchCA.autoscaling.maxReplicas Maximum number of replicas to deploy
+  ## @param fetchCA.autoscaling.targetCPUUtilizationPercentage Target CPU utilization to use for autoscaling
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 100
+    targetCPUUtilizationPercentage: 80
+    # targetMemoryUtilizationPercentage: 80
+
+  ## @param fetchCA.resources [object] Specify resources
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+  spiffeHelper:
+    ## @param fetchCA.spiffeHelper.resources [object] Specify resources for the SPIFFE helper
+    resources: {}
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+      # requests:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+  ## @param fetchCA.nodeSelector [object] Specify node selector
+  nodeSelector: {}
+
+  ## @param fetchCA.tolerations [array] Specify tolerations
+  tolerations: []
+
+  ## @param fetchCA.affinity [object] Specify affinity
+  affinity: {}
+
+config:
+  ## @param config.resources [object] Specify resources
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+  ## @param config.nodeSelector [object] Specify node selector
+  nodeSelector: {}
+
+  ## @param config.tolerations [array] Specify tolerations
+  tolerations: []
+
+  ## @param config.affinity [object] Specify affinity
+  affinity: {}
diff --git a/tests/integration/spiffe-step-ssh/ingress-values.yaml b/tests/integration/spiffe-step-ssh/ingress-values.yaml
new file mode 100644
index 000000000..d41f117bd
--- /dev/null
+++ b/tests/integration/spiffe-step-ssh/ingress-values.yaml
@@ -0,0 +1,8 @@
+global:
+  spiffe:
+    ingressControllerType: ingress-nginx
+stepIngress:
+  enabled: true
+fetchCA:
+  ingress:
+    enabled: true
diff --git a/tests/integration/spiffe-step-ssh/root-values.yaml b/tests/integration/spiffe-step-ssh/root-values.yaml
new file mode 100644
index 000000000..21c727c1c
--- /dev/null
+++ b/tests/integration/spiffe-step-ssh/root-values.yaml
@@ -0,0 +1,45 @@
+tags:
+  nestedRoot: true
+
+spiffe-oidc-discovery-provider:
+  ingress:
+    enabled: true
+
+internal-spire-server:
+  controllerManager:
+    identities:
+      clusterSPIFFEIDs:
+        default:
+          enabled: false
+        spiffe-step-ssh-config:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              #FIXME move these
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: config
+        spiffe-step-ssh-fetchca:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: fetchca
+          dnsNameTemplates:
+          - "spiffe-step-ssh-fetchca.{{ .TrustDomain }}"
+
+external-spire-server:
+  ingress:
+    enabled: true
+  nodeAttestor:
+    httpChallenge:
+      enabled: true
+      allowedDNSPatterns:
+      - ".*\\.production\\.other"
+      allowNonRootPorts: false
+      tofu: false
diff --git a/tests/integration/spiffe-step-ssh/run-tests.sh b/tests/integration/spiffe-step-ssh/run-tests.sh
new file mode 100755
index 000000000..109792dd7
--- /dev/null
+++ b/tests/integration/spiffe-step-ssh/run-tests.sh
@@ -0,0 +1,170 @@
+#!/usr/bin/env bash
+
+set -xe
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+TESTDIR="${SCRIPTPATH}/../../../.github/tests"
+#DEPS="${TESTDIR}/dependencies"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../../../.github/scripts/parse-versions.sh"
+# shellcheck source=/dev/null
+source "${TESTDIR}/common.sh"
+
+CLEANUP=1
+
+for i in "$@"; do
+  case $i in
+    -c)
+      CLEANUP=0
+      shift # past argument=value
+      ;;
+  esac
+done
+
+teardown() {
+  set +e
+  ls -l /var/run/spiffe/step-ssh/main
+  ls -l /etc/ssh/sshd_config.d
+  openssl s_client -servername spiffe-step-ssh-fetchca.production.other -connect spiffe-step-ssh-fetchca.production.other:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
+  echo spire-agent logs:S
+  journalctl -u spire-agent@main
+  echo spiffe-step-ssh logs:
+  journalctl -u spiffe-step-ssh@main
+  echo step pod:
+  kubectl logs statefulset/spiffe-step-ssh
+  echo fetchca pod:
+  kubectl logs deploy/spiffe-step-ssh-fetchca
+  echo config pod:
+  kubectl logs deploy/spiffe-step-ssh-config
+  echo ingress
+  kubectl get ingress
+  echo describe pods:
+  kubectl describe pods
+  print_helm_releases
+  print_spire_workload_status spire-root-server
+  print_spire_workload_status spire-server spire-system
+
+  if [[ "$1" -ne 0 ]]; then
+    get_namespace_details spire-root-server
+    get_namespace_details spire-server spire-system
+  fi
+
+  if [ "${CLEANUP}" -eq 1 ]; then
+    helm uninstall --namespace spire-server spire 2>/dev/null || true
+    kubectl delete ns spire-server 2>/dev/null || true
+    kubectl delete ns spire-system 2>/dev/null || true
+
+    helm uninstall --namespace mysql spire-root-server 2>/dev/null || true
+    kubectl delete ns spire-root-server 2>/dev/null || true
+  fi
+}
+
+trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT
+
+echo Network interfaces:
+ip a
+
+HIP="$(ip -4 addr show docker0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')"
+
+echo "Picked IP ${HIP}"
+
+echo "${HIP} test.production.other" | sudo bash -c 'cat >> /etc/hosts'
+
+sudo adduser spiffe-test
+sudo -u spiffe-test mkdir -p /home/spiffe-test/.ssh
+sudo chown spiffe-test --recursive /home/spiffe-test
+sudo -u spiffe-test ssh-keygen -t ed25519 -f /home/spiffe-test/.ssh/id_ed25519 -q -N ""
+sudo -u spiffe-test chmod 600 /home/spiffe-test/.ssh/id_ed25519
+sudo -u spiffe-test cp /home/spiffe-test/.ssh/id_ed25519.pub /home/spiffe-test/.ssh/authorized_keys
+sudo -u spiffe-test ssh -T -n -i /home/spiffe-test/.ssh/id_ed25519 spiffe-test@test.production.other hostname || echo Expected fail here
+
+# Update deps
+helm dep up charts/spire-nested
+
+# List nodes
+kubectl get nodes
+
+# Deploy an ingress controller
+IP=$(kubectl get nodes chart-testing-control-plane -o go-template='{{ range .status.addresses }}{{ if eq .type "InternalIP" }}{{ .address }}{{ end }}{{ end }}')
+helm upgrade --install ingress-nginx ingress-nginx --version "$VERSION_INGRESS_NGINX" --repo "$HELM_REPO_INGRESS_NGINX" \
+  --namespace ingress-nginx \
+  --create-namespace \
+  --set "controller.extraArgs.enable-ssl-passthrough=,controller.admissionWebhooks.enabled=false,controller.service.type=ClusterIP,controller.service.externalIPs[0]=$IP" \
+  --set controller.ingressClassResource.default=true \
+  --wait
+
+# Test the ingress controller. Should 404 as there is no services yet.
+common_test_url "$IP"
+
+kubectl get configmap -n kube-system coredns -o yaml | grep hosts || kubectl get configmap -n kube-system coredns -o yaml | sed "/ready/a\        hosts {\n           fallthrough\n        }" | kubectl apply -f -
+kubectl get configmap -n kube-system coredns -o yaml | grep test.production.other || kubectl get configmap -n kube-system coredns -o yaml | sed "/hosts/a\           $IP oidc-discovery.production.other\n           $IP spire-server.production.other\n           $HIP test.production.other\n" | kubectl apply -f -
+kubectl rollout restart -n kube-system deployment/coredns
+kubectl rollout status -n kube-system -w --timeout=1m deploy/coredns
+
+helm upgrade --install --create-namespace --namespace spire-mgmt --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/root-values.yaml" \
+  --wait spire charts/spire-nested \
+  --set "global.spire.namespaces.create=true" \
+  --set "global.spire.ingressControllerType=ingress-nginx"
+
+kubectl get pods -n spire-server
+kubectl exec -it -n spire-server spire-external-server-0 -- spire-server entry create -parentID spiffe://production.other/spire/agent/http_challenge/test.production.other -spiffeID spiffe://production.other/sshd/test.production.other -selector systemd:id:spiffe-step-ssh@main.service
+
+ENTRIES="$(kubectl exec -i -n spire-server spire-external-server-0 -- spire-server entry show)"
+
+if [[ "${ENTRIES}" == "Found 0 entries" ]]; then
+  echo "${ENTRIES}"
+  exit 1
+fi
+
+kubectl get ingress -n spire-server
+
+echo "${IP} spire-server.production.other spiffe-step-ssh.production.other spiffe-step-ssh-fetchca.production.other" | sudo bash -c 'cat >> /etc/hosts'
+echo Hosts:
+cat /etc/hosts
+
+curl -L https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/scripts/demo.sh | sudo bash
+
+sudo mkdir -p /usr/libexec/spiffe-step-ssh
+sudo mkdir -p /etc/systemd/system/sshd.service.d
+sudo curl -L -o /usr/libexec/spiffe-step-ssh/update.sh https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/scripts/update.sh
+sudo curl -L -o /etc/systemd/system/spiffe-step-ssh@.service https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/systemd/spiffe-step-ssh@.service
+sudo curl -L -o /etc/systemd/system/spiffe-step-ssh-cleanup.service https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/systemd/spiffe-step-ssh-cleanup.service
+sudo curl -L -o /etc/systemd/system/sshd.service.d/10-spiffe-step-ssh.conf https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/conf/10-spiffe-step-ssh.conf
+
+sudo mkdir -p /etc/spire/agent
+sudo cp "${SCRIPTPATH}/spire-agent.conf" /etc/spire/agent/main.conf
+
+PASSWORD=$(openssl rand -base64 48)
+echo "$PASSWORD" > spiffe-step-ssh-password.txt
+step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.production.other --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml
+
+# Start things up
+sudo systemctl daemon-reload
+sudo systemctl enable spire-agent@main
+sudo systemctl start spire-agent@main
+
+pushd charts/spiffe-step-ssh
+helm dep up
+popd
+
+helm upgrade --install spiffe-step-ssh charts/spiffe-step-ssh --set caPassword="$(cat spiffe-step-ssh-password.txt)" -f spiffe-step-ssh-values.yaml -f "${SCRIPTPATH}/ingress-values.yaml" --set trustDomain=production.other --wait --timeout 10m
+
+# Is fetchca responding.
+kubectl get configmap -n spire-system spire-bundle-downstream -o go-template='{{ index .data "bundle.crt" }}' > /tmp/ca.pem
+cat /tmp/ca.pem
+curl https://spiffe-step-ssh-fetchca.production.other -s --cacert /tmp/ca.pem
+
+sudo systemctl start spiffe-step-ssh@main
+
+# This is bad, but only for testing. Don't do this at home
+sudo chmod 777  "/var/run/spiffe/"
+sudo chmod 777  "/var/run/spiffe/step-ssh/"
+sudo chmod 777  "/var/run/spiffe/step-ssh/main/"
+common_test_file_exists "/var/run/spiffe/step-ssh/main/ssh_host_rsa_key-cert.pub"
+
+kubectl get configmap spiffe-step-ssh-certs -o 'go-template={{ index .data "ssh_host_ca_key.pub" }}' | sed '/^$/d; s/^/@cert-authority *.production.other /' | sudo -u spiffe-test dd of=/home/spiffe-test/.ssh/known_hosts
+sudo -u spiffe-test cat /home/spiffe-test/.ssh/known_hosts
+
+sudo -u spiffe-test ssh -T -n -i /home/spiffe-test/.ssh/id_ed25519 spiffe-test@test.production.other hostname
diff --git a/tests/integration/spiffe-step-ssh/spire-agent.conf b/tests/integration/spiffe-step-ssh/spire-agent.conf
new file mode 100644
index 000000000..4c5a9f441
--- /dev/null
+++ b/tests/integration/spiffe-step-ssh/spire-agent.conf
@@ -0,0 +1,25 @@
+agent {
+    log_level = "DEBUG"
+    trust_domain = "production.other"
+    server_address = "spire-server.production.other"
+    server_port = 443
+    # Insecure bootstrap is NOT appropriate for production use but is ok for
+    # simple testing/evaluation purposes.
+    insecure_bootstrap = true
+}
+plugins {
+   KeyManager "disk" {
+        plugin_data {
+            directory = "./"
+        }
+    }
+    NodeAttestor "http_challenge" {
+        plugin_data {
+            hostname = "test.production.other"
+            port = 81
+        }
+    }
+    WorkloadAttestor "systemd" {
+        plugin_data {}
+    }
+}