diff --git a/manifests/function/hostconfig-operator/kustomization.yaml b/manifests/function/hostconfig-operator/kustomization.yaml
index 56e20c48f..86f2903a6 100644
--- a/manifests/function/hostconfig-operator/kustomization.yaml
+++ b/manifests/function/hostconfig-operator/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - hostconfig.airshipit.org_hostconfigs_crd.yaml
 - rbac
 - deployment.yaml
+ - ssh-key.yaml
diff --git a/manifests/function/hostconfig-operator/replacements/kustomization.yaml b/manifests/function/hostconfig-operator/replacements/kustomization.yaml
new file mode 100644
index 000000000..bb1a72699
--- /dev/null
+++ b/manifests/function/hostconfig-operator/replacements/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ssh-key-replacement.yaml
diff --git a/manifests/function/hostconfig-operator/replacements/ssh-key-replacement.yaml b/manifests/function/hostconfig-operator/replacements/ssh-key-replacement.yaml
new file mode 100644
index 000000000..8626c6861
--- /dev/null
+++ b/manifests/function/hostconfig-operator/replacements/ssh-key-replacement.yaml
@@ -0,0 +1,21 @@
+# These rules inject env vars into the k8scontrol function.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+ name: hco-generated-ssh-key-replacements
+ annotations:
+ config.kubernetes.io/function: |-
+ container:
+ image: quay.io/airshipit/replacement-transformer:v2.0.2
+replacements:
+- source:
+ objref:
+ kind: VariableCatalogue
+ name: generated-secrets
+ fieldref: "{.sshKeys.privateKey}"
+ target:
+ objref:
+ kind: Secret
+ name: hco-ssh-auth
+ fieldrefs:
+ - "data.ssh-privatekey%REPLACEMENT_SSH_PRIVATEKEY%"
diff --git a/manifests/function/hostconfig-operator/ssh-key.yaml b/manifests/function/hostconfig-operator/ssh-key.yaml
new file mode 100644
index 000000000..730444857
--- /dev/null
+++ b/manifests/function/hostconfig-operator/ssh-key.yaml
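Review bot: The header comment in ssh-key-replacement.yaml says the rules "inject env vars into the k8scontrol function", but the only rule copies `.sshKeys.privateKey` from the `generated-secrets` catalogue into the `hco-ssh-auth` Secret; it should read something like `# Injects the generated SSH private key into the hco-ssh-auth Secret used by hostconfig-operator.` The target field is `data.ssh-privatekey`, and Secret `data` values must be base64, so this only works if the catalogue already stores the key base64-encoded; that is not visible in this change and is worth confirming (`stringData` is the field for plain text). The transformer image that handles the key is referenced by the tag `v2.0.2` only; pinning it by digest would make the component that touches the private key reproducible.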
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: hco-ssh-auth
+type: kubernetes.io/ssh-auth
+data:
+ ssh-privatekey: REPLACEMENT_SSH_PRIVATEKEY
+ username: ZGVwbG95ZXIK
+
diff --git a/manifests/site/test-site/target/initinfra/kustomization.yaml b/manifests/site/test-site/target/initinfra/kustomization.yaml
index 5669403d8..eefc27230 100644
--- a/manifests/site/test-site/target/initinfra/kustomization.yaml
+++ b/manifests/site/test-site/target/initinfra/kustomization.yaml
@@ -3,5 +3,6 @@ resources:
 - ../catalogues
 transformers:
 - ../../../../type/airship-core/target/initinfra/replacements
+ - ../../../../function/hostconfig-operator/replacements
 - ../../../../../../airshipctl/manifests/function/flux/source-controller/replacements
 - ../../../../../../airshipctl/manifests/function/flux/helm-controller/replacements
diff --git a/tools/deployment/31_deploy_initinfra_target_node.sh b/tools/deployment/31_deploy_initinfra_target_node.sh
index fd8ce475b..c0280fa0e 100755
--- a/tools/deployment/31_deploy_initinfra_target_node.sh
+++ b/tools/deployment/31_deploy_initinfra_target_node.sh
@@ -34,3 +34,24 @@ kubectl \
 ./tools/deployment/31_deploy_initinfra_target_node.sh
+hosts=$(`kubectl \
+ --kubeconfig $KUBECONFIG \
+ --context $KUBECONFIG_TARGET_CONTEXT \
+ --request-timeout 10s get nodes -o name`)
+
+# Annotate node for hostconfig-operator
+for i in "${!hosts[@]}"
+do
+ kubectl \
+ --kubeconfig $KUBECONFIG \
+ --context $KUBECONFIG_TARGET_CONTEXT \
+ --request-timeout 10s annotate ${hosts[i]} secret=hco-ssh-auth
+ kubectl \
+ --kubeconfig $KUBECONFIG \
+ --context $KUBECONFIG_TARGET_CONTEXT \
+ --request-timeout 10s label ${hosts[i]} node-type=controlplane
+ kubectl \
+ --kubeconfig $KUBECONFIG \
+ --context $KUBECONFIG_TARGET_CONTEXT \
+ --request-timeout 10s label ${hosts[i]} kubernetes.io/role=master
+done
diff --git a/tools/deployment/34_deploy_worker_node.sh b/tools/deployment/34_deploy_worker_node.sh
index 3e71e1810..b93bb883f 100755
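Review bot: In ssh-key.yaml, `username: ZGVwbG95ZXIK` decodes to `deployer` followed by a line feed, so a consumer that uses the value verbatim as the SSH login name gets a trailing newline; `username: ZGVwbG95ZXI=` encodes the name without it. The `ssh-privatekey` placeholder `REPLACEMENT_SSH_PRIVATEKEY` is not valid base64 because of the underscores, so a site that pulls in this function without the `replacements` transformer should have the Secret rejected rather than applied with a dummy key. A comment above `data:` such as `# ssh-privatekey is filled in by the hco-generated-ssh-key-replacements transformer` would make that dependency explicit.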
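Review bot: The `hosts=` assignment in 31_deploy_initinfra_target_node.sh nests a backtick substitution inside `$( )`, so the shell runs kubectl and then tries to execute its output (the node names) as a command; `hosts` does not end up holding the node list that the loop over `"${!hosts[@]}"` expects. Build an array instead, e.g. `hosts=($(kubectl --kubeconfig "$KUBECONFIG" --context "$KUBECONFIG_TARGET_CONTEXT" --request-timeout 10s get nodes -o name))`, and quote `"${hosts[i]}"` and the two variables inside the loop. The same construct is repeated in the second hunk of tools/deployment/34_deploy_worker_node.sh. Because the query is an unfiltered `get nodes`, every node present at that point receives the `hco-ssh-auth` annotation and the control-plane labels; presumably only control-plane nodes exist in this phase, and a comment saying so would help.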
--- a/tools/deployment/34_deploy_worker_node.sh
+++ b/tools/deployment/34_deploy_worker_node.sh
@@ -14,6 +14,8 @@ set -ex
+export KUBECONFIG=${KUBECONFIG:-"$HOME/.airship/kubeconfig"}
+export KUBECONFIG_TARGET_CONTEXT=${KUBECONFIG_TARGET_CONTEXT:-"target-cluster"}
 : ${AIRSHIPCTL_PROJECT:="../airshipctl"}
 export WORKER_NODE=${WORKER_NODE:-"$(airshipctl phase render workers-target \
@@ -23,3 +25,21 @@ export WORKER_NODE=${WORKER_NODE:-"$(airshipctl phase render workers-target \
 cd ${AIRSHIPCTL_PROJECT}
 ./tools/deployment/34_deploy_worker_node.sh
+
+hosts=$(`kubectl \
+ --kubeconfig $KUBECONFIG \
+ --context $KUBECONFIG_TARGET_CONTEXT \
+ --request-timeout 10s get nodes -o name`)
+
+# Annotate node for hostconfig-operator
+for i in "${!hosts[@]}"
+do
+ kubectl \
+ --kubeconfig $KUBECONFIG \
+ --context $KUBECONFIG_TARGET_CONTEXT \
+ --request-timeout 10s annotate ${hosts[i]} secret=hco-ssh-auth
+ kubectl \
+ --kubeconfig $KUBECONFIG \
+ --context $KUBECONFIG_TARGET_CONTEXT \
+ --request-timeout 10s label ${hosts[i]} kubernetes.io/role=master
+done
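Review bot: The loop at the end of 34_deploy_worker_node.sh applies `kubernetes.io/role=master` to every node returned by an unfiltered `get nodes`, so the newly deployed workers would be labelled as masters alongside the control plane. If hostconfig-operator or any selector keys on that label, worker hosts end up in the control-plane group; this looks copied from the initinfra script rather than intended. Restricting the loop to the worker and using a worker-specific label value would avoid it. The script already exports `WORKER_NODE`, but whether that variable holds a node name is not visible in this hunk.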