diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
deleted file mode 100644
index 0645c09e5..000000000
--- a/.github/workflows/docker-hub.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: Publish Docker
-on: [push]
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@master
- - name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@master
- with:
- name: ${{ secrets.DOCKER_USERNAME }}/tapiriik
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/docker-kubernetes.yml b/.github/workflows/docker-kubernetes.yml
new file mode 100644
index 000000000..7329f6618
--- /dev/null
+++ b/.github/workflows/docker-kubernetes.yml
@@ -0,0 +1,38 @@
+name: Docker build and push, Kubernetes apply
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Docker Login
+ uses: docker/login-action@v1.6.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Kubernetes set context
+ uses: Azure/k8s-set-context@v1
+ with:
+ method: kubeconfig
+ kubeconfig: ${{ secrets.KUBE_CONFIG }}
+
+ - name: Docker build and push
+ run: |
+ docker build --tag ${{ secrets.DOCKER_USERNAME }}/tapiriik:${{ github.sha }} .
+ docker push ${{ secrets.DOCKER_USERNAME }}/tapiriik:${{ github.sha }}
+
+ - name: kubectl apply
+ # NB: the secrets need to be friendly to sed, eg & should be escaped as \&
+ run: |
+ sed -i'' -e 's#WEB_ROOT#${{ secrets.WEB_ROOT }}#g' -e 's/ALLOWED_HOSTS/${{ secrets.ALLOWED_HOSTS }}/g' -e 's#REDIS_HOST#${{ secrets.REDIS_HOST }}#g' -e 's#RABBITMQ_BROKER_URL#${{ secrets.RABBITMQ_BROKER_URL }}#g' -e 's#MONGO_HOST#${{ secrets.MONGO_HOST }}#g' -e 's/RUNKEEPER_CLIENT_ID/${{ secrets.RUNKEEPER_CLIENT_ID }}/g' -e 's/RUNKEEPER_CLIENT_SECRET/${{ secrets.RUNKEEPER_CLIENT_SECRET }}/g' -e 's/DROPBOX_APP_KEY/${{ secrets.DROPBOX_APP_KEY }}/g' -e 's/DROPBOX_APP_SECRET/${{ secrets.DROPBOX_APP_SECRET }}/g' -e 's/DROPBOX_FULL_APP_KEY/${{ secrets.DROPBOX_FULL_APP_KEY }}/g' -e 's/DROPBOX_FULL_APP_SECRET/${{ secrets.DROPBOX_FULL_APP_SECRET }}/g' -e 's/STRAVA_CLIENT_ID/${{ secrets.STRAVA_CLIENT_ID }}/g' -e 's/STRAVA_CLIENT_SECRET/${{ secrets.STRAVA_CLIENT_SECRET }}/g' -e 's/SPORTTRACKS_CLIENT_ID/${{ secrets.SPORTTRACKS_CLIENT_ID }}/g' -e 's/SPORTTRACKS_CLIENT_SECRET/${{ secrets.SPORTTRACKS_CLIENT_SECRET }}/g' -e 's/RWGPS_APIKEY/${{ secrets.RWGPS_APIKEY }}/g' kubernetes-secrets.yml
+ sed -i'' -e 's/tapiriik:latest/tapiriik:${{ github.sha }}/g' kubernetes.yml
+ kubectl apply -f kubernetes-secrets.yml --namespace tapiriik
+ kubectl apply -f kubernetes.yml --namespace tapiriik
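Review bot: In the `kubectl apply` step every `${{ secrets.* }}` value is pasted into the script text before the shell parses it, so a secret containing `'` ends the sed expression and the rest is read as shell, and one containing the chosen delimiter (`/` or `#`) or `&` corrupts the substitution; the NB comment covers only the sed side. The substituted values also land unescaped inside the double-quoted scalars of `kubernetes-secrets.yml`, where `"` and `\` change the YAML. Passing the secrets through `env:` and letting kubectl build the Secret removes all three quoting layers and keeps the plaintext out of the runner's working tree. Separately, `docker/login-action@v1.6.0` and `Azure/k8s-set-context@v1` are mutable tags on steps that receive the registry password and the kubeconfig; pinning them to a full commit SHA is worth considering.

```yaml
      - name: kubectl apply
        env:
          WEB_ROOT: ${{ secrets.WEB_ROOT }}
          ALLOWED_HOSTS: ${{ secrets.ALLOWED_HOSTS }}
          # … one entry per remaining secret, same pattern …
        run: |
          # one --from-literal per key of tapiriik-secret; two shown
          kubectl create secret generic tapiriik-secret --namespace tapiriik \
            --from-literal=web-root="$WEB_ROOT" \
            --from-literal=allowed-hosts="$ALLOWED_HOSTS" \
            --dry-run=client -o yaml | kubectl apply --namespace tapiriik -f -
          # … unchanged: image-tag sed on kubernetes.yml, kubectl apply -f kubernetes.yml …
```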
diff --git a/README.md b/README.md
index 648cf3de9..a4d39ba6a 100644
--- a/README.md
+++ b/README.md
@@ -26,8 +26,9 @@ or don't use Redis at all (by not defining `REDIS_HOST`).
 To run on Kubernetes, eg [AKS](https://docs.microsoft.com/en-us/azure/aks/):
 - edit [`kubernetes-secrets.yml`](kubernetes-secrets.yml) (or a copy of it)
-- `kubectl apply -f kubernetes-secrets.yml`
-- `kubectl apply -f kubernetes.yml`
+- `kubectl apply -f kubernetes-secrets.yml --namespace tapiriik`
+- `kubectl apply -f kubernetes.yml --namespace tapiriik`
+- add [TLS ingress](https://docs.microsoft.com/en-us/azure/aks/ingress-tls)
 ## Want to help with development?
diff --git a/kubernetes-secrets.yml b/kubernetes-secrets.yml
index ce8d7ef96..78773b082 100644
--- a/kubernetes-secrets.yml
+++ b/kubernetes-secrets.yml
@@ -4,17 +4,19 @@ metadata:
 name: tapiriik-secret
 type: Opaque
 stringData:
- redis-host: "tapiriik-redis"
- rabbitmq-broker-url: "amqp://guest@tapiriik_rabbitmq//"
- mongo-host: "mongodb://root:example@tapiriik_mongo:27017/admin"
- runkeeper-client-id: "####"
- runkeeper-client-secret: "####"
- dropbox-app-key: "####"
- dropbox-app-secret: "####"
- dropbox-full-app-key: "####"
- dropbox-full-app-secret: "####"
- strava-client-id: "####"
- strava-client-secret: "####"
- sporttracks-client-id: "####"
- sporttracks-client-secret: "####"
- rwgps-api-key: "####"
\ No newline at end of file
+ web-root: "WEB_ROOT"
+ allowed-hosts: "ALLOWED_HOSTS"
+ redis-host: "REDIS_HOST"
+ rabbitmq-broker-url: "RABBITMQ_BROKER_URL"
+ mongo-host: "MONGO_HOST"
+ runkeeper-client-id: "RUNKEEPER_CLIENT_ID"
+ runkeeper-client-secret: "RUNKEEPER_CLIENT_SECRET"
+ dropbox-app-key: "DROPBOX_APP_KEY"
+ dropbox-app-secret: "DROPBOX_APP_SECRET"
+ dropbox-full-app-key: "DROPBOX_FULL_APP_KEY"
+ dropbox-full-app-secret: "DROPBOX_FULL_APP_SECRET"
+ strava-client-id: "STRAVA_CLIENT_ID"
+ strava-client-secret: "STRAVA_CLIENT_SECRET"
+ sporttracks-client-id: "SPORTTRACKS_CLIENT_ID"
+ sporttracks-client-secret: "SPORTTRACKS_CLIENT_SECRET"
+ rwgps-api-key: "RWGPS_APIKEY"
\ No newline at end of file
diff --git a/kubernetes.yml b/kubernetes.yml
index 54f57769f..cf1c8ebe7 100644
--- a/kubernetes.yml
+++ b/kubernetes.yml
@@ -59,7 +59,7 @@ spec:
 "beta.kubernetes.io/os": linux
 containers:
 - name: tapiriik-scheduler
- image: neilb27/tapiriik:kubernetes
+ image: neilb27/tapiriik:latest
 command: ["python3"]
 args: ["sync_scheduler.py"]
 resources:
@@ -161,7 +161,7 @@ spec:
 "beta.kubernetes.io/os": linux
 containers:
 - name: tapiriik-worker
- image: neilb27/tapiriik:kubernetes
+ image: neilb27/tapiriik:latest
 command: ["python3"]
 args: ["sync_worker.py"]
 resources:
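Review bot: The scheduler image becomes `neilb27/tapiriik:latest` here (and likewise for the worker at -161 and the web container at -265), but as far as this diff shows the new workflow pushes only `${{ secrets.DOCKER_USERNAME }}/tapiriik:${{ github.sha }}` and never a `latest` tag. A manual `kubectl apply -f kubernetes.yml`, as the README describes, would therefore pull a mutable tag this pipeline does not publish, and the CI rewrite `s/tapiriik:latest/…/` keeps the `neilb27/` prefix, so it names an image that exists only if `DOCKER_USERNAME` is that account. I would add a comment above each image line such as `# tag is rewritten to the commit SHA by .github/workflows/docker-kubernetes.yml`, and either push `latest` as well or derive the repository name in one place. The container specs continue outside these hunks.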
@@ -265,7 +265,7 @@ spec:
 "beta.kubernetes.io/os": linux
 containers:
 - name: tapiriik-web
- image: neilb27/tapiriik:kubernetes
+ image: neilb27/tapiriik:latest
 command: ["python3"]
 args: ["manage.py", "runserver", "0.0.0.0:80", "--insecure"]
 resources:
@@ -281,9 +281,15 @@ spec:
 - name: DEBUG
 value: "False"
 - name: WEB_ROOT
- value: "https://www.siiink.com/"
+ valueFrom:
+ secretKeyRef:
+ name: tapiriik-secret
+ key: web-root
 - name: ALLOWED_HOSTS
- value: "www.siiink.com"
+ valueFrom:
+ secretKeyRef:
+ name: tapiriik-secret
+ key: allowed-hosts
 - name: SOFT_LAUNCH_SERVICES
 value: "runkeeper,garminconnect,endomondo,trainingpeaks,trainasone,pulsstory,motivato,nikeplus,velohero,trainerroad,smashrun,beginnertriathlete,setio,singletracker,aerobia"
 - name: REDIS_HOST
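Review bot: `WEB_ROOT` and `ALLOWED_HOSTS` in the -281 hunk are deployment settings rather than credentials, so sourcing them with `secretKeyRef` means anyone who needs to check which hostnames the web pod accepts must be granted read access to `tapiriik-secret`, which also holds the OAuth client secrets. A ConfigMap referenced with `configMapKeyRef` would keep these two values inspectable without widening access to the Secret. If they stay in the Secret, a short comment above the first entry, e.g. `# not sensitive; kept in tapiriik-secret so CI can template all settings in one file`, would record why. The env list continues outside the hunk.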