diff --git a/.woodpecker.yml b/.woodpecker.yml
index 4d2963d..c62c25b 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -79,14 +79,14 @@ steps:
         from_secret: container_registry
       tags: 
         - server-latest
-        - server-${CI_COMMIT_SHA}
+        - server-${CI_COMMIT_TAG}
       username:
         from_secret: container_registry_username
       password:
         from_secret: container_registry_password
       dockerfile: Dockerfile-server
     when:
-      - event: [ push ]
+      - event: [ tag ]
 
   build-server-for-quay:
     depends_on: [generate-dtrack-api, generate-defectdojo]
@@ -106,4 +106,17 @@ steps:
       - event: [tag]
 
 
+  deploy:
+    image: portainer/kubectl-shell:latest
+    depends_on: [build-server]
+    environment:
+      KUBE_CONFIG_CONTENT:
+        from_secret: kube_config
+    commands:
+      - export IMAGE_TAG=$CI_COMMIT_TAG
+      - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
+      - export KUBECONFIG=/tmp/kubeconfig
+      - ./deployment/deploy.sh
+    when:
+      - event: [tag]
 
diff --git a/deployment/deploy-yml.tmpl b/deployment/deploy-yml.tmpl
new file mode 100644
index 0000000..98fb16d
--- /dev/null
+++ b/deployment/deploy-yml.tmpl
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dtrack-defectdojo-automation-server
+  labels:
+    app: dtrack-defectdojo-automation-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dtrack-defectdojo-automation-server
+  template:
+    metadata:
+      labels:
+        app: dtrack-defectdojo-automation-server
+    spec:
+      containers:
+        - name:dtrack-defectdojo-automation-server
+          image: %IMAGE%
+          ports:
+            - containerPort: 8000
+              protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dtrack-defectdojo-automation-server
+spec:
+  type: ClusterIP
+  selector:
+    app: dtrack-defectdojo-automation-server
+  ports:
+    - name: http
+      targetPort: 8000
+      port: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dtrack-defectdojo-automation-server
+spec:
+  tls:
+    - hosts:
+        - webservices.hottis.de
+      secretName: webservices-cert
+  rules:
+    - host: webservices.hottis.de
+      http:
+        paths:
+          - path: /sbom-integrator/v1/
+            pathType: Prefix
+            backend:
+              service:
+                name: dtrack-defectdojo-automation-server
+                port:
+                  number: 80
+
diff --git a/deployment/deploy.sh b/deployment/deploy.sh
new file mode 100755
index 0000000..6677b3f
--- /dev/null
+++ b/deployment/deploy.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [ "$IMAGE_TAG" == "" ]; then
+  echo "Make sure IMAGE_TAG is set"
+  exit 1
+fi
+
+IMAGE_NAME=gitea.hottis.de/wn/dtrack-defectdojo-automation-server
+NAMESPACE=webservices
+DEPLOYMENT_DIR=$PWD/deployment
+
+pushd $DEPLOYMENT_DIR >/dev/null
+
+kubectl create namespace $NAMESPACE \
+  --dry-run=client \
+  -o yaml |
+  kubectl -f - apply
+
+cat $DEPLOYMENT_DIR/deploy-yml.tmpl |
+  sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g |
+  kubectl apply -f - -n $NAMESPACE
+
+popd >/dev/null