From 232eea3cc818a2fbb2bda9fcbf576648132f39c2 Mon Sep 17 00:00:00 2001
From: Nabeel Sulieman <nabsul@users.noreply.github.com>
Date: Wed, 23 Feb 2022 20:50:21 -0800
Subject: [PATCH] Prepare V1 Release of KCert (#24)

* Start working towards V1

* Simplify configuration by using environment variables and removing direct access of K8s secret

* Tighten up the permissions given to the service

* Try a little fix

* Minor bug fix

* Remove dangling save button

* Fix double underscore

* Continue work towards managing ingresses

* Handle create/update of certs via ingresses, and retire the old UI based approach

* Update favicon, finish testing renewal flow

* Split out renewal and ingress watching services

* Another run through of cleanup and simplification

* Remove unused GH actions

* Fix the registry names

* Run code cleanup

* Revampt the documentation

* Try conditional for docker build

* Another refactor for action
---
 .dockerignore                          |   3 +-
 .github/workflows/build.yml            |  64 +++++---
 .github/workflows/main.yml             |  23 ---
 .github/workflows/pr.yml               |  20 ---
 .gitignore                             |   2 -
 Controllers/CertificateController.cs   |  67 ---------
 Controllers/ChallengeController.cs     |  34 -----
 Controllers/ConfigurationController.cs |  83 -----------
 Controllers/HomeController.cs          |  49 +++++-
 Controllers/HttpChallengeController.cs |  17 ++-
 Controllers/ManageController.cs        |  43 ------
 Dockerfile                             |   1 -
 KCert.csproj                           |   1 +
 Models/ConfigurationForm.cs            |  16 --
 Models/HomeViewModel.cs                |  30 ----
 Models/KCertParams.cs                  |  88 -----------
 Program.cs                             |  20 ++-
 README.md                              | 197 +++++++++++++++++++++++--
 ServiceAttribute.cs                    |   8 +-
 Services/AcmeClient.cs                 |   4 +-
 Services/BufferedLogger.cs             |   2 +-
 Services/CertClient.cs                 |  37 ++++-
 Services/EmailClient.cs                |  27 ++--
 Services/IngressMonitorService.cs      | 122 +++++++++++++++
 Services/K8sClient.cs                  |  96 +++++++-----
 Services/KCertClient.cs                |  63 ++++----
 Services/KCertConfig.cs                |  72 +++++++--
 Services/RenewalHandler.cs             |  12 +-
 Services/RenewalService.cs             |  33 +++--
 Views/Certificate/Edit.cshtml          |  68 ---------
 Views/Challenge/Index.cshtml           |  14 --
 Views/Configuration/Index.cshtml       |  98 ------------
 Views/Home/Challenge.cshtml            |  16 ++
 Views/Home/Configuration.cshtml        |  24 +++
 Views/Home/Home.cshtml                 |  52 +++++++
 Views/Home/Index.cshtml                |  48 ------
 Views/Manage/Index.cshtml              |  38 -----
 Views/Shared/_Layout.cshtml            |   8 +-
 appsettings.json                       |  32 ++--
 deploy.yml                             |  86 +++++++++--
 docker-compose.yml                     |  13 --
 wwwroot/favicon.ico                    | Bin 1150 -> 15406 bytes
 42 files changed, 827 insertions(+), 904 deletions(-)
 delete mode 100644 .github/workflows/main.yml
 delete mode 100644 .github/workflows/pr.yml
 delete mode 100644 Controllers/CertificateController.cs
 delete mode 100644 Controllers/ChallengeController.cs
 delete mode 100644 Controllers/ConfigurationController.cs
 delete mode 100644 Controllers/ManageController.cs
 delete mode 100644 Models/ConfigurationForm.cs
 delete mode 100644 Models/HomeViewModel.cs
 delete mode 100644 Models/KCertParams.cs
 create mode 100644 Services/IngressMonitorService.cs
 delete mode 100644 Views/Certificate/Edit.cshtml
 delete mode 100644 Views/Challenge/Index.cshtml
 delete mode 100644 Views/Configuration/Index.cshtml
 create mode 100644 Views/Home/Challenge.cshtml
 create mode 100644 Views/Home/Configuration.cshtml
 create mode 100644 Views/Home/Home.cshtml
 delete mode 100644 Views/Home/Index.cshtml
 delete mode 100644 Views/Manage/Index.cshtml
 delete mode 100644 docker-compose.yml

diff --git a/.dockerignore b/.dockerignore
index b30fde1..3da5c0a 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,7 @@
+.git
+.github
 .vs
 bin
 obj
 *.user
-net5.0
 kubeconfig
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 73dac16..0f84eda 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,15 +2,12 @@ name: Build KCert
 on:
   push:
     branches:
-      - 'main'
+    - 'main'
     tags:
-      - 'v*'
+    - 'v*'
   pull_request:
     branches:
-      - 'main'
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+    - 'main'
 
 jobs:
   build-and-push-image:
@@ -23,28 +20,55 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Log in to the Container registry
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+      - name: Extract metadata (tags, labels) for GHCR
+        id: meta_ghcr
+        uses: docker/metadata-action@v3
         with:
-          registry: ${{ env.REGISTRY }}
+          images: ghcr.io/nabsul/kcert
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=sha
+
+      - name: Log in to the GHCR registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io/nabsul/kcert
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Build and push GHCR image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta_ghcr.outputs.tags }}
+          labels: ${{ steps.meta_ghcr.outputs.labels }}
+
       - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        if: startsWith(github.ref, 'refs/tags/v')
+        id: meta_docker
+        uses: docker/metadata-action@v3
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: nabsul/kcert
           tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=sha
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}}
+
+      - name: Login to Docker Hub
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_TOKEN }}
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+      - name: Build and push Docker Hub image
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: docker/build-push-action@v2
         with:
           context: .
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta_docker.outputs.tags }}
+          labels: ${{ steps.meta_docker.outputs.labels }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index eaeb885..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Run on every pull request to check that it builds
-name: Main Branch Continuous Deploy
-on:
-  push:
-    branches: [ main ]
-  workflow_dispatch:
-jobs:
-  build:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-      - name: Build the Docker image
-        run: docker build -t kcert .
-      - name: Log into registry
-        run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u ${{ secrets.DOCKER_USER }} --password-stdin
-      - name: Push to registry
-        run: |
-          IMAGE=nabsul/kcert:main-`printf "%06g" ${{ github.run_number }}`
-          docker tag kcert $IMAGE
-          docker push $IMAGE
-          IMAGE=nabsul/kcert:main-latest
-          docker tag kcert $IMAGE
-          docker push $IMAGE
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
deleted file mode 100644
index fbe0986..0000000
--- a/.github/workflows/pr.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Run on every pull request to check that it builds
-name: Pull Request Validation
-on:
-  pull_request:
-    branches: [ main ]
-  workflow_dispatch:
-jobs:
-  build:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-      - name: Build the Docker image
-        run: docker build -t kcert .
-      - name: Log into registry
-        run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u ${{ secrets.DOCKER_USER }} --password-stdin
-      - name: Push to registry
-        run: |
-          IMAGE=nabsul/kcert:pr-${{ github.sha }}
-          docker tag kcert $IMAGE
-          docker push $IMAGE
diff --git a/.gitignore b/.gitignore
index 9bfd4b6..8b425d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,4 @@
 bin
 obj
 *.user
-net5.0
-kubeconfig
 appsettings.local.json
diff --git a/Controllers/CertificateController.cs b/Controllers/CertificateController.cs
deleted file mode 100644
index 93e0eaf..0000000
--- a/Controllers/CertificateController.cs
+++ /dev/null
@@ -1,67 +0,0 @@
-using KCert.Services;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Logging;
-using System.Linq;
-using System.Text.Json;
-using System.Threading.Tasks;
-
-namespace KCert.Controllers;
-
-[Route("certificate")]
-public class CertificateController : Controller
-{
-    private readonly KCertClient _kcert;
-    private readonly K8sClient _kube;
-    private readonly CertClient _cert;
-    private readonly ILogger<CertificateController> _log;
-
-    public CertificateController(KCertClient kcert, K8sClient kube, CertClient cert, ILogger<CertificateController> log)
-    {
-        _kcert = kcert;
-        _kube = kube;
-        _cert = cert;
-        _log = log;
-    }
-
-    [HttpGet]
-    public IActionResult NewAsync() => View("Edit");
-
-    [HttpPost]
-    public async Task<IActionResult> CreateAsync(string ns, string name, string[] hosts)
-    {
-        _log.LogInformation(JsonSerializer.Serialize(new { ns, name, hosts }));
-        await _kcert.SyncHostsAsync(hosts);
-        await _kcert.RenewCertAsync(ns, name, hosts);
-        return RedirectToAction("Index", "Home");
-    }
-
-    [HttpGet("{ns}/{name}")]
-    public async Task<IActionResult> EditAsync(string ns, string name)
-    {
-        var cert = await _kube.GetSecretAsync(ns, name);
-        return View(cert);
-    }
-
-    [HttpGet("delete/{ns}/{name}")]
-    public async Task<IActionResult> DeleteAsync(string ns, string name)
-    {
-        await _kube.DeleteSecretAsync(ns, name);
-        return RedirectToAction("Index", "Home");
-    }
-
-    [HttpPost("{ns}/{name}")]
-    public async Task<IActionResult> SaveAsync(string ns, string name, string[] hosts)
-    {
-        var secret = await _kube.GetSecretAsync(ns, name);
-        var cert = _cert.GetCert(secret);
-        var currentHosts = _cert.GetHosts(cert);
-
-        // If there's a change, renew the cert
-        if (hosts.Length != currentHosts.Count || hosts.Intersect(currentHosts).Count() != hosts.Length)
-        {
-            await _kcert.RenewCertAsync(ns, name, hosts);
-        }
-
-        return RedirectToAction("Index", "Home");
-    }
-}
diff --git a/Controllers/ChallengeController.cs b/Controllers/ChallengeController.cs
deleted file mode 100644
index ec1df17..0000000
--- a/Controllers/ChallengeController.cs
+++ /dev/null
@@ -1,34 +0,0 @@
-using KCert.Services;
-using Microsoft.AspNetCore.Mvc;
-using System.Threading.Tasks;
-
-namespace KCert.Controllers;
-
-[Route("challenge")]
-public class ChallengeController : Controller
-{
-    private readonly KCertClient _kcert;
-    private readonly K8sClient _kube;
-    private readonly KCertConfig _cfg;
-
-    public ChallengeController(KCertClient kcert, K8sClient kube, KCertConfig cfg)
-    {
-        _kcert = kcert;
-        _kube = kube;
-        _cfg = cfg;
-    }
-
-    [HttpGet]
-    public async Task<IActionResult> IndexAsync(string op)
-    {
-        var ingress = await _kube.GetIngressAsync(_cfg.KCertNamespace, _cfg.KCertIngressName);
-        return View(ingress);
-    }
-
-    [HttpGet("refresh")]
-    public async Task<IActionResult> RefreshAsync()
-    {
-        await _kcert.SyncHostsAsync();
-        return RedirectToAction("Index");
-    }
-}
diff --git a/Controllers/ConfigurationController.cs b/Controllers/ConfigurationController.cs
deleted file mode 100644
index f78964b..0000000
--- a/Controllers/ConfigurationController.cs
+++ /dev/null
@@ -1,83 +0,0 @@
-using KCert.Models;
-using KCert.Services;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Logging;
-using System;
-using System.Linq;
-using System.Threading.Tasks;
-
-namespace KCert.Controllers;
-
-[Route("configuration")]
-public class ConfigurationController : Controller
-{
-    private readonly KCertClient _kcert;
-    private readonly EmailClient _email;
-    private readonly CertClient _cert;
-    private readonly AcmeClient _acme;
-    private readonly ILogger<ConfigurationController> _log;
-
-    private static string TermsOfServiceUrl;
-
-    public ConfigurationController(KCertClient kcert, EmailClient email, CertClient cert, ILogger<ConfigurationController> log, AcmeClient acme)
-    {
-        _kcert = kcert;
-        _email = email;
-        _cert = cert;
-        _log = log;
-        _acme = acme;
-    }
-
-    [HttpGet]
-    public async Task<IActionResult> IndexAsync()
-    {
-        if (TermsOfServiceUrl == null)
-        {
-            TermsOfServiceUrl = await _acme.GetTermsOfServiceUrlAsync();
-        }
-
-        ViewBag.TermsOfService = TermsOfServiceUrl;
-        var p = await _kcert.GetConfigAsync();
-        return View(p ?? new KCertParams());
-    }
-
-    [HttpGet("test-email")]
-    public async Task<IActionResult> TestEmailAsync()
-    {
-        var p = await _kcert.GetConfigAsync();
-        await _email.SendTestEmailAsync(p);
-        return RedirectToAction("Index");
-    }
-
-
-    [HttpPost]
-    public async Task<IActionResult> SaveAsync([FromForm] ConfigurationForm form)
-    {
-        var p = await _kcert.GetConfigAsync() ?? new KCertParams();
-
-        p.AcmeDirUrl = new Uri(form.AcmeDir);
-        p.AcmeEmail = form.AcmeEmail;
-        p.EnableAutoRenew = form.EnableAutoRenew;
-        p.SmtpHost = form.SmtpHost;
-        p.SmtpPort = form.SmtpPort;
-        p.SmtpUser = form.SmtpUser;
-        p.SmtpPass = form.SmtpPass;
-        p.EmailFrom = form.EmailFrom;
-        p.TermsAccepted = form.TermsAccepted;
-
-        if (!(form?.AcmeKey?.All(c => c == '*') ?? false))
-        {
-            _log.LogInformation("Setting key value from form");
-            p.AcmeKey = form.AcmeKey;
-        }
-
-        if (string.IsNullOrWhiteSpace(p.AcmeKey))
-        {
-            _log.LogInformation("Generating new key");
-            p.AcmeKey = _cert.GenerateNewKey();
-        }
-
-        await _kcert.SaveConfigAsync(p);
-        return RedirectToAction("Index");
-    }
-}
diff --git a/Controllers/HomeController.cs b/Controllers/HomeController.cs
index 9600dcb..8840ca6 100644
--- a/Controllers/HomeController.cs
+++ b/Controllers/HomeController.cs
@@ -1,8 +1,8 @@
-using System.Diagnostics;
+using KCert.Models;
+using KCert.Services;
 using Microsoft.AspNetCore.Mvc;
-using KCert.Models;
+using System.Diagnostics;
 using System.Threading.Tasks;
-using KCert.Services;
 
 namespace KCert.Controllers;
 
@@ -11,26 +11,59 @@ public class HomeController : Controller
 {
     private readonly KCertClient _kcert;
     private readonly K8sClient _kube;
+    private readonly KCertConfig _cfg;
+    private readonly EmailClient _email;
+    private readonly AcmeClient _acme;
 
-    public HomeController(KCertClient kcert, K8sClient kube)
+    private static string TermsOfServiceUrl;
+
+    public HomeController(KCertClient kcert, K8sClient kube, KCertConfig cfg, EmailClient email, AcmeClient acme)
     {
         _kcert = kcert;
         _kube = kube;
+        _cfg = cfg;
+        _email = email;
+        _acme = acme;
     }
 
-    [HttpGet]
-    public async Task<IActionResult> IndexAsync()
+    [HttpGet("")]
+    public async Task<IActionResult> HomeAsync()
     {
-        ViewBag.HostsUpdated = await _kcert.SyncHostsAsync();
         var secrets = await _kube.GetManagedSecretsAsync();
         return View(secrets);
     }
 
+    [HttpGet("challenge")]
+    public async Task<IActionResult> ChallengeAsync()
+    {
+        var ingress = await _kube.GetIngressAsync(_cfg.KCertNamespace, _cfg.KCertIngressName);
+        return View(ingress);
+    }
+
+    [HttpGet("configuration")]
+    public async Task<IActionResult> ConfigurationAsync()
+    {
+        if (TermsOfServiceUrl == null)
+        {
+            TermsOfServiceUrl = await _acme.GetTermsOfServiceUrlAsync();
+        }
+
+        ViewBag.TermsOfService = TermsOfServiceUrl;
+        return View();
+    }
+
+    [HttpGet("test-email")]
+    public async Task<IActionResult> TestEmailAsync()
+    {
+        await _email.SendTestEmailAsync();
+        return RedirectToAction("Configuration");
+    }
+
     [HttpGet("renew/{ns}/{name}")]
     public async Task<IActionResult> RenewAsync(string ns, string name)
     {
         await _kcert.RenewCertAsync(ns, name);
-        return RedirectToAction("Index");
+        return RedirectToAction("Home");
     }
 
     [Route("error")]
diff --git a/Controllers/HttpChallengeController.cs b/Controllers/HttpChallengeController.cs
index 5c9e237..01f99af 100644
--- a/Controllers/HttpChallengeController.cs
+++ b/Controllers/HttpChallengeController.cs
@@ -1,30 +1,31 @@
 using KCert.Services;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
-using System.Threading.Tasks;
 
 namespace KCert.Controllers;
 
 [Route(".well-known/acme-challenge")]
 public class HttpChallengeController : ControllerBase
 {
-    private readonly KCertClient _kcert;
     private readonly CertClient _cert;
     private readonly ILogger<HttpChallengeController> _log;
 
-    public HttpChallengeController(ILogger<HttpChallengeController> log, KCertClient kcert, CertClient cert)
+    public HttpChallengeController(ILogger<HttpChallengeController> log, CertClient cert)
     {
         _log = log;
-        _kcert = kcert;
         _cert = cert;
     }
 
     [HttpGet("{key}")]
-    public async Task<IActionResult> GetChallengeResultsAsync(string key)
+    public IActionResult GetChallengeResults(string key)
     {
-        _log.LogInformation($"Received ACME Challenge: {key}");
-        var p = await _kcert.GetConfigAsync();
-        var thumb = _cert.GetThumbprint(p.AcmeKey);
+        _log.LogInformation("Received ACME Challenge: {key}", key);
+        var thumb = _cert.GetThumbprint(key);
+        if (thumb == null)
+        {
+            return NotFound();
+        }
+
         return Ok($"{key}.{thumb}");
     }
 }
diff --git a/Controllers/ManageController.cs b/Controllers/ManageController.cs
deleted file mode 100644
index 0407369..0000000
--- a/Controllers/ManageController.cs
+++ /dev/null
@@ -1,43 +0,0 @@
-using KCert.Services;
-using Microsoft.AspNetCore.Mvc;
-using System.Threading.Tasks;
-
-namespace KCert.Controllers;
-
-[Route("manage")]
-public class ManageController : Controller
-{
-    private readonly K8sClient _kube;
-
-    public ManageController(K8sClient kube)
-    {
-        _kube = kube;
-    }
-
-    [HttpGet]
-    public async Task<IActionResult> IndexAsync(string op, string ns, string name)
-    {
-        if (op == "manage")
-        {
-            await _kube.ManageSecretAsync(ns, name);
-            return RedirectToAction();
-        }
-
-        var secrets = await _kube.GetUnmanagedSecretsAsync();
-        return View(secrets);
-    }
-
-    [HttpGet("{ns}/{name}/remove")]
-    public async Task<IActionResult> UnmanageAsync(string ns, string name)
-    {
-        await _kube.UnmanageSecretAsync(ns, name);
-        return RedirectToAction("Index", "Home");
-    }
-
-    [HttpGet("{ns}/{name}/add")]
-    public async Task<IActionResult> ManageAsync(string ns, string name)
-    {
-        await _kube.ManageSecretAsync(ns, name);
-        return RedirectToAction("Index");
-    }
-}
diff --git a/Dockerfile b/Dockerfile
index 1424ed7..f60b8d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,6 +8,5 @@ RUN dotnet publish "KCert.csproj" --no-restore -c Release -o /app
 FROM mcr.microsoft.com/dotnet/aspnet:6.0-alpine AS final
 WORKDIR /app
 COPY --from=build /app .
-# COPY wwwroot ./wwwroot
 EXPOSE 80
 ENTRYPOINT ["dotnet", "KCert.dll"]
diff --git a/KCert.csproj b/KCert.csproj
index 77b8dd7..582e7e6 100644
--- a/KCert.csproj
+++ b/KCert.csproj
@@ -2,6 +2,7 @@
 
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
+    <UserSecretsId>0f4473c6-d397-4e27-a6ac-375fbf20315e</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/Models/ConfigurationForm.cs b/Models/ConfigurationForm.cs
deleted file mode 100644
index b3273a5..0000000
--- a/Models/ConfigurationForm.cs
+++ /dev/null
@@ -1,16 +0,0 @@
-namespace KCert.Models;
-
-public class ConfigurationForm
-{
-    public string AcmeDir { get; set; }
-    public string AcmeEmail { get; set; }
-    public string AcmeKey { get; set; }
-    public bool TermsAccepted { get; set; }
-
-    public bool EnableAutoRenew { get; set; }
-    public string EmailFrom { get; set; }
-    public string SmtpHost { get; set; }
-    public int SmtpPort { get; set; }
-    public string SmtpUser { get; set; }
-    public string SmtpPass { get; set; }
-}
diff --git a/Models/HomeViewModel.cs b/Models/HomeViewModel.cs
deleted file mode 100644
index 8ec7f9d..0000000
--- a/Models/HomeViewModel.cs
+++ /dev/null
@@ -1,30 +0,0 @@
-using k8s.Models;
-using KCert.Services;
-using System;
-using System.Collections.Generic;
-using System.Linq;
-
-namespace KCert.Models;
-
-public class HomeViewModel
-{
-    public string Namespace { get; set; }
-    public string SecretName { get; set; }
-    public string[] Hosts { get; set; }
-    public DateTime? Created { get; set; }
-    public DateTime? Expires { get; set; }
-    public bool HasChallengeEntry { get; set; }
-
-    public HomeViewModel(V1Secret s, HashSet<string> configuredHosts, CertClient certClient)
-    {
-        var cert = certClient.GetCert(s);
-        var hosts = new string[] { cert.Subject[3..] };
-
-        Namespace = s.Namespace();
-        SecretName = s.Name();
-        Hosts = hosts;
-        HasChallengeEntry = hosts.All(configuredHosts.Contains);
-        Created = cert.NotBefore;
-        Expires = cert.NotAfter;
-    }
-}
diff --git a/Models/KCertParams.cs b/Models/KCertParams.cs
deleted file mode 100644
index c5aa698..0000000
--- a/Models/KCertParams.cs
+++ /dev/null
@@ -1,88 +0,0 @@
-using k8s.Models;
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-
-namespace KCert.Models;
-
-public class KCertParams
-{
-    public Uri AcmeDirUrl { get; set; }
-    public bool TermsAccepted { get; set; }
-    public string AcmeEmail { get; set; }
-    public string AcmeKey { get; set; }
-
-    public bool EnableAutoRenew { get; set; }
-    public string EmailFrom { get; set; }
-    public string SmtpHost { get; set; }
-    public int SmtpPort { get; set; }
-    public string SmtpUser { get; set; }
-    public string SmtpPass { get; set; }
-
-    public KCertParams() { }
-
-    public KCertParams(V1Secret secret)
-    {
-        var data = secret.Data.ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
-        foreach (var p in typeof(KCertParams).GetProperties())
-        {
-            if (!data.TryGetValue(p.Name, out var value))
-            {
-                continue;
-            }
-
-            object result = null;
-            if (value != null)
-            {
-                if (!GetValLookup.TryGetValue(p.PropertyType, out var func))
-                {
-                    throw new Exception($"Don't know how to get Property {p.Name} of type {p.PropertyType}");
-                }
-
-                result = func(Encoding.UTF8.GetString(value));
-            }
-
-            p.SetValue(this, result);
-        }
-    }
-
-    public IDictionary<string, byte[]> Export()
-    {
-        var result = new Dictionary<string, byte[]>();
-        foreach (var p in typeof(KCertParams).GetProperties())
-        {
-            byte[] value = null;
-            var propValue = p.GetValue(this);
-            if (propValue != null)
-            {
-                if (!SetValLookup.TryGetValue(p.PropertyType, out var func))
-                {
-                    throw new Exception($"Don't know how to set Property {p.Name} of type {p.PropertyType}");
-                }
-
-                value = Encoding.UTF8.GetBytes(func(propValue));
-            }
-
-            result.Add(p.Name, value);
-        }
-
-        return result;
-    }
-
-    private static readonly Dictionary<Type, Func<string, object>> GetValLookup = new()
-    {
-        { typeof(string), (str) => str },
-        { typeof(bool), (str) => bool.Parse(str) },
-        { typeof(Uri), (str) => new Uri(str) },
-        { typeof(int), (str) => int.Parse(str) },
-    };
-
-    private static readonly Dictionary<Type, Func<object, string>> SetValLookup = new()
-    {
-        { typeof(string), (obj) => (string)obj },
-        { typeof(bool), (obj) => ((bool)obj).ToString() },
-        { typeof(Uri), (obj) => ((Uri)obj).AbsoluteUri },
-        { typeof(int), (obj) => obj.ToString() },
-    };
-}
diff --git a/Program.cs b/Program.cs
index f1f5cb1..23d7304 100644
--- a/Program.cs
+++ b/Program.cs
@@ -4,9 +4,25 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using System;
+
+if (args.Length > 0 && args[^1] == "generate-key")
+{
+    var key = CertClient.GenerateNewKey();
+    Console.WriteLine(key);
+    return;
+}
 
 Host.CreateDefaultBuilder(args)
-    .ConfigureAppConfiguration((ctx, cfg) => cfg.AddEnvironmentVariables())
+    .ConfigureAppConfiguration((ctx, cfg) =>
+    {
+        cfg.AddUserSecrets<Program>(optional: true);
+        cfg.AddEnvironmentVariables();
+    })
     .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>())
-    .ConfigureServices(services => services.AddHostedService<RenewalService>())
+    .ConfigureServices(services =>
+    {
+        services.AddHostedService<RenewalService>();
+        services.AddHostedService<IngressMonitorService>();
+    })
     .Build().Run();
diff --git a/README.md b/README.md
index 4e26915..5faaca5 100644
--- a/README.md
+++ b/README.md
@@ -1,26 +1,197 @@
 # KCert: A Simple Let's Encrypt Cert Manager for Kubernetes
 
-KCert is a simple, easy to run and understand alternative to [cert-manager](https://github.com/jetstack/cert-manager):
+KCert is a simple alternative to [cert-manager](https://github.com/jetstack/cert-manager):
 
-- Instead of 26000 lines of yaml, `KCert` deploys with less than 100 lines
+- Instead of 26000 lines of yaml, `KCert` deploys with less than 150 lines
 - Instead of custom resources, `KCert` uses the existing standard Kubernetes objects
 - The codebase is small and easy to understand
 
+## Installing KCert
+
+The following instructions assume that you will be using the included `deploy.yml` file as your template for install KCert.
+If you are customizing your setup you will likely need to modify the following instructions accordingly.
+
+Below you can find more details, but setting up KCert involves the following steps:
+
+- Create SMTP credentials for KCert to send automatic email notifications (or skip SMTP related instructions)
+- Generate a ECDSA key by running `docker run -it nabsul/kcert:1.0.0 dotnet KCert.dll generate-key`
+- Create the KCert namespace with `kubectl create namespace kcert`
+- Create the KCert secret with `kubectl -n kcert create secret generic kcert --from-literal=acme=[...] --from-literal=smtp=[...]`
+- Fill in the `deploy.yml` file and run `kubectl apply -f deploy.yml`
+- Start `kubectl -n kcert port-forward svc/kcert 80` and view the dashboard at `http://localhost`
+
+### Create KCert secrets
+
+It's bad practice to save secrets in yaml files, so we will be creating them separately.
+KCert configuration involves two secrets:
+
+- The ACME ECDSA key which is needed to create and renew certificates
+- The optional SMTP password if you want to have email notifications
+
+You can create the ECDSA key using KCert from the command line:
+
+- If you have .NET Core installed you can check out this repo and run `dotnet run generate-key`
+- If you have Docker (or Podman) you can run `docker run -it nabsul/kcert:v1.0.0 dotnet KCert.dll generate-key`
+
+You can then create your Kubernetes secret with the following (replace the placeholders with your own values):
+
+```sh
+kubectl create namespace kcert
+kubectl -n kcert create secret generic kcert --from-literal=acme=[YOUR ACME KEY] --from-literal=smtp=[YOUR SMTP PASSWORD]
+```
+
+### Deploy KCert
+
+Starting with the `deploy.yml` template in this repo, find the `env:` section.
+Fill in all the required values (marked with `#` comments).
+If you don't want to set up email notifications you can delete all environment variables that start with `SMTP__`.
+
+Once you've configured your settings, deploy KCert by running `kubectl apply -f ./deploy.yml`.
+Congratulations, KCert should now be running!
+
+To check that everything is running as expected:
+
+- Run `kubectl -n kcert logs svc/kcert` and make sure there are no error messages
+- Run `kubectl -n kcert port-forward svc/kcert 80` and go to `http://localhost:80` in your browser
+
+## Uninstalling KCert
+
+KCert does not create many resources,
+and most of them are restricted to the kcert namespace.
+Removing KCert from your cluster is as simple as executing these three commands:
+
+```sh
+kubectl delete namespace kcert
+kubectl delete clusterrolebinding kcert
+kubectl delete clusterrole kcert
+```
+
+Note that certificates created by KCert in other namespaces will NOT be deleted.
+You can keep those certificates or manually delete them.
+
+## Creating Certificates
+
+KCert watches for changes to ingresses in cluster and reacts to them accordingly.
+KCert will ignore an ingress unless it is labelled with `kubernetes.io/ingress.class=nginx`.
+For example, you could configure an ingress as follows:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: test1-ingress
+  labels:
+    kcert.dev/ingress: "managed"
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+spec:
+  tls:
+  - hosts:
+    - test1.kcert.dev
+    - test2.kcert.dev
+    secretName: test1-tls
+  rules:
+  - host: test1.kcert.dev
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hello-world
+            port:
+              number: 80
+  - host: test2.kcert.dev
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hello-world
+            port:
+              number: 80
+```
+
+KCert should automatically detect this new ingress and generate a TLS secret called `test1-tls`
+for the two domains listed above.
+You could also create one certificate per host as follows:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: test1-ingress
+  labels:
+    kcert.dev/ingress: "managed"
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+spec:
+  tls:
+  - hosts:
+    - test1.kcert.dev
+    secretName: test1-tls
+  tls:
+  - hosts:
+    - test2.kcert.dev
+    secretName: test2-tls
+  rules:
+  - host: test1.kcert.dev
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hello-world
+            port:
+              number: 80
+  - host: test2.kcert.dev
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hello-world
+            port:
+              number: 80
+```
+
+## Automatic Certificate Renewal
+
+Once every 6 hours KCert will check for certificates that are expiring in 30 days or less.
+It will attempt to automatically renew those certificates.
+If you have email notifications set up, you will receive a notifications of success of failure of the renewal process.
+
+## Further Configuration Settings
+
+KCert uses the standard .NET Core configuration library to manage its settings.
+The [appsettings.json](https://github.com/nabsul/kcert/blob/main/appsettings.json)
+contains the full list of settings with reasonable default values.
+
+All settings shown in `appsettings.json` can be modified via environment variables.
+For example, you can override the value of the `Acme:RenewalCheckTimeHours` setting
+with a `ACME__RENEWALCHECKTIMEHOURS` environment variable.
+Note that there are two underscore (`_`) characters in between the two parts of the setting name.
+For more information see the [official .NET Core documentation](https://docs.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-6.0).
+
 ## How it Works
 
-- An ingress definition routes `.acme/challenge` requests to the application for HTTP challenge request
+- An ingress definition routes `.acme/challenge` requests to KCert for HTTP challenge requests
 - Service provides a web UI and to manually manage and certs
-- Automatic renewal can be be enabled from the configuration
+- KCert will automatically check for certificates needing renewal every 6 hours
+- KCert will renew a certificate if it expires in less than 30 days
+- KCert watches for created and updated ingresses in the cluster
+- KCert will automatically create and manage certificates for ingresses with the `kcert.dev/kcert=managed` label
 
-## How to Use
+## Building from Scratch
 
-- Deploy to your cluster using: `kubectl apply -f deploy.yml`
-- To access the web UI run `kubectl -n kcert port-forward svc/kcert 8080:80` and open your browser at `https://localhost:8080`
-- Go to the configuration tab and configure your settings (email address, optional smtp settings, etc.)
-- Go to "Unmanaged Certs" and select existing certs to be managed by KCert
-- Create new certs or renew existing ones through the UI
-- Turn on auto-renewal to automatically renew certs when they have less than 30 days validity
+To build your own container image: `docker build -t [your tag] .`
 
-## Building from Scratch
+## Running Locally
 
-To build your own: `docker build -t [your tag] .`
+You can run KCert locally with `dotnet run`.
+If you have Kubectl configured to connect to your cluster,
+KCert will use those settings to do the same.
+It will behave as if it is running in the cluster and you will be able to explore any settings that might be there.
diff --git a/ServiceAttribute.cs b/ServiceAttribute.cs
index bdee89d..d6d2acd 100644
--- a/ServiceAttribute.cs
+++ b/ServiceAttribute.cs
@@ -1,8 +1,8 @@
 using System;
 
-namespace KCert
+namespace KCert;
+
+[AttributeUsage(AttributeTargets.Class)]
+public class ServiceAttribute : Attribute
 {
-    public class ServiceAttribute : Attribute
-    {
-    }
 }
diff --git a/Services/AcmeClient.cs b/Services/AcmeClient.cs
index 5a5ec5f..a878c1f 100644
--- a/Services/AcmeClient.cs
+++ b/Services/AcmeClient.cs
@@ -19,9 +19,9 @@ public class AcmeClient
     private const string ContentType = "application/jose+json";
     private const string Alg = "ES256";
 
-    private static readonly JsonSerializerOptions options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
+    private static readonly JsonSerializerOptions options = new() { PropertyNameCaseInsensitive = true };
 
-    private readonly HttpClient _http = new HttpClient();
+    private readonly HttpClient _http = new();
     private readonly CertClient _cert;
 
     public AcmeClient(CertClient cert)
diff --git a/Services/BufferedLogger.cs b/Services/BufferedLogger.cs
index 9edc2ca..818a19f 100644
--- a/Services/BufferedLogger.cs
+++ b/Services/BufferedLogger.cs
@@ -9,7 +9,7 @@ namespace KCert.Services;
 public class BufferedLogger<TT> : ILogger<TT>
 {
     private readonly ILogger<TT> _inner;
-    private readonly Queue<string> _buff = new Queue<string>();
+    private readonly Queue<string> _buff = new();
 
     public BufferedLogger(ILogger<TT> inner)
     {
diff --git a/Services/CertClient.cs b/Services/CertClient.cs
index 2c08658..0fa4c81 100644
--- a/Services/CertClient.cs
+++ b/Services/CertClient.cs
@@ -20,15 +20,17 @@ public class CertClient
     private const string SanOid = "2.5.29.17";
 
     private readonly RSA _rsa = RSA.Create(2048);
-
+    private readonly Dictionary<string, DateTime> _validKeys = new();
+    private readonly KCertConfig _cfg;
     private readonly ILogger<CertClient> _log;
 
-    public CertClient(ILogger<CertClient> log)
+    public CertClient(KCertConfig cfg, ILogger<CertClient> log)
     {
+        _cfg = cfg;
         _log = log;
     }
 
-    public X509Certificate2 GetCert(V1Secret secret) => new X509Certificate2(secret.Data["tls.crt"]);
+    public X509Certificate2 GetCert(V1Secret secret) => new(secret.Data["tls.crt"]);
 
     public List<string> GetHosts(X509Certificate2 cert)
     {
@@ -55,16 +57,39 @@ public object GetJwk(ECDsa sign)
         };
     }
 
-    public string GenerateNewKey()
+    public static string GenerateNewKey()
     {
         var sign = ECDsa.Create();
         sign.KeySize = 256;
-        return Base64UrlTextEncoder.Encode(sign.ExportECPrivateKey());
+        var key = sign.ExportECPrivateKey();
+        return Base64UrlTextEncoder.Encode(key);
+    }
+    public void AddChallengeKey(string key)
+    {
+        if (_cfg.AcceptAllChallenges)
+        {
+            return;
+        }
+
+        var threshold = TimeSpan.FromHours(1);
+        var now = DateTime.UtcNow;
+        _validKeys.Add(key, now);
+        foreach (var p in _validKeys.Where(p => now - p.Value > threshold))
+        {
+            _log.LogInformation("Removing old key: {k}", p.Key);
+            _validKeys.Remove(p.Key);
+        }
     }
 
     public string GetThumbprint(string key)
     {
-        var sign = GetSigner(key);
+        if (!_cfg.AcceptAllChallenges && !_validKeys.ContainsKey(key))
+        {
+            _log.LogWarning("Rejected thumb request for {k}", key);
+            return null;
+        }
+
+        var sign = GetSigner(_cfg.AcmeKey);
         var jwk = GetJwk(sign);
         var jwkJson = JsonSerializer.Serialize(jwk);
         var jwkBytes = Encoding.UTF8.GetBytes(jwkJson);
diff --git a/Services/EmailClient.cs b/Services/EmailClient.cs
index b272ff3..ae003d0 100644
--- a/Services/EmailClient.cs
+++ b/Services/EmailClient.cs
@@ -15,45 +15,47 @@ public class EmailClient
     private const string TestMessage = "If you received this, then KCert is able to send emails!";
 
     private readonly ILogger<EmailClient> _log;
+    private readonly KCertConfig _cfg;
 
-    public EmailClient(ILogger<EmailClient> log)
+    public EmailClient(ILogger<EmailClient> log, KCertConfig cfg)
     {
         _log = log;
+        _cfg = cfg;
     }
 
-    public async Task SendTestEmailAsync(KCertParams p)
+    public async Task SendTestEmailAsync()
     {
         _log.LogInformation("Attempting to send a test email.");
-        await SendAsync(p, TestSubject, TestMessage);
+        await SendAsync(TestSubject, TestMessage);
     }
 
-    public async Task NotifyRenewalResultAsync(KCertParams p, string secretNamespace, string secretName, RenewalException ex)
+    public async Task NotifyRenewalResultAsync(string secretNamespace, string secretName, RenewalException ex)
     {
-        await SendAsync(p, RenewalSubject(secretNamespace, secretName, ex), RenewalMessage(secretNamespace, secretName, ex));
+        await SendAsync(RenewalSubject(secretNamespace, secretName, ex), RenewalMessage(secretNamespace, secretName, ex));
     }
 
-    private async Task SendAsync(KCertParams p, string subject, string text)
+    private async Task SendAsync(string subject, string text)
     {
-        if (!CanSendEmails(p))
+        if (!CanSendEmails())
         {
             _log.LogInformation("Cannot send email email because it's not configured correctly");
             return;
         }
 
-        var client = new SmtpClient(p.SmtpHost, p.SmtpPort)
+        var client = new SmtpClient(_cfg.SmtpHost, _cfg.SmtpPort)
         {
             EnableSsl = true,
-            Credentials = new NetworkCredential(p.SmtpUser, p.SmtpPass),
+            Credentials = new NetworkCredential(_cfg.SmtpUser, _cfg.SmtpPass),
         };
 
-        var message = new MailMessage(p.EmailFrom, p.AcmeEmail, subject, text);
+        var message = new MailMessage(_cfg.SmtpEmailFrom, _cfg.AcmeEmail, subject, text);
 
         await client.SendMailAsync(message);
     }
 
-    private static bool CanSendEmails(KCertParams p)
+    private bool CanSendEmails()
     {
-        var allFields = new[] { p.SmtpHost, p.SmtpUser, p.SmtpPass, p.EmailFrom, p.AcmeEmail };
+        var allFields = new[] { _cfg.SmtpHost, _cfg.SmtpUser, _cfg.SmtpPass, _cfg.SmtpEmailFrom, _cfg.AcmeEmail };
         return !allFields.Any(string.IsNullOrWhiteSpace);
     }
 
@@ -77,5 +79,4 @@ private static string RenewalMessage(string secretNamespace, string secretName,
 
         return string.Join('\n', lines);
     }
-
 }
diff --git a/Services/IngressMonitorService.cs b/Services/IngressMonitorService.cs
new file mode 100644
index 0000000..6d6b076
--- /dev/null
+++ b/Services/IngressMonitorService.cs
@@ -0,0 +1,122 @@
+using k8s;
+using k8s.Models;
+using KCert.Models;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace KCert.Services;
+
+[Service]
+public class IngressMonitorService : IHostedService
+{
+    private readonly ILogger<IngressMonitorService> _log;
+    private readonly KCertClient _kcert;
+    private readonly K8sClient _k8s;
+    private readonly CertClient _cert;
+    private readonly EmailClient _email;
+
+    public IngressMonitorService(ILogger<IngressMonitorService> log, KCertClient kcert, K8sClient k8s, CertClient cert, EmailClient email)
+    {
+        _log = log;
+        _kcert = kcert;
+        _k8s = k8s;
+        _cert = cert;
+        _email = email;
+    }
+
+    public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+
+    public Task StartAsync(CancellationToken cancellationToken)
+    {
+        _ = WatchIngressesAsync(cancellationToken);
+        return Task.CompletedTask;
+    }
+
+    private async Task WatchIngressesAsync(CancellationToken tok)
+    {
+        try
+        {
+            _log.LogInformation("Watching for ingress changes");
+            await _k8s.WatchIngressesAsync(HandleIngressEventAsync, tok);
+        }
+        catch (Exception ex)
+        {
+            _log.LogError(ex, "Ingress watcher failed");
+        }
+    }
+
+    private async Task HandleIngressEventAsync(WatchEventType type, V1Ingress ingress, CancellationToken tok)
+    {
+        _log.LogInformation("event [{type}] for {ns}-{name}", type, ingress.Namespace(), ingress.Name());
+        if (type != WatchEventType.Added && type != WatchEventType.Modified)
+        {
+            return;
+        }
+
+        // fetch all ingresses to figure out which certs need have which hosts
+        var nsLookup = new Dictionary<(string, string), HashSet<string>>();
+        await foreach (var ing in _k8s.GetAllIngressesAsync())
+        {
+            _log.LogInformation("Processing ingress {ns}:{n}", ing.Namespace(), ing.Name());
+            foreach (var tls in ing?.Spec?.Tls ?? new List<V1IngressTLS>())
+            {
+                var key = (ing.Namespace(), tls.SecretName);
+                if (!nsLookup.TryGetValue(key, out var hosts))
+                {
+                    hosts = new HashSet<string>();
+                    nsLookup.Add(key, hosts);
+                }
+
+                foreach (var h in tls.Hosts)
+                {
+                    hosts.Add(h);
+                }
+            }
+        }
+
+        foreach (var ((ns, name), hosts) in nsLookup)
+        {
+            _log.LogInformation("Handling cert {ns} - {name} hosts: {h}", ns, name, string.Join(", ", hosts));
+            await TryUpdateSecretAsync(ns, name, hosts, tok);
+        }
+    }
+
+    private async Task TryUpdateSecretAsync(string ns, string name, IEnumerable<string> hosts, CancellationToken tok)
+    {
+        var secret = await _k8s.GetSecretAsync(ns, name);
+
+        if (secret != null)
+        {
+            var cert = _cert.GetCert(secret);
+            var certHosts = _cert.GetHosts(cert).ToHashSet();
+            if (hosts.All(h => certHosts.Contains(h)))
+            {
+                // nothing to do, cert already has all the hosts it needs to have
+                _log.LogInformation("Certificate already has all the needed hosts configured");
+                return;
+            }
+        }
+
+        try
+        {
+            if (await _kcert.AddChallengeHostsAsync(hosts))
+            {
+                _log.LogInformation("Giving challenge ingress time to propagate");
+                await Task.Delay(TimeSpan.FromSeconds(10), tok);
+            }
+
+            await _kcert.RenewCertAsync(ns, name, hosts.ToArray());
+            await _kcert.RemoveChallengeHostsAsync(hosts);
+            await _email.NotifyRenewalResultAsync(ns, name, null);
+        }
+        catch (RenewalException ex)
+        {
+            await _email.NotifyRenewalResultAsync(ns, name, ex);
+        }
+    }
+}
diff --git a/Services/K8sClient.cs b/Services/K8sClient.cs
index 52b527e..e5d1f45 100644
--- a/Services/K8sClient.cs
+++ b/Services/K8sClient.cs
@@ -1,12 +1,14 @@
 using k8s;
 using k8s.Exceptions;
 using k8s.Models;
+using Microsoft.Extensions.Logging;
 using Microsoft.Rest;
 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Text;
+using System.Threading;
 using System.Threading.Tasks;
 
 namespace KCert.Services;
@@ -15,27 +17,61 @@ namespace KCert.Services;
 public class K8sClient
 {
     private const string TlsSecretType = "kubernetes.io/tls";
-    private const string LabelKey = "kcert.dev/label";
+    private const string SecretLabelKey = "kcert.dev/secret";
+    private const string SecretLabelValue = "managed";
+    public const string IngressLabelKey = "kcert.dev/ingress";
+    public const string IngressLabelValue = "managed";
     private const string TlsTypeSelector = "type=kubernetes.io/tls";
 
     private readonly KCertConfig _cfg;
+
+    private readonly ILogger<K8sClient> _log;
+
     private readonly Kubernetes _client;
 
-    public K8sClient(KCertConfig cfg)
+    public K8sClient(KCertConfig cfg, ILogger<K8sClient> log)
     {
         _cfg = cfg;
+        _log = log;
         _client = new Kubernetes(GetConfig());
     }
 
+    public async Task WatchIngressesAsync(Func<WatchEventType, V1Ingress, CancellationToken, Task> callback, CancellationToken tok)
+    {
+        var label = $"{IngressLabelKey}={IngressLabelValue}";
+        _log.LogInformation("Watching for all ingresses with: {label}", label);
+        var message = _client.ListIngressForAllNamespacesWithHttpMessagesAsync(watch: true, cancellationToken: tok, labelSelector: label);
+        await foreach (var (type, item) in message.WatchAsync<V1Ingress, V1IngressList>())
+        {
+            await callback(type, item, tok);
+        }
+    }
+
+    public async IAsyncEnumerable<V1Ingress> GetAllIngressesAsync()
+    {
+        var label = $"{IngressLabelKey}={IngressLabelValue}";
+        string tok = null;
+        do
+        {
+            var result = await _client.ListIngressForAllNamespacesAsync(labelSelector: label, continueParameter: tok);
+            tok = result.Continue();
+            foreach (var i in result.Items)
+            {
+                yield return i;
+            }
+        }
+        while (tok != null);
+    }
+
     public async Task<List<V1Secret>> GetManagedSecretsAsync()
     {
-        var result = await _client.ListSecretForAllNamespacesAsync(fieldSelector: TlsTypeSelector, labelSelector: $"{LabelKey}={_cfg.Label}");
+        var result = await _client.ListSecretForAllNamespacesAsync(fieldSelector: TlsTypeSelector, labelSelector: $"{SecretLabelKey}={SecretLabelValue}");
         return result.Items.ToList();
     }
 
     public async Task<List<V1Secret>> GetUnmanagedSecretsAsync()
     {
-        var result = await _client.ListSecretForAllNamespacesAsync(fieldSelector: TlsTypeSelector, labelSelector: $"!{LabelKey}");
+        var result = await _client.ListSecretForAllNamespacesAsync(fieldSelector: TlsTypeSelector, labelSelector: $"!{SecretLabelKey}");
         return result.Items.ToList();
     }
 
@@ -43,7 +79,7 @@ public async Task ManageSecretAsync(string ns, string name)
     {
         var secret = await _client.ReadNamespacedSecretAsync(name, ns);
         secret.Metadata.Labels ??= new Dictionary<string, string>();
-        secret.Metadata.Labels[LabelKey] = _cfg.Label;
+        secret.Metadata.Labels[SecretLabelKey] = SecretLabelValue;
         await _client.ReplaceNamespacedSecretAsync(secret, name, ns);
     }
 
@@ -51,7 +87,7 @@ public async Task UnmanageSecretAsync(string ns, string name)
     {
         var secret = await _client.ReadNamespacedSecretAsync(name, ns);
         secret.Metadata.Labels = secret.Metadata.Labels ?? new Dictionary<string, string>();
-        secret.Metadata.Labels.Remove(LabelKey);
+        secret.Metadata.Labels.Remove(SecretLabelKey);
         await _client.ReplaceNamespacedSecretAsync(secret, name, ns);
     }
 
@@ -127,57 +163,37 @@ public async Task<V1Ingress> GetIngressAsync(string ns, string name)
         }
     }
 
-    public async Task UpsertIngressAsync(string ns, string name, Action<V1Ingress> setValues)
-    {
-        var ingress = await GetIngressAsync(ns, name);
-        if (ingress == null)
-        {
-            await CreateIngressAsync(ns, name, setValues);
-            return;
-        }
-
-        setValues(ingress);
-        await _client.ReplaceNamespacedIngressAsync(ingress, name, ns);
-    }
-
-    private async Task CreateIngressAsync(string ns, string name, Action<V1Ingress> setValues)
+    public async Task UpdateIngressAsync(V1Ingress ingress)
     {
-        var ingress = new V1Ingress
-        {
-            Metadata = new V1ObjectMeta
-            {
-                Name = name,
-                NamespaceProperty = ns,
-                Annotations = new Dictionary<string, string> { { "kubernetes.io/ingress.class", "nginx" } },
-            },
-            Spec = new V1IngressSpec(),
-        };
-
-        setValues(ingress);
-        await _client.CreateNamespacedIngressAsync(ingress, ns);
+        await _client.ReplaceNamespacedIngressAsync(ingress, ingress.Name(), ingress.Namespace());
     }
 
     public async Task UpdateTlsSecretAsync(string ns, string name, string key, string cert)
     {
-        bool create = false;
         var secret = await GetSecretAsync(ns, name);
-        if (secret == null)
+        if (secret != null)
         {
-            secret = InitSecret(name);
-            create = true;
+            UpdateSecretData(secret, ns, name, key, cert);
+            await _client.ReplaceNamespacedSecretAsync(secret, name, ns);
+            return;
         }
 
+        secret = InitSecret(name);
+        UpdateSecretData(secret, ns, name, key, cert);
+        await _client.CreateNamespacedSecretAsync(secret, ns);
+    }
+
+    private static void UpdateSecretData(V1Secret secret, string ns, string name, string key, string cert)
+    {
         if (secret.Type != TlsSecretType)
         {
             throw new Exception($"Secret {ns}:{name} is not a TLS secret type");
         }
 
         secret.Metadata.Labels ??= new Dictionary<string, string>();
-        secret.Metadata.Labels[LabelKey] = _cfg.Label;
+        secret.Metadata.Labels[SecretLabelKey] = SecretLabelValue;
         secret.Data["tls.key"] = Encoding.UTF8.GetBytes(key);
         secret.Data["tls.crt"] = Encoding.UTF8.GetBytes(cert);
-        var task = create ? _client.CreateNamespacedSecretAsync(secret, ns) : _client.ReplaceNamespacedSecretAsync(secret, name, ns);
-        await task;
     }
 
     private static V1Secret InitSecret(string name)
diff --git a/Services/KCertClient.cs b/Services/KCertClient.cs
index b12c1e1..74b71b8 100644
--- a/Services/KCertClient.cs
+++ b/Services/KCertClient.cs
@@ -1,6 +1,4 @@
 using k8s.Models;
-using KCert.Models;
-using Microsoft.Extensions.Logging;
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -15,26 +13,13 @@ public class KCertClient
     private readonly RenewalHandler _getCert;
     private readonly CertClient _cert;
     private readonly KCertConfig _cfg;
-    private readonly ILogger<KCertClient> _log;
 
-    public KCertClient(K8sClient kube, KCertConfig cfg, RenewalHandler getCert, CertClient cert, ILogger<KCertClient> log)
+    public KCertClient(K8sClient kube, KCertConfig cfg, RenewalHandler getCert, CertClient cert)
     {
         _kube = kube;
         _cfg = cfg;
         _getCert = getCert;
         _cert = cert;
-        _log = log;
-    }
-
-    public async Task<KCertParams> GetConfigAsync()
-    {
-        var s = await _kube.GetSecretAsync(_cfg.KCertNamespace, _cfg.KCertSecretName);
-        return s == null ? null : new KCertParams(s);
-    }
-
-    public async Task SaveConfigAsync(KCertParams p)
-    {
-        await _kube.SaveSecretDataAsync(_cfg.KCertNamespace, _cfg.KCertSecretName, p.Export());
     }
 
     public async Task RenewCertAsync(string ns, string secretName, string[] hosts = null)
@@ -51,37 +36,43 @@ public async Task RenewCertAsync(string ns, string secretName, string[] hosts =
             hosts = _cert.GetHosts(cert).ToArray();
         }
 
-        var p = await GetConfigAsync();
-        await _getCert.RenewCertAsync(ns, secretName, hosts, p);
+        await _getCert.RenewCertAsync(ns, secretName, hosts);
     }
 
-    public async Task<bool> SyncHostsAsync(IEnumerable<string> moreHosts = null)
+    public async Task<bool> AddChallengeHostsAsync(IEnumerable<string> hosts)
     {
-        moreHosts ??= Enumerable.Empty<string>();
         var kcertIngress = await _kube.GetIngressAsync(_cfg.KCertNamespace, _cfg.KCertIngressName);
-        var configuredHosts = kcertIngress?.Spec.Rules.Select(r => r.Host).Distinct().ToArray() ?? Array.Empty<string>();
-
-        var secrets = await _kube.GetManagedSecretsAsync();
-        var allHosts = secrets.Select(_cert.GetCert).SelectMany(_cert.GetHosts)
-            .Concat(moreHosts)
-            .Distinct().ToArray();
-
-        if (configuredHosts.Length == allHosts.Length && configuredHosts.Intersect(allHosts).Count() == allHosts.Length)
+        var configuredHosts = kcertIngress.Spec.Rules.Select(r => r.Host).ToHashSet();
+        var changed = false;
+        foreach (var host in hosts.Where(h => !configuredHosts.Contains(h)))
         {
-            return false;
+            changed = true;
+            kcertIngress.Spec.Rules.Add(CreateRule(host));
         }
 
-        try
+        if (changed)
         {
-            var rules = allHosts.Select(CreateRule).ToList();
-            await _kube.UpsertIngressAsync(_cfg.KCertNamespace, _cfg.KCertIngressName, i => i.Spec.Rules = rules);
-            return true;
+            await _kube.UpdateIngressAsync(kcertIngress);
         }
-        catch (Exception ex)
+
+        return changed;
+    }
+
+    public async Task<bool> RemoveChallengeHostsAsync(IEnumerable<string> hosts)
+    {
+        var toRemove = hosts.ToHashSet();
+        var kcertIngress = await _kube.GetIngressAsync(_cfg.KCertNamespace, _cfg.KCertIngressName);
+
+        var filteredRules = kcertIngress.Spec.Rules.Where(r => !toRemove.Contains(r.Host)).ToList();
+
+        if (filteredRules.Count == kcertIngress.Spec.Rules.Count)
         {
-            _log.LogError(ex, "err");
-            throw;
+            return false;
         }
+
+        kcertIngress.Spec.Rules = filteredRules;
+        await _kube.UpdateIngressAsync(kcertIngress);
+        return true;
     }
 
     private V1IngressRule CreateRule(string host)
diff --git a/Services/KCertConfig.cs b/Services/KCertConfig.cs
index eccd710..0ab7943 100644
--- a/Services/KCertConfig.cs
+++ b/Services/KCertConfig.cs
@@ -14,16 +14,64 @@ public KCertConfig(IConfiguration cfg)
     }
 
     public string K8sConfigFile => _cfg["Config"];
-    public string KCertNamespace => _cfg.GetValue<string>("Namespace");
-    public string Label => _cfg.GetValue<string>("Label");
-    public string KCertSecretName => _cfg.GetValue<string>("SecretName");
-    public string KCertServiceName => _cfg.GetValue<string>("ServiceName");
-    public string KCertIngressName => _cfg.GetValue<string>("IngressName");
-    public int KCertServicePort => _cfg.GetValue<int>("ServicePort");
-
-    public TimeSpan AcmeWaitTime => TimeSpan.FromSeconds(_cfg.GetValue<int>("AcmeWaitTimeSeconds"));
-    public int AcmeNumRetries => _cfg.GetValue<int>("AcmeNumRetries");
-
-    public TimeSpan RenewalTimeBetweenChecks => TimeSpan.FromHours(_cfg.GetValue<int>("RenewalCheckTimeHours"));
-    public TimeSpan RenewalExpirationLimit => TimeSpan.FromDays(_cfg.GetValue<int>("RenewalExpirationRenewalDays"));
+    public bool AcceptAllChallenges => GetBool("KCert:AcceptAllChallenges");
+    public string KCertNamespace => GetString("KCert:Namespace");
+    public string KCertSecretName => GetString("KCert:SecretName");
+    public string KCertServiceName => GetString("KCert:ServiceName");
+    public string KCertIngressName => GetString("KCert:IngressName");
+    public int KCertServicePort => GetInt("KCert:ServicePort");
+
+    public TimeSpan AcmeWaitTime => TimeSpan.FromSeconds(_cfg.GetValue<int>("Acme:ValidationWaitTimeSeconds"));
+    public int AcmeNumRetries => _cfg.GetValue<int>("Acme:ValidationNumRetries");
+    public bool EnableAutoRenew => GetBool("Acme:AutoRenewal");
+    public TimeSpan RenewalTimeBetweenChecks => TimeSpan.FromHours(_cfg.GetValue<int>("Acme:RenewalCheckTimeHours"));
+    public TimeSpan RenewalExpirationLimit => TimeSpan.FromDays(_cfg.GetValue<int>("Acme:RenewalExpirationRenewalDays"));
+
+    public Uri AcmeDir => new(GetString("Acme:DirUrl"));
+    public string AcmeEmail => GetString("Acme:Email");
+    public string AcmeKey => GetString("Acme:Key");
+    public bool AcmeAccepted => GetBool("Acme:TermsAccepted");
+
+    public string SmtpEmailFrom => GetString("Smtp:EmailFrom");
+    public string SmtpHost => GetString("Smtp:Host");
+    public int SmtpPort => GetInt("Smtp:Port");
+    public string SmtpUser => GetString("Smtp:User");
+    public string SmtpPass => GetString("Smtp:Pass");
+
+    public object AllConfigs => new
+    {
+        KCert = new
+        {
+            Namespace = KCertNamespace,
+            IngressName = KCertIngressName,
+            SecertName = KCertSecretName,
+            ServiceName = KCertServiceName,
+            ServicePort = KCertServicePort
+        },
+        ACME = new
+        {
+            ValidationWaitTimeSeconds = AcmeWaitTime,
+            ValidationNumRetries = AcmeNumRetries,
+            AutoRenewal = EnableAutoRenew,
+            RenewalCheckTimeHours = RenewalTimeBetweenChecks,
+            RenewalExpirationRenewalDays = RenewalExpirationLimit,
+            TermsAccepted = AcmeAccepted,
+            DirUrl = AcmeDir,
+            Email = AcmeEmail,
+            Key = HideString(AcmeKey)
+        },
+        SMTP = new
+        {
+            EmailFrom = SmtpEmailFrom,
+            Host = SmtpHost,
+            Port = SmtpPort,
+            User = SmtpUser,
+            Pass = HideString(SmtpPass)
+        },
+    };
+
+    private static string HideString(string val) => string.IsNullOrEmpty(val) ? null : "[REDACTED]";
+    private string GetString(string key) => _cfg.GetValue<string>(key);
+    private int GetInt(string key) => _cfg.GetValue<int>(key);
+    private bool GetBool(string key) => _cfg.GetValue<bool>(key);
 }
diff --git a/Services/RenewalHandler.cs b/Services/RenewalHandler.cs
index 083c1bd..7e54595 100644
--- a/Services/RenewalHandler.cs
+++ b/Services/RenewalHandler.cs
@@ -25,29 +25,29 @@ public RenewalHandler(BufferedLogger<RenewalHandler> log, AcmeClient acme, K8sCl
         _cert = cert;
     }
 
-    public async Task RenewCertAsync(string ns, string secretName, string[] hosts, KCertParams p)
+    public async Task RenewCertAsync(string ns, string secretName, string[] hosts)
     {
         _log.Clear();
 
         try
         {
-            var (kid, initNonce) = await InitAsync(p.AcmeKey, p.AcmeDirUrl, p.AcmeEmail, p.TermsAccepted);
+            var (kid, initNonce) = await InitAsync(_cfg.AcmeKey, _cfg.AcmeDir, _cfg.AcmeEmail, _cfg.AcmeAccepted);
             _log.LogInformation("Initialized renewal process for secret {ns}/{secretName} - hosts {hosts} - kid {kid}",
                 ns, secretName, string.Join(",", hosts), kid);
 
-            var (orderUri, finalizeUri, authorizations, orderNonce) = await CreateOrderAsync(p.AcmeKey, hosts, kid, initNonce);
+            var (orderUri, finalizeUri, authorizations, orderNonce) = await CreateOrderAsync(_cfg.AcmeKey, hosts, kid, initNonce);
             _log.LogInformation("Order {orderUri} created with finalizeUri {finalizeUri}", orderUri, finalizeUri);
 
             var validateNonce = orderNonce;
             foreach (var authUrl in authorizations)
             {
-                validateNonce = await ValidateAuthorizationAsync(p.AcmeKey, kid, validateNonce, authUrl);
+                validateNonce = await ValidateAuthorizationAsync(_cfg.AcmeKey, kid, validateNonce, authUrl);
                 _log.LogInformation("Validated auth: {authUrl}", authUrl);
             }
 
-            var (certUri, finalizeNonce) = await FinalizeOrderAsync(p.AcmeKey, orderUri, finalizeUri, hosts, kid, validateNonce);
+            var (certUri, finalizeNonce) = await FinalizeOrderAsync(_cfg.AcmeKey, orderUri, finalizeUri, hosts, kid, validateNonce);
             _log.LogInformation("Finalized order and received cert URI: {certUri}", certUri);
-            await SaveCertAsync(p.AcmeKey, ns, secretName, certUri, kid, finalizeNonce);
+            await SaveCertAsync(_cfg.AcmeKey, ns, secretName, certUri, kid, finalizeNonce);
             _log.LogInformation("Saved cert");
         }
         catch (Exception ex)
diff --git a/Services/RenewalService.cs b/Services/RenewalService.cs
index d92154e..e5cbb66 100644
--- a/Services/RenewalService.cs
+++ b/Services/RenewalService.cs
@@ -32,7 +32,13 @@ public RenewalService(ILogger<RenewalService> log, KCertClient kcert, KCertConfi
 
     public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
 
-    public async Task StartAsync(CancellationToken cancellationToken)
+    public Task StartAsync(CancellationToken cancellationToken)
+    {
+        _ = StartInnerAsync(cancellationToken);
+        return Task.CompletedTask;
+    }
+
+    public async Task StartInnerAsync(CancellationToken cancellationToken)
     {
         int numFailures = 0;
         while (numFailures < MaxServiceFailures && !cancellationToken.IsCancellationRequested)
@@ -68,30 +74,22 @@ private async Task RunLoopAsync(CancellationToken tok)
 
     private async Task StartRenewalJobAsync(CancellationToken tok)
     {
-        var p = await _kcert.GetConfigAsync();
-        var autoRenewalEnabled = p?.EnableAutoRenew ?? false;
-        if (!autoRenewalEnabled)
+        if (!_cfg.EnableAutoRenew)
         {
             return;
         }
 
-        if (await _kcert.SyncHostsAsync())
-        {
-            _log.LogInformation("Challenge ingress was updated. Give it time to propagate...");
-            await Task.Delay(TimeSpan.FromSeconds(10), tok);
-        }
-
         _log.LogInformation("Checking for certs that need renewals...");
         foreach (var secret in await _k8s.GetManagedSecretsAsync())
         {
             tok.ThrowIfCancellationRequested();
-            await TryRenewAsync(p, secret, tok);
+            await TryRenewAsync(secret, tok);
         }
 
         _log.LogInformation("Renewal check completed.");
     }
 
-    private async Task TryRenewAsync(KCertParams p, V1Secret secret, CancellationToken tok)
+    private async Task TryRenewAsync(V1Secret secret, CancellationToken tok)
     {
         var cert = _cert.GetCert(secret);
         var hosts = _cert.GetHosts(cert);
@@ -107,12 +105,19 @@ private async Task TryRenewAsync(KCertParams p, V1Secret secret, CancellationTok
 
         try
         {
+            if (await _kcert.AddChallengeHostsAsync(hosts))
+            {
+                _log.LogInformation("Giving challenge ingress time to propagate");
+                await Task.Delay(TimeSpan.FromSeconds(10), tok);
+            }
+
             await _kcert.RenewCertAsync(secret.Namespace(), secret.Name());
-            await _email.NotifyRenewalResultAsync(p, secret.Namespace(), secret.Name(), null);
+            await _kcert.RemoveChallengeHostsAsync(hosts);
+            await _email.NotifyRenewalResultAsync(secret.Namespace(), secret.Name(), null);
         }
         catch (RenewalException ex)
         {
-            await _email.NotifyRenewalResultAsync(p, secret.Namespace(), secret.Name(), ex);
+            await _email.NotifyRenewalResultAsync(secret.Namespace(), secret.Name(), ex);
         }
     }
 }
diff --git a/Views/Certificate/Edit.cshtml b/Views/Certificate/Edit.cshtml
deleted file mode 100644
index 69883eb..0000000
--- a/Views/Certificate/Edit.cshtml
+++ /dev/null
@@ -1,68 +0,0 @@
-@inject CertClient _cert
-@model V1Secret
-@{ 
-    ViewData["Title"] = "Edit Cert";
-    var header = Model == null ? "New Cert" : $"Edit Cert: {Model.Namespace()} - {Model.Name()}";
-    var hosts = Model == null ? new List<string>{""} : _cert.GetHosts(_cert.GetCert(Model));
-}
-
-<h2>@header</h2>
-
-@if (Model != null)
-{
-<p>
-    <a class="btn btn-danger" asp-action="Delete" asp-route-ns="@Model.Namespace()" asp-route-name="@Model.Name()">Delete</a>
-</p>
-}
-
-<div id="HostForm" style="display: none;">
-    <form method="post" asp-action="Save">
-        @if(Model == null)
-        { 
-        <div class="form-group">
-            <label>Certificate Namespace</label>
-            <input type="text" class="form-control" name="ns" />
-        </div>
-        <div class="form-group">
-            <label>Certificate Name</label>
-            <input type="text" class="form-control" name="name" />
-        </div>
-        }
-        <div class="form-group" v-for="(h, i) in hosts">
-            <label>Host {{ i+1 }}:</label>
-            <div class="input-group">
-                <input type="text" :aria-label="`Host Number ${i}`" class="form-control" name="hosts[]" v-model="h">
-                <button type="button" class="btn btn-danger" @@click="deleteHost(i)">Delete</button>
-            </div>
-        </div>
-        <div>
-            <button type="button" class="btn btn-success" @@click="addHost()">Add Host</button>
-            <button type="submit" class="btn btn-primary">Save</button>
-        </div>
-    </form>
-</div>
-
-@section Scripts {
-<script src="https://unpkg.com/vue@next"></script>
-<script>
-    const hosts = @Html.Raw(JsonSerializer.Serialize(hosts));
-    const app = {
-        mounted() {
-            document.getElementById('HostForm').style.display = 'block'
-        },
-        data() {
-            return { hosts: hosts }
-        },
-        methods: {
-            addHost() {
-                this.hosts.push('')
-            },
-            deleteHost(idx) {
-                this.hosts.splice(idx, 1)
-            }
-        }
-    }
-
-    Vue.createApp(app).mount('#HostForm')
-</script>
-}
\ No newline at end of file
diff --git a/Views/Challenge/Index.cshtml b/Views/Challenge/Index.cshtml
deleted file mode 100644
index f3b7bdd..0000000
--- a/Views/Challenge/Index.cshtml
+++ /dev/null
@@ -1,14 +0,0 @@
-@model V1Ingress
-@{ 
-    ViewData["Title"] = "Challenge Routes";
-    var options = new JsonSerializerOptions { WriteIndented = true };
-    var data = Model?.Spec?.Rules?.Select(r => new { r.Host, Paths = r.Http.Paths.Select(p => p.Path) });
-}
-
-<h2>Ingress: @Model?.Namespace() - @Model?.Name()</h2>
-
-<p><a class="btn btn-primary" asp-action="Refresh">Refresh</a></p>
-
-<pre>
-@Html.Raw(JsonSerializer.Serialize(data, options))
-</pre>
\ No newline at end of file
diff --git a/Views/Configuration/Index.cshtml b/Views/Configuration/Index.cshtml
deleted file mode 100644
index 3c6577f..0000000
--- a/Views/Configuration/Index.cshtml
+++ /dev/null
@@ -1,98 +0,0 @@
-@model KCertParams
-@{ 
-    ViewData["Title"] = "Configuration";
-
-    var directories = new List<SelectListItem>
-        {
-        new SelectListItem{ Value = "https://acme-staging-v02.api.letsencrypt.org/directory", Text = "Staging"},
-        new SelectListItem{ Value = "https://acme-v02.api.letsencrypt.org/directory", Text = "Production"},
-    };
-}
-
-<h2>KCert Configuration Settings</h2>
-
-<form method="post" asp-action="Save">
-    <div class="form-group">
-        <label for="AcmeDir">ACME Directory URL</label>
-        <select id="AcmeDir" name="AcmeDir" class="form-control" asp-for="AcmeDirUrl" asp-items="directories"></select>
-        <small id="AcmeDirHelp" class="form-text text-muted">The mail URL for the ACME server.</small>
-    </div>
-    <div class="form-group">
-        <label for="AcmeEmail">ACME Account Email Address</label>
-        <input asp-for="AcmeEmail" type="email" class="form-control" id="AcmeEmail" name="AcmeEmail" aria-describedby="AcmeEmailHelp">
-        <small id="AcmeEmailHelp" class="form-text text-muted">Email address to use for account.</small>
-    </div>
-    <div class="form-group">
-        <label for="AcmeKey">ACME Key</label>
-        <input id="AcmeKeyField" asp-for="AcmeKey" type="text" class="form-control" aria-describedby="AcmeKeyHelp" value="******">
-        <small id="AcmeKeyHelp" class="form-text text-muted">Account RSA Key. Leave empty to generate a new one. <a href="#" onclick="showKey()">show</a></small>
-    </div>
-    <div class="form-group form-check">
-        <div>
-            <input asp-for="TermsAccepted" type="checkbox" class="form-check-input" id="TermsAccepted" name="TermsAccepted">
-            <label class="form-check-label" for="TermsAccepted">Accept <a href="@ViewBag.TermsOfService" target="_blank">ACME Terms of Service</a></label>
-        </div>
-        <div>
-            <input asp-for="EnableAutoRenew" type="checkbox" class="form-check-input" id="EnableAutoRenew" name="EnableAutoRenew">
-            <label class="form-check-label" for="EnableAutoRenew">Automatically Renew Certs</label>
-        </div>
-    </div>
-    <div>
-        <button type="submit" class="btn btn-primary">Save</button>
-    </div>
-
-    <hr />
-    
-    <h4>Email Settings <small>(optional)</small></h4>
-
-    <div class="form-group">
-        <label for="EmailFrom">From Address</label>
-        <input asp-for="EmailFrom" type="email" class="form-control" id="EmailFrom" name="EmailFrom" aria-describedby="EmailFromHelp">
-        <small id="EmailFromHelp" class="form-text text-muted">The email address from which emails are coming from.</small>
-    </div>
-    <div class="form-group">
-        <label for="SmtpHost">SMTP Host</label>
-        <input asp-for="SmtpHost" type="text" class="form-control" id="SmtpHost" name="SmtpHost" aria-describedby="SmtpHostHelp">
-        <small id="SmtpHostHelp" class="form-text text-muted">The host name of the SMTP server.</small>
-    </div>
-    <div class="form-group">
-        <label for="SmtpPort">SMTP Port</label>
-        <input asp-for="SmtpPort" type="number" class="form-control" id="SmtpPort" name="SmtpPort" aria-describedby="SmtpPortHelp">
-        <small id="SmtpPortHelp" class="form-text text-muted">The port of the SMTP server.</small>
-    </div>
-    <div class="form-group">
-        <label for="SmtpUser">SMTP User Name</label>
-        <input asp-for="SmtpUser" type="text" class="form-control" id="SmtpUser" name="SmtpUser" aria-describedby="SmtpUserHelp">
-        <small id="SmtpUserHelp" class="form-text text-muted">The SMTP user name.</small>
-    </div>
-    <div class="form-group">
-        <label for="SmtpPass">SMTP Password</label>
-        <input asp-for="SmtpPass" type="password" class="form-control" id="SmtpPass" name="SmtpPass" aria-describedby="SmtpPassHelp" value="@Model.SmtpPass">
-        <small id="SmtpPassHelp" class="form-text text-muted">The SMTP user password.</small>
-    </div>
-    <div>
-        <button type="submit" class="btn btn-primary">Save</button>
-        @if (!string.IsNullOrWhiteSpace(Model.SmtpHost))
-        {
-        <a class="btn btn-info" asp-action="TestEmail">Send Test Email</a>
-        }
-    </div>
-</form>
-
-@section Scripts {
-<script>
-    const configState = {
-        key: {
-            show: false,
-            value: "@Model.AcmeKey",
-        },
-    }
-
-    const showKey = () => {
-        const cfg = configState.key
-        const el = document.getElementById('AcmeKeyField')
-        el.value = cfg.show ? '******' : configState.key.value
-        cfg.show = !cfg.show
-    }
-</script>
-}
\ No newline at end of file
diff --git a/Views/Home/Challenge.cshtml b/Views/Home/Challenge.cshtml
new file mode 100644
index 0000000..2c241f2
--- /dev/null
+++ b/Views/Home/Challenge.cshtml
@@ -0,0 +1,16 @@
+@model V1Ingress
+@{ 
+    ViewData["Title"] = "Challenge Routes";
+    var options = new JsonSerializerOptions { WriteIndented = true };
+}
+
+<h2>Challenge Ingress</h2>
+
+<p>
+    The Challenge Ingress ".well-known/acme-challenge" requests to KCert for validation.
+    There is a "dummy.example.test" entry in the routes because we can't have an empty Ingress.
+</p>
+
+<pre>
+@Html.Raw(JsonSerializer.Serialize(Model?.Spec?.Rules, options))
+</pre>
diff --git a/Views/Home/Configuration.cshtml b/Views/Home/Configuration.cshtml
new file mode 100644
index 0000000..7035c8c
--- /dev/null
+++ b/Views/Home/Configuration.cshtml
@@ -0,0 +1,24 @@
+@inject KCertConfig _cfg
+@{
+    ViewData["Title"] = "Configuration";
+    var options = new JsonSerializerOptions { WriteIndented = true };
+    var data = _cfg.AllConfigs;
+}
+
+<h2>KCert Configuration</h2>
+
+<p>
+    The following is a summary KCert settings. Settings can be overridden using environment variables such as
+    "KCERT__SERVICENAME" (with two underscores) to configure the "KCert:ServiceName" value.
+</p>
+
+<pre>
+@Html.Raw(JsonSerializer.Serialize(data, options))
+</pre>
+
+@if (!string.IsNullOrWhiteSpace(_cfg.SmtpHost))
+{
+<div>
+    <a class="btn btn-info" asp-action="TestEmail">Send Test Email</a>
+</div>
+}
diff --git a/Views/Home/Home.cshtml b/Views/Home/Home.cshtml
new file mode 100644
index 0000000..cdf25ef
--- /dev/null
+++ b/Views/Home/Home.cshtml
@@ -0,0 +1,52 @@
+@inject CertClient _cert
+@model List<V1Secret>
+@{
+    ViewData["Title"] = "Ingress";
+    var rows = Model.Select(r =>
+    {
+        var cert = _cert.GetCert(r);
+        var hosts = _cert.GetHosts(cert);
+        return new
+        {
+            Namespace = r.Namespace(),
+            Secret = r.Name(),
+            Hosts = string.Join("<br>", hosts.Select(h => $"<a target='_blank' href='https://{h}'>{h}</a>")),
+            Created = cert?.NotBefore.ToString("s"),
+            Expiration = cert?.NotAfter.ToString("s")
+        };
+    });
+}
+
+<h2>Managed Certificates</h2>
+
+<div>
+    <table class="table">
+        <thead>
+            <tr>
+                <th scope="col">Namespace</th>
+                <th scope="col">Secret</th>
+                <th scope="col">Hosts</th>
+                <th scope="col">Created</th>
+                <th scope="col">Expiration</th>
+                <th scope="col">Actions</th>
+            </tr>
+        </thead>
+        <tbody>
+            @foreach (var row in rows)
+            {
+            <tr>
+                <td>@row.Namespace</td>
+                <td>@row.Secret</td>
+                <td>@Html.Raw(row.Hosts)</td>
+                <td>@row.Created</td>
+                <td>@row.Expiration</td>
+                <td>
+                    <a class="btn btn-primary" asp-action="Renew" asp-route-ns="@row.Namespace" asp-route-name="@row.Secret">
+                        Renew
+                    </a>
+                </td>
+            </tr>
+            }
+        </tbody>
+    </table>
+</div>
diff --git a/Views/Home/Index.cshtml b/Views/Home/Index.cshtml
deleted file mode 100644
index 044fbec..0000000
--- a/Views/Home/Index.cshtml
+++ /dev/null
@@ -1,48 +0,0 @@
-@inject CertClient _cert
-@model List<V1Secret>
-@{ ViewData["Title"] = "Ingress"; }
-
-<h2>Managed Certificates</h2>
-
-@if (ViewBag.HostsUpdated)
-{
-    <div class="alert alert-info" role="alert">
-        Challenge Ingress was updated.
-    </div>
-
-}
-
-<p><a class="btn btn-primary" asp-controller="Certificate" asp-action="New">New Cert</a></p>
-
-<div>
-    <table class="table">
-        <thead>
-            <tr>
-                <th scope="col">Namespace</th>
-                <th scope="col">Secret</th>
-                <th scope="col">Hosts</th>
-                <th scope="col">Created</th>
-                <th scope="col">Expiration</th>
-                <th scope="col">Actions</th>
-            </tr>
-        </thead>
-        <tbody>
-            @foreach (var row in Model)
-            {
-                var cert = _cert.GetCert(row);
-                var hosts = _cert.GetHosts(cert);
-<tr>
-    <td>@row.Namespace()</td>
-    <td>@row.Name()</td>
-    <td>@Html.Raw(string.Join("<br>", hosts.Select(h => $"<a target='_blank' href='https://{h}'>{h}</a>")))</td>
-    <td>@cert?.NotBefore.ToString("s")</td>
-    <td>@cert?.NotAfter.ToString("s")</td>
-    <td>
-        <a class="btn btn-primary" asp-action="Renew" asp-route-ns="@row.Namespace()" asp-route-name="@row.Name()">Renew</a>
-        <a class="btn btn-warning" asp-controller="Certificate" asp-action="Edit" asp-route-ns="@row.Namespace()" asp-route-name="@row.Name()">Edit</a>
-        <a class="btn btn-info" asp-controller="Manage" asp-action="Unmanage" asp-route-ns="@row.Namespace()" asp-route-name="@row.Name()">Unmanage</a>
-    </td>
-</tr>            }
-        </tbody>
-    </table>
-</div>
diff --git a/Views/Manage/Index.cshtml b/Views/Manage/Index.cshtml
deleted file mode 100644
index 18b472e..0000000
--- a/Views/Manage/Index.cshtml
+++ /dev/null
@@ -1,38 +0,0 @@
-@inject CertClient _cert
-@model List<V1Secret>
-@{ 
-    ViewData["Title"] = "Ingress";
-    var secrets = Model;
-}
-
-<h2>Managed TLS Secrets</h2>
-
-<div>
-    <table class="table">
-        <thead>
-            <tr>
-                <th scope="col">Namespace</th>
-                <th scope="col">Secret</th>
-                <th scope="col">Hosts</th>
-                <th scope="col">Created</th>
-                <th scope="col">Expiration</th>
-                <th scope="col">Actions</th>
-            </tr>
-        </thead>
-        <tbody>
-            @foreach (var row in secrets)
-            {
-                var cert = _cert.GetCert(row);
-                var hosts = _cert.GetHosts(cert);
-            <tr>
-                <td>@row.Namespace()</td>
-                <td>@row.Name()</td>
-                <td>@Html.Raw(string.Join("<br>", hosts.Select(h => $"<a target='_blank' href='https://{h}'>{h}</a>")))</td>
-                <td>@cert?.NotBefore.ToString("s")</td>
-                <td>@cert?.NotAfter.ToString("s")</td>
-                <td><a class="btn btn-primary" asp-action="Manage" asp-route-ns="@row.Namespace()" asp-route-name="@row.Name()">Manage</a></td>
-            </tr>           
-            }
-        </tbody>
-    </table>
-</div>
diff --git a/Views/Shared/_Layout.cshtml b/Views/Shared/_Layout.cshtml
index dd89d2a..bde0570 100644
--- a/Views/Shared/_Layout.cshtml
+++ b/Views/Shared/_Layout.cshtml
@@ -10,11 +10,9 @@
     <div class="container">
         <header>
             <nav class="navbar navbar-expand-lg navbar-light bg-light">
-                <a class="navbar-brand" asp-controller="Home" asp-action="Index">KCert</a>
-                <a class="nav-link" asp-controller="Home" asp-action="Index">Home</a>
-                <a class="nav-link" asp-controller="Manage" asp-action="Index">Unmanaged Certs</a>
-                <a class="nav-link" asp-controller="Challenge" asp-action="Index">Challenge Ingress</a>
-                <a class="nav-link" asp-controller="Configuration" asp-action="Index">Configuration</a>
+                <a class="navbar-brand" asp-action="Home">KCert</a>
+                <a class="nav-link" asp-action="Challenge">Challenge Ingress</a>
+                <a class="nav-link" asp-action="Configuration">Configuration</a>
             </nav>
         </header>
         <main role="main" class="pb-3">
diff --git a/appsettings.json b/appsettings.json
index 132c6fb..d88f56d 100644
--- a/appsettings.json
+++ b/appsettings.json
@@ -1,20 +1,18 @@
 {
-  "Logging": {
-    "LogLevel": {
-      "Default": "Information",
-      "Microsoft": "Warning",
-      "Microsoft.Hosting.Lifetime": "Information"
-    }
+  "KCert": {
+    "Namespace": "kcert",
+    "IngressName": "kcert",
+    "SecretName": "kcert",
+    "ServiceName": "kcert",
+    "ServicePort": 80,
+    "AcceptAllChallenges": false
   },
-  "AllowedHosts": "*",
-  "Namespace": "kcert",
-  "Label": "kcert",
-  "SecretName": "kcert",
-  "ServiceName": "kcert",
-  "IngressName": "kcert",
-  "ServicePort": 80,
-  "AcmeWaitTimeSeconds": 10,
-  "AcmeNumRetries": 5,
-  "RenewalCheckTimeHours": 6,
-  "RenewalExpirationRenewalDays": 30
+  "Acme": {
+    "DirUrl": "https://acme-staging-v02.api.letsencrypt.org/directory",
+    "ValidationWaitTimeSeconds": 10,
+    "ValidationNumRetries": 5,
+    "RenewalCheckTimeHours": 6,
+    "RenewalExpirationRenewalDays": 30,
+    "AutoRenewal": true
+  }
 }
diff --git a/deploy.yml b/deploy.yml
index e7d2099..2085c20 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -15,14 +15,11 @@ metadata:
   name: kcert
 rules:
 - apiGroups: [""]
-  resources: ["namespaces"]
-  verbs: ["get", "list"]
-- apiGroups: [""]
-  resources: ["secrets", "services"]
-  verbs: ["get", "list", "create", "update", "patch", "delete"]
+  resources: ["secrets"]
+  verbs: ["get", "list", "create", "update", "patch"]
 - apiGroups: ["networking.k8s.io"]
   resources: ["ingresses"]
-  verbs: ["get", "create", "update", "patch", "delete"]
+  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -37,6 +34,31 @@ roleRef:
   name: kcert
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kcert
+  namespace: kcert
+rules:
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  resourceNames: ["kcert"]
+  verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kcert
+  namespace: kcert
+subjects:
+- kind: ServiceAccount
+  name: kcert
+  namespace: kcert
+roleRef:
+  kind: ClusterRole
+  name: kcert
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -57,15 +79,39 @@ spec:
       serviceAccountName: kcert
       containers:
       - name: kcert
-        image: nabsul/kcert:v0.9.2
+        image: ghcr.io/nabsul/kcert:sha-fe8d892
         ports:
         - containerPort: 80
           name: http
         env:
-        - name: ASPNETCORE_ENVIRONMENT
-          value: Development
-        - name: KCERT_NAMESPACE
+        - name: NAMESPACE
           value: kcert
+        - name: ENABLEAUTORENEWAL
+          value: "true"
+        - name: ACME__DIRURL
+          value: https://acme-v02.api.letsencrypt.org/directory
+        - name: ACME__TERMSACCEPTED
+          value: # You must set this to "true" to indicate your acceptance of Let's Encrypt's terms of service (https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)
+        - name: ACME__EMAIL
+          value: # Your email address for Let's Encrypt and email notifications
+        - name: ACME__KEY
+          valueFrom:
+            secretKeyRef:
+              name: kcert
+              key: acme
+        - name: SMTP__EMAILFROM
+          value: # The address from which you will send automated emails
+        - name: SMTP__HOST
+          value: SMTP host for email notifications
+        - name: SMTP__PORT
+          value: "587" # Change this if necessary
+        - name: SMTP__USER
+          value: # SMTP user name
+        - name: SMTP__PASS
+          valueFrom:
+            secretKeyRef:
+              name: kcert
+              key: smtp
 ---
 apiVersion: v1
 kind: Service
@@ -82,3 +128,23 @@ spec:
       targetPort: 80
   selector:
     app: kcert
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kcert
+  namespace: kcert
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+  - host: dummy.example.test # needed because we can't have an empty ingress
+    http:
+      paths:
+      - path: /.well-known/acme-challenge
+        pathType: Prefix
+        backend:
+          service:
+            name: kcert
+            port:
+              number: 80
diff --git a/docker-compose.yml b/docker-compose.yml
deleted file mode 100644
index db285d5..0000000
--- a/docker-compose.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-version: "3"
-services:
-  kcert:
-    build: .
-    ports:
-      - "8081:80"
-    environment:
-      - ASPNETCORE_ENVIRONMENT=development
-      - KCERT_CONFIG=/kubeconfig/config
-      - KCERT_LABEL=kcert-dev
-      - KCERT_NAMESPACE=kcert-dev
-    volumes:
-      - ./kubeconfig:/kubeconfig
diff --git a/wwwroot/favicon.ico b/wwwroot/favicon.ico
index a8387e667c6e5e0a47281f1d5ae27e33e6f75b12..1847f2a2c9676a23f60ed2112170d77df1218fba 100644
GIT binary patch
literal 15406
zcmeHNYmgPi6&|Diqd)ws3sDQ75R({1W6;tnL$pX$Qh5@~BwD4VWnwh3N>M4bBx=-B
zOREU5JOc8DrEo<l0YO;a4-vxRiYSle;c{p0WA2?h_s+EE>wCL*9zAnsmWAClx2vXR
zrl-$2U!Und-F?o{v~#p`we!!{=-#5;f1ajYr)gSCOYMEc1)A1Mb)!brzh9<l9T#fa
z2x>zlL{Y1!o3fmmdePIFsV!x?Sjww>8ni-IU*rnf^!I7QS!TxNA-eLx70f9dXI9rz
z{;lxQ-}pP~a_zrk*(G-{`^Y-xR?7^<t(dH|cZTF+AKS$1?L%u=ru9<h<PO!|yE~Zv
z&X1W}&hmGnB);9u$sb|XXN#2d=7tHiwyr~R$Fkzqm+G{P71lj2X}teR$gdpV#vJn`
zZ*To?Hg8)dIilz@u85_t5^mS2@aFlI_wlyY{sn@Z_suI;JPY~gKlFkE-RU#0WM;=i
zNuOOhHda39_5XgKxmHbIrQMU6KI<B;GcZAYHPgu|J$snB{z=KJd}uXu=v(=Vc3x+0
ze3rjE#U5tNznK~HZe-=pm&yO&RxMWC{;H%G{YZ3gy^QFF^^I0N$4+MsoX#BNv`V9p
zq7rtdg|0Dl!9GP5Hc|Ud&wnnSKsxSDq-V9R((1h%GP&%jTy|ReerexRlYKV(9mGA5
zvV&Nf@BK5j2ag_UP1Wc8kZkuTmcbeu(?8hl%E?cBSAO+FJ{oi5MBjI`#~SUmySev%
z&uzM69+&G2Un3lwRgD9Dea*Jr>EjDr#hq{X+T#Ull)#KW^sd*vO$)0Z=54U10ZWon
z-10BUSMYBnzqIS^5bMf`?Zk)HoN3=<71~oIErqp@rIN4D`4QjS`1rdn%P#u`=Tlh!
zgzuAlp}k7=R422KuIE?f<SxDk%Dwl8RPsxErc0LMq1?4Z@~EELC#vP$wRGAi{Y<tI
zdXBnB>ED<;TJG-zbGK4t#@rh?Z+-T)RPBmS@@{T=F0pK2ijr@Awpj8M55?`TN#42T
zzZBKJyRq<A*(R#b-g=dMi}pse@$>Pm>Rl`|eT3wlfBzoeck!Zo+IZzeJ*(u4eYN0;
zd;WvJNZH_(UvanhvwY69UgB#PC0Ep|<QI3o$(&L~^2CFaKg#!>f-bxC=f3aa1>-`r
zNpe@ohy5`-o)IkNUF_jGU(&Nnwk=q4%YW4`@}WoAO<%zor0p)r-=_U}u)tm=>9=ST
z)qi}?ue>+Np4Ne#WcO<OZJfnIbI_@>%CXIS?_cg(%y3?@_RnY5-kC~Vaq@w|J{q>K
zg^zpBU8UVqLKveeGBd9VVQ3_ukF&sBbV{daZ5>(XHH@DLRdXhYLuDJxP0zDx?y&DF
ztbNpn)1ot6uuXC6%f2?oywR+<<8}H!yJ*cQ_KGI#PT?rC53M5GIod}f#=x1l<7}(X
zx|*+%XM%r|XKMe@S^M`1|II+2f%rKzA<ll+Ti^_QHucbrvoFryQGS8{mwNa~$VIE&
zLsy)igg$GT$-}?fGv%W3G+sI~(^`rHHEtTptzqlnSP8ShPG^<3GE-WthV-=F4vID$
zD`6ITA4=GT4hgdyGoo(j-3Rx0Z=}z`JXafGZ+;&fwy60Zn*ZV3Fb2q<0Dq#f;1-5+
zs6lbi43C{9U-OOmH?i`8<;u(IoX-s6AKE{V+~T%>D`_~dt~QqY;7>$X^C<{=#2K?~
z<5&r2+7mmNYn#1iTJhvodF&QvTXXXyYES;<>4*oa`-FIBRB^~}X)G8MqRqAchPkDl
zC^GJ&@tx}_-VDEqeeivy-#U^JeSn|aSae$mgXm9M{5r(}tbKDrzC<qubHh{8p99^&
zNA8k;qc6p^3oIMs|4fS?@pdOh_ZSy4zCm#g6aH|gmJ`qy{7&H*#ixJLPx>E5@sPGi
z81Qexe<uEIuKl+(#`BTwlYFRV_Dlb`;Oo7o(LeAog@3b#!{t6bj4#fg?)I@Q4I#o`
zYIkp9R_9y>za1`&Pvi+yy2)oqe(yN{ZBqQeWp{6k#N(JJSnl0lOWo%wE)qND$%lqG
zkFhXpAH4c)^qdU;FqU8S0NH|EBz|j8E7|V4pPhWM#VwQQU)AzNR74op*=6Hoe;eV9
z`kn+o>~<|47mm#U8}e;<T(WMX^%*1hSW@8@bynxR-gzEj+oLdh>yzL|Tm$(i%0jj!
zzviz#J)$r6;Wf(Uq7v(Y7e`;88{tQ6pz`%@AvSP#nf=v=KHUQc;>5^PiYv(3=__V0
zT|9mxe%w&*P|aTY_X);3*YVhN9R8?0D=)Sr&vE#9ye<$Y@M40WUnK*3Cd5?Y3Ub&~
zv}x<&@MG=9_=qYt?B9Z)hH&V!e-LYH!LK(~qTZJ!?MEDb?B5WpiPR<S6-#6{gYi+s
zD9Q)hqq@!OjYYSI`kfTBw_PLr*neV-BcD-Kus;mN7inyiKAlR<)%F&A@~a*^Yxs4F
zvGIKm<teBNawpKntCzysfB0io0m7)*p_fOJ=Op?EpZtnH(tf}nf0mG_U*0?bw8x$o
z@#(07IBtK$-jd?Sp4d7-IRp^}IXajtUY$Y5k%jD9m2x~W&Wf8~V91FrtotV`eDrs^
z9;sclF2?Qsxt>y-zhG;yPg53}%htZx%xl-N4pbx8J|!1_CH1km?G@6Ae|_=lD6#(Q
zdla+dX}=858}@g>xs3JO$$sf+mF|(}K*y{VY4P*5iRNom!TC#`0qT9mxq;^eQ650r
zQl@-weWp4mI_>!3|E+!|^u@yipv<i=hW<JBJMcU3e$ZG;TI?@Z`f^mfV+YUh6CggX
zy6hwCm1j47)=2W5ysM-EpECIw;Fk%?!ui0Mdp+gt{F%>{O3z-#>iP1rKV-|0%YgkK
z&J_6-<9p8)_5T^-JCOBs*1`D#a~)$dxRwtptOKd1rtI*1XzHY?lYtlmLpcUn&nFnd
pcD0rZF_iNMC<kIF=WmD{6qyS#nCC-%ynFL!fWKLq8tAJAz5!Bb9PI!A

literal 1150
zcmbu9K@P$&3<O<?2lUi4M{azJ_wY>~0k*1<R@NphkScXN-reTZh$WwOjeK9@af#R>
z;+8v6lAUL<>-D_9Yme4HbG*OgpYhh6(dqqR`dww5onL2U!e-TFDJ!q8QI=}d-#NYJ
zz^KgVU7cxWGqTWB?aMKz(G2y#yGMJ~a3-Vo>Z`Mx!_d+nRi}4sl!LaaYDT;?s#TqG
MbbU^5e+pl~57{4MX8-^I