diff --git a/services/comms/mas-configmap.yaml b/services/comms/mas-configmap.yaml
index a41ebeb..5e6cfdd 100644
--- a/services/comms/mas-configmap.yaml
+++ b/services/comms/mas-configmap.yaml
@@ -31,13 +31,13 @@ data:
 clients:
 - client_id: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
 client_auth_method: client_secret_basic
- client_secret_file: /etc/mas/admin-client/client_secret
+ client_secret_file: /vault/secrets/mas-admin-secret
 secrets:
- encryption_file: /etc/mas/secrets/encryption
+ encryption_file: /vault/secrets/mas-encryption
 keys:
 - kid: "othrys-rsa-1"
- key_file: /etc/mas/keys/rsa_key
+ key_file: /vault/secrets/mas-rsa-key
 passwords:
 enabled: true
diff --git a/services/comms/mas-deployment.yaml b/services/comms/mas-deployment.yaml
index 532c9da..afe6135 100644
--- a/services/comms/mas-deployment.yaml
+++ b/services/comms/mas-deployment.yaml
@@ -117,26 +117,6 @@ spec:
 - name: rendered
 mountPath: /rendered
 readOnly: true
- - name: vault-secrets
- mountPath: /etc/mas/secrets/encryption
- subPath: mas-encryption
- readOnly: true
- - name: vault-secrets
- mountPath: /etc/mas/secrets/matrix_shared_secret
- subPath: mas-matrix-shared
- readOnly: true
- - name: vault-secrets
- mountPath: /etc/mas/secrets/keycloak_client_secret
- subPath: mas-kc-secret
- readOnly: true
- - name: vault-secrets
- mountPath: /etc/mas/keys/rsa_key
- subPath: mas-rsa-key
- readOnly: true
- - name: vault-secrets
- mountPath: /etc/mas/admin-client/client_secret
- subPath: mas-admin-secret
- readOnly: true
 resources:
 requests:
 cpu: 200m
@@ -153,8 +133,6 @@ spec:
 path: config.yaml
 - name: rendered
 emptyDir: {}
- - name: vault-secrets
- emptyDir: {}
 - name: vault-scripts
 configMap:
 name: comms-vault-env
diff --git a/services/keycloak/ingress.yaml b/services/keycloak/ingress.yaml
index 39f6cb0..9efb18e 100644
--- a/services/keycloak/ingress.yaml
+++ b/services/keycloak/ingress.yaml
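Review bot: Only three file references are repointed in the mas-configmap.yaml hunk (`client_secret_file`, `encryption_file`, `key_file`), while the mas-deployment.yaml hunk in the same commit removes five mounts, including `/etc/mas/secrets/matrix_shared_secret` and `/etc/mas/secrets/keycloak_client_secret`. If the rest of the MAS config, which lies outside the hunk, still names either of those two paths, the service would presumably fail to read them once the mounts are gone; they would then need to move to `/vault/secrets/mas-matrix-shared` and `/vault/secrets/mas-kc-secret` (names inferred from the removed `subPath` values, to be confirmed). Nothing in the visible hunks shows what populates `/vault/secrets` or with which file mode, so I would add a comment above `clients:` such as `# secret files below are expected under /vault/secrets; keep names in sync with the pod's Vault configuration`. It is also worth checking that the RSA signing key and the encryption secret end up readable only by the MAS container user, since the explicit `readOnly: true` subPath mounts no longer apply.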
@@ -6,6 +6,8 @@ metadata:
 namespace: sso
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
 ingressClassName: traefik
 rules:
diff --git a/services/oauth2-proxy/ingress.yaml b/services/oauth2-proxy/ingress.yaml
index 0f5830c..39f71da 100644
--- a/services/oauth2-proxy/ingress.yaml
+++ b/services/oauth2-proxy/ingress.yaml
@@ -7,6 +7,8 @@ metadata:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt
 traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-errors@kubernetescrd
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
 ingressClassName: traefik
 rules:
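Review bot: `traefik.ingress.kubernetes.io/router.tls: "true"` on the keycloak ingress makes the router TLS-only but does not select a certificate, and the `spec.tls` block is outside this hunk. Confirm that it names the secret cert-manager issues, because otherwise Traefik would serve its default certificate for the SSO host. The same applies to the identical pair of annotations in the services/oauth2-proxy/ingress.yaml hunk. If the block is missing, add it under `spec:`, e.g. `tls:` / `- hosts: [<sso-host>]` / `secretName: <sso-tls-secret>` (placeholders). Restricting both routers to `websecure` also means plain-HTTP requests for these hosts no longer match a router, so an entrypoint-level HTTP-to-HTTPS redirect is worth confirming.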