diff --git a/services/communication/mas-configmap.yaml b/services/communication/mas-configmap.yaml
index cc859ba..25d4eb3 100644
--- a/services/communication/mas-configmap.yaml
+++ b/services/communication/mas-configmap.yaml
@@ -14,7 +14,9 @@ data:
     secrets:
       encryption_file: /etc/mas/secrets/encryption
-      keys_dir: /etc/mas/keys
+      keys:
+        - kid: "othrys-rsa-1"
+          key_file: /etc/mas/keys/rsa_key
     passwords:
       enabled: true
@@ -23,7 +25,7 @@ data:
       kind: synapse
       homeserver: live.bstein.dev
       endpoint: "http://othrys-synapse-matrix-synapse:8008/"
-      secret_file: /etc/mas/secrets/matrix_shared_secret
+      secret: "@@MATRIX_SHARED_SECRET@@"
     upstream_oauth2:
       providers:
@@ -33,7 +35,7 @@ data:
           human_name: "Keycloak"
           brand_name: "keycloak"
           client_id: "othrys-mas"
-          client_secret_file: /etc/mas/secrets/keycloak_client_secret
+          client_secret: "@@KEYCLOAK_CLIENT_SECRET@@"
           token_endpoint_auth_method: client_secret_post
           scope: "openid profile email"
           claims_imports:
diff --git a/services/communication/mas-deployment.yaml b/services/communication/mas-deployment.yaml
index 58df3c0..8f5bf0e 100644
--- a/services/communication/mas-deployment.yaml
+++ b/services/communication/mas-deployment.yaml
@@ -37,7 +37,14 @@ spec:
               set -euo pipefail
               umask 077
               DB_PASS_ESCAPED="$(printf '%s' "${MAS_DB_PASSWORD}" | sed 's/[\\/&]/\\&/g')"
-              sed "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" /etc/mas/config.yaml > /rendered/config.yaml
+              MATRIX_SECRET_ESCAPED="$(printf '%s' "${MATRIX_SHARED_SECRET}" | sed 's/[\\/&]/\\&/g')"
+              KC_SECRET_ESCAPED="$(printf '%s' "${KEYCLOAK_CLIENT_SECRET}" | sed 's/[\\/&]/\\&/g')"
+
+              sed \
+                -e "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" \
+                -e "s/@@MATRIX_SHARED_SECRET@@/${MATRIX_SECRET_ESCAPED}/g" \
+                -e "s/@@KEYCLOAK_CLIENT_SECRET@@/${KC_SECRET_ESCAPED}/g" \
+                /etc/mas/config.yaml > /rendered/config.yaml
               chmod 0644 /rendered/config.yaml
           env:
             - name: MAS_DB_PASSWORD
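Review bot: The new `keys:` list pins a single `kid: "othrys-rsa-1"` to `/etc/mas/keys/rsa_key`, so a future rotation done by overwriting that file in place would presumably put a different key behind an unchanged kid and break verification of tokens signed with the old one (cannot confirm MAS's JWKS behaviour from this hunk alone). The former `keys_dir` form left key naming to the directory contents; with explicit entries, rotation should be additive — append a second entry with a fresh kid and keep the old one until its tokens expire. That is worth a comment above the list: `# Rotate by appending a new kid; keep the old entry until its tokens have expired.`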
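Review bot: Switching from `secret_file:` to `secret: "@@MATRIX_SHARED_SECRET@@"` means the rendered config.yaml now carries the Matrix shared secret in plaintext, whereas the file reference kept it out of the config entirely; keeping `secret_file: /etc/mas/secrets/matrix_shared_secret` and projecting the `mas-secrets-runtime` Secret as a volume would avoid both the plaintext copy and the sed rendering step. If the placeholder stays, the contract should be stated next to it so nobody applies this ConfigMap without the init container in mas-deployment.yaml: `# placeholder, substituted by the render init container; a literal @@…@@ at runtime means rendering did not run`. The enclosing mapping (presumably `matrix:`) starts outside the hunk.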
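Review bot: `client_secret: "@@KEYCLOAK_CLIENT_SECRET@@"` is a double-quoted YAML scalar, but the render script only escapes sed metacharacters, so a client secret containing `"` or `\` would yield a malformed or reinterpreted value — Keycloak-generated secrets are usually plain alphanumerics, which is why this works today, but a manually set secret is not guaranteed to be. If rendering is ever skipped, the literal placeholder is what gets sent to the token endpoint via `client_secret_post`, and the failure surfaces only at first login rather than at startup. `client_secret_file:` with the Secret mounted as a file had neither problem and is the safer shape. The `providers:` entry this belongs to starts outside the hunk.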
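Review bot: The escaping on the two new `*_ESCAPED` lines protects sed (`\`, `/`, `&`) but not the YAML double-quoted scalars the values are spliced into, and a newline in any secret makes the multi-`-e` sed fail with an unterminated command, which under `set -e` crash-loops the pod without saying which secret is at fault. `set -u` already rejects an unset variable, but an empty value renders silently as `""`; adding `: "${MATRIX_SHARED_SECRET:?}" "${KEYCLOAK_CLIENT_SECRET:?}"` before the substitutions closes that gap, and a post-render `grep -q '@@[A-Z_]*@@' /rendered/config.yaml && exit 1` would catch a placeholder-name mismatch between the ConfigMap and this script. Since the rendered file now holds three plaintext secrets, the pre-existing `chmod 0644` deserves a second look — `0640` plus a matching `fsGroup`/`runAsUser` on the MAS container suffices if only one UID needs to read it. The script's beginning and the container spec continue outside the hunk.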
@@ -45,6 +52,16 @@ spec:
                secretKeyRef:
                  name: mas-db
                  key: password
+            - name: MATRIX_SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: mas-secrets-runtime
+                  key: matrix_shared_secret
+            - name: KEYCLOAK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: mas-secrets-runtime
+                  key: keycloak_client_secret
           volumeMounts:
             - name: config
               mountPath: /etc/mas/config.yaml
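Review bot: Injecting `matrix_shared_secret` and `keycloak_client_secret` as environment variables of the init container makes them readable from `/proc/<pid>/environ` by anything running as that UID and inherits them into every process the render script spawns; mounting `mas-secrets-runtime` as a volume at `/etc/mas/secrets` instead would let the ConfigMap keep its `secret_file:`/`client_secret_file:` references and drop the substitution step for these two values entirely. If the env route stays, a comment on the list should record why the DB password comes from `mas-db` while these two come from `mas-secrets-runtime`, since a reader will otherwise assume one Secret holds all MAS credentials. The `env:` list and the container spec start outside the hunk.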