From e92cfa7dba9f86442406471d90b94c2d095f9f16 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 14 Jan 2026 14:17:26 -0300
Subject: [PATCH] vault: move comms and mailu workloads to injector

---
services/comms/atlasbot-deployment.yaml | 44 ++++++++++++----
services/comms/bstein-force-leave-job.yaml | 18 +++----
services/comms/coturn.yaml | 45 ++++++++++++----
services/comms/guest-name-job.yaml | 46 +++++++++++++----
services/comms/guest-register-deployment.yaml | 14 ++---
services/comms/livekit.yaml | 48 ++++++++++++-----
services/comms/mas-deployment.yaml | 51 +++++++++++++----
.../comms/mas-local-users-ensure-job.yaml | 48 +++++++++++++----
services/comms/othrys-kick-numeric-job.yaml | 48 +++++++++++++----
services/comms/pin-othrys-job.yaml | 46 +++++++++++++----
services/comms/reset-othrys-room-job.yaml | 46 +++++++++++++----
services/comms/scripts/comms_vault_env.sh | 2 +-
services/comms/seed-othrys-room.yaml | 46 +++++++++++++----
.../synapse-seeder-admin-ensure-job.yaml | 48 +++++++++++++----
services/comms/synapse-user-seed-job.yaml | 48 +++++++++++++----
services/mailu/mailu-sync-cronjob.yaml | 28 ++++++----
services/mailu/mailu-sync-job.yaml | 30 +++++++----
services/mailu/mailu-sync-listener.yaml | 27 ++++++----
services/mailu/scripts/mailu_vault_env.sh | 2 +-
19 files changed, 521 insertions(+), 164 deletions(-)

diff --git a/services/comms/atlasbot-deployment.yaml b/services/comms/atlasbot-deployment.yaml
index 0622d32..5aa433f 100644
--- a/services/comms/atlasbot-deployment.yaml
+++ b/services/comms/atlasbot-deployment.yaml
@@ -17,6 +17,41 @@ spec: app: atlasbot annotations: checksum/atlasbot-configmap: manual-atlasbot-4 + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "comms" + vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret" + vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: | + {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api" + vault.hashicorp.com/agent-inject-template-livekit-api__primary: | + {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: | + {{- with secret 
"kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: serviceAccountName: atlasbot nodeSelector: @@ -58,9 +93,6 @@ spec: - name: kb mountPath: /kb readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - name: vault-scripts mountPath: /vault/scripts readOnly: true 
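Review bot: The same eleven-secret annotation block (TURN static auth secret, LiveKit API key, atlasbot bot/seeder passwords, both chat-ai keys, the MAS admin client secret, the Synapse and MAS database passwords, the MAS shared and Keycloak secrets) is added verbatim to this pod template and again, unchanged, in coturn.yaml, guest-name-job.yaml, livekit.yaml, mas-deployment.yaml, mas-local-users-ensure-job.yaml and othrys-kick-numeric-job.yaml, so every one of those pods gets every secret rendered into /vault/secrets whether or not its container reads it; a compromise of coturn, which plausibly needs only `turn-shared-secret__TURN_STATIC_AUTH_SECRET`, would expose the database passwords and the admin client secret. The removed `comms-vault` SecretProviderClass presumably exposed a similar set, so this may not be a regression, but bstein-force-leave-job.yaml and guest-register-deployment.yaml in this same commit show the scoped form (only `mas-admin-client-runtime__client_secret`), and each workload's block should be trimmed to the files comms_vault_env.sh actually consumes for it, with the `comms` Vault policy ideally split per role to match. Separately, this pod runs as `serviceAccountName: atlasbot` while the other workloads use `comms-vault`; the `comms` Kubernetes auth role must include `atlasbot` among its bound service account names or the agent init container will fail to authenticate and the pod will sit in Init, which cannot be confirmed from this diff.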
@@ -82,12 +114,6 @@ spec: path: catalog/runbooks.json - key: atlas-http.mmd path: diagrams/atlas-http.mmd - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: comms-vault - name: vault-scripts configMap: name: comms-vault-env diff --git a/services/comms/bstein-force-leave-job.yaml b/services/comms/bstein-force-leave-job.yaml index 42428d8..e694127 100644 --- a/services/comms/bstein-force-leave-job.yaml +++ b/services/comms/bstein-force-leave-job.yaml @@ -2,28 +2,26 @@ apiVersion: batch/v1 kind: Job metadata: - name: bstein-leave-rooms-7 + name: bstein-leave-rooms-8 namespace: comms spec: backoffLimit: 0 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "comms" + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} spec: restartPolicy: Never serviceAccountName: comms-vault volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: comms-vault containers: - name: leave image: python:3.11-slim volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true env: - name: MAS_ADMIN_CLIENT_ID value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM diff --git a/services/comms/coturn.yaml b/services/comms/coturn.yaml index ac7e57b..6c3f61c 100644 --- a/services/comms/coturn.yaml +++ b/services/comms/coturn.yaml 
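Review bot: bstein-force-leave-job.yaml enables the injector on a Job pod with `restartPolicy: Never` but does not set `vault.hashicorp.com/agent-pre-populate-only: "true"`; by default the injector adds a long-running vault-agent sidecar alongside the init container, so after the `leave` container exits the pod stays Running and the Job never reaches Complete (and `backoffLimit: 0` does not help), unless the injector is running in a native-sidecar mode, which nothing here indicates. The same gap is in guest-name-job.yaml, mas-local-users-ensure-job.yaml (where `ttlSecondsAfterFinished: 3600` would then never fire) and othrys-kick-numeric-job.yaml in this commit. Add `vault.hashicorp.com/agent-pre-populate-only: "true"` next to `vault.hashicorp.com/agent-inject: "true"` in each Job's template annotations so only the init container runs and the secret files are rendered once before the main container starts; this also removes the sidecar's persistent Vault token from pods that only need the secret at startup.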
@@ -14,6 +14,42 @@ spec: metadata: labels: app: coturn + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "comms" + vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret" + vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: | + {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api" + vault.hashicorp.com/agent-inject-template-livekit-api__primary: | + {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ 
.Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: serviceAccountName: comms-vault nodeSelector: @@ -73,9 +109,6 @@ spec: - name: tls mountPath: /etc/coturn/tls readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - name: vault-scripts mountPath: /vault/scripts readOnly: true 
@@ -90,12 +123,6 @@ spec: - name: tls secret: secretName: turn-live-tls - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: comms-vault - name: vault-scripts configMap: name: comms-vault-env diff --git a/services/comms/guest-name-job.yaml b/services/comms/guest-name-job.yaml index 1f9004e..7e58e46 100644 --- a/services/comms/guest-name-job.yaml +++ b/services/comms/guest-name-job.yaml 
@@ -14,16 +14,47 @@ spec: spec: backoffLimit: 0 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "comms" + vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret" + vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: | + {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api" + vault.hashicorp.com/agent-inject-template-livekit-api__primary: | + {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: | + {{- with secret 
"kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never serviceAccountName: comms-vault volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: comms-vault - name: vault-scripts configMap: name: comms-vault-env 
@@ -32,9 +63,6 @@ spec: - name: rename image: python:3.11-slim volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - name: vault-scripts mountPath: /vault/scripts readOnly: true diff --git a/services/comms/guest-register-deployment.yaml b/services/comms/guest-register-deployment.yaml index bdf5c37..d3e218c 100644 --- a/services/comms/guest-register-deployment.yaml +++ b/services/comms/guest-register-deployment.yaml @@ -14,6 +14,11 @@ spec: metadata: annotations: checksum/config: guest-register-proxy-5 + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "comms" + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} labels: app.kubernetes.io/name: matrix-guest-register spec: @@ -84,9 +89,6 @@ spec: mountPath: /app/server.py subPath: server.py readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true command: - python - /app/server.py @@ -97,9 +99,3 @@ spec: items: - key: server.py path: server.py - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: comms-vault diff --git a/services/comms/livekit.yaml b/services/comms/livekit.yaml index adad92a..b204d6e 100644 --- a/services/comms/livekit.yaml +++ b/services/comms/livekit.yaml 
@@ -14,6 +14,42 @@ spec: metadata: annotations: checksum/config: livekit-config-v5 + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/role: "comms" + vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret" + vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: | + {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api" + vault.hashicorp.com/agent-inject-template-livekit-api__primary: | + {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: | + {{- 
with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} labels: app: livekit spec: @@ -49,9 +85,6 @@ spec: - name: config mountPath: /etc/livekit readOnly: false - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - name: vault-scripts mountPath: /vault/scripts readOnly: true 
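Review bot: `vault.hashicorp.com/agent-init-first: "true"` is set on this pod template (and on mas-deployment.yaml) but not on atlasbot-deployment.yaml or coturn.yaml, although all four mount the same comms-vault-env script from /vault/scripts. That annotation only matters when the pod has other init containers that read /vault/secrets; if atlasbot or coturn source the env script from an init container they need the same annotation or they will race the agent, and if none of them do, it is harmless here but the inconsistency should be explained with a comment such as `# agent-init-first: config is rendered by an init container that reads /vault/secrets`. The enclosing pod spec starts and ends outside this hunk, so whether such an init container exists cannot be confirmed from the diff.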
@@ -90,9 +123,6 @@ spec: readOnly: true - name: runtime-keys mountPath: /var/run/livekit - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - name: vault-scripts mountPath: /vault/scripts readOnly: true @@ -114,12 +144,6 @@ spec: emptyDir: {} - name: runtime-keys emptyDir: {} - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: comms-vault - name: vault-scripts configMap: name: comms-vault-env diff --git a/services/comms/mas-deployment.yaml b/services/comms/mas-deployment.yaml index c7e6821..ef9a5ab 100644 --- a/services/comms/mas-deployment.yaml +++ b/services/comms/mas-deployment.yaml 
@@ -14,6 +14,48 @@ spec: metadata: annotations: checksum/config: v5-adminapi-7 + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/role: "comms" + vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret" + vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: | + {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api" + vault.hashicorp.com/agent-inject-template-livekit-api__primary: | + {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: | + {{- with 
secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__encryption: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__encryption: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.encryption }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__rsa_key: 
"kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__rsa_key: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.rsa_key }}{{- end -}} labels: app: matrix-authentication-service spec: @@ -57,9 +99,6 @@ spec: - name: rendered mountPath: /rendered readOnly: false - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - name: vault-scripts mountPath: /vault/scripts readOnly: true @@ -114,12 +153,6 @@ spec: path: config.yaml - name: rendered emptyDir: {} - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: comms-vault - name: vault-scripts configMap: name: comms-vault-env diff --git a/services/comms/mas-local-users-ensure-job.yaml b/services/comms/mas-local-users-ensure-job.yaml index ab44505..3d7ef72 100644 --- a/services/comms/mas-local-users-ensure-job.yaml +++ b/services/comms/mas-local-users-ensure-job.yaml 
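Review bot: Every template here reads one key with `{{ .Data.data.<key> }}` or `index .Data.data "..."`, which does not fail when the key is absent from the KV entry: the agent still renders the file, with an empty or placeholder value rather than an error, and MAS would start with a bogus `encryption` secret or `rsa_key` instead of refusing to start. If the injector version in use supports it, set `vault.hashicorp.com/error-on-missing-key: "true"` on this pod template (and on the other workloads in this commit) so a renamed or missing key fails the init container visibly; otherwise the consuming script should treat an empty rendered file as fatal. This matters most for the two keys added only here, `encryption` and `rsa_key`, since a wrong signing key is not detected until token validation fails downstream.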
@@ -2,22 +2,53 @@ apiVersion: batch/v1 kind: Job metadata: - name: mas-local-users-ensure-7 + name: mas-local-users-ensure-8 namespace: comms spec: backoffLimit: 1 ttlSecondsAfterFinished: 3600 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "comms" + vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret" + vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: | + {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api" + vault.hashicorp.com/agent-inject-template-livekit-api__primary: | + {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime" + vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: | + {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: 
"kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never serviceAccountName: comms-vault volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: comms-vault - name: vault-scripts configMap: name: comms-vault-env 
@@ -26,9 +57,6 @@ spec: - name: ensure image: python:3.11-slim volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - name: vault-scripts mountPath: /vault/scripts readOnly: true diff --git a/services/comms/othrys-kick-numeric-job.yaml b/services/comms/othrys-kick-numeric-job.yaml index 59ef560..979b670 100644 --- a/services/comms/othrys-kick-numeric-job.yaml +++ b/services/comms/othrys-kick-numeric-job.yaml 
@@ -2,11 +2,48 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: othrys-kick-numeric-2
+ name: othrys-kick-numeric-3
 namespace: comms
 spec:
 backoffLimit: 0
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "comms"
+ vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
+ vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
+ {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
+ vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
+ {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
+ {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
+
vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
+ {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
+ vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
+ {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
+ vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
+ {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
+ vault.hashicorp.com/agent-inject-template-mas-db__password: |
+ {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
+ vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
+ {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
+ vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
+ {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
 spec:
 restartPolicy: Never
 serviceAccountName: comms-vault
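Review bot: Several of the added annotation keys have a name segment (the part after `vault.hashicorp.com/`) longer than the 63 characters Kubernetes accepts, so the API server should reject this pod template: by my count `agent-inject-template-atlasbot-credentials-runtime__seeder-password` is 67 characters, `agent-inject-secret-atlasbot-credentials-runtime__seeder-password`, `agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET` and `agent-inject-template-mas-secrets-runtime__keycloak_client_secret` are 65, and `agent-inject-template-atlasbot-credentials-runtime__bot-password` is 64. The text after `agent-inject-secret-` is also the rendered file name that `comms_vault_env.sh` reads from `/vault/secrets`, so shortening the names (for example `atlasbot-seeder-password`) has to be done in the annotations and in the script's `read_secret` arguments together. The same key set is added in the pin-othrys, reset-othrys-room, seed-othrys-room, synapse-seeder-admin-ensure and synapse-user-seed hunks below, so whatever rename is chosen applies to all of them. Separately, every one of these jobs now renders the full comms secret set (TURN secret, LiveKit key, MAS admin and Keycloak client secrets, both database passwords) into its pod, while the fragments visible in the later hunks (a Matrix kick, a pin, a single SQL UPDATE) suggest each job needs one or two of them; trimming each job's annotations to what its script actually reads, ideally behind a narrower Vault role per job, keeps a compromised job container from exposing unrelated credentials.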
@@ -111,19 +148,10 @@ spec:
 kick(token, room_id, user_id)
 PY
 volumeMounts:
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
 - name: vault-scripts
 mountPath: /vault/scripts
 readOnly: true
 volumes:
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: comms-vault
 - name: vault-scripts
 configMap:
 name: comms-vault-env
diff --git a/services/comms/pin-othrys-job.yaml b/services/comms/pin-othrys-job.yaml
index babb6d1..a0699d6 100644
--- a/services/comms/pin-othrys-job.yaml
+++ b/services/comms/pin-othrys-job.yaml
@@ -14,6 +14,43 @@ spec:
 spec:
 backoffLimit: 0
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "comms"
+ vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
+ vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
+ {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
+ vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
+ {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
+ {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
+ {{- with secret
"kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never serviceAccountName: comms-vault 
@@ -119,19 +156,10 @@ spec:
 pin(room_id, token, eid)
 PY
 volumeMounts:
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
 - name: vault-scripts
 mountPath: /vault/scripts
 readOnly: true
 volumes:
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: comms-vault
 - name: vault-scripts
 configMap:
 name: comms-vault-env
diff --git a/services/comms/reset-othrys-room-job.yaml b/services/comms/reset-othrys-room-job.yaml
index 6e20979..dfbad68 100644
--- a/services/comms/reset-othrys-room-job.yaml
+++ b/services/comms/reset-othrys-room-job.yaml
@@ -14,6 +14,43 @@ spec:
 spec:
 backoffLimit: 0
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "comms"
+ vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
+ vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
+ {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
+ vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
+ {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
+ {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
+ {{- with secret
"kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never serviceAccountName: comms-vault 
@@ -262,19 +299,10 @@ spec:
 print(f"new_room_id={new_room_id}")
 PY
 volumeMounts:
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
 - name: vault-scripts
 mountPath: /vault/scripts
 readOnly: true
 volumes:
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: comms-vault
 - name: vault-scripts
 configMap:
 name: comms-vault-env
diff --git a/services/comms/scripts/comms_vault_env.sh b/services/comms/scripts/comms_vault_env.sh
index 98b3fc4..b14abdd 100644
--- a/services/comms/scripts/comms_vault_env.sh
+++ b/services/comms/scripts/comms_vault_env.sh
@@ -4,7 +4,7 @@ set -eu
 vault_dir="/vault/secrets"
 read_secret() {
- cat "${vault_dir}/$1"
+ tr -d '\r\n' < "${vault_dir}/$1"
 }
 export TURN_STATIC_AUTH_SECRET="$(read_secret turn-shared-secret__TURN_STATIC_AUTH_SECRET)"
diff --git a/services/comms/seed-othrys-room.yaml b/services/comms/seed-othrys-room.yaml
index 0508e0e..2a926af 100644
--- a/services/comms/seed-othrys-room.yaml
+++ b/services/comms/seed-othrys-room.yaml
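Review bot: The new `tr -d '\r\n' < "${vault_dir}/$1"` fails when the injected file is missing or unreadable, but that failure is swallowed by the callers: `export VAR="$(read_secret ...)"` returns the status of `export`, not of the command substitution (ShellCheck SC2155), so even under `set -eu` the script exports an empty string and the job carries on with a blank password. A presence check at the top of `read_secret`, `[ -r "${vault_dir}/$1" ] || { echo "missing secret $1" >&2; exit 1; }`, turns a mistyped or renamed annotation into an immediate, visible failure rather than a silent empty credential. The identical one-line change is made to `services/mailu/scripts/mailu_vault_env.sh` in the last hunk of this patch and would benefit from the same guard. Stripping every CR and LF is only safe because the `{{- ... -}}` templates in the manifests render single-line values; a comment on `read_secret` saying so, e.g. `# values are rendered as single-line by the injector templates; only the trailing newline is expected`, would stop someone reusing it for a multi-line secret.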
@@ -12,6 +12,43 @@ spec:
 spec:
 backoffLimit: 0
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "comms"
+ vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
+ vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
+ {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
+ vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
+ {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
+ {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
+ {{- with secret
"kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never serviceAccountName: comms-vault @@ -132,9 +169,6 @@ spec: - name: synapse-config mountPath: /config readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - name: vault-scripts mountPath: /vault/scripts readOnly: true 
@@ -142,12 +176,6 @@ spec:
 - name: synapse-config
 secret:
 secretName: othrys-synapse-matrix-synapse
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: comms-vault
 - name: vault-scripts
 configMap:
 name: comms-vault-env
diff --git a/services/comms/synapse-seeder-admin-ensure-job.yaml b/services/comms/synapse-seeder-admin-ensure-job.yaml
index 3cccc5f..86068fd 100644
--- a/services/comms/synapse-seeder-admin-ensure-job.yaml
+++ b/services/comms/synapse-seeder-admin-ensure-job.yaml
@@ -2,11 +2,48 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: synapse-seeder-admin-ensure-3
+ name: synapse-seeder-admin-ensure-4
 namespace: comms
 spec:
 backoffLimit: 2
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "comms"
+ vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
+ vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
+ {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
+ vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
+ {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
+ {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
+
vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
+ {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
+ vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
+ {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
+ vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
+ {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
+ vault.hashicorp.com/agent-inject-template-mas-db__password: |
+ {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
+ vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
+ {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
+ vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
+ {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
 spec:
 restartPolicy: OnFailure
 serviceAccountName: comms-vault
@@ -32,19 +69,10 @@ spec:
 UPDATE users SET admin = 1 WHERE name = '@othrys-seeder:live.bstein.dev';
 SQL
 volumeMounts:
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
 - name: vault-scripts
 mountPath: /vault/scripts
 readOnly: true
 volumes:
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: comms-vault
 - name: vault-scripts
 configMap:
 name: comms-vault-env
diff --git a/services/comms/synapse-user-seed-job.yaml b/services/comms/synapse-user-seed-job.yaml
index f895958..a85ba28 100644
--- a/services/comms/synapse-user-seed-job.yaml
+++ b/services/comms/synapse-user-seed-job.yaml
@@ -2,12 +2,49 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: synapse-user-seed-3
+ name: synapse-user-seed-4
 namespace: comms
 spec:
 backoffLimit: 1
 ttlSecondsAfterFinished: 3600
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "comms"
+ vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
+ vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
+ {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
+ vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
+ {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
+ vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
+ {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
+ vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
+ {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage:
"kv/data/atlas/shared/chat-ai-keys-runtime" + vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: | + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime" + vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: | + {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db" + vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: | + {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db" + vault.hashicorp.com/agent-inject-template-mas-db__password: | + {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}} + vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime" + vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: | + {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never serviceAccountName: comms-vault 
@@ -106,19 +143,10 @@ spec:
 conn.close()
 PY
 volumeMounts:
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
 - name: vault-scripts
 mountPath: /vault/scripts
 readOnly: true
 volumes:
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: comms-vault
 - name: vault-scripts
 configMap:
 name: comms-vault-env
diff --git a/services/mailu/mailu-sync-cronjob.yaml b/services/mailu/mailu-sync-cronjob.yaml
index 4d73afa..e4ef9be 100644
--- a/services/mailu/mailu-sync-cronjob.yaml
+++ b/services/mailu/mailu-sync-cronjob.yaml
@@ -10,6 +10,25 @@ spec:
 jobTemplate:
 spec:
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "mailu-mailserver"
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"
+ vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: |
+ {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
+ vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
+ {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
 spec:
 restartPolicy: OnFailure
 serviceAccountName: mailu-vault-sync
@@ -41,9 +60,6 @@ spec:
 - name: sync-script
 mountPath: /app/sync.py
 subPath: sync.py
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
 - name: vault-scripts
 mountPath: /vault/scripts
 readOnly: true
@@ -59,12 +75,6 @@ spec:
 configMap:
 name: mailu-sync-script
 defaultMode: 0444
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: mailu-vault
 - name: vault-scripts
 configMap:
 name: mailu-vault-env
diff --git a/services/mailu/mailu-sync-job.yaml b/services/mailu/mailu-sync-job.yaml
index 370f212..b1cee93 100644
--- a/services/mailu/mailu-sync-job.yaml
+++ b/services/mailu/mailu-sync-job.yaml
@@ -2,10 +2,29 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: mailu-sync-2
+ name: mailu-sync-3
 namespace: mailu-mailserver
 spec:
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "mailu-mailserver"
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"
+ vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: |
+ {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
+ vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
+ {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
 spec:
 restartPolicy: OnFailure
 serviceAccountName: mailu-vault-sync
@@ -37,9 +56,6 @@ spec:
 - name: sync-script
 mountPath: /app/sync.py
 subPath: sync.py
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
 - name: vault-scripts
 mountPath: /vault/scripts
 readOnly: true
@@ -55,12 +71,6 @@ spec:
 configMap:
 name: mailu-sync-script
 defaultMode: 0444
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: mailu-vault
 - name: vault-scripts
 configMap:
 name: mailu-vault-env
diff --git a/services/mailu/mailu-sync-listener.yaml b/services/mailu/mailu-sync-listener.yaml
index f90164c..cfc915f 100644
--- a/services/mailu/mailu-sync-listener.yaml
+++ b/services/mailu/mailu-sync-listener.yaml
@@ -28,6 +28,24 @@ spec:
 metadata:
 labels:
 app: mailu-sync-listener
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "mailu-mailserver"
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"
+ vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: |
+ {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"
+ vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: |
+ {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}
+ vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
+ vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
+ {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
 spec:
 restartPolicy: Always
 serviceAccountName: mailu-vault-sync
@@ -62,9 +80,6 @@ spec:
 - name: listener-script
 mountPath: /app/listener.py
 subPath: listener.py
- - name: vault-secrets
- mountPath: /vault/secrets
- readOnly: true
 - name: vault-scripts
 mountPath: /vault/scripts
 readOnly: true
@@ -84,12 +99,6 @@ spec:
 configMap:
 name: mailu-sync-listener
 defaultMode: 0444
- - name: vault-secrets
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: mailu-vault
 - name: vault-scripts
 configMap:
 name: mailu-vault-env
diff --git a/services/mailu/scripts/mailu_vault_env.sh b/services/mailu/scripts/mailu_vault_env.sh
index 082a51a..1ba7dce 100644
--- a/services/mailu/scripts/mailu_vault_env.sh
+++ b/services/mailu/scripts/mailu_vault_env.sh
@@ -4,7 +4,7 @@ set -eu
 vault_dir="/vault/secrets"
 read_secret() {
- cat "${vault_dir}/$1"
+ tr -d '\r\n' < "${vault_dir}/$1"
 }
 export MAILU_DB_NAME="$(read_secret mailu-db-secret__database)"