vault: move comms and mailu workloads to injector

2026-01-14 14:17:26 -03:00 · 2026-01-14 14:17:26 -03:00 · e92cfa7dba
commit e92cfa7dba
parent d559aeb464
19 changed files with 521 additions and 164 deletions
--- a/services/comms/atlasbot-deployment.yaml
+++ b/services/comms/atlasbot-deployment.yaml
@ -17,6 +17,41 @@ spec:
        app: atlasbot
      annotations:
        checksum/atlasbot-configmap: manual-atlasbot-4
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
    spec:
      serviceAccountName: atlasbot
      nodeSelector:
@ -58,9 +93,6 @@ spec:
            - name: kb
              mountPath: /kb
              readOnly: true
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
@ -82,12 +114,6 @@ spec:
                path: catalog/runbooks.json
              - key: atlas-http.mmd
                path: diagrams/atlas-http.mmd
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
--- a/services/comms/bstein-force-leave-job.yaml
+++ b/services/comms/bstein-force-leave-job.yaml
@ -2,28 +2,26 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: bstein-leave-rooms-7
+  name: bstein-leave-rooms-8
  namespace: comms
 spec:
  backoffLimit: 0
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
    spec:
      restartPolicy: Never
      serviceAccountName: comms-vault
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
      containers:
        - name: leave
          image: python:3.11-slim
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
          env:
            - name: MAS_ADMIN_CLIENT_ID
              value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
--- a/services/comms/coturn.yaml
+++ b/services/comms/coturn.yaml
@ -14,6 +14,42 @@ spec:
    metadata:
      labels:
        app: coturn
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
    spec:
      serviceAccountName: comms-vault
      nodeSelector:
@ -73,9 +109,6 @@ spec:
            - name: tls
              mountPath: /etc/coturn/tls
              readOnly: true
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
@ -90,12 +123,6 @@ spec:
        - name: tls
          secret:
            secretName: turn-live-tls
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
--- a/services/comms/guest-name-job.yaml
+++ b/services/comms/guest-name-job.yaml
@ -14,16 +14,47 @@ spec:
    spec:
      backoffLimit: 0
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "comms"
            vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
            vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
              {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
            vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
              {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
            vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
              {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
            vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
              {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
            vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
            vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
            vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
              {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
            vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
              {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
            vault.hashicorp.com/agent-inject-template-mas-db__password: |
              {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
            vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
              {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
            vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
              {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
        spec:
          restartPolicy: Never
          serviceAccountName: comms-vault
          volumes:
            - name: vault-secrets
              csi:
                driver: secrets-store.csi.k8s.io
                readOnly: true
                volumeAttributes:
                  secretProviderClass: comms-vault
            - name: vault-scripts
              configMap:
                name: comms-vault-env
@ -32,9 +63,6 @@ spec:
            - name: rename
              image: python:3.11-slim
              volumeMounts:
                - name: vault-secrets
                  mountPath: /vault/secrets
                  readOnly: true
                - name: vault-scripts
                  mountPath: /vault/scripts
                  readOnly: true
--- a/services/comms/guest-register-deployment.yaml
+++ b/services/comms/guest-register-deployment.yaml
@ -14,6 +14,11 @@ spec:
    metadata:
      annotations:
        checksum/config: guest-register-proxy-5
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
      labels:
        app.kubernetes.io/name: matrix-guest-register
    spec:
@ -84,9 +89,6 @@ spec:
              mountPath: /app/server.py
              subPath: server.py
              readOnly: true
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
          command:
            - python
            - /app/server.py
@ -97,9 +99,3 @@ spec:
            items:
              - key: server.py
                path: server.py
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
--- a/services/comms/livekit.yaml
+++ b/services/comms/livekit.yaml
@ -14,6 +14,42 @@ spec:
    metadata:
      annotations:
        checksum/config: livekit-config-v5
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
      labels:
        app: livekit
    spec:
@ -49,9 +85,6 @@ spec:
            - name: config
              mountPath: /etc/livekit
              readOnly: false
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
@ -90,9 +123,6 @@ spec:
              readOnly: true
            - name: runtime-keys
              mountPath: /var/run/livekit
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
@ -114,12 +144,6 @@ spec:
          emptyDir: {}
        - name: runtime-keys
          emptyDir: {}
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
--- a/services/comms/mas-deployment.yaml
+++ b/services/comms/mas-deployment.yaml
@ -14,6 +14,48 @@ spec:
    metadata:
      annotations:
        checksum/config: v5-adminapi-7
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__encryption: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__encryption: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.encryption }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__rsa_key: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__rsa_key: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.rsa_key }}{{- end -}}
      labels:
        app: matrix-authentication-service
    spec:
@ -57,9 +99,6 @@ spec:
            - name: rendered
              mountPath: /rendered
              readOnly: false
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
@ -114,12 +153,6 @@ spec:
                path: config.yaml
        - name: rendered
          emptyDir: {}
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
--- a/services/comms/mas-local-users-ensure-job.yaml
+++ b/services/comms/mas-local-users-ensure-job.yaml
@ -2,22 +2,53 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-local-users-ensure-7
+  name: mas-local-users-ensure-8
  namespace: comms
 spec:
  backoffLimit: 1
  ttlSecondsAfterFinished: 3600
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
    spec:
      restartPolicy: Never
      serviceAccountName: comms-vault
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
@ -26,9 +57,6 @@ spec:
        - name: ensure
          image: python:3.11-slim
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
--- a/services/comms/othrys-kick-numeric-job.yaml
+++ b/services/comms/othrys-kick-numeric-job.yaml
@ -2,11 +2,48 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: othrys-kick-numeric-2
+  name: othrys-kick-numeric-3
  namespace: comms
 spec:
  backoffLimit: 0
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
    spec:
      restartPolicy: Never
      serviceAccountName: comms-vault
@ -111,19 +148,10 @@ spec:
                      kick(token, room_id, user_id)
              PY
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
--- a/services/comms/pin-othrys-job.yaml
+++ b/services/comms/pin-othrys-job.yaml
@ -14,6 +14,43 @@ spec:
    spec:
      backoffLimit: 0
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "comms"
            vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
            vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
              {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
            vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
              {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
            vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
              {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
            vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
              {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
            vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
            vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
            vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
              {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
            vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
              {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
            vault.hashicorp.com/agent-inject-template-mas-db__password: |
              {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
            vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
              {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
            vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
              {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
        spec:
          restartPolicy: Never
          serviceAccountName: comms-vault
@ -119,19 +156,10 @@ spec:
                  pin(room_id, token, eid)
                  PY
              volumeMounts:
                - name: vault-secrets
                  mountPath: /vault/secrets
                  readOnly: true
                - name: vault-scripts
                  mountPath: /vault/scripts
                  readOnly: true
          volumes:
            - name: vault-secrets
              csi:
                driver: secrets-store.csi.k8s.io
                readOnly: true
                volumeAttributes:
                  secretProviderClass: comms-vault
            - name: vault-scripts
              configMap:
                name: comms-vault-env
--- a/services/comms/reset-othrys-room-job.yaml
+++ b/services/comms/reset-othrys-room-job.yaml
@ -14,6 +14,43 @@ spec:
    spec:
      backoffLimit: 0
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "comms"
            vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
            vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
              {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
            vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
              {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
            vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
              {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
            vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
              {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
            vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
            vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
            vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
              {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
            vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
              {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
            vault.hashicorp.com/agent-inject-template-mas-db__password: |
              {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
            vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
              {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
            vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
              {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
        spec:
          restartPolicy: Never
          serviceAccountName: comms-vault
@ -262,19 +299,10 @@ spec:
                  print(f"new_room_id={new_room_id}")
                  PY
              volumeMounts:
                - name: vault-secrets
                  mountPath: /vault/secrets
                  readOnly: true
                - name: vault-scripts
                  mountPath: /vault/scripts
                  readOnly: true
          volumes:
            - name: vault-secrets
              csi:
                driver: secrets-store.csi.k8s.io
                readOnly: true
                volumeAttributes:
                  secretProviderClass: comms-vault
            - name: vault-scripts
              configMap:
                name: comms-vault-env
--- a/services/comms/scripts/comms_vault_env.sh
+++ b/services/comms/scripts/comms_vault_env.sh
@ -4,7 +4,7 @@ set -eu
 vault_dir="/vault/secrets"
 read_secret() {
-  cat "${vault_dir}/$1"
+  tr -d '\r\n' < "${vault_dir}/$1"
 }
 export TURN_STATIC_AUTH_SECRET="$(read_secret turn-shared-secret__TURN_STATIC_AUTH_SECRET)"
--- a/services/comms/seed-othrys-room.yaml
+++ b/services/comms/seed-othrys-room.yaml
@ -12,6 +12,43 @@ spec:
    spec:
      backoffLimit: 0
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "comms"
            vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
            vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
              {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
            vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
              {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
            vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
              {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
            vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
              {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
            vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
            vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
            vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
              {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
            vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
              {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
            vault.hashicorp.com/agent-inject-template-mas-db__password: |
              {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
            vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
              {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
            vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
              {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
        spec:
          restartPolicy: Never
          serviceAccountName: comms-vault
@ -132,9 +169,6 @@ spec:
                - name: synapse-config
                  mountPath: /config
                  readOnly: true
                - name: vault-secrets
                  mountPath: /vault/secrets
                  readOnly: true
                - name: vault-scripts
                  mountPath: /vault/scripts
                  readOnly: true
@ -142,12 +176,6 @@ spec:
            - name: synapse-config
              secret:
                secretName: othrys-synapse-matrix-synapse
            - name: vault-secrets
              csi:
                driver: secrets-store.csi.k8s.io
                readOnly: true
                volumeAttributes:
                  secretProviderClass: comms-vault
            - name: vault-scripts
              configMap:
                name: comms-vault-env
--- a/services/comms/synapse-seeder-admin-ensure-job.yaml
+++ b/services/comms/synapse-seeder-admin-ensure-job.yaml
@ -2,11 +2,48 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: synapse-seeder-admin-ensure-3
+  name: synapse-seeder-admin-ensure-4
  namespace: comms
 spec:
  backoffLimit: 2
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
    spec:
      restartPolicy: OnFailure
      serviceAccountName: comms-vault
@ -32,19 +69,10 @@ spec:
              UPDATE users SET admin = 1 WHERE name = '@othrys-seeder:live.bstein.dev';
              SQL
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
--- a/services/comms/synapse-user-seed-job.yaml
+++ b/services/comms/synapse-user-seed-job.yaml
@ -2,12 +2,49 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: synapse-user-seed-3
+  name: synapse-user-seed-4
  namespace: comms
 spec:
  backoffLimit: 1
  ttlSecondsAfterFinished: 3600
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
    spec:
      restartPolicy: Never
      serviceAccountName: comms-vault
@ -106,19 +143,10 @@ spec:
                  conn.close()
              PY
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
--- a/services/mailu/mailu-sync-cronjob.yaml
+++ b/services/mailu/mailu-sync-cronjob.yaml
@ -10,6 +10,25 @@ spec:
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "mailu-mailserver"
            vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
            vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
              {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"
            vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: |
              {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"
            vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: |
              {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"
            vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: |
              {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
            vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
              {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
        spec:
          restartPolicy: OnFailure
          serviceAccountName: mailu-vault-sync
@ -41,9 +60,6 @@ spec:
                - name: sync-script
                  mountPath: /app/sync.py
                  subPath: sync.py
                - name: vault-secrets
                  mountPath: /vault/secrets
                  readOnly: true
                - name: vault-scripts
                  mountPath: /vault/scripts
                  readOnly: true
@ -59,12 +75,6 @@ spec:
              configMap:
                name: mailu-sync-script
                defaultMode: 0444
            - name: vault-secrets
              csi:
                driver: secrets-store.csi.k8s.io
                readOnly: true
                volumeAttributes:
                  secretProviderClass: mailu-vault
            - name: vault-scripts
              configMap:
                name: mailu-vault-env
--- a/services/mailu/mailu-sync-job.yaml
+++ b/services/mailu/mailu-sync-job.yaml
@ -2,10 +2,29 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mailu-sync-2
+  name: mailu-sync-3
  namespace: mailu-mailserver
 spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "mailu-mailserver"
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"
        vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: |
          {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
        vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
          {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
    spec:
      restartPolicy: OnFailure
      serviceAccountName: mailu-vault-sync
@ -37,9 +56,6 @@ spec:
            - name: sync-script
              mountPath: /app/sync.py
              subPath: sync.py
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
@ -55,12 +71,6 @@ spec:
          configMap:
            name: mailu-sync-script
            defaultMode: 0444
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: mailu-vault
        - name: vault-scripts
          configMap:
            name: mailu-vault-env
--- a/services/mailu/mailu-sync-listener.yaml
+++ b/services/mailu/mailu-sync-listener.yaml
@ -28,6 +28,24 @@ spec:
    metadata:
      labels:
        app: mailu-sync-listener
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "mailu-mailserver"
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"
        vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: |
          {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
        vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
          {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
    spec:
      restartPolicy: Always
      serviceAccountName: mailu-vault-sync
@ -62,9 +80,6 @@ spec:
            - name: listener-script
              mountPath: /app/listener.py
              subPath: listener.py
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
@ -84,12 +99,6 @@ spec:
          configMap:
            name: mailu-sync-listener
            defaultMode: 0444
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: mailu-vault
        - name: vault-scripts
          configMap:
            name: mailu-vault-env
--- a/services/mailu/scripts/mailu_vault_env.sh
+++ b/services/mailu/scripts/mailu_vault_env.sh
@ -4,7 +4,7 @@ set -eu
 vault_dir="/vault/secrets"
 read_secret() {
-  cat "${vault_dir}/$1"
+  tr -d '\r\n' < "${vault_dir}/$1"
 }
 export MAILU_DB_NAME="$(read_secret mailu-db-secret__database)"