diff --git a/sso-mfa/k8s/privacyidea/deployment.yaml b/sso-mfa/k8s/privacyidea/deployment.yaml
index 6ff3ecd..a1505d4 100644
--- a/sso-mfa/k8s/privacyidea/deployment.yaml
+++ b/sso-mfa/k8s/privacyidea/deployment.yaml
@@ -64,7 +64,13 @@ spec:
               containerPort: 8080
               protocol: TCP
 
-          # ── Environment — sensitive values from Secret ──────────────────
+          # ── Environment ─────────────────────────────────────────────────
+          # Tell gpappsoft entrypoint to use our mounted pi.cfg instead of
+          # the image's built-in /privacyidea/etc/pi.cfg.
+          env:
+            - name: PRIVACYIDEA_CONFIGFILE
+              value: /etc/privacyidea/pi.cfg
+          # Sensitive values from Secret (PI_SECRET_KEY, PI_PEPPER, PI_SQLALCHEMY_DATABASE_URI)
           envFrom:
             - secretRef:
                 name: privacyidea-config