diff --git a/manifests/prod/addons/argo-cd/resources/ingress-ui.yaml b/manifests/prod/addons/argo-cd/resources/ingress-ui.yaml
index a8bc783..325669c 100644
--- a/manifests/prod/addons/argo-cd/resources/ingress-ui.yaml
+++ b/manifests/prod/addons/argo-cd/resources/ingress-ui.yaml
@@ -19,8 +19,7 @@ spec:
 name: argocd-server
 port:
 name: http
- host: argocd.prod.adamland.xyz
+ host: &domain argocd.prod.adamland.xyz
 tls:
- - hosts:
- - argocd.prod.adamland.xyz
+ - hosts: [*domain]
 secretName: argocd-ui-tls
diff --git a/manifests/prod/addons/kube-prometheus-stack/kustomization.yaml b/manifests/prod/addons/kube-prometheus-stack/kustomization.yaml
index 1e030e6..9314718 100644
--- a/manifests/prod/addons/kube-prometheus-stack/kustomization.yaml
+++ b/manifests/prod/addons/kube-prometheus-stack/kustomization.yaml
@@ -6,7 +6,6 @@ namespace: monitoring
 helmCharts:
 - name: kube-prometheus-stack
 includeCRDs: true
-# valuesFile: values.yaml # https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack
 releaseName: kube-prometheus-stack
 version: 52.1.0
 repo: https://prometheus-community.github.io/helm-charts
diff --git a/manifests/prod/addons/kube-prometheus-stack/values-grafana.yaml b/manifests/prod/addons/kube-prometheus-stack/values-grafana.yaml
index 1fe0c3f..be4e022 100644
--- a/manifests/prod/addons/kube-prometheus-stack/values-grafana.yaml
+++ b/manifests/prod/addons/kube-prometheus-stack/values-grafana.yaml
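Review bot: The `&domain` anchor on `host` and the `[*domain]` alias in `tls[0].hosts` make the TLS host list depend on whoever renders this Ingress expanding YAML aliases; Kubernetes' own YAML-to-JSON conversion does, but not every manifest tool or validator in a kustomize/Argo CD pipeline is guaranteed to, and an unexpanded alias would leave the certificate requested for the wrong name without an obvious error. If this directory is rendered before it reaches the API server, confirm the rendered Ingress shows the literal hostname in both `host` and `tls[0].hosts`. If that cannot be checked, keeping the hostname written out twice is the safer choice. The enclosing `spec:` mapping starts before this hunk.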
@@ -1,29 +1,47 @@ grafana: + grafana.ini: + # https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#how-to-securely-reference-secrets-in-grafanaini + auth: + signout_redirect_url: "https://authentik.prod.adamland.xyz/application/o/grafana/end-session/" + oauth_auto_login: true + auth.generic_oauth: + name: authentik + enabled: true + client_id: $__file{/etc/secrets/authentik-oauth/client_id} + client_secret: $__file{/etc/secrets/authentik-oauth/client_secret} + scopes: "openid profile email" + auth_url: "https://authentik.prod.adamland.xyz/application/o/authorize/" + token_url: "https://authentik.prod.adamland.xyz/application/o/token/" + api_url: "https://authentik.prod.adamland.xyz/application/o/userinfo/" + # Optionally map user groups to Grafana roles + role_attribute_path: contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer' + ingress: enabled: true + ingressClass: nginx hosts: &grafanaHost [grafana.prod.adamland.xyz] annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" - cert-manager.io/cluster-issuer: letsencrypt-prod + cert-manager.io/cluster-issuer: letsencrypt-prod tls: - secretName: grafana-tls hosts: *grafanaHost replicas: 2 -# autoscaling: -# enabled: true -# podDisruptionBudget: -# apiVersion: v1 -# maxUnavailable: 1 envFromSecret: "api-tokens-grafana-cloud" additionalDataSources: - name: Loki basicAuth: true - basicAuthPassword: $API_TOKEN_GRAFANA_READ # this gets hydrated from an environment variable + basicAuthPassword: $API_TOKEN_READ_PROMETHEUS # this gets hydrated from an environment variable basicAuthUser: 640440 editable: false type: loki url: https://logs-prod-008.grafana.net + +extraSecretMounts: +- name: authentik-oauth-grafana + secretName: authentik-oauth-grafana + defaultMode: 0440 + mountPath: /etc/secrets/authentik-oauth + readOnly: true \ No newline at end of file
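Review bot: `extraSecretMounts:` is added at column 0, outside the `grafana:` mapping that holds every other Grafana setting in this file, so in a kube-prometheus-stack values file it is an unknown top-level key the Grafana subchart never sees; unless something else merges it in, the secret is not mounted and the `$__file{/etc/secrets/authentik-oauth/...}` references in `auth.generic_oauth` resolve to nothing, which breaks OAuth login rather than failing safe. Indent the whole `extraSecretMounts` list (the six added lines at the end of the hunk) two spaces so it sits under `grafana:`. `ingressClass: nginx` in the ingress block is, as far as I know, not a key the Grafana chart reads (its key is `ingressClassName`), and since the `kubernetes.io/ingress.class` annotation is removed in the same hunk the rendered Ingress may end up with no class at all; verify against the chart version pinned in the kustomization and use `ingressClassName: nginx`. `defaultMode: 0440` depends on YAML 1.1 octal semantics, which the Go YAML libraries used by Helm and Kubernetes still apply as far as I know, but `defaultMode: 288  # 0440 octal` is parser-independent and avoids a silently more permissive mode if a 1.2 parser ever reads this file. The Loki datasource now reads `$API_TOKEN_READ_PROMETHEUS`; if that is a different token from the old `$API_TOKEN_GRAFANA_READ`, confirm the `api-tokens-grafana-cloud` secret carries that key and that it is scoped to logs read access only.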