diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml
index e4c37b87..6e3f80d6 100644
--- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml
+++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml
@@ -30,4 +30,37 @@ spec:
       namespace: observability
   values:
     replicas: 2
-    envFromSecret: grafana-secret
\ No newline at end of file
+    envFromSecret: grafana-secret
+    grafana.ini:
+      analytics:
+        check_for_updates: false
+        check_for_plugin_updates: false
+        reporting_enabled: false
+      auth:
+        oauth_auto_login: true
+        oauth_allow_insecure_email_lookup: true
+      auth.generic_oauth:
+        enabled: true
+        name: Authentik
+        icon: signin
+        scopes: openid profile email
+        empty_scopes: false
+        login_attribute_path: preferred_username
+        groups_attribute_path: groups
+        name_attribute_path: name
+        use_pkce: true
+        client_id: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
+        client_secret: # Set by env vars
+        auth_url: https://auth.hsn.dev/application/o/authorize/
+        token_url: https://auth.hsn.dev/application/o/token/
+        api_url: https://auth.hsn.dev/application/o/userinfo/
+        role_attribute_path: |
+          contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
+      auth.basic:
+        enabled: false
+      auth.anonymous:
+        enabled: false
+        # org_id: 1
+        # org_role: Viewer
+      news:
+        news_feed_enabled: false
\ No newline at end of file