diff --git a/apps/authentik/templates/grafana-sso-secret.yaml b/apps/authentik/templates/grafana-sso-secret.yaml
index c62d825..e335873 100644
--- a/apps/authentik/templates/grafana-sso-secret.yaml
+++ b/apps/authentik/templates/grafana-sso-secret.yaml
@@ -4,8 +4,11 @@ metadata:
 name: authentik-client-secret-grafana
 namespace: monitoring
 labels:
- {{- include "authentik.labels" . | nindent 4 }}
+ app.kubernetes.io/part-of: authentik
+ app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: grafana-sso
 type: Opaque
 stringData:
- client-id: "grafana"
- client-secret: {{ randAlphaNum 32 | quote }}
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: {{ randAlphaNum 40 | quote }}
diff --git a/apps/authentik/templates/rbac.yaml b/apps/authentik/templates/rbac.yaml
index fc99c48..f695b82 100644
--- a/apps/authentik/templates/rbac.yaml
+++ b/apps/authentik/templates/rbac.yaml
@@ -4,7 +4,10 @@ metadata:
 name: authentik-read-grafana-secret
 namespace: monitoring # The namespace where the secret exists
 labels:
- {{- include "authentik.labels" . | nindent 4 }}
+ app.kubernetes.io/part-of: authentik
+ app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: grafana-sso
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
@@ -17,7 +20,10 @@ metadata:
 name: authentik-read-grafana-secret-binding
 namespace: monitoring # The namespace where the secret and role exist
 labels:
- {{- include "authentik.labels" . | nindent 4 }}
+ app.kubernetes.io/part-of: authentik
+ app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: grafana-sso
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
diff --git a/apps/monitoring/grafana/values.yaml b/apps/monitoring/grafana/values.yaml
index fe035ed..a5c0657 100644
--- a/apps/monitoring/grafana/values.yaml
+++ b/apps/monitoring/grafana/values.yaml
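Review bot: `{{ randAlphaNum 40 | quote }}` on the `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` line in grafana-sso-secret.yaml is re-evaluated on every render, so each `helm upgrade` writes a new client secret; Grafana keeps the old value in its environment until the pod restarts, and the OAuth provider in Authentik must be given the same value or logins fail. Reusing the stored value through `lookup` and generating only when none exists avoids the rotation. `lookup` returns an empty result under `helm template` and client-side dry-run, so a renderer that works that way would still regenerate, and a pre-created or externally managed Secret is the alternative there. The key rename also means whatever reads this Secret on the Authentik side has to use the new key names, which this diff does not show.

```yaml
{{- $existing := lookup "v1" "Secret" "monitoring" "authentik-client-secret-grafana" }}
{{- $clientSecret := randAlphaNum 40 }}
{{- if and $existing $existing.data }}
{{- $clientSecret = get $existing.data "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" | b64dec | default $clientSecret }}
{{- end }}
# … unchanged: resource header, metadata, labels, type …
stringData:
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana"
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: {{ $clientSecret | quote }}
```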
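Review bot: The four label lines are now written out literally in both rbac.yaml hunks (the Role at `@@ -4,7` and the RoleBinding at `@@ -17,7`) and again in grafana-sso-secret.yaml, so the three copies can drift; a small named template included with `nindent 4`, as the removed line did, would keep them in one place. `app.kubernetes.io/managed-by: helm` is better written as `app.kubernetes.io/managed-by: {{ .Release.Service }}`, which renders `Helm`, the value Helm itself checks when adopting existing resources. The Role's `rules` and the binding's `roleRef` continue outside these hunks, so whether the `secrets` rule is limited with `resourceNames` to `authentik-client-secret-grafana` cannot be confirmed from here.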
@@ -108,8 +108,8 @@ grafana:
 auth.generic_oauth:
 enabled: true
 name: Authentik
- client_id: "$__from_env{client-id}"
- client_secret: "$__from_env{client-secret}"
+ client_id: "$__from_env{GF_AUTH_GENERIC_OAUTH_CLIENT_ID}"
+ client_secret: "$__from_env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}"
 scopes: openid profile email
 auth_url: https://auth.noxxos.nl/application/o/authorize/
 token_url: https://auth.noxxos.nl/application/o/token/
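Review bot: Nothing on the `client_id` / `client_secret` lines says where the two environment variables come from, and the injection (probably `envFromSecret` or similar) is outside this hunk; a comment above `client_id` such as `# client id/secret are injected from Secret authentik-client-secret-grafana (monitoring namespace)` would make the dependency visible. The new names also match Grafana's own `GF_<SECTION>_<KEY>` override pattern for `[auth.generic_oauth]`, so once the Secret is exposed as environment variables Grafana applies both values even without the `$__from_env{…}` entries; keeping them is harmless but redundant. Because the values live in the process environment, a changed Secret only takes effect after the Grafana pod restarts. The `auth.generic_oauth` block continues past the end of the hunk.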