diff --git a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
index 21da68e..e92e380 100644
--- a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
@@ -39,6 +39,18 @@ spec:
       - hosts:
         - grafana.observability.t09.de
         secretName: grafana-net-tls
+  deployment:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: grafana
+              env:
+                - name: OAUTH_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      key: clientSecret
+                      name: dex-grafana-client
   config:
     log.console:
       level: debug
@@ -53,7 +65,7 @@ spec:
       allow_sign_up: "true"
       use_refresh_token: "true"
       client_id: grafana
-      client_secret: "grafana123" # $__file{/etc/secrets/auth_generic_oauth/client_secret}
+      client_secret: $__env{OAUTH_CLIENT_SECRET}
       scopes: openid email profile offline_access groups
       auth_url: https://dex.observability.t09.de/auth
       token_url: https://dex.observability.t09.de/token