diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/externalsecret.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/externalsecret.yaml
new file mode 100644
index 000000000..679941afa
--- /dev/null
+++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/externalsecret.yaml
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: kube-prometheus-stack
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: kube-prometheus-stack-secret
+ template:
+ engineVersion: v2
+ data:
+ # App
+ MINIO_PROM_TOKEN: "{{ .MINIO__PROMETHEUS_TOKEN }}"
+ PIKVM_USERNAME: "{{ .username }}"
+ PIKVM_PASSWORD: "{{ .password }}"
+ dataFrom:
+ - extract:
+ key: minio
+ - extract:
+ key: PiKVM
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
index 6319482e8..ece5f058c 100644
--- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
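Review bot: The template in externalsecret.yaml reads the generic keys `.username` and `.password`, but `dataFrom` merges two whole items (`minio` and `PiKVM`) into one flat key space, so if the `minio` item also carries fields with those names the PiKVM values depend on which extract is applied last. Prefixing the PiKVM keys with a `rewrite` on that extract, and referencing the prefixed names in the template, removes the ordering dependency and shows which item each credential comes from. Separately, `metadata.namespace: default` disagrees with `namespace: monitoring` in kustomization.yaml, which presumably overrides it; the ScrapeConfig looks up `kube-prometheus-stack-secret` in its own namespace, so the field should say `monitoring` or be dropped.

```yaml
      data:
        # … unchanged: MINIO_PROM_TOKEN …
        PIKVM_USERNAME: "{{ .pikvm_username }}"
        PIKVM_PASSWORD: "{{ .pikvm_password }}"
  dataFrom:
    # … unchanged: minio extract …
    - extract:
        key: PiKVM
      rewrite:
        - regexp:
            source: "(.*)"
            target: "pikvm_$1"
```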
@@ -240,11 +240,11 @@ spec:
 pathType: Prefix
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
+ # nginx.ingress.kubernetes.io/auth-method: GET
+ # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
+ # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
+ # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+ # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
 hajimari.io/appName: "Alert Manager"
 hajimari.io/icon: mdi:alert-decagram-outline
 hosts: ["alert-manager.${SECRET_CLUSTER_DOMAIN}"]
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml
index 6080e4e51..adae1e16c 100644
--- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml
@@ -4,6 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources:
+ - ./externalsecret.yaml
 - ./helmrelease.yaml
 - ./prometheusrule.yaml
 - ./scrapeconfig.yaml
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/scrapeconfig.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/scrapeconfig.yaml
index cbad724c5..09dee23eb 100644
--- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/scrapeconfig.yaml
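Review bot: Commenting out the five `auth-*` annotations in helmrelease.yaml leaves the `alert-manager.${SECRET_CLUSTER_DOMAIN}` ingress with no authentication in front of it, and Alertmanager does not authenticate requests by default, so anyone who can reach the nginx ingress can read alerts and manage silences. The change looks unrelated to the scrape-credential work in the rest of the commit, so if it is a debugging leftover the annotations should be restored. If forward auth is being dropped on purpose, narrow the exposure with something like `nginx.ingress.kubernetes.io/whitelist-source-range: "<trusted-cidr>"` and replace the commented lines with a one-line comment saying why. The ingress block starts and ends outside the hunk, so other access controls may exist that are not visible here.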
+++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/scrapeconfig.yaml
@@ -39,6 +39,14 @@ spec:
 staticConfigs:
 - targets: ["pikvm.${SECRET_INTERNAL_DOMAIN}"]
 metricsPath: /api/export/prometheus/metrics
+ basicAuth:
+ username:
+ name: kube-prometheus-stack-secret
+ key: PIKVM_USERNAME
+ password:
+ name: kube-prometheus-stack-secret
+ key: PIKVM_PASSWORD
+ scheme: HTTPS
 relabelings:
 - action: replace
 targetLabel: job
@@ -57,3 +65,22 @@ spec:
 - action: replace
 targetLabel: job
 replacement: *name
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: ScrapeConfig
+metadata:
+ name: &name minio
+spec:
+ staticConfigs:
+ - targets: ["s3.${SECRET_INTERNAL_DOMAIN}"]
+ metricsPath: /minio/v2/metrics/cluster
+ authorization:
+ credentials:
+ name: kube-prometheus-stack-secret
+ key: MINIO_PROM_TOKEN
+ scheme: HTTPS
+ relabelings:
+ - action: replace
+ targetLabel: job
+ replacement: *name
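Review bot: Both scrape jobs now send credentials over `scheme: HTTPS` with no `tlsConfig`, so the basic-auth pair for `pikvm.${SECRET_INTERNAL_DOMAIN}` (first hunk) and the bearer token for `s3.${SECRET_INTERNAL_DOMAIN}` (second hunk) depend on those endpoints presenting certificates that Prometheus trusts by default. If either endpoint uses a self-signed or private-CA certificate the scrape will fail, and the fix should be a `tlsConfig.ca` reference to the issuing CA, not `insecureSkipVerify: true`, which would send the credentials without verifying the server. A comment above each `scheme:` line such as `# verified against the default trust store; add tlsConfig.ca for a private CA` would record that expectation. The PiKVM entry appears to reuse an interactive login for the device; a dedicated scrape account, if the device supports one, would limit what a reader of `kube-prometheus-stack-secret` gains. The pikvm ScrapeConfig starts outside the first hunk.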