diff --git a/grafana/kustomization.yaml b/grafana/kustomization.yaml
index 5aed120..dee8cb3 100644
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@@ -24,8 +24,6 @@ helmCharts:
 log: {level: warn}
 server:
 root_url: https://grafana.k-space.ee/
- security:
- disable_initial_admin_creation: true
 auth:
 oauth_allow_insecure_email_lookup: true
 auth.basic:
@@ -35,23 +33,22 @@ helmCharts:
 auto_login: true
 name: auth.k-space.ee
 role_attribute_path: contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer
+ allow_sign_up: true
 allow_assign_grafana_admin: true
- client_id: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_ID}
- client_secret: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_SECRET}
- scopes: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_AVAILABLE_SCOPES}
- auth_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_AUTH_URI}
- token_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_TOKEN_URI}
- api_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_USERINFO_URI}
- signout_redirect_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_URI}
 use_pkce: true
- extraSecretMounts:
- - name: oidc-client-grafana-owner-secrets
- secretName: oidc-client-grafana-owner-secrets
- mountPath: /etc/secrets/oidc-client-grafana-owner-secrets
- defaultMode: 0440
- subPath: .
- readOnly: true
+ use_refresh_token: true
+ env:
+ GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true # not supported by helm chart through grafana.ini, only env
+ # helm chart says to use file ref in grafana.ini, but it doesn't work since the secrets are fitlered out there
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "$(OIDC_CLIENT_ID)"
+ GF_AUTH_GENERIC_OAUTH_SECRET: "$(OIDC_CLIENT_SECRET)"
+ GF_AUTH_GENERIC_OAUTH_SCOPES: "$(OIDC_AVAILABLE_SCOPES)"
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL: "$(OIDC_IDP_AUTH_URI)"
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "$(OIDC_IDP_TOKEN_URI)"
+ GF_AUTH_GENERIC_OAUTH_API_URL: "$(OIDC_IDP_USERINFO_URI)"
+ GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL: "$(OIDC_IDP_URI)"
 envFromSecrets:
+ - name: oidc-client-grafana-owner-secrets
 - name: grafana-database
 datasources:
 prometheus.yaml:
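Review bot: The env var that replaces the removed `client_secret` line is named `GF_AUTH_GENERIC_OAUTH_SECRET`, but Grafana's env override for `[auth.generic_oauth] client_secret` is `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` (the other seven keys in this hunk follow that `GF_SECTION_KEY` pattern), so the client secret is most likely never applied and the token exchange runs without it; change the line to `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "$(OIDC_CLIENT_SECRET)"`. `GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true` is a YAML boolean while every other `env` value here is a quoted string; quote it as `"true"` so the chart receives a string regardless of how it templates `env`. Kubernetes leaves a `$(NAME)` reference literally in place when the key is missing from the `envFromSecrets` secret, so a missing key surfaces as a wrong OAuth URL or id rather than a startup error and is worth checking during rollout verification. With `allow_sign_up: true` every identity the IdP issues now gets an account (Viewer via the `|| Viewer` fallback in `role_attribute_path`), and together with the pre-existing `oauth_allow_insecure_email_lookup: true` accounts are matched by email; if only specific groups should sign in, add `allowed_groups` under the same section. The enclosing `helmCharts` values block begins above this hunk.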