diff --git a/services/jitsi/deployment.yaml b/services/jitsi/deployment.yaml
index cda62a3..680ec8d 100644
--- a/services/jitsi/deployment.yaml
+++ b/services/jitsi/deployment.yaml
@@ -142,7 +142,7 @@ spec:
             - { name: JVB_TCP_HARVESTER_DISABLED, value: "false" }
             - { name: JVB_TCP_PORT, value: "4443" }
             - name: JVB_OPTS
-              value: "-Dorg.ice4j.ice.harvest.DISABLE_TCP_HARVESTER=false -Dorg.jitsi.videobridge.TCP_HARVESTER_PORT=4443 -Dorg.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443"
+              value: "-Dorg.jitsi.videobridge.DISABLE_TCP_HARVESTER=false -Dorg.ice4j.ice.harvest.DISABLE_TCP_HARVESTER=false -Dorg.jitsi.videobridge.TCP_HARVESTER_PORT=4443 -Dorg.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443"
           volumeMounts:
             - { name: cfg, mountPath: /config }
       volumes:
diff --git a/services/jitsi/jvb-configmap.yaml b/services/jitsi/jvb-configmap.yaml
index b86d649..59cb165 100644
--- a/services/jitsi/jvb-configmap.yaml
+++ b/services/jitsi/jvb-configmap.yaml
@@ -16,6 +16,7 @@ data:
       }
     }
   sip-communicator.properties: |
+    org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
     org.ice4j.ice.harvest.DISABLE_TCP_HARVESTER=false
     org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
     org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443
diff --git a/services/monitoring/helmrelease.yaml b/services/monitoring/helmrelease.yaml
index d0bcda6..a07d207 100644
--- a/services/monitoring/helmrelease.yaml
+++ b/services/monitoring/helmrelease.yaml
@@ -248,6 +248,8 @@ spec:
     service:
       type: ClusterIP
     env:
+      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana"
+      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ""
       GF_AUTH_ANONYMOUS_ENABLED: "true"
       GF_AUTH_ANONYMOUS_ORG_ROLE: "Viewer"
       GF_SECURITY_ALLOW_EMBEDDING: "true"
@@ -259,17 +261,9 @@ spec:
       GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token"
       GF_AUTH_GENERIC_OAUTH_API_URL: "https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo"
       GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups, 'admin') && 'Admin' || 'Viewer'"
+      GF_AUTH_GENERIC_OAUTH_USE_PKCE: "true"
       GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: "false"
       GF_AUTH_SIGNOUT_REDIRECT_URL: "https://sso.bstein.dev/realms/atlas/protocol/openid-connect/logout?redirect_uri=https://metrics.bstein.dev/"
-    envValueFrom:
-      GF_AUTH_GENERIC_OAUTH_CLIENT_ID:
-        secretKeyRef:
-          name: grafana-oidc
-          key: client_id
-      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
-        secretKeyRef:
-          name: grafana-oidc
-          key: client_secret
     grafana.ini:
       server:
         domain: metrics.bstein.dev