diff --git a/apps/authelia/release.yaml b/apps/authelia/release.yaml
index 2e68d12..82b1a21 100644
--- a/apps/authelia/release.yaml
+++ b/apps/authelia/release.yaml
@@ -80,6 +80,8 @@ spec:
 - domain: traefik.${domain}
 policy: one_factor
 subject: "group:lldap_admin"
+ - domain: grafana.${domain}
+ policy: one_factor
 # Deny by default, mainly a placeholder to allow patching in other rules
 - domain: "*"
 policy: deny
diff --git a/apps/grafana/release.yaml b/apps/grafana/release.yaml
index 06c9f96..cf5d76f 100644
--- a/apps/grafana/release.yaml
+++ b/apps/grafana/release.yaml
@@ -21,6 +21,10 @@ spec:
 - grafana.${domain}
 tls:
 - secretName: ${domain//./-}-tls
+ annotations:
+ traefik.ingress.kubernetes.io/router.entryPoints: "websecure"
+ traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd" # name of your middleware, as defined in your middleware.yml
+ traefik.ingress.kubernetes.io/router.tls: "true"
 envValueFrom:
 LDAP_ADMIN_PASSWORD:
@@ -32,6 +36,16 @@ spec:
 auth.ldap:
 enabled: true
+ auth.proxy:
+ enabled: true
+ header_name: Remote-User
+ header_property: username
+ auto_sign_up: true
+ headers: Groups:Remote-Group
+ enable_login_token: false
+ sync_ttl: 0
+ signout_redirect_url: https://login.${domain}/logout?rd=https://grafana.${domain}
+
 database:
 type: postgres
 host: $__file{/etc/secrets/db/host}
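Review bot: The added `grafana.${domain}` rule in apps/authelia/release.yaml has no `subject`, so any account that passes one-factor login is let through, whereas the `traefik.${domain}` rule just above it is limited to `group:lldap_admin`. Because the Grafana side of this commit sets `auto_sign_up: true`, each such account would also get a Grafana user on first visit. If that is not the intent, add a line such as `subject: "group:<grafana-group>"` (placeholder group name) and consider `policy: two_factor`. The rule list begins above this hunk, so earlier rules that might match first are not visible here.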
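Review bot: The inline comment on the `router.middlewares` annotation in apps/grafana/release.yaml (`# name of your middleware, as defined in your middleware.yml`) reads like leftover tutorial text and does not say which object the value points at. This annotation is what puts Authelia in front of Grafana, and the `auth.proxy` block added later in the same file relies on it. I would replace the comment with something like `# <namespace>-<name>@kubernetescrd: the Authelia forward-auth Middleware; Grafana's auth.proxy trusts Remote-User only because of this`. The ingress mapping starts above the hunk and indentation is lost in this view, so I cannot confirm that `annotations:` is nested where the chart expects it.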
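Review bot: The new `auth.proxy` block in apps/grafana/release.yaml accepts `Remote-User` from any client that can reach Grafana, because no `whitelist` is set. The Traefik middleware only covers traffic that enters through the ingress, so anything able to reach the Grafana Service directly (another pod, a port-forward) could presumably log in as any username by sending that header. Add `whitelist: <traefik-pod-cidr>` (placeholder value) to this block, and ideally a NetworkPolicy that admits only Traefik to the Grafana pods. Separately, `headers: Groups:Remote-Group` looks like a typo: Authelia's forwarded group header is, as far as I know, `Remote-Groups`, so the mapping may never match. The `grafana.ini` mapping starts outside this hunk.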