diff --git a/clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml b/clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml
index f5fe5f7ec..8530381a4 100644
--- a/clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml
@@ -1,59 +1,36 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: alertmanager-config-secret
+ name: alertmanager-ntfy-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: alertmanager-config-secret
+ app.kubernetes.io/name: alertmanager-ntfy-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: ntfy_password
 remoteRef:
- key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager
- property: ntfy_password
+ key: / cl01tl/ntfy/users/cl01tl
+ property: password
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: garage-metric-secret
+ name: garage-metric-token
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: garage-metric-secret
+ app.kubernetes.io/name: garage-metric-token
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: token
 remoteRef:
- key: /garage/token
- property: metric
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: ntfy-alertmanager-config-secret
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: ntfy-alertmanager-config-secret
- {{- include "custom.labels" . | nindent 4 }}
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: ntfy_password
- remoteRef:
- key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager
- property: ntfy_password
- - secretKey: config
- remoteRef:
- key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager
- property: config
+ key: /ps10rp/garage/config
+ property: metrics-token
diff --git a/clusters/cl01tl/helm/kube-prometheus-stack/templates/namespace.yaml b/clusters/cl01tl/helm/kube-prometheus-stack/templates/namespace.yaml
index d11082f59..bbbe36926 100644
--- a/clusters/cl01tl/helm/kube-prometheus-stack/templates/namespace.yaml
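Review bot: The new `remoteRef` key for `ntfy_password` is shown as `/ cl01tl/ntfy/users/cl01tl`, with a space after the leading slash, while every other key in this file has none; if that space is in the file rather than an artifact of how the page was rendered, the lookup will probably not resolve and the Secret will not sync, so it should read `key: /cl01tl/ntfy/users/cl01tl`. Separately, the second ExternalSecret now reads `/ps10rp/garage/config`, which looks like a path belonging to a different cluster, so the policy behind the `openbao` ClusterSecretStore presumably has to grant this cluster read access there. A one-line comment above that `remoteRef`, for example `# only metrics-token is needed from the ps10rp garage config`, would help whoever audits that policy later.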
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/templates/namespace.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: kube-prometheus-stack
+ name: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: kube-prometheus-stack
+ app.kubernetes.io/name: {{ .Release.Namespace }}
 {{- include "custom.labels" . | nindent 4 }}
 pod-security.kubernetes.io/audit: privileged
 pod-security.kubernetes.io/enforce: privileged
diff --git a/clusters/cl01tl/helm/kube-prometheus-stack/templates/scrape-config.yaml b/clusters/cl01tl/helm/kube-prometheus-stack/templates/scrape-config.yaml
index 61b597302..744bd251e 100644
--- a/clusters/cl01tl/helm/kube-prometheus-stack/templates/scrape-config.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/templates/scrape-config.yaml
@@ -74,4 +74,4 @@ spec:
 type: Bearer
 credentials:
 key: token
- name: garage-metric-secret
+ name: garage-metric-token
diff --git a/clusters/cl01tl/helm/kube-prometheus-stack/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/kube-prometheus-stack/templates/secret-provider-class.yaml
new file mode 100644
index 000000000..a2ddb1ce2
--- /dev/null
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/templates/secret-provider-class.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: ntfy-alertmanager-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: ntfy-alertmanager-config
+ {{- include "custom.labels" . | nindent 4 }}
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: ntfy-alertmanager
+ objects: |
+ - objectName: config
+ fileName: config
+ secretPath: secret/data/cl01tl/kube-prometheus-stack/ntfy-alertmanager
+ secretKey: config
diff --git a/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml b/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
index cdb335750..f34a9f287 100644
--- a/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
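Review bot: Templating the Namespace name as `{{ .Release.Namespace }}` in namespace.yaml means the unchanged `pod-security.kubernetes.io/enforce: privileged` and `pod-security.kubernetes.io/audit: privileged` labels now follow whatever namespace the release is installed into, not only `kube-prometheus-stack`. Depending on how the chart is applied, installing it into a shared or pre-existing namespace could relabel that namespace to the privileged Pod Security level or fail on ownership. A comment above the two labels, such as `# privileged PSA is required by this stack (presumably node-exporter); the release must own its namespace`, would make the constraint explicit.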
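Review bot: `baoAddress` in the new SecretProviderClass uses plain `http://` for the OpenBao endpoint, so the service-account credential presented for the `ntfy-alertmanager` role and the returned `config` secret cross the cluster network unencrypted. Unless something not visible here (a service mesh or network-level encryption) already protects that hop, point the provider at a TLS listener, e.g. `baoAddress: "https://openbao-internal.openbao:8200"` if that listener serves TLS, together with the provider's CA setting. If plaintext is a deliberate choice for in-cluster traffic, a comment on the `baoAddress` line stating that assumption would let a reviewer check it against the network policy.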
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
@@ -43,7 +43,7 @@ kube-prometheus-stack:
 namespace: traefik
 alertmanagerSpec:
 secrets:
- - alertmanager-config-secret
+ - alertmanager-ntfy-config
 grafana:
 enabled: false
 kubeApiServer:
@@ -120,11 +120,18 @@ ntfy-alertmanager:
 main:
 type: deployment
 replicas: 1
+ strategy: Recreate
+ serviceAccount:
+ name: ntfy-alertmanager
 containers:
 main:
 image:
 repository: xenrox/ntfy-alertmanager
 tag: 1.0.0@sha256:81788c7905774b7b0b2ed6833b2bc4826a90a42e4b738706edcedd5f489e7a73
+ serviceAccount:
+ ntfy-alertmanager:
+ enabled: true
+ staticToken: true
 service:
 main:
 controller: main
@@ -134,9 +141,13 @@ ntfy-alertmanager:
 targetPort: 8080
 persistence:
 config:
- enabled: true
- type: secret
- name: ntfy-alertmanager-config-secret
+ type: custom
+ volumeSpec:
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: ntfy-alertmanager-config
 advancedMounts:
 main:
 main:
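Review bot: Renaming the entry under `alertmanagerSpec.secrets` to `alertmanager-ntfy-config` also changes where the secret appears inside the Alertmanager pod, because the operator mounts each listed secret at `/etc/alertmanager/secrets/<secret-name>`. Any `password_file` or similar path in the Alertmanager configuration that still points at `/etc/alertmanager/secrets/alertmanager-config-secret/` would stop resolving, and notifications to ntfy would then fail authentication. That configuration is not part of this hunk, so it is worth confirming it was updated in the same change.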
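Review bot: `staticToken: true` on the new `ntfy-alertmanager` service account looks unnecessary for the CSI mount added in the next hunk. If it does what the name suggests (create a long-lived token Secret for the account), it leaves a non-expiring credential in the namespace that could authenticate to the `ntfy-alertmanager` OpenBao role. CSI secret providers normally authenticate with the pod's own short-lived service-account token, so unless something else consumes the static token, prefer `staticToken: false`. If it has to stay, add a comment on that line naming what reads it.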