diff --git a/rire/factory.c-one-infra.de/stacks/monitoring/kube-prometheus/manifests/secret-admin-password.yaml b/rire/factory.c-one-infra.de/stacks/monitoring/kube-prometheus/manifests/secret-admin-password.yaml
new file mode 100644
index 0000000..1473a79
--- /dev/null
+++ b/rire/factory.c-one-infra.de/stacks/monitoring/kube-prometheus/manifests/secret-admin-password.yaml
@@ -0,0 +1,36 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Password
+metadata:
+  name: grafana-admin-password-generator
+  namespace: monitoring 
+spec:
+  length: 36
+  digits: 5
+  symbols: 5
+  symbolCharacters: "/-+"
+  noUpper: false
+  allowRepeat: true
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-admin-password-generator
+  namespace: monitoring 
+spec:
+  refreshInterval: "0"
+  target:
+    name: kube-prometheus-stack-grafana-admin-password
+    template:
+      engineVersion: v2
+      data:
+        admin-user: admin
+        admin-password: "{{.INITIAL_ADMIN_PASSWORD}}"
+  dataFrom:
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: Password
+          name: grafana-admin-password-generator
+      rewrite:
+        - transform:
+            template: "INITIAL_ADMIN_PASSWORD"