diff --git a/07_KubePrometheusStack/grafana-certificate.gomplate.yaml b/07_KubePrometheusStack/grafana-certificate.gomplate.yaml new file mode 100644 index 0000000..a9327c0 --- /dev/null +++ b/07_KubePrometheusStack/grafana-certificate.gomplate.yaml @@ -0,0 +1,12 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: grafana-ingress-certificate + namespace: {{.Env.PROMETHEUS_NAMESPACE}} +spec: + secretName: grafana-certificate-secret + issuerRef: + name: cloudflare-cluster-issuer + kind: ClusterIssuer + dnsNames: + - {{.Env.GRAFANA_HOST}} diff --git a/07_KubePrometheusStack/justfile b/07_KubePrometheusStack/justfile index 9ac6441..98cc645 100644 --- a/07_KubePrometheusStack/justfile +++ b/07_KubePrometheusStack/justfile @@ -1,7 +1,7 @@ set fallback := true export PROMETHEUS_NAMESPACE := env("PROMETHEUS_NAMESPACE", "monitoring") -#export GRAFANA_HOST := env("GRAFANA_HOST") +export GRAFANA_HOST := env("GRAFANA_HOST", "") [private] default: 
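Review bot: The templated scalars in `namespace:` and under `dnsNames:` are unquoted, so the YAML parser types the rendered text instead of treating it as a string. An empty `GRAFANA_HOST` renders a null list entry, and a value starting with `*` (a wildcard host) is read as an alias. Quote both, `namespace: "{{.Env.PROMETHEUS_NAMESPACE}}"` and `- "{{.Env.GRAFANA_HOST}}"`, so a bad value reaches cert-manager as a string and can be rejected there. The same applies to the `hosts`, `domain` and `root_url` values in kube-stack-config-values.gomplate.yaml.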
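Review bot: Defaulting `GRAFANA_HOST` to `""` in the first justfile hunk turns a missing hostname into a silent success. The variable is exported as set-but-empty, so the `.Env.GRAFANA_HOST` lookups in both gomplate templates no longer fail on an unset variable. The Certificate then renders with an empty `dnsNames` entry and the Ingress values with an empty host, which, depending on how the chart renders it, may leave Grafana routed without a host restriction. Either keep the variable mandatory with `export GRAFANA_HOST := env("GRAFANA_HOST")`, or, if the default exists so that `uninstall` runs without it, fail early in `install` with `@test -n "${GRAFANA_HOST}" || { echo "GRAFANA_HOST must be set" >&2; exit 1; }`.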
@@ -14,23 +14,25 @@ add-helm-repo: install: - @just add-helm-repo + just add-helm-repo - gomplate -f kube-stack-config-values-gomplate.yaml -o kube-stack-config-values.yaml + gomplate -f kube-stack-config-values.gomplate.yaml -o kube-stack-config-values.yaml @helm upgrade --cleanup-on-fail --install kube-prometheus-stack prometheus-community/kube-prometheus-stack \ --namespace ${PROMETHEUS_NAMESPACE} \ --create-namespace \ - --debug \ --wait \ -f kube-stack-config-values.yaml - echo "kubectl port-forward svc/prometheus-grafana 8080:80 -n monitoring" - echo "kubectl port-forward svc/prometheus-kube-prometheus-prometheus 9090 -n monitoring" - echo "kubectl port-forward svc/prometheus-kube-prometheus-alertmanager 9093 -n monitoring" + echo "kubectl port-forward svc/kube-prometheus-stack-grafana 8080:80 -n ${PROMETHEUS_NAMESPACE}" + echo "kubectl port-forward svc/kube-prometheus-stack-prometheus 9090 -n ${PROMETHEUS_NAMESPACE}" + echo "kubectl port-forward svc/kube-prometheus-stack-alertmanager 9093 -n ${PROMETHEUS_NAMESPACE}" echo "Get Grafana Password:" echo "kubectl get secret --namespace monitoring -l app.kubernetes.io/component=admin-secret -o jsonpath=\"{.items[0].data.admin-password}\" | base64 --decode ; echo" + gomplate -f ./grafana-certificate.gomplate.yaml | kubectl apply -f - + + uninstall: helm uninstall kube-prometheus-stack -n ${PROMETHEUS_NAMESPACE} \ No newline at end of file diff --git a/07_KubePrometheusStack/kube-stack-config-values-gomplate.yaml b/07_KubePrometheusStack/kube-stack-config-values-gomplate.yaml deleted file mode 100644 index e65cd8c..0000000 --- a/07_KubePrometheusStack/kube-stack-config-values-gomplate.yaml +++ /dev/null @@ -1,13 +0,0 @@ -grafana: - enabled: true - - ingress: - enabled: true - ingressClassName: traefik - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure - hosts: - - {{ .Env.GRAFANA_HOST }} - tls: - - hosts: - - {{ .Env.GRAFANA_HOST }} 
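Review bot: The Grafana password hint near the end of `install` still hardcodes `--namespace monitoring`, although the three port-forward hints above it were switched to `${PROMETHEUS_NAMESPACE}`. With a non-default namespace the printed command looks for the admin secret in the wrong place, so change it to `--namespace ${PROMETHEUS_NAMESPACE}`. Separately, the Certificate is applied only after `helm upgrade --wait` returns, so the Ingress references `grafana-certificate-secret` before it exists. Presumably Traefik serves its default certificate until issuance completes, which deserves a comment above the `gomplate ... | kubectl apply -f -` line, such as `# Certificate is applied after the chart; TLS uses the default cert until the secret is issued`.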
diff --git a/07_KubePrometheusStack/kube-stack-config-values.gomplate.yaml b/07_KubePrometheusStack/kube-stack-config-values.gomplate.yaml new file mode 100644 index 0000000..a92b022 --- /dev/null +++ b/07_KubePrometheusStack/kube-stack-config-values.gomplate.yaml @@ -0,0 +1,23 @@ +grafana: + enabled: true + + ingress: + enabled: true + ingressClassName: traefik + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + hosts: + - {{ .Env.GRAFANA_HOST }} + tls: + - secretName: grafana-certificate-secret + - hosts: + - {{ .Env.GRAFANA_HOST }} + annotations: + traefik.ingress.kubernetes.io/router.tls: "true" + traefik.ingress.kubernetes.io/router.tls.certresolver: "" # empty = use secretName, not its own resolver + + grafana.ini: + server: + domain: {{ .Env.GRAFANA_HOST }} + root_url: https://{{ .Env.GRAFANA_HOST }} + serve_from_sub_path: false \ No newline at end of file diff --git a/07_KubePrometheusStack/kube-stack-config-values.yaml b/07_KubePrometheusStack/kube-stack-config-values.yaml deleted file mode 100644 index 2b5bc3f..0000000 --- a/07_KubePrometheusStack/kube-stack-config-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -grafana: - enabled: true \ No newline at end of file diff --git a/prometheus-stack/README.md b/prometheus-stack/README.md index b37524b..cad7100 100644 --- a/prometheus-stack/README.md +++ b/prometheus-stack/README.md @@ -19,7 +19,7 @@ helm upgrade --install prometheus prometheus-community/kube-prometheus-stack \ Accessing UIs via PortForwarding ``` -kubectl port-forward svc/prometheus-grafana 8080:80 -n monitoring +kubectl port-forward svc/kube-prometheus-stack-grafana 8080:80 -n monitoring kubectl port-forward svc/prometheus-kube-prometheus-prometheus 9090 -n monitoring kubectl port-forward svc/prometheus-kube-prometheus-alertmanager 9093 -n monitoring ```
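Review bot: The `tls:` list in kube-stack-config-values.gomplate.yaml has two separate entries, one with only `secretName` and one with only `hosts`, so the secret is never tied to the Grafana host. They should be a single entry carrying both keys. The section also has two `annotations:` keys; indentation is not recoverable from this view, but if the second sits at the same level as the first, most parsers keep only the last one and the `router.entrypoints: websecure` annotation is silently dropped. If it sits one level up, the `router.tls` annotations land outside `ingress` and never reach the router. Merging both into one map under `ingress` avoids either outcome.

```yaml
  ingress:
    # … unchanged: enabled, ingressClassName …
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.tls.certresolver: "" # empty = use secretName, not its own resolver
    hosts:
      - {{ .Env.GRAFANA_HOST }}
    tls:
      - secretName: grafana-certificate-secret
        hosts:
          - {{ .Env.GRAFANA_HOST }}
  # … unchanged: grafana.ini server settings …
```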