diff --git a/hack/scripts/generate-grafana-credentials-secret.sh b/hack/scripts/generate-grafana-credentials-secret.sh
new file mode 100755
index 0000000000000000000000000000000000000000..e877b080b1442d829c386e74a8c93c222a4138fe
--- /dev/null
+++ b/hack/scripts/generate-grafana-credentials-secret.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 user password"
+    exit 1
+fi
+
+user=$1
+password=$2
+
+cat <<-EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-credentials
+data:
+  user: $(echo -n ${user} | base64 --wrap=0)
+  password: $(echo -n ${password} | base64 --wrap=0)
+EOF
+
diff --git a/hack/scripts/generate-manifests.sh b/hack/scripts/generate-manifests.sh
index bf5f42fa6be1e7f86108f94cebe13faa654f5d25..280bc121e6666f35707a87364855fb6992d26af6 100755
--- a/hack/scripts/generate-manifests.sh
+++ b/hack/scripts/generate-manifests.sh
@@ -6,6 +6,9 @@ hack/scripts/generate-rules-configmap.sh > manifests/prometheus/prometheus-k8s-r
 # Generate Dashboard ConfigMap
 hack/scripts/generate-dashboards-configmap.sh > manifests/grafana/grafana-dashboards.yaml
 
+# Generate Grafana Credentials Secret
+hack/scripts/generate-grafana-credentials-secret.sh admin admin > manifests/grafana/grafana-credentials.yaml
+
 # Generate Secret for Alertmanager config
 hack/scripts/generate-alertmanager-config-secret.sh > manifests/alertmanager/alertmanager-config.yaml
 
diff --git a/manifests/grafana/grafana-credentials.yaml b/manifests/grafana/grafana-credentials.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c3da1b631131dee0940720aa1f85aa62c7fa0f18
--- /dev/null
+++ b/manifests/grafana/grafana-credentials.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-credentials
+data:
+  user: YWRtaW4=
+  password: YWRtaW4=
diff --git a/manifests/grafana/grafana-deployment.yaml b/manifests/grafana/grafana-deployment.yaml
index b727561c8f8c840bf6e7c21d0b6f08aa2306aa62..e83d265dfbedc47d66a1f2ae9ee7a83fabf7f5d2 100644
--- a/manifests/grafana/grafana-deployment.yaml
+++ b/manifests/grafana/grafana-deployment.yaml
@@ -17,6 +17,16 @@ spec:
           value: "true"
         - name: GF_AUTH_ANONYMOUS_ENABLED
           value: "true"
+        - name: GF_SECURITY_ADMIN_USER
+          valueFrom:
+            secretKeyRef:
+              name: grafana-credentials
+              key: user
+        - name: GF_SECURITY_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: grafana-credentials
+              key: password
         volumeMounts:
         - name: grafana-storage
           mountPath: /var/grafana-storage
@@ -28,13 +38,25 @@ spec:
             memory: 100Mi
             cpu: 100m
           limits:
-            memory: 300Mi
-            cpu: 300m
+            memory: 200Mi
+            cpu: 200m
       - name: grafana-watcher
-        image: quay.io/coreos/grafana-watcher:v0.0.2
+        image: quay.io/coreos/grafana-watcher:v0.0.3
+        imagePullPolicy: Never
         args:
           - '--watch-dir=/var/grafana-dashboards'
-          - '--grafana-url=http://admin:admin@localhost:3000'
+          - '--grafana-url=http://localhost:3000'
+        env:
+        - name: GRAFANA_USER
+          valueFrom:
+            secretKeyRef:
+              name: grafana-credentials
+              key: user
+        - name: GRAFANA_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: grafana-credentials
+              key: password
         volumeMounts:
         - name: grafana-dashboards
           mountPath: /var/grafana-dashboards