diff --git a/k8s/apps/mtproxy/kustomization.yaml b/k8s/apps/mtproxy/kustomization.yaml
index 3f30d0e..24e0318 100644
--- a/k8s/apps/mtproxy/kustomization.yaml
+++ b/k8s/apps/mtproxy/kustomization.yaml
@@ -8,6 +8,8 @@ resources:
   - ./telemt-daemonset.yaml
   - ./external-secrets.yaml
   - ./telemt-external-secrets.yaml
+  - ./telemt-service.yaml
+  - ./telemt-servicemonitor.yaml
   - ./service.yaml
   - ./secret-reader.yaml
 # - ./storage.yaml
diff --git a/k8s/apps/mtproxy/telemt-daemonset.yaml b/k8s/apps/mtproxy/telemt-daemonset.yaml
index 3b58e16..5d285f0 100644
--- a/k8s/apps/mtproxy/telemt-daemonset.yaml
+++ b/k8s/apps/mtproxy/telemt-daemonset.yaml
@@ -55,10 +55,9 @@ spec:
                 echo "ERROR: node ${NODE_NAME} has no mtproxy label"
                 exit 1
               fi
-              # Build dd-prefixed secret for TLS mode: dd + secret + hex(tls_domain)
-              # "ya.ru" = 79612e7275
-              DD_SECRET="dd${SECRET}79612e7275"
-              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${DD_SECRET}"
+              # Build ee-prefixed secret for secure mode
+              EE_SECRET="ee${SECRET}"
+              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${EE_SECRET}"
               echo "Registering telemt: ${SERVER} -> ${LINK}"
               if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
                 kubectl patch secret telemt-links -n "${NAMESPACE}" \
diff --git a/k8s/apps/mtproxy/telemt-external-secrets.yaml b/k8s/apps/mtproxy/telemt-external-secrets.yaml
index 3109d04..4e6dc95 100644
--- a/k8s/apps/mtproxy/telemt-external-secrets.yaml
+++ b/k8s/apps/mtproxy/telemt-external-secrets.yaml
@@ -29,6 +29,7 @@ spec:
 
           [server]
           port = 30444
+          metrics_port = 9090
 
           [server.api]
           enabled = true