diff --git a/features/canary/prometheus/kustomization.yml b/features/canary/prometheus/kustomization.yml
new file mode 100644
index 0000000..f6005b8
--- /dev/null
+++ b/features/canary/prometheus/kustomization.yml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patchesStrategicMerge:
+  - spinnaker-config.yml
+
+transformers:
+  - tfr-namespace-roles.yml
diff --git a/accounts/canary/prometheus.yml b/features/canary/prometheus/spinnaker-config.yml
similarity index 73%
rename from accounts/canary/prometheus.yml
rename to features/canary/prometheus/spinnaker-config.yml
index 839e3dc..642e5ee 100644
--- a/accounts/canary/prometheus.yml
+++ b/features/canary/prometheus/spinnaker-config.yml
@@ -1,11 +1,15 @@
-#-----------------------------------------------------------------------------------------------------------------
+#-------------------------------------------------------------------------------
 # Example configuration for enabling canary through prometheus endpoints
-#-----------------------------------------------------------------------------------------------------------------
+#-------------------------------------------------------------------------------
 apiVersion: spinnaker.armory.io/v1alpha2
 kind: SpinnakerService
 metadata:
   name: spinnaker
 spec:
+  validation:
+    providers:
+      canary:
+        enabled: false
   spinnakerConfig:
     config:
       canary:
@@ -16,12 +20,23 @@ spec:
           accounts:
           - name: prometheus
             endpoint:
-              baseUrl: http://myprometheus       # (Required). The base URL to the Prometheus server.
+              baseUrl: http://prometheus:9090       # (Required). The base URL to the Prometheus server.
             supportedTypes:
             - METRICS_STORE
             #username: admin                      # (Optional). Username for Prometheus Basic Auth
             #password: encrypted:k8s!n:spin-secrets!k:prometheus-password  # (Optional). Password for Prometheus Basic Auth
 
+        - name: aws
+          enabled: true
+          accounts:
+            - name: aws
+              bucket: armory-kayenta-test-bucket
+              region: us-west-2
+              rootFolder: kayenta
+              supportedTypes:
+                - CONFIGURATION_STORE
+                - OBJECT_STORE
+          s3Enabled: true
         reduxLoggerEnabled: true                 # Whether or not to enable redux logging in the canary module in deck (Default: true).
         defaultJudge: NetflixACAJudge-v1.0       # Name of canary judge to use by default (Default: NetflixACAJudge-v1.0).
         stagesEnabled: true                      # Whether or not to enable canary stages in deck (Default: true).
diff --git a/features/canary/prometheus/tfr-namespace-roles.yml b/features/canary/prometheus/tfr-namespace-roles.yml
new file mode 100644
index 0000000..9374dc4
--- /dev/null
+++ b/features/canary/prometheus/tfr-namespace-roles.yml
@@ -0,0 +1,8 @@
+apiVersion: builtin
+kind: NamespaceTransformer
+metadata:
+  name: add-namespace-to-service-account-resources
+fieldSpecs:
+  - kind: ClusterRoleBinding
+    group: rbac.authorization.k8s.io
+    path: subjects/namespace
diff --git a/features/operations/observability/prometheus/kustomization.yml b/features/operations/observability/prometheus/kustomization.yml
new file mode 100644
index 0000000..e9ca298
--- /dev/null
+++ b/features/operations/observability/prometheus/kustomization.yml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patchesStrategicMerge:
+  - spinnaker-config.yml
+
+configMapGenerator:
+  - name: grafana-dashboard-spinnaker
+    files:
+      - spinnaker-dashboards.json
+    options:
+      disableNameSuffixHash: true
diff --git a/accounts/metric-stores/patch-prometheus.yml b/features/operations/observability/prometheus/spinnaker-config.yml
similarity index 60%
rename from accounts/metric-stores/patch-prometheus.yml
rename to features/operations/observability/prometheus/spinnaker-config.yml
index 0cffb1f..96232e8 100644
--- a/accounts/metric-stores/patch-prometheus.yml
+++ b/features/operations/observability/prometheus/spinnaker-config.yml
@@ -7,17 +7,17 @@ metadata:
   name: spinnaker
 spec:
   spinnakerConfig:
-    config:
-      metricStores:
-        prometheus:
-          enabled: true
-          add_source_metalabels: true
+    #config:
+      #metricStores:
+        #prometheus:
+          #enabled: true
+          #add_source_metalabels: true
 
 #    # Config used if prometheus server discover pods through annotations
-#    service-settings:
-#      spinnaker:
-#        kubernetes:
-#          podAnnotations:
-#            prometheus.io/scrape: true
-#            prometheus.io/path: /prometheus_metrics
-#            prometheus.io/port: 8008
+    service-settings:
+      spinnaker:
+        kubernetes:
+          podAnnotations:
+            prometheus.io/scrape: true
+            prometheus.io/path: /prometheus_metrics
+            prometheus.io/port: 8008
diff --git a/infrastructure/prometheus-grafana/spinnaker-dashboards.json b/features/operations/observability/prometheus/spinnaker-dashboards.json
similarity index 100%
rename from infrastructure/prometheus-grafana/spinnaker-dashboards.json
rename to features/operations/observability/prometheus/spinnaker-dashboards.json
diff --git a/infrastructure/prometheus-grafana/kustomization.yml b/infrastructure/prometheus-grafana/kustomization.yml
deleted file mode 100644
index 33e8f30..0000000
--- a/infrastructure/prometheus-grafana/kustomization.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - prometheus-grafana.yml
-
-configMapGenerator:
-  - name: grafana-dashboard-spinnaker
-    files:
-      - spinnaker-dashboards.json
-
-generatorOptions:
-  disableNameSuffixHash: true
diff --git a/third-party/README.md b/third-party/README.md
new file mode 100644
index 0000000..598d7a2
--- /dev/null
+++ b/third-party/README.md
@@ -0,0 +1,4 @@
+# third-party
+
+This directory contains components that build or configure third-party tools
+that interact with Spinnaker.
diff --git a/third-party/prometheus/kustomization.yml b/third-party/prometheus/kustomization.yml
new file mode 100644
index 0000000..415c3f5
--- /dev/null
+++ b/third-party/prometheus/kustomization.yml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - prometheus-grafana.yml
+
+secretGenerator:
+  - name: prometheus-secrets
+    literals:
+      - grafanaDefaultUser=DefaultUser1!
+      - grafanaDefaultPassword=DefaultPass1!
+    options:
+      disableNameSuffixHash: true
diff --git a/infrastructure/prometheus-grafana/prometheus-grafana.yml b/third-party/prometheus/prometheus-grafana.yml
similarity index 99%
rename from infrastructure/prometheus-grafana/prometheus-grafana.yml
rename to third-party/prometheus/prometheus-grafana.yml
index df57612..75736d2 100644
--- a/infrastructure/prometheus-grafana/prometheus-grafana.yml
+++ b/third-party/prometheus/prometheus-grafana.yml
@@ -1375,12 +1375,12 @@ spec:
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
-                  name: spin-secrets
+                  name: prometheus-secrets
                   key: grafanaDefaultUser
             - name: GF_SECURITY_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: spin-secrets
+                  name: prometheus-secrets
                   key: grafanaDefaultPassword
             - name: GF_AUTH_ANONYMOUS_ENABLED
               value: "false"