diff --git a/.github/workflows/helm-tests.yml b/.github/workflows/helm-tests.yml index f04595c7..c3950f12 100644 --- a/.github/workflows/helm-tests.yml +++ b/.github/workflows/helm-tests.yml @@ -83,7 +83,6 @@ jobs: helm dependency build eoapi helm install $RELEASE_NAME \ - --namespace default \ -f ./eoapi/values.yaml \ -f ./eoapi/test-k3s-unittest-values.yaml \ ./eoapi @@ -100,7 +99,6 @@ jobs: timeout-minutes: 10 continue-on-error: true run: | - kubectl config set-context --current --namespace=default while [[ -z "$(kubectl get pod | grep "^raster-$RELEASE_NAME-.*$" | cut -d' ' -f1 | xargs -I{} kubectl logs pod/{} | grep "GET /.*/healthz" | head -n 1)" ]]; do echo "still waiting for raster service to start..." sleep 1 @@ -136,7 +134,6 @@ jobs: kubectl get ingress --all-namespaces -o jsonpath='{range .items[0]}kubectl describe ingress {.metadata.name} -n {.metadata.namespace}{end}' | sh kubectl get middleware.traefik.io --all-namespaces -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers | while read -r namespace name; do kubectl describe middleware.traefik.io "$name" -n "$namespace"; done - kubectl config set-context --current --namespace=default PUBLICIP='http://'$(kubectl -n kube-system get svc traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}') export VECTOR_ENDPOINT=$PUBLICIP/vector$RELEASE_NAME export STAC_ENDPOINT=$PUBLICIP/stac$RELEASE_NAME diff --git a/helm-chart/eoapi/initdb-data/pgstac-setup.py b/helm-chart/eoapi/initdb-data/pgstac-setup.py index 6b6bcd95..e1d6cbba 100644 --- a/helm-chart/eoapi/initdb-data/pgstac-setup.py +++ b/helm-chart/eoapi/initdb-data/pgstac-setup.py @@ -1,3 +1,9 @@ +#! /usr/bin/env python3 + +# This script is used to setup the pgstac database. +# It is run as a job in the pgstacbootstrap pod. +# It is important that this script and all of its steps are idempotent. + import os import psycopg from psycopg import sql 
diff --git a/helm-chart/eoapi/templates/pgstacboostrap/job.yaml b/helm-chart/eoapi/templates/pgstacboostrap/job.yaml
index ddc096e2..07827ce4 100644
--- a/helm-chart/eoapi/templates/pgstacboostrap/job.yaml
+++ b/helm-chart/eoapi/templates/pgstacboostrap/job.yaml
@@ -13,6 +13,15 @@ spec:
 app: pgstacbootstrap
 spec:
 restartPolicy: Never
+ initContainers:
+ - name: wait-for-db
+ image: busybox
+ command:
+ {{ if .Values.testing }}
+ ['sh', '-c', 'until nc -z {{ $.Release.Name }}-pgbouncer 5432; do echo waiting for db; sleep 10; done;']
+ {{ else }}
+ ['sh', '-c', 'until nc -z eoapi-pgbouncer 5432; do echo waiting for db; sleep 10; done;']
+ {{ end }}
 containers:
 - name: pgstacbootstrap
 image: {{ .Values.pgstacBootstrap.image.name }}:{{ .Values.pgstacBootstrap.image.tag }}
diff --git a/helm-chart/eoapi/templates/services/deployment.yaml b/helm-chart/eoapi/templates/services/deployment.yaml
index 67d33ea6..40454f31 100644
--- a/helm-chart/eoapi/templates/services/deployment.yaml
+++ b/helm-chart/eoapi/templates/services/deployment.yaml
@@ -29,6 +29,22 @@ spec:
 labels:
 app: {{ $serviceName }}-{{ $.Release.Name }}
 spec:
+ serviceAccountName: eoapi-sa-{{ $.Release.Name }}
+ {{- if eq $serviceName "stac" }}
+ initContainers:
+ - name: wait-for-pgstacbootstrap
+ image: bitnami/kubectl:latest
+ command:
+ - /bin/sh
+ - -c
+ - |
+ echo "Waiting for pgstacbootstrap job to complete..."
+ while ! kubectl -n {{ $.Release.Namespace }} wait --for=condition=complete job/pgstacbootstrap --timeout=5s; do
+ echo "pgstacbootstrap job not completed yet. Checking again in 10 seconds..."
+ sleep 10
+ done
+ echo "pgstacbootstrap job completed successfully"
+ {{- end }}
 containers:
 - image: {{ index $v "image" "name" }}:{{ index $v "image" "tag" }}
 name: {{ $serviceName }}
diff --git a/helm-chart/eoapi/templates/services/rbac.yaml b/helm-chart/eoapi/templates/services/rbac.yaml
new file mode 100644
index 00000000..7b4e5f9e
--- /dev/null
+++ b/helm-chart/eoapi/templates/services/rbac.yaml
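Review bot: The `wait-for-db` init container pulls `image: busybox` with no tag or digest, so every run of the bootstrap Job resolves to whatever `latest` points at in the registry at pull time. Pinning it, for example `image: busybox:<pinned-tag>@sha256:<digest>` (placeholders), or exposing the image through values the way `pgstacBootstrap.image` already is, keeps the Job reproducible and reviewable. The `until nc -z … sleep 10` loop also has no upper bound, so unless the Job sets a deadline outside this hunk, an unreachable pgbouncer leaves the pod waiting indefinitely. A comment such as `# blocks until pgbouncer accepts TCP on 5432; bounded only by the Job deadline, if one is set` would make that explicit. The Job spec starts and ends outside the hunk.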
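Review bot: `serviceAccountName: eoapi-sa-{{ $.Release.Name }}` sits above the `{{- if eq $serviceName "stac" }}` guard, so every service rendered by this template, not only stac, runs under the service account and has its API token mounted into the long-lived application container, although only the `wait-for-pgstacbootstrap` init container calls the API. Moving that line inside the guard limits the token to the pod that needs it. The init container's `image: bitnami/kubectl:latest` is a mutable tag on the one container that uses that token, so it should be pinned to a fixed tag or digest. `kubectl wait --for=condition=complete` does not succeed for a Job that ends in the Failed condition, so in that case the loop retries forever and the stac pod stays in Init; a comment stating this, or a check for the failed condition, would help operators. The surrounding template loop begins outside the hunk.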
@@ -0,0 +1,35 @@
+{{- if .Values.apiServices }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eoapi-sa-{{ $.Release.Name }}
+ labels:
+ app: eoapi-{{ $.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: eoapi-role-{{ $.Release.Name }}
+ labels:
+ app: eoapi-{{ $.Release.Name }}
+rules:
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: eoapi-rolebinding-{{ $.Release.Name }}
+ labels:
+ app: eoapi-{{ $.Release.Name }}
+subjects:
+- kind: ServiceAccount
+ name: eoapi-sa-{{ $.Release.Name }}
+ namespace: {{ $.Release.Namespace }}
+roleRef:
+ kind: Role
+ name: eoapi-role-{{ $.Release.Name }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
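Review bot: The Role's single rule covers every Job in the release namespace, while the only consumer visible in this commit waits on `job/pgstacbootstrap`. Adding `resourceNames: ["pgstacbootstrap"]` to the rule would narrow it to that one object. `list` and `watch` honour `resourceNames` only when the request carries a `metadata.name` field selector, so confirm that `kubectl wait` still passes with the restriction before relying on it. A comment above `rules:` such as `# read-only access used by the stac init container to wait for the pgstacbootstrap job` would record why this service account needs API access at all.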