diff --git a/helm/oncall/templates/_helpers.tpl b/helm/oncall/templates/_helpers.tpl
index bf137b40..18bcee42 100644
--- a/helm/oncall/templates/_helpers.tpl
+++ b/helm/oncall/templates/_helpers.tpl
@@ -85,6 +85,8 @@ Create the name of the service account to use
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 command: ['sh', '-c', "until (python manage.py migrate --check); do echo Waiting for database migrations; sleep 2; done"]
+ securityContext:
+ {{ toYaml .Values.init.securityContext| nindent 4}}
 env:
 {{- include "snippet.oncall.env" . | nindent 12 }}
 {{- include "snippet.mysql.env" . | nindent 12 }}
@@ -93,4 +95,4 @@ Create the name of the service account to use
 {{- if .Values.env }}
 {{- toYaml .Values.env | nindent 12 }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/helm/oncall/templates/cert-issuer.yaml b/helm/oncall/templates/cert-issuer.yaml
index 60c2b690..8b1716f3 100644
--- a/helm/oncall/templates/cert-issuer.yaml
+++ b/helm/oncall/templates/cert-issuer.yaml
@@ -1,4 +1,4 @@
-{{- if (index .Values "cert-manager") }}
+{{- if (index .Values "cert-manager").enabled }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
diff --git a/helm/oncall/templates/ingress-regular.yaml b/helm/oncall/templates/ingress-regular.yaml
index 31c4e367..dc2f82c7 100644
--- a/helm/oncall/templates/ingress-regular.yaml
+++ b/helm/oncall/templates/ingress-regular.yaml
@@ -38,6 +38,7 @@ spec:
 name: {{ include "oncall.engine.fullname" . }}
 port:
 number: 8080
+ {{ if .Values.grafana.enabled }}
 - path: /grafana
 pathType: Prefix
 backend:
@@ -45,4 +46,5 @@ spec:
 name: {{ include "oncall.grafana.fullname" . }}
 port:
 number: 80
+ {{- end }}
 {{- end }}
diff --git a/helm/oncall/values.yaml b/helm/oncall/values.yaml
index 4937b2f0..ce8af06c 100644
--- a/helm/oncall/values.yaml
+++ b/helm/oncall/values.yaml
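Review bot: In the `_helpers.tpl` hunk at -85,6 the added `securityContext:` value is rendered with `nindent 4`, while the `env:` entries of the same container use `nindent 12`. Indentation is not visible in this view, but if `securityContext:` sits at the same level as `env:`, a non-empty `init.securityContext` would render its keys outside the container, so the hardening either fails to parse or silently does not apply. I would match the sibling lines and trim the leading whitespace: `{{- toYaml .Values.init.securityContext | nindent 12 }}`. Rendering the chart with a populated `init.securityContext` (for example via `helm template`) would confirm that the fields land under the init container. The enclosing define starts and ends outside the hunk.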
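Review bot: In `cert-issuer.yaml`, `(index .Values "cert-manager").enabled` assumes the `cert-manager` key is always a map; if an override sets it to null, rendering will likely abort with a nil-pointer error instead of skipping the Issuer. A defensive form is `{{- if (index .Values "cert-manager" | default dict).enabled }}`. The rest of the template and the chart's ingress annotations are outside this hunk, so it is worth confirming that anything referencing this Issuer is gated on the same flag; otherwise a disabled cert-manager leaves the ingress pointing at an Issuer that no longer exists.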
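Review bot: In `ingress-regular.yaml` the opening `{{ if .Values.grafana.enabled }}` (hunk -38,6) has no whitespace trim while its closing `{{- end }}` (hunk -45,4) does, so the rendered manifest keeps a whitespace-only line inside the path list. Suggest `{{- if .Values.grafana.enabled }}` to match the closing action and the other actions visible in these templates. If the chart ships other ingress templates that expose `/grafana`, they need the same guard; none are visible in this diff.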
@@ -164,3 +164,15 @@ securityContext: {}
 # readOnlyRootFilesystem: true
 # runAsNonRoot: true
 # runAsUser: 1000
+
+init:
+ securityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # privileged: false
+ # readOnlyRootFilesystem: true
+ # runAsGroup: 1337
+ # runAsNonRoot: true
+ # runAsUser: 1337
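Review bot: The new `init.securityContext` defaults to `{}`, so the init container keeps the image and runtime defaults (possibly root, with privilege escalation allowed) unless an operator opts in. A container-level securityContext is per container, so hardening the main container does not cover this one. Consider shipping the fields that rarely break workloads enabled by default (`allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`), leaving only the UID/GID lines commented. The example uses `1337` while the existing block just above uses `runAsUser: 1000`, and the init container appears to run the chart's main image (`.Values.image.repository`). A comment such as `# Must be a UID/GID the image can run as; keep consistent with securityContext above` would prevent a mismatched pair.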