diff --git a/helm/servicex/templates/x509-secrets/cronjob.yaml b/helm/servicex/templates/x509-secrets/cronjob.yaml
new file mode 100644
index 000000000..21111c29e
--- /dev/null
+++ b/helm/servicex/templates/x509-secrets/cronjob.yaml
@@ -0,0 +1,69 @@
+{{- if not .Values.noCerts }}
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: x509-secrets
+spec:
+ schedule: "0 */6 * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ app: x509-secrets
+ spec:
+ serviceAccountName: {{ template "servicex.fullname" . }}
+ restartPolicy: OnFailure
+ # Before launching the main container, copy the certs and set their permissions accordingly
+ initContainers:
+ - name: take-data-dir-ownership
+ image: {{ .Values.x509Secrets.initImage }}
+ command: ["/bin/sh","-c"]
+ args: ["cp /etc/grid-certs-ro/usercert.pem /etc/grid-certs; chmod 600 /etc/grid-certs/usercert.pem; cp /etc/grid-certs-ro/userkey.pem /etc/grid-certs; chmod 400 /etc/grid-certs/userkey.pem"]
+ env:
+ - name: INSTANCE_NAME
+ value: {{ .Release.Name }}
+ volumeMounts:
+ - name: grid-certs-rw-copy
+ mountPath: /etc/grid-certs/
+ - name: grid-secret
+ mountPath: /etc/grid-certs-ro/
+ containers:
+ - name: x509-secrets
+ image: {{ .Values.x509Secrets.image }}:{{ .Values.x509Secrets.tag }}
+ command: ["bash","-c"]
+ args: ["python3 x509_updater.py --secret x509-proxy --voms {{ .Values.x509Secrets.vomsOrg }}"]
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ tty: true
+ stdin: true
+ imagePullPolicy: {{ .Values.x509Secrets.pullPolicy }}
+ volumeMounts:
+ - name: grid-certs-rw-copy
+ mountPath: /etc/grid-certs/
+ - name: grid-secret
+ mountPath: /etc/grid-certs-ro/
+
+ volumes:
+ # Mount the usercert, userkey, and passphrase file. These will have the
+ # wrong permissions to be used for generating the voms proxy
+ - name: grid-secret
+ secret:
+ secretName: grid-certs-secret # Installed via servicex command line
+
+ # Create an empty dir to share between the init container and the main
+ # container. The init container will copy the certs from grid-secret
+ # to this dir and set the correct permissions
+ - name: grid-certs-rw-copy
+ emptyDir: {}
+
+{{- end }}
diff --git a/helm/servicex/templates/x509-secrets/deployment.yaml b/helm/servicex/templates/x509-secrets/deployment.yaml
deleted file mode 100644
index e73568984..000000000
--- a/helm/servicex/templates/x509-secrets/deployment.yaml
+++ /dev/null
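Review bot: The CronJob spec sets no `concurrencyPolicy`, so under the default `Allow` a run that outlives its six-hour window (a slow or hanging VOMS endpoint, for instance) overlaps the next one and both write the same `x509-proxy` secret; add `concurrencyPolicy: Forbid` next to `schedule:` and consider `successfulJobsHistoryLimit`/`failedJobsHistoryLimit` so finished pods do not accumulate. The env entry `value: {{ .Release.Name }}` is unquoted, so a release name that YAML reads as a number or boolean fails API validation (env values must be strings); write `value: "{{ .Release.Name }}"` here and in install-job.yaml. The private key is copied into `grid-certs-rw-copy`, which is a disk-backed `emptyDir: {}`; `emptyDir: {medium: Memory}` keeps the copied userkey.pem in tmpfs, like the Secret mount it came from. The `chmod 400` on userkey.pem leaves it readable only by the init container's user — presumably both containers run as the same UID, but no `securityContext` pins that, so it is worth confirming.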
@@ -1,66 +0,0 @@
-{{- if not .Values.noCerts }}
-
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: x509-secrets
-spec:
- schedule: "0 */6 * * *"
- template:
- metadata:
- labels:
- app: x509-secrets
- spec:
- serviceAccountName: {{ template "servicex.fullname" . }}
- # Before launching the main container, copy the certs and set their permissions accordingly
- initContainers:
- - name: take-data-dir-ownership
- image: {{ .Values.x509Secrets.initImage }}
- command: ["/bin/sh","-c"]
- args: ["cp /etc/grid-certs-ro/usercert.pem /etc/grid-certs; chmod 600 /etc/grid-certs/usercert.pem; cp /etc/grid-certs-ro/userkey.pem /etc/grid-certs; chmod 400 /etc/grid-certs/userkey.pem"]
- env:
- - name: INSTANCE_NAME
- value: {{ .Release.Name }}
- volumeMounts:
- - name: grid-certs-rw-copy
- mountPath: /etc/grid-certs/
- - name: grid-secret
- mountPath: /etc/grid-certs-ro/
- containers:
- - name: x509-secrets
- image: {{ .Values.x509Secrets.image }}:{{ .Values.x509Secrets.tag }}
- command: ["bash","-c"]
- args: ["python3 x509_updater.py --secret x509-proxy --voms {{ .Values.x509Secrets.vomsOrg }}"]
- env:
- - name: MY_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: MY_POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- tty: true
- stdin: true
- imagePullPolicy: {{ .Values.x509Secrets.pullPolicy }}
- volumeMounts:
- - name: grid-certs-rw-copy
- mountPath: /etc/grid-certs/
- - name: grid-secret
- mountPath: /etc/grid-certs-ro/
-
- volumes:
- # Mount the usercert, userkey, and passphrase file. These will have the
- # wrong permissions to be used for generating the voms proxy
- - name: grid-secret
- secret:
- secretName: grid-certs-secret # Installed via servicex command line
-
- # Create an empty dir to share between the init container and the main
- # container. The init container will copy the certs from grid-secret
- # to this dir and set the correct permissions
- - name: grid-certs-rw-copy
- emptyDir: {}
-
-{{- end }}
diff --git a/helm/servicex/templates/x509-secrets/install-job.yaml b/helm/servicex/templates/x509-secrets/install-job.yaml
new file mode 100644
index 000000000..56af6905e
--- /dev/null
+++ b/helm/servicex/templates/x509-secrets/install-job.yaml
@@ -0,0 +1,74 @@
+{{- if not .Values.noCerts }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: x509-secrets-init
+ labels:
+ app: x509-secrets
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ labels:
+ app: x509-secrets
+ spec:
+ serviceAccountName: {{ template "servicex.fullname" . }}
+ restartPolicy: OnFailure
+
+ initContainers:
+ - name: take-data-dir-ownership
+ image: {{ .Values.x509Secrets.initImage }}
+ command: ["/bin/sh","-c"]
+ args:
+ - >
+ cp /etc/grid-certs-ro/usercert.pem /etc/grid-certs;
+ chmod 600 /etc/grid-certs/usercert.pem;
+ cp /etc/grid-certs-ro/userkey.pem /etc/grid-certs;
+ chmod 400 /etc/grid-certs/userkey.pem
+ env:
+ - name: INSTANCE_NAME
+ value: {{ .Release.Name }}
+ volumeMounts:
+ - name: grid-certs-rw-copy
+ mountPath: /etc/grid-certs/
+ - name: grid-secret
+ mountPath: /etc/grid-certs-ro/
+
+ containers:
+ - name: x509-secrets
+ image: {{ .Values.x509Secrets.image }}:{{ .Values.x509Secrets.tag }}
+ command: ["bash","-c"]
+ args: ["python3 x509_updater.py --secret x509-proxy --voms {{ .Values.x509Secrets.vomsOrg }}"]
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ tty: true
+ stdin: true
+ imagePullPolicy: {{ .Values.x509Secrets.pullPolicy }}
+ volumeMounts:
+ - name: grid-certs-rw-copy
+ mountPath: /etc/grid-certs/
+ - name: grid-secret
+ mountPath: /etc/grid-certs-ro/
+
+ volumes:
+ - name: grid-secret
+ secret:
+ secretName: grid-certs-secret
+
+ - name: grid-certs-rw-copy
+ emptyDir: {}
+
+{{- end }}
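Review bot: The hook annotations declare only `"helm.sh/hook-delete-policy": hook-succeeded`, which replaces Helm's default `before-hook-creation` behaviour; once `backoffLimit: 3` is exhausted the failed `x509-secrets-init` Job stays behind, and the next `helm upgrade` is then likely to fail because a Job with that name already exists. Use `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` so a stale hook is removed before a fresh one is created. As in cronjob.yaml, `value: {{ .Release.Name }}` should be quoted so the env value is always a string. The init container's `args` are a folded `>` block here but a single-line flow list in cronjob.yaml; since the two pod specs are otherwise identical, moving them into a shared named template (`{{ define }}` / `{{ include }}`) would keep the copies from drifting.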