diff --git a/helmchart/single-sign-on/requirements.yaml b/helmchart/single-sign-on/requirements.yaml
index f96d2123baaaad2af7ae9bfe6e6063ce09d72178..049f75d566ba9b0b91c6c0cf15089f862489a589 100644
--- a/helmchart/single-sign-on/requirements.yaml
+++ b/helmchart/single-sign-on/requirements.yaml
@@ -1,7 +1,7 @@
 # https://k8s.ory.sh/helm/hydra.html
 dependencies:
   - name: hydra
-    version: 0.19.5
+    version: 0.21.0
     repository: "https://k8s.ory.sh/helm/charts"
     tags:
       - single-sign-on
diff --git a/helmchart/single-sign-on/templates/cronjob-create-oauth-clients.yaml b/helmchart/single-sign-on/templates/cronjob-create-oauth-clients.yaml
index d52c50d9566ab3b3661d92c73d04d5c564a9cbbf..fc8c5e86099daf5d8912a9bacdb9e1bc0a3e26e8 100644
--- a/helmchart/single-sign-on/templates/cronjob-create-oauth-clients.yaml
+++ b/helmchart/single-sign-on/templates/cronjob-create-oauth-clients.yaml
@@ -1,4 +1,4 @@
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: {{ include "single-sign-on.fullname" . }}-recreate-oauth2-clients
diff --git a/helmchart/single-sign-on/templates/job-migration-hydra.yaml b/helmchart/single-sign-on/templates/job-migration-hydra.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9f92c057a5573168478fc0cda4177f5a93010145
--- /dev/null
+++ b/helmchart/single-sign-on/templates/job-migration-hydra.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "single-sign-on.fullname" . }}-hydra-automigrate
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+{{ include "single-sign-on.labels" . | indent 4 }}a
+    {{- with .Values.hydra.deployment.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.hydra.job.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+    helm.sh/hook-weight: "1"
+    helm.sh/hook: "post-install, post-upgrade"
+    helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
+spec:
+  template:
+    {{- with .Values.hydra.job.annotations }}
+    metadata: 
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    spec:
+      automountServiceAccountToken: {{ .Values.hydra.automountServiceAccountToken }}
+      containers:
+      - name: {{ .Chart.Name }}-hydra-automigrate
+        image: "{{ .Values.hydra.image.repository }}:{{ .Values.hydra.image.tag }}"
+        imagePullPolicy: {{ .Values.hydra.image.pullPolicy }}
+        command: ["hydra"]
+        args: ["migrate", "sql", "-e", "--yes"]
+        env:
+          - name: DSN
+            valueFrom:
+              secretKeyRef:
+                name: "single-sign-on-hydra" 
+                key: dsn
+        securityContext:
+          {{- toYaml .Values.hydra.securityContext | nindent 10 }}
+        {{- if .Values.hydra.deployment.extraVolumeMounts }}
+        volumeMounts:
+{{ toYaml .Values.hydra.deployment.extraVolumeMounts | indent 10 }}
+         {{- end }}
+      restartPolicy: Never
+      {{- if .Values.hydra.deployment.extraInitContainers }}
+      initContainers:
+{{ tpl .Values.hydra.deployment.extraInitContainers . | indent 8 }}
+      {{- end }}
+      {{- if .Values.hydra.deployment.extraVolumes }}
+      volumes:
+{{ toYaml .Values.hydra.deployment.extraVolumes | indent 8 }}
+      {{- end }}
+  backoffLimit: 10
diff --git a/helmchart/single-sign-on/templates/job-migration.yaml b/helmchart/single-sign-on/templates/job-migration.yaml
index 0d2a03cafcc2b77e684aaa37495dbc48cfe6ccb9..3053ebe511696c02f8b831c72c71289607449464 100644
--- a/helmchart/single-sign-on/templates/job-migration.yaml
+++ b/helmchart/single-sign-on/templates/job-migration.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ include "single-sign-on.fullname" . }}-automigrate
+  name: {{ include "single-sign-on.fullname" . }}-kratos-automigrate
   {{- if .Release.Namespace }}
   namespace: {{ .Release.Namespace }}
   {{- end }}
@@ -25,7 +25,7 @@ spec:
     spec:
       automountServiceAccountToken: {{ .Values.kratos.automountServiceAccountToken }}
       containers:
-      - name: {{ .Chart.Name }}-automigrate
+      - name: {{ .Chart.Name }}-kratos-automigrate
         image: {{ include "kratos-migration-job.image" . }}
         imagePullPolicy: {{ include "kratos-migration-job.imagePullPolicy" . }}
         command: ["kratos"]
diff --git a/helmchart/single-sign-on/templates/pvc-kratos-database.yaml b/helmchart/single-sign-on/templates/pvc-kratos-database.yaml
index c710773bacc4006f8663fd7fc290a673217967d0..b3b1aa68e8e4b601d6033a58bb94294b8c0a05a0 100644
--- a/helmchart/single-sign-on/templates/pvc-kratos-database.yaml
+++ b/helmchart/single-sign-on/templates/pvc-kratos-database.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: single-sign-on-kratos-database
+  name: single-sign-on-database
 spec:
   accessModes:
     - ReadWriteOnce
diff --git a/helmchart/single-sign-on/values.yaml b/helmchart/single-sign-on/values.yaml
index 2c35294e3f3a6fb3dd9f26a5c487583754f626c6..3fbe458d6f1a9f1b39814a6f4e3535ef6c20459b 100644
--- a/helmchart/single-sign-on/values.yaml
+++ b/helmchart/single-sign-on/values.yaml
@@ -72,14 +72,19 @@ userbackend:
 
 postgresql:
   persistence:
-    existingClaim: "single-sign-on-kratos-database"
+    existingClaim: "single-sign-on-database"
     enabled: true
     size: 1Gi
     storageClass: "-"
     annotations: {}
-  postgresqlDatabase: kratos
-  postgresqlUsername: kratos
-  postgresqlPassword: kratos
+  initdbScripts:
+    setup.sql: |
+      CREATE USER hydra WITH PASSWORD 'hydra';
+      CREATE USER kratos WITH PASSWORD 'kratos';
+      CREATE USER stackspin WITH PASSWORD 'stackspin';
+      CREATE DATABASE kratos WITH OWNER kratos;
+      CREATE DATABASE hydra WITH OWNER hydra;
+      CREATE DATABASE stackspin WITH OWNER stackspin;
 
 kratos:
   image:
@@ -185,8 +190,13 @@ hydra:
     # service can only be accessed via https from the outside by configuring your ingress
     # to redirect to https.
     dangerousForceHttp: true
+
+    # We included our own (forked) template to handle this job
+    autoMigrate: false
+
     config:
       dsn: memory
+      dsn: postgres://hydra:hydra@single-sign-on-postgresql:5432/hydra
       urls:
         self:
           # hydra.hydra.config.urls.self is the base url of hydra. It needs to match the FQDN
@@ -202,7 +212,8 @@ hydra:
       secrets:
         # hydra.hydra.config.secret is used as a seed whenever cryptographic operations are
         # performed by hydra i.e. creation of a token.
-        system: "YouReallyNeedToChangeThis"
+        system:
+          - "YouReallyNeedToChangeThis"
   ingress:
     public:
       enabled: true
diff --git a/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml b/helmchart/template-job-create-oauth-clients.yaml
similarity index 100%
rename from helmchart/single-sign-on/templates/job-create-oauth-clients.yaml
rename to helmchart/template-job-create-oauth-clients.yaml