diff --git a/harbor-operator/application-extras.yml b/harbor-operator/application-extras.yml
index f32a45e..04415dd 100644
--- a/harbor-operator/application-extras.yml
+++ b/harbor-operator/application-extras.yml
@@ -80,22 +80,38 @@ spec:
 image: mirror.gcr.io/library/postgres:15
 imagePullPolicy: Always
 env:
+ - name: POSTGRES_APPUSER
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POSTGRES_APP_DB
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 - name: POSTGRES_PASSWORD
 valueFrom:
 secretKeyRef:
- name: postgres-secrets
+ name: postgres-password
 key: POSTGRES_PASSWORD
- - name: POSTGRES_USER
+ - name: POSTGRES_APPUSER_PASSWORD
 valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: POSTGRES_DB
+ secretKeyRef:
+ name: postgres-appuser-password
+ key: POSTGRES_APPUSER_PASSWORD
+ - name: EXPORTER_PASSWORD
 valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
+ secretKeyRef:
+ name: postgres-expoter-password
+ key: EXPORTER_PASSWORD
 volumeMounts:
 - name: postgres-data
- mountPath: /var/lib/postgresql/data
+ mountPath: /var/lib/postgresql
+ - name: postgres-init
+ mountPath: /docker-entrypoint-initdb.d
+ volumes:
+ - name: postgres-init
+ configMap:
+ name: postgres-init-config
 volumeClaimTemplates:
 - metadata:
 name: postgres-data
@@ -110,12 +126,30 @@ spec:
 apiVersion: codemowers.cloud/v1beta1
 kind: SecretClaim
 metadata:
- name: postgres-secrets
+ name: postgres-password
 spec:
 size: 32
 mapping:
 - key: POSTGRES_PASSWORD
 value: "%(plaintext)s"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+ name: postgres-appuser-password
+spec:
+ size: 32
+ mapping:
+ - key: POSTGRES_APPUSER_PASSWORD
+ value: "%(plaintext)s"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+ name: postgres-expoter-password
+spec:
+ size: 32
+ mapping:
 - key: EXPORTER_PASSWORD
 value: "%(plaintext)s"
 ---
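Review bot: The Secret name `postgres-expoter-password` in the new `EXPORTER_PASSWORD` secretKeyRef misspells "exporter"; the SecretClaim added in the following hunk (`@@ -110,12 +126,30 @@`) carries the same misspelling, so the reference does resolve, but the name will be missed by anyone searching for "exporter" and is easy to break on the next edit. Renaming both occurrences to `postgres-exporter-password` keeps the reference and the claim in step. Indentation is not recoverable in this collapsed view, so please also confirm that the added `volumes:` block sits at pod-spec level (a sibling of `containers`) rather than under the container's `volumeMounts`, since the `volumeClaimTemplates` that follows belongs to the StatefulSet spec, one level further out.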
@@ -135,10 +169,19 @@ kind: ConfigMap
 metadata:
 name: postgres-init-config
 data:
- initdb.sql: |
- -- create a read-only monitoring user for exporters
- CREATE USER exporter WITH PASSWORD 'exporter';
- -- grant metrics/monitoring related permissions
- GRANT pg_read_all_stats TO exporter;
- GRANT SELECT ON pg_catalog.pg_replication_slots TO exporter;
- GRANT CONNECT ON DATABASE "${POSTGRES_DB:-postgres}" TO exporter;
+ initdb.sh: |
+ #!/usr/bin/env bash
+ set -e
+
+ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ CREATE USER exporter WITH PASSWORD '$EXPORTER_PASSWORD';
+ GRANT pg_read_all_stats TO exporter;
+ GRANT SELECT ON pg_catalog.pg_replication_slots TO exporter;
+ GRANT CONNECT ON DATABASE postgres TO exporter;
+
+ CREATE DATABASE $POSTGRES_APP_DB;
+ CREATE USER $POSTGRES_APPUSER WITH PASSWORD '$POSTGRES_APPUSER_PASSWORD';
+ GRANT ALL PRIVILEGES ON $POSTGRES_APP_DB TO '$POSTGRES_APPUSER';
+ EOSQL
+
+
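Review bot: `CREATE DATABASE $POSTGRES_APP_DB;`, `CREATE USER $POSTGRES_APPUSER ...` and the final `GRANT` splice the namespace name into the SQL as bare identifiers, but both variables are populated from `metadata.namespace`, which commonly contains hyphens (a namespace such as `harbor-operator`, for example) and is then not a valid unquoted identifier, so the whole script aborts under `ON_ERROR_STOP`. The last statement is malformed even for a plain name: `GRANT ... ON <name>` needs the `DATABASE` keyword, and the grantee must be an identifier, not the string literal `'$POSTGRES_APPUSER'`. Double-quoting the identifiers fixes all three: `CREATE DATABASE "$POSTGRES_APP_DB";`, `CREATE USER "$POSTGRES_APPUSER" WITH PASSWORD '$POSTGRES_APPUSER_PASSWORD';`, `GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_APP_DB" TO "$POSTGRES_APPUSER";`. The two passwords are still interpolated into single-quoted literals, which only holds if the SecretClaim generator never emits `'` or `\` — worth confirming, or pass them as `psql -v` variables and reference them with `:'var'` quoting so psql does the escaping. Scripts in `/docker-entrypoint-initdb.d` run only when the data directory is initialised for the first time, so an existing `postgres-data` volume will not gain the exporter or app user from this change without a separate migration.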