diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 33abac8..a1e8f4f 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -347,6 +347,9 @@ jobs:
 kubectl wait --for=condition=established --timeout=600s crd/clustersecretstores.external-secrets.io
 kubectl wait --for=condition=established --timeout=600s crd/externalsecrets.external-secrets.io
 kubectl -n external-secrets rollout status deployment/external-secrets --timeout=600s
+ wait_for_resource external-secrets service/external-secrets-external-secrets-webhook 600
+ wait_for_resource external-secrets endpoints/external-secrets-external-secrets-webhook 600
+ kubectl -n external-secrets wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/external-secrets-external-secrets-webhook --timeout=600s
 # Create Doppler ClusterSecretStore now that ESO CRDs are available
 kubectl apply -f - <<'EOF'
 apiVersion: external-secrets.io/v1
diff --git a/ansible/roles/doppler-bootstrap/tasks/main.yml b/ansible/roles/doppler-bootstrap/tasks/main.yml
index 6bccf2a..9cafdfd 100644
--- a/ansible/roles/doppler-bootstrap/tasks/main.yml
+++ b/ansible/roles/doppler-bootstrap/tasks/main.yml
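Review bot: The value-less `--for=jsonpath='{.subsets[0].addresses[0].ip}'` form on the last added line is, as far as I know, only accepted by recent kubectl releases; older clients reject a jsonpath condition without `=value` as a usage error before waiting at all, so the step would fail on a runner with an older kubectl — confirm the runner's client version, or express this wait through the same polling helper as `wait_for_resource` (e.g. loop on `kubectl -n external-secrets get endpoints/external-secrets-external-secrets-webhook -o jsonpath='{.subsets[0].addresses[0].ip}'` until non-empty). An endpoint address only indicates the webhook pod passed its readiness probe, not that the admission server has loaded its serving certificate, so the `kubectl apply` of the ClusterSecretStore that follows could still fail on a first attempt and may want a bounded retry; if the webhook is its own Deployment, `kubectl -n external-secrets rollout status` on it would also be consistent with the line above. `wait_for_resource` is defined outside this hunk, and the step's script continues past it.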
@@ -16,35 +16,8 @@
 --dry-run=client -o yaml | kubectl apply -f -
 changed_when: true
 
-- name: Check for ClusterSecretStore CRD
- command: kubectl get crd clustersecretstores.external-secrets.io
- register: doppler_clustersecretstore_crd
- changed_when: false
- failed_when: false
-
-- name: Apply Doppler ClusterSecretStore
- shell: |
- cat <<'EOF' | kubectl apply -f -
- apiVersion: external-secrets.io/v1
- kind: ClusterSecretStore
- metadata:
- name: doppler-hetznerterra
- spec:
- provider:
- doppler:
- auth:
- secretRef:
- dopplerToken:
- name: doppler-hetznerterra-service-token
- key: dopplerToken
- namespace: external-secrets
- EOF
- changed_when: true
- when: doppler_clustersecretstore_crd.rc == 0
-
 - name: Note pending Doppler ClusterSecretStore bootstrap
 debug:
 msg: >-
- Skipping Doppler ClusterSecretStore bootstrap because the External Secrets CRD
- is not available yet. Re-run after External Secrets is installed.
- when: doppler_clustersecretstore_crd.rc != 0
+ Doppler service token secret is bootstrapped. The deploy workflow creates the
+ ClusterSecretStore after External Secrets CRDs and webhook endpoints are ready.
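Review bot: The task name `Note pending Doppler ClusterSecretStore bootstrap` no longer matches the message it now prints unconditionally, which says the token secret is done and nothing is pending; rename it to something like `- name: Note that the deploy workflow creates the Doppler ClusterSecretStore`. Since the role no longer checks for the CRD or applies the store itself, the message would be more useful if it named the workflow file that now owns that step, `.gitea/workflows/deploy.yml`, so the cross-repository dependency is greppable from the role. This task's `debug:` block is the last thing in the hunk, so nothing below it is visible here.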