diff --git a/tasks/main.yml b/tasks/main.yml index a981e4c..094c034 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -57,15 +57,35 @@ dest: tmp/cert-manager-webhook-ovh - name: Deploy OVH webhook chart from local path + run_once: true community.kubernetes.helm: state: present context: "{{ my_context }}" name: cert-manager-webhook-ovh chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh release_namespace: "{{ cert_manager_namespace }}" + values: +# groupName: '{{ cert_manager_issuer | selectattr('provider', 'match', 'ovh') | first }}' + groupName: '{{ cert_manager_issuer | json_query(\"[?provider=='ovh']\") | first }}' +# with_items: +# - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}" +# when: +# - item.provider == "ovh" + + - name: OVH WebHook dependency + k8s: + state: present + context: "{{ my_context }}" + apply: true + namespace: "{{ cert_manager_namespace }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - cert-manager-webhook-ovh-Role.yml.j2 + - cert-manager-webhook-ovh-RoleBinding.yml.j2 when: - false + - cert_manager_issuer is defined - cert_manager_issuer.[].provider == "ovh" tags: cert-manager diff --git a/templates/api-key-secret.yml.j2 b/templates/api-key-secret.yml.j2 index 12bf9c7..421aabd 100644 --- a/templates/api-key-secret.yml.j2 +++ b/templates/api-key-secret.yml.j2 @@ -10,5 +10,5 @@ data: {% elif item.provider == "route53" %} secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}" {% elif item.provider == "ovh" %} - applicationSecret='4YHU8g4zsg7Id' + applicationSecret='{{ cert_manager_issuer.applicationSecret | b64encode }}' {% endif %} diff --git a/templates/cert-manager-webhook-ovh-Role.yml.j2 b/templates/cert-manager-webhook-ovh-Role.yml.j2 new file mode 100644 index 0000000..4c246be --- /dev/null +++ b/templates/cert-manager-webhook-ovh-Role.yml.j2 
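Review bot: The Helm `values` entry sets `groupName` to `cert_manager_issuer | json_query(\"[?provider=='ovh']\") | first`, which yields the whole matching issuer mapping rather than a string, and the `\"` escapes stay literal inside a single-quoted YAML scalar so Jinja sees `json_query(\"…\")` and fails to parse; the chart's groupName should be a plain DNS-style identifier that the ClusterIssuer template reuses, e.g. `groupName: "{{ cert_manager_webhook_ovh_group_name }}"`. Removing `- false` un-gates both tasks, but the surviving condition `cert_manager_issuer.[].provider == "ovh"` is not valid Jinja (`.[]` is JMESPath syntax), so the tasks will now error instead of being skipped; `cert_manager_issuer | selectattr('provider', 'equalto', 'ovh') | list | length > 0` expresses the intent. The commented-out `with_items`/`when` block should be dropped rather than left in the task. Indentation is lost in this rendering, so whether `values:` sits under `community.kubernetes.helm:` or at task level cannot be confirmed here.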
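Review bot: The new `applicationSecret='{{ … }}'` line under `data:` uses `=` instead of `: `, so unlike the `secret-access-key: "…"` entry above it, it is not a YAML mapping entry and the rendered Secret will fail to parse; it also reads `cert_manager_issuer.applicationSecret` while the surrounding branches are keyed on `item.provider`, so the value should come from the per-issuer item: `applicationSecret: "{{ item.applicationSecret | b64encode }}"`. The route53 branch pulls its secret from `hashi_vault`, whereas the OVH secret now comes from a plain variable, which should at least be ansible-vault encrypted or fetched the same way, e.g. `lookup('hashi_vault', 'secret=clusters/ovh:applicationSecret')`. The removed literal `4YHU8g4zsg7Id` (and the applicationKey/consumerKey literals removed from clusterissuer.yml.j2) remain in git history and should be treated as compromised and rotated on the OVH side. The `data:` block begins before this hunk.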
@@ -0,0 +1,10 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cert-manager-webhook-ovh:secret-reader +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: ["ovh-api-key"] + verbs: ["get", "watch"] diff --git a/templates/cert-manager-webhook-ovh-RoleBinding.yml.j2 b/templates/cert-manager-webhook-ovh-RoleBinding.yml.j2 new file mode 100644 index 0000000..5bc1c5a --- /dev/null +++ b/templates/cert-manager-webhook-ovh-RoleBinding.yml.j2 @@ -0,0 +1,13 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cert-manager-webhook-ovh:secret-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-webhook-ovh:secret-reader +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-ovh diff --git a/templates/clusterissuer.yml.j2 b/templates/clusterissuer.yml.j2 index 54fa5e8..2fa24d1 100644 --- a/templates/clusterissuer.yml.j2 +++ b/templates/clusterissuer.yml.j2 @@ -1,3 +1,4 @@ +--- apiVersion: cert-manager.io/v1alpha2 kind: ClusterIssuer metadata: @@ -31,14 +32,14 @@ spec: key: secret-access-key {% elif i.provider == "ovh" %} webhook: - groupName: 'acme.example.io' + groupName: '{{ i.consumerKey }}' solverName: ovh config: endpoint: ovh-eu - applicationKey: 'qdhYTYsd546Ssg5' + applicationKey: '{{ i.applicationKey }}' applicationSecretRef: name: ovh-api-key key: applicationSecret - consumerKey: 'vjdshGFDGShjusqqee4543dsjfndsjgf' + consumerKey: '{{ i.consumerKey }}' {% endif %} {% endfor %}
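Review bot: `resourceNames: ["ovh-api-key"]` has to stay in sync with `applicationSecretRef.name: ovh-api-key` in clusterissuer.yml.j2 and, presumably, with the Secret rendered by api-key-secret.yml.j2, and the Role carries no `metadata.namespace`, so it depends on the Ansible task's `namespace:` parameter to land in `cert_manager_namespace`; neither coupling is visible from the file itself. A header comment would make that explicit, e.g. `# Namespace is set by the k8s task (cert_manager_namespace); the secret name must match applicationSecretRef in clusterissuer.yml.j2`. The name-scoped get/watch grant is the right least-privilege shape and should be kept rather than widened to all secrets.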
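Review bot: The ServiceAccount subject has no `namespace`, and Kubernetes RBAC validation requires one for `kind: ServiceAccount` subjects (the k8s task's `namespace:` parameter only sets the binding's own metadata.namespace, not the subject), so the apply will be rejected and the webhook never gets read access to the secret; add `namespace: "{{ cert_manager_namespace }}"` alongside `name: cert-manager-webhook-ovh` under `subjects`. The subject name `cert-manager-webhook-ovh` is assumed to be the ServiceAccount the Helm release creates — worth confirming against the chart, since a mismatch fails silently with a binding that grants nothing.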
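Review bot: `groupName: '{{ i.consumerKey }}'` replaces the webhook API group identifier (`acme.example.io`) with the OVH consumer key, which both leaks a credential into a non-secret ClusterIssuer field and will not match the group the webhook chart registered unless tasks/main.yml is given exactly the same value; keep groupName a stable DNS-style name shared with the Helm values, e.g. `groupName: "{{ cert_manager_webhook_ovh_group_name }}"`, and leave `consumerKey: '{{ i.consumerKey }}'` as the only place that key appears. applicationKey and consumerKey remain plaintext in the ClusterIssuer spec, apparently by design of this webhook's config, so anyone who can read ClusterIssuers sees them; limiting that RBAC or confirming the webhook accepts a secretRef for them is worth a follow-up. The `{% for i … %}` loop this hunk closes with `{% endfor %}` opens before the hunk.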