From 1fec3a52c3bcc17bf892f07b8254fb42b0655002 Mon Sep 17 00:00:00 2001
From: Thomas Schubart
Date: Tue, 28 Feb 2023 20:10:10 +0000
Subject: [PATCH 01/16] [wsman-mk2] Create token secret
---
 .../controllers/workspace_controller.go | 5 +++++
 components/ws-manager-mk2/service/manager.go | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/components/ws-manager-mk2/controllers/workspace_controller.go b/components/ws-manager-mk2/controllers/workspace_controller.go
index 1cf4afe3acbca3..4d358469b79083 100644
--- a/components/ws-manager-mk2/controllers/workspace_controller.go
+++ b/components/ws-manager-mk2/controllers/workspace_controller.go
@@ -358,6 +358,11 @@ func (r *WorkspaceReconciler) deleteWorkspaceSecrets(ctx context.Context, ws *wo
 if err != nil {
 log.Error(err, "could not delete environment secret", "workspace", ws.Name)
 }
+
+ err = r.deleteSecret(ctx, fmt.Sprintf("%s-%s", ws.Name, "tokens"), r.Config.SecretsNamespace)
+ if err != nil {
+ log.Error(err, "could not delete token secret", "workspace", ws.Name)
+ }
 }
 func (r *WorkspaceReconciler) deleteSecret(ctx context.Context, name, namespace string) error {
diff --git a/components/ws-manager-mk2/service/manager.go b/components/ws-manager-mk2/service/manager.go
index 1a47a5a6688fef..2a92915252facb 100644
--- a/components/ws-manager-mk2/service/manager.go
+++ b/components/ws-manager-mk2/service/manager.go
@@ -33,6 +33,7 @@ import (
 "github.com/gitpod-io/gitpod/ws-manager/api/config"
 workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1"
+ csapi "github.com/gitpod-io/gitpod/content-service/api"
 "github.com/sirupsen/logrus"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
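Review bot: The token-secret delete added to deleteWorkspaceSecrets in workspace_controller.go only logs on failure, so a failed delete leaves token material in the secrets namespace with no retry visible here. Whether deleteSecret treats a NotFound result as success is outside the hunk; if it does not, workspaces started before this change, which have no `-tokens` secret, will log `could not delete token secret` on every deletion. The name is built with `fmt.Sprintf("%s-%s", ws.Name, "tokens")` here and from `req.Id` in manager.go, so a shared helper such as `tokenSecretName(id string) string` would keep the two in step. deleteWorkspaceSecrets begins outside the hunk.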
@@ -204,6 +205,8 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 userEnvVars, envData := extractWorkspaceUserEnv(envSecretName, req.Spec.Envvars, req.Spec.SysEnvvars)
 sysEnvVars := extractWorkspaceSysEnv(req.Spec.SysEnvvars)
+ tokenData, _ := extractWorkspaceTokenData(req.Spec)
+
 ws := workspacev1.Workspace{
 TypeMeta: metav1.TypeMeta{
 APIVersion: workspacev1.GroupVersion.String(),
@@ -256,6 +259,11 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 return nil, fmt.Errorf("cannot create env secret for workspace %s: %w", req.Id, err)
 }
+ err = wsm.createWorkspaceSecret(ctx, &ws, fmt.Sprintf("%s-%s", req.Id, "tokens"), wsm.Config.SecretsNamespace, tokenData)
+ if err != nil {
+ return nil, fmt.Errorf("cannot create token secret for workspace %s: %w", req.Id, err)
+ }
+
 wsm.metrics.recordWorkspaceStart(&ws)
 err = wsm.Client.Create(ctx, &ws)
 if err != nil {
@@ -857,6 +865,15 @@ func extractWorkspaceSysEnv(sysEnvs []*wsmanapi.EnvironmentVariable) []corev1.En
 return envs
 }
+func extractWorkspaceTokenData(spec *wsmanapi.StartWorkspaceSpec) (secrets map[string]string, secretsLen int) {
+ secrets = make(map[string]string)
+ for k, v := range csapi.GatherSecretsFromInitializer(spec.Initializer) {
+ secrets[k] = v
+ secretsLen += len(v)
+ }
+ return secrets, secretsLen
+}
+
 func extractWorkspaceStatus(ws *workspacev1.Workspace) *wsmanapi.WorkspaceStatus {
 version, _ := strconv.ParseUint(ws.ResourceVersion, 10, 64)
From 45e7b116f8e3454f70aef471e6f9058e1dbd3700 Mon Sep 17 00:00:00 2001
From: Thomas Schubart
Date: Fri, 3 Mar 2023 14:22:10 +0000
Subject: [PATCH 02/16] [installer] Fix casing for namespace type metadata
---
 install/installer/pkg/common/common.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/installer/pkg/common/common.go b/install/installer/pkg/common/common.go
index a8059e6b39e997..04243924f52369 100644
--- a/install/installer/pkg/common/common.go
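Review bot: `tokenData, _ := extractWorkspaceTokenData(req.Spec)` in StartWorkspace (manager.go, hunk at -204) copies the initializer's secrets into a map, but nothing in this hunk removes them from `req.Spec.Initializer`. If the initializer is still stored on the Workspace object built just below (those fields are outside the hunk), the same tokens would sit both in the custom resource and in the new Secret, readable by anyone who can read workspaces. It is worth confirming that the values are replaced in the initializer before `wsm.Client.Create` is reached. StartWorkspace starts and ends outside the hunk.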
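Review bot: When the `createWorkspaceSecret` call for the token secret fails (manager.go, hunk at -256), StartWorkspace returns without removing the env secret created just before it, and both secrets are left behind if `wsm.Client.Create` fails a few lines further down. The only cleanup visible in this patch is deleteWorkspaceSecrets in the reconciler, which presumably runs only for a Workspace object that exists, so these secrets could stay orphaned in the secrets namespace. A best-effort delete of the already-created secrets on both error paths would close that gap. StartWorkspace continues outside the hunk.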
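Review bot: extractWorkspaceTokenData (manager.go, hunk at -857) returns `secretsLen`, but its only caller in this patch discards it, so the combined size of the token data is never checked before it is written to a Secret, which Kubernetes caps at 1 MiB. Either enforce a bound and report an error to the caller, or drop the second result. The function also has no doc comment; `// extractWorkspaceTokenData collects the secrets carried by the workspace initializer and their combined length in bytes.` would do. Whether the copy loop is needed depends on GatherSecretsFromInitializer returning a shared map, which is not visible here.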
+++ b/install/installer/pkg/common/common.go
@@ -664,7 +664,7 @@ var DeploymentStrategy = appsv1.DeploymentStrategy{
 var (
 TypeMetaNamespace = metav1.TypeMeta{
 APIVersion: "v1",
- Kind: "namespace",
+ Kind: "Namespace",
 }
 TypeMetaStatefulSet = metav1.TypeMeta{
 APIVersion: "apps/v1",
From 23415c1661e1d0d039970178f88065d649331bad Mon Sep 17 00:00:00 2001
From: Thomas Schubart
Date: Tue, 7 Mar 2023 14:36:38 +0000
Subject: [PATCH 03/16] [installer] Create secrets namespace
---
 components/ws-manager-api/go/config/config.go | 2 ++
 .../components/ws-manager-mk2/configmap.go | 7 +++---
 .../components/ws-manager-mk2/constants.go | 1 +
 .../components/ws-manager-mk2/namespace.go | 23 +++++++++++++++++++
 .../pkg/components/ws-manager-mk2/objects.go | 1 +
 5 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 install/installer/pkg/components/ws-manager-mk2/namespace.go
diff --git a/components/ws-manager-api/go/config/config.go b/components/ws-manager-api/go/config/config.go
index 00dff49ebeb683..506d9f8ada6da4 100644
--- a/components/ws-manager-api/go/config/config.go
+++ b/components/ws-manager-api/go/config/config.go
@@ -77,6 +77,8 @@ type ServiceConfiguration struct {
 type Configuration struct {
 // Namespace is the kubernetes namespace the workspace manager operates in
 Namespace string `json:"namespace"`
+ // SecretsNamespace is the kubernetes namespace which contains workspace secrets
+ SecretsNamespace string `json:"secretsNamespace"`
 // SchedulerName is the name of the workspace scheduler all pods are created with
 SchedulerName string `json:"schedulerName"`
 // SeccompProfile names the seccomp profile workspaces will use
diff --git a/install/installer/pkg/components/ws-manager-mk2/configmap.go b/install/installer/pkg/components/ws-manager-mk2/configmap.go
index ffcf7a09cef672..9e74046ba3b847 100644
--- a/install/installer/pkg/components/ws-manager-mk2/configmap.go
+++ b/install/installer/pkg/components/ws-manager-mk2/configmap.go
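Review bot: `SecretsNamespace` is added to Configuration (config.go, hunk at -77) with no validation or default visible, while manager.go and workspace_controller.go pass it straight to the secret create and delete calls. The golden output later in this series renders `"secretsNamespace": ""` for a manager config, so an empty value is reachable. The configuration's validation, if it exists outside this hunk, should reject an empty SecretsNamespace, or the callers should fall back to `Namespace`. The struct continues outside the hunk.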
@@ -184,9 +184,10 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 wsmcfg := config.ServiceConfiguration{
 Manager: config.Configuration{
- Namespace: ctx.Namespace,
- SchedulerName: schedulerName,
- SeccompProfile: fmt.Sprintf("workspace_default_%s.json", ctx.VersionManifest.Version),
+ Namespace: ctx.Namespace,
+ SecretsNamespace: WorkspaceSecretsNamespace,
+ SchedulerName: schedulerName,
+ SeccompProfile: fmt.Sprintf("workspace_default_%s.json", ctx.VersionManifest.Version),
 WorkspaceDaemon: config.WorkspaceDaemonConfiguration{
 Port: 8080,
 TLS: struct {
diff --git a/install/installer/pkg/components/ws-manager-mk2/constants.go b/install/installer/pkg/components/ws-manager-mk2/constants.go
index c7d35902abf630..20289cd61b4ef0 100644
--- a/install/installer/pkg/components/ws-manager-mk2/constants.go
+++ b/install/installer/pkg/components/ws-manager-mk2/constants.go
@@ -19,4 +19,5 @@ const (
 WorkspaceTemplatePath = "/workspace-templates"
 WorkspaceTemplateConfigMap = "workspace-templates"
 LabelMaintenanceConfig = "gitpod.io/maintenanceConfig"
+ WorkspaceSecretsNamespace = "workspace-secrets"
 )
diff --git a/install/installer/pkg/components/ws-manager-mk2/namespace.go b/install/installer/pkg/components/ws-manager-mk2/namespace.go
new file mode 100644
index 00000000000000..ec192763dbb0fd
--- /dev/null
+++ b/install/installer/pkg/components/ws-manager-mk2/namespace.go
@@ -0,0 +1,23 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package wsmanagermk2
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func namespace(ctx *common.RenderContext) ([]runtime.Object, error) {
+ return []runtime.Object{
+ &v1.Namespace{
+ TypeMeta: common.TypeMetaNamespace,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: WorkspaceSecretsNamespace,
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/ws-manager-mk2/objects.go b/install/installer/pkg/components/ws-manager-mk2/objects.go
index 6f61a2d0fdaf5a..6ea4f430633468 100644
--- a/install/installer/pkg/components/ws-manager-mk2/objects.go
+++ b/install/installer/pkg/components/ws-manager-mk2/objects.go
@@ -23,6 +23,7 @@ var Objects common.RenderFunc = func(cfg *common.RenderContext) ([]runtime.Objec
 }
 return common.CompositeRenderFunc(
+ namespace,
 crd,
 configmap,
 deployment,
From c92aa8c74b72028e546b286b4fc59460c07c6ff9 Mon Sep 17 00:00:00 2001
From: Thomas Schubart
Date: Tue, 7 Mar 2023 14:53:55 +0000
Subject: [PATCH 04/16] [installer] Configure roles and bindings
---
 .../pkg/components/ws-manager-mk2/role.go | 235 ++++++++++--------
 .../components/ws-manager-mk2/rolebinding.go | 26 +-
 2 files changed, 149 insertions(+), 112 deletions(-)
diff --git a/install/installer/pkg/components/ws-manager-mk2/role.go b/install/installer/pkg/components/ws-manager-mk2/role.go
index 0f31ae5c69ad7d..59c47f97b4de33 100644
--- a/install/installer/pkg/components/ws-manager-mk2/role.go
+++ b/install/installer/pkg/components/ws-manager-mk2/role.go
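Review bot: The namespace rendered by `namespace()` in the new namespace.go takes its name from a fixed constant rather than from the install, so if more than one installation per cluster is supported they would all render the same `workspace-secrets` Namespace and keep their workspace secrets side by side in it. Deriving the name from `ctx.Namespace` would keep each installation's secrets separate. The Namespace object also carries no labels, unlike the Role and RoleBinding objects in this series, which use `common.DefaultLabels(Component)`; adding them makes the namespace selectable for policy and cleanup. `ctx` is currently unused in this function.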
@@ -12,6 +12,121 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 )
+var controllerRules = []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"pods"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{""},
+ Resources: []string{"pod/status"},
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ Verbs: []string{"update"},
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces/finalizers"},
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces/status"},
+ Verbs: []string{
+ "get",
+ "patch",
+ "update",
+ },
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"snapshots"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"snapshots/status"},
+ Verbs: []string{
+ "get",
+ },
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "watch",
+ },
+ },
+}
+
+// ConfigMap, Leases, and Events access is required for leader-election.
+var leaderElectionRules = []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"configmaps"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{"coordination.k8s.io"},
+ Resources: []string{"leases"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"events"},
+ Verbs: []string{
+ "create",
+ "patch",
+ },
+ },
+}
+
 func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 labels := common.DefaultLabels(Component)
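Review bot: The rule with `Resources: []string{"pod/status"}` in controllerRules (role.go, hunk at -12) names a resource that does not exist; the subresource is `pods/status`, so as written this rule grants nothing. It was carried over unchanged from the old inline list, but moving the rules is a good moment to correct it to `Resources: []string{"pods/status"},`. controllerRules also has no doc comment, while leaderElectionRules has one; a line stating which namespaces controllerRules is bound in would let a reviewer judge the grant without reading role().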
@@ -23,117 +138,17 @@ func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 Namespace: ctx.Namespace,
 Labels: labels,
 },
- Rules: []rbacv1.PolicyRule{
- {
- APIGroups: []string{""},
- Resources: []string{"pods"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- Verbs: []string{"get"},
- APIGroups: []string{""},
- Resources: []string{"pod/status"},
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- Verbs: []string{"update"},
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces/finalizers"},
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces/status"},
- Verbs: []string{
- "get",
- "patch",
- "update",
- },
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"snapshots"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "watch",
- },
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"snapshots/status"},
- Verbs: []string{
- "get",
- },
- },
- // ConfigMap, Leases, and Events access is required for leader-election.
- {
- APIGroups: []string{""},
- Resources: []string{"configmaps"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- APIGroups: []string{"coordination.k8s.io"},
- Resources: []string{"leases"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- APIGroups: []string{""},
- Resources: []string{"events"},
- Verbs: []string{
- "create",
- "patch",
- },
- },
- {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "watch",
- },
- },
+ Rules: append(controllerRules, leaderElectionRules...),
+ },
+
+ &rbacv1.Role{
+ TypeMeta: common.TypeMetaRole,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: WorkspaceSecretsNamespace,
+ Labels: labels,
 },
+ Rules: controllerRules,
 },
 }, nil
 }
diff --git a/install/installer/pkg/components/ws-manager-mk2/rolebinding.go b/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
index 467abf56a32b5c..bdb9141a921986 100644
--- a/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
+++ b/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
@@ -51,8 +51,30 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 },
 Subjects: []rbacv1.Subject{
 {
- Kind: "ServiceAccount",
- Name: Component,
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
+ },
+ },
+ },
+
+ &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: WorkspaceSecretsNamespace,
+ Labels: labels,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: Component,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
 },
 },
 },
From e0a758e238c3909b994f8974fada47fdc94a904f Mon Sep 17 00:00:00 2001
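Review bot: The new Role in WorkspaceSecretsNamespace (role.go, hunk at -23) reuses all of `controllerRules`, which grants the manager create and delete on pods and full access to workspaces and snapshots in a namespace where, as far as this series shows, it only creates and deletes Secrets. A rule set limited to secrets would follow least privilege there; whether the Role in ctx.Namespace still needs its own secrets grant depends on where the env secret lives, which is not visible here. `append(controllerRules, leaderElectionRules...)` is only safe while controllerRules has no spare capacity, so building the combined slice from a fresh one would be more robust. The role function starts outside the hunk.

```go
// secretsRules is the access the manager needs in the secrets namespace.
var secretsRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{""},
		Resources: []string{"secrets"},
		Verbs:     []string{"create", "delete", "get", "list", "watch"},
	},
}

// … unchanged: Role for ctx.Namespace …

		&rbacv1.Role{
			// … unchanged: TypeMeta, ObjectMeta …
			Rules: secretsRules,
```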
From: Thomas Schubart
Date: Thu, 9 Mar 2023 11:19:42 +0000
Subject: [PATCH 05/16] [installer] Move namespace constant to common pkg
---
 install/installer/pkg/common/constants.go | 1 +
 install/installer/pkg/components/ws-manager-mk2/configmap.go | 2 +-
 install/installer/pkg/components/ws-manager-mk2/constants.go | 1 -
 install/installer/pkg/components/ws-manager-mk2/namespace.go | 2 +-
 install/installer/pkg/components/ws-manager-mk2/role.go | 2 +-
 install/installer/pkg/components/ws-manager-mk2/rolebinding.go | 2 +-
 6 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/install/installer/pkg/common/constants.go b/install/installer/pkg/common/constants.go
index 07c2d9aee21330..6b76f69273e899 100644
--- a/install/installer/pkg/common/constants.go
+++ b/install/installer/pkg/common/constants.go
@@ -59,6 +59,7 @@ const (
 DBCaFileName = "ca.crt"
 DBCaBasePath = "/db-ssl"
 DBCaPath = DBCaBasePath + "/" + DBCaFileName
+ WorkspaceSecretsNamespace = "workspace-secrets"
 AnnotationConfigChecksum = "gitpod.io/checksum_config"
diff --git a/install/installer/pkg/components/ws-manager-mk2/configmap.go b/install/installer/pkg/components/ws-manager-mk2/configmap.go
index 9e74046ba3b847..7f6c451ad16c5f 100644
--- a/install/installer/pkg/components/ws-manager-mk2/configmap.go
+++ b/install/installer/pkg/components/ws-manager-mk2/configmap.go
@@ -185,7 +185,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 wsmcfg := config.ServiceConfiguration{
 Manager: config.Configuration{
 Namespace: ctx.Namespace,
- SecretsNamespace: WorkspaceSecretsNamespace,
+ SecretsNamespace: common.WorkspaceSecretsNamespace,
 SchedulerName: schedulerName,
 SeccompProfile: fmt.Sprintf("workspace_default_%s.json", ctx.VersionManifest.Version),
 WorkspaceDaemon: config.WorkspaceDaemonConfiguration{
diff --git a/install/installer/pkg/components/ws-manager-mk2/constants.go b/install/installer/pkg/components/ws-manager-mk2/constants.go
index 20289cd61b4ef0..c7d35902abf630 100644
--- a/install/installer/pkg/components/ws-manager-mk2/constants.go
+++ b/install/installer/pkg/components/ws-manager-mk2/constants.go
@@ -19,5 +19,4 @@ const (
 WorkspaceTemplatePath = "/workspace-templates"
 WorkspaceTemplateConfigMap = "workspace-templates"
 LabelMaintenanceConfig = "gitpod.io/maintenanceConfig"
- WorkspaceSecretsNamespace = "workspace-secrets"
 )
diff --git a/install/installer/pkg/components/ws-manager-mk2/namespace.go b/install/installer/pkg/components/ws-manager-mk2/namespace.go
index ec192763dbb0fd..24fc01ff0326e6 100644
--- a/install/installer/pkg/components/ws-manager-mk2/namespace.go
+++ b/install/installer/pkg/components/ws-manager-mk2/namespace.go
@@ -16,7 +16,7 @@ func namespace(ctx *common.RenderContext) ([]runtime.Object, error) {
 &v1.Namespace{
 TypeMeta: common.TypeMetaNamespace,
 ObjectMeta: metav1.ObjectMeta{
- Name: WorkspaceSecretsNamespace,
+ Name: common.WorkspaceSecretsNamespace,
 },
 },
 }, nil
diff --git a/install/installer/pkg/components/ws-manager-mk2/role.go b/install/installer/pkg/components/ws-manager-mk2/role.go
index 59c47f97b4de33..7eee43b25fee8d 100644
--- a/install/installer/pkg/components/ws-manager-mk2/role.go
+++ b/install/installer/pkg/components/ws-manager-mk2/role.go
@@ -145,7 +145,7 @@ func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 TypeMeta: common.TypeMetaRole,
 ObjectMeta: metav1.ObjectMeta{
 Name: Component,
- Namespace: WorkspaceSecretsNamespace,
+ Namespace: common.WorkspaceSecretsNamespace,
 Labels: labels,
 },
 Rules: controllerRules,
diff --git a/install/installer/pkg/components/ws-manager-mk2/rolebinding.go b/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
index bdb9141a921986..44408b6dfaf371 100644
--- a/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
+++ b/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
@@ -62,7 +62,7 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 TypeMeta: common.TypeMetaRoleBinding,
 ObjectMeta: metav1.ObjectMeta{
 Name: Component,
- Namespace: WorkspaceSecretsNamespace,
+ Namespace: common.WorkspaceSecretsNamespace,
 Labels: labels,
 },
 RoleRef: rbacv1.RoleRef{
From 4bb2360b66a925670b4a2925f14af20e1cef29da Mon Sep 17 00:00:00 2001
From: Thomas Schubart
Date: Thu, 9 Mar 2023 11:20:15 +0000
Subject: [PATCH 06/16] [installer] Create permissions for ws-daemon
---
 .../testdata/render/agent-smith/output.golden | 56 ++++++++++++++++++-
 .../testdata/render/aws-setup/output.golden | 56 ++++++++++++++++++-
 .../custom-pull-repository/output.golden | 56 ++++++++++++++++++-
 .../render/customization/output.golden | 56 ++++++++++++++++++-
 .../render/external-registry/output.golden | 56 ++++++++++++++++++-
 .../testdata/render/gcp-setup/output.golden | 56 ++++++++++++++++++-
 .../testdata/render/http-proxy/output.golden | 56 ++++++++++++++++++-
 .../testdata/render/ide-config/output.golden | 56 ++++++++++++++++++-
 .../render/kind-workspace/output.golden | 56 ++++++++++++++++++-
 .../render/message-bus-password/output.golden | 56 ++++++++++++++++++-
 .../cmd/testdata/render/minimal/output.golden | 56 ++++++++++++++++++-
 .../render/overrides-inline/output.golden | 56 ++++++++++++++++++-
 .../testdata/render/pod-config/output.golden | 56 ++++++++++++++++++-
 .../testdata/render/shortname/output.golden | 56 ++++++++++++++++++-
 .../statefulset-customization/output.golden | 56 ++++++++++++++++++-
 .../testdata/render/telemetry/output.golden | 56 ++++++++++++++++++-
 .../use-pod-security-policies/output.golden | 56 ++++++++++++++++++-
 .../render/vsxproxy-pvc/output.golden | 56 ++++++++++++++++++-
 .../workspace-requests-limits/output.golden | 56 ++++++++++++++++++-
 .../pkg/components/ws-daemon/objects.go | 1 +
 .../pkg/components/ws-daemon/role.go | 37 ++++++++++++
 .../pkg/components/ws-daemon/rolebinding.go | 20 +++++++
 22 files changed, 1103 insertions(+), 19 deletions(-)
 create mode 100644 install/installer/pkg/components/ws-daemon/role.go
diff --git a/install/installer/cmd/testdata/render/agent-smith/output.golden b/install/installer/cmd/testdata/render/agent-smith/output.golden
index 42f68e85d7c379..0b4cb2d21621f9 100644
--- a/install/installer/cmd/testdata/render/agent-smith/output.golden
+++ b/install/installer/cmd/testdata/render/agent-smith/output.golden @@ -3146,6 +3146,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3202,6 +3212,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5809,6 +5826,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6756,6 +6774,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7226,6 +7264,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -10983,7 +11037,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index 3d8e89ebb70478..f1391156053cfc 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -2759,6 +2759,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -2815,6 +2825,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5154,6 +5171,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6067,6 +6085,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6519,6 +6557,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -9796,7 +9850,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: b7da41879471e13b5f45ca5d34265974ed68c3c77c93f8d9b6c0d188ac9724e5 + gitpod.io/checksum_config: 9e4ebf60455939d2a4b5781c2c4e3b84c9029ee7f841dfcb5f3ccc8f7179599e creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden index 53fb91ec5fbb88..53496842de99e2 100644 --- a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden +++ b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden @@ -2963,6 +2963,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3019,6 +3029,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: 
@@ -5626,6 +5643,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6573,6 +6591,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7043,6 +7081,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10800,7 +10854,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index c4ec44917ffd6c..5805c1347e0113 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden 
@@ -3427,6 +3427,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3498,6 +3508,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -6248,6 +6265,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -7210,6 +7228,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7680,6 +7718,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -11685,7 +11739,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: 6ea687679b10a3046a6840985edd56495c512b0d5bf4b5a9f85d46f41de49036 + gitpod.io/checksum_config: 14b2091d899fef2d7a41550f7baf02deebc76d64734f5d9b812acd7f937eed88 hello: world creationTimestamp: null labels: diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 3db0467025f40d..a6520eb2cdd801 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -2857,6 +2857,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -2913,6 +2923,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5406,6 +5423,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6334,6 +6352,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6786,6 +6824,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10423,7 +10477,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index e670282ae24073..924b9b50419b57 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -2796,6 +2796,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -2852,6 +2862,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5176,6 +5193,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -6084,6 +6102,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6554,6 +6592,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -9901,7 +9955,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: e2866e24a01f026d164c591d5c649a0a5589feea38a0d90d785d1167483cd02e + gitpod.io/checksum_config: eb8ba5a842ba7a2f4e7650963e3143422148261199e4d15fbbc03016e8c3acff creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index 4cb3c454237d16..a427d1a389626c 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null 
@@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5629,6 +5646,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6576,6 +6594,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7084,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -12127,7 +12181,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/ide-config/output.golden b/install/installer/cmd/testdata/render/ide-config/output.golden index 77c9d8383fc79b..38d5a79f269de1 100644 
--- a/install/installer/cmd/testdata/render/ide-config/output.golden +++ b/install/installer/cmd/testdata/render/ide-config/output.golden @@ -2979,6 +2979,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3035,6 +3045,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5642,6 +5659,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6589,6 +6607,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7059,6 +7097,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -10822,7 +10876,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index 4428800fb8155e..42ac7fb7d63c35 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden +++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -1189,6 +1189,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -1245,6 +1255,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -2000,6 +2017,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -2625,6 +2643,26 @@ rules: - get - update --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -2805,6 +2843,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -3985,7 +4039,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 220f4f84d031d4a23cf0177b3e94a85a25707d132a8313a51602a3d8b9255414 + gitpod.io/checksum_config: 04d0c84ff10675d023182a24beb2171cdf9b88568eb96032394819e8566b3c00 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/message-bus-password/output.golden b/install/installer/cmd/testdata/render/message-bus-password/output.golden index 4b17024f994619..658848f3333194 100644 --- a/install/installer/cmd/testdata/render/message-bus-password/output.golden +++ b/install/installer/cmd/testdata/render/message-bus-password/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: 
@@ -5629,6 +5646,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6576,6 +6594,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7084,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10803,7 +10857,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index b6d1cebbf214aa..5faa71a89a7d46 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden 
@@ -2963,6 +2963,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3019,6 +3029,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5626,6 +5643,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6573,6 +6591,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7043,6 +7081,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -10800,7 +10854,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/overrides-inline/output.golden b/install/installer/cmd/testdata/render/overrides-inline/output.golden index 66f459c3479626..83db6323bd6132 100644 --- a/install/installer/cmd/testdata/render/overrides-inline/output.golden +++ b/install/installer/cmd/testdata/render/overrides-inline/output.golden @@ -2961,6 +2961,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3017,6 +3027,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5624,6 +5641,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6571,6 +6589,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7041,6 +7079,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10810,7 +10864,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/pod-config/output.golden b/install/installer/cmd/testdata/render/pod-config/output.golden index 48925d29764c79..6159530be389d4 100644 --- a/install/installer/cmd/testdata/render/pod-config/output.golden +++ b/install/installer/cmd/testdata/render/pod-config/output.golden @@ -2970,6 +2970,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3026,6 +3036,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5633,6 +5650,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -6580,6 +6598,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7050,6 +7088,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10807,7 +10861,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index be01d7b7d5da37..4d7fac58b4e183 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden @@ -2963,6 +2963,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null 
@@ -3019,6 +3029,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5626,6 +5643,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6573,6 +6591,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7043,6 +7081,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10800,7 +10854,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: b86c15b7ccf53d8f812d381760022c16e8bf00aa5385b5cf2acd870f0bc901db + gitpod.io/checksum_config: 7a5265597622304d09dd82531a4f224e0f16d39da5899000916b146dd370cfde creationTimestamp: null labels: app: gitpod 
diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index e11bfc5abb9c0d..3e53c26cb95b62 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -2975,6 +2975,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3031,6 +3041,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5638,6 +5655,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6585,6 +6603,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7055,6 +7093,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10812,7 +10866,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/telemetry/output.golden b/install/installer/cmd/testdata/render/telemetry/output.golden index 7287bef4d0f524..f939b17bccddc3 100644 --- a/install/installer/cmd/testdata/render/telemetry/output.golden +++ b/install/installer/cmd/testdata/render/telemetry/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5629,6 +5646,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -6576,6 +6594,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7084,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10803,7 +10857,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 4b553ca4234ff0..7ef4f03618819c 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden 
@@ -3287,6 +3287,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3343,6 +3353,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5959,6 +5976,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -7017,6 +7035,26 @@ rules: verbs: - use --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7487,6 +7525,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -11244,7 +11298,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 32b1fb904356ce..96eae10f37ec51 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5629,6 +5646,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6576,6 +6594,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7046,6 +7084,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10791,7 +10845,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index 201382fca12637..3068134684a9de 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: 
@@ -5629,6 +5646,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6576,6 +6594,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7084,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10803,7 +10857,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 903ddd6b5567f5831d07f643a85942f7c7891ec40745b0aeb508a7c115389511 + gitpod.io/checksum_config: 8f78e0c49b70bc845b8c69ddc215fc3d1999be738c385173ffd48a84c8303fa5 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/pkg/components/ws-daemon/objects.go b/install/installer/pkg/components/ws-daemon/objects.go index b2113e8acb3994..51fefd0e65e81b 100644 --- a/install/installer/pkg/components/ws-daemon/objects.go +++ b/install/installer/pkg/components/ws-daemon/objects.go @@ -9,6 +9,7 @@ import ( ) var Objects = common.CompositeRenderFunc( + role, clusterrole, configmap, common.DefaultServiceAccount(Component), 
diff --git a/install/installer/pkg/components/ws-daemon/role.go b/install/installer/pkg/components/ws-daemon/role.go new file mode 100644 index 00000000000000..592a55db44cf06 --- /dev/null +++ b/install/installer/pkg/components/ws-daemon/role.go @@ -0,0 +1,37 @@ +// Copyright (c) 2021 Gitpod GmbH. All rights reserved. +// Licensed under the GNU Affero General Public License (AGPL). +// See License.AGPL.txt in the project root for license information. + +package wsdaemon + +import ( + "github.com/gitpod-io/gitpod/installer/pkg/common" + + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +func role(ctx *common.RenderContext) ([]runtime.Object, error) { + return []runtime.Object{ + &rbacv1.Role{ + TypeMeta: common.TypeMetaRole, + ObjectMeta: metav1.ObjectMeta{ + Name: Component, + Namespace: common.WorkspaceSecretsNamespace, + Labels: common.DefaultLabels(Component), + }, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"secrets"}, + Verbs: []string{ + "get", + "list", + "watch", + }, + }, + }, + }, + }, nil +} diff --git a/install/installer/pkg/components/ws-daemon/rolebinding.go b/install/installer/pkg/components/ws-daemon/rolebinding.go index 051ba5b26136c7..286cf85b5834b6 100644 --- a/install/installer/pkg/components/ws-daemon/rolebinding.go +++ b/install/installer/pkg/components/ws-daemon/rolebinding.go @@ -54,5 +54,25 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) { Namespace: ctx.Namespace, }}, }, + + &rbacv1.RoleBinding{ + TypeMeta: common.TypeMetaRoleBinding, + ObjectMeta: metav1.ObjectMeta{ + Name: Component, + Namespace: common.WorkspaceSecretsNamespace, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", + Name: Component, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Name: Component, + Namespace: ctx.Namespace, + }, + }, + }, }, nil } 
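Review bot: The rule in the new `role` function grants the ws-daemon service account `get`, `list` and `watch` on every Secret in `common.WorkspaceSecretsNamespace`. ws-daemon appears to run per node (`NewWorkspaceController` takes a `nodeName`), so each instance can read the token secrets of all workspaces, not only the ones it initialises. `list` and `watch` are presumably needed only because patch 08 reads the secret through the manager's cached client (`mgr.GetClient()` in daemon.go, `wsc.Get` in prepareInitializer). Reading it through an uncached reader such as `mgr.GetAPIReader()` would let the rule shrink to `Verbs: []string{"get"},` and keep other workspaces' tokens out of each daemon's informer cache. If the broad grant is intended, record why in a doc comment, e.g. `// role lets ws-daemon read workspace token secrets; list/watch are required by the controller-runtime cache.`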
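Review bot: The RoleBinding added in rolebinding.go sets only `Name` and `Namespace` in its `ObjectMeta`, so it is rendered without labels. The Role it binds carries `Labels: common.DefaultLabels(Component)`, and the existing `default-ws-daemon-rb` binding shows `component: ws-daemon` in the golden output. Adding `Labels: common.DefaultLabels(Component),` keeps the component's objects selectable by the same labels, which matters if anything prunes or audits objects by label. The `rolebinding` function starts outside this hunk.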
From 7d76e43641757a384edca5dcf12cc7aa622df4bf Mon Sep 17 00:00:00 2001 From: Thomas Schubart Date: Thu, 9 Mar 2023 11:26:59 +0000 Subject: [PATCH 07/16] [wsman-mk2] Watch on multiple ns --- components/ws-manager-mk2/main.go | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/components/ws-manager-mk2/main.go b/components/ws-manager-mk2/main.go index 302fc4951d8395..fe14dfe192cacf 100644 --- a/components/ws-manager-mk2/main.go +++ b/components/ws-manager-mk2/main.go @@ -109,16 +109,7 @@ func main() { HealthProbeBindAddress: cfg.Health.Addr, LeaderElection: enableLeaderElection, LeaderElectionID: "ws-manager-mk2-leader.gitpod.io", - Namespace: cfg.Manager.Namespace, - NewCache: func(conf *rest.Config, opts cache.Options) (cache.Cache, error) { - // Only watch the maintenance mode ConfigMap. - opts.SelectorsByObject = cache.SelectorsByObject{ - &corev1.ConfigMap{}: cache.ObjectSelector{ - Label: labels.SelectorFromSet(labels.Set{controllers.LabelMaintenance: "true"}), - }, - } - return cache.New(conf, opts) - }, + NewCache: cache.MultiNamespacedCacheBuilder([]string{cfg.Manager.Namespace, cfg.Manager.SecretsNamespace}), }) if err != nil { setupLog.Error(err, "unable to start manager") From 3dc68c651d1aae0b20b4cb96fae654feb5d10265 Mon Sep 17 00:00:00 2001 From: Thomas Schubart Date: Thu, 9 Mar 2023 13:55:37 +0000 Subject: [PATCH 08/16] [ws-daemon] Use token secret --- .../pkg/controller/workspace_controller.go | 33 ++++++++++++++++--- components/ws-daemon/pkg/daemon/config.go | 1 + components/ws-daemon/pkg/daemon/daemon.go | 5 ++- .../pkg/components/ws-daemon/configmap.go | 1 + 4 files changed, 34 insertions(+), 6 deletions(-) diff --git a/components/ws-daemon/pkg/controller/workspace_controller.go b/components/ws-daemon/pkg/controller/workspace_controller.go index 8fd0826fc984b7..e2d676217b6292 100644 --- a/components/ws-daemon/pkg/controller/workspace_controller.go +++ b/components/ws-daemon/pkg/controller/workspace_controller.go 
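Review bot: The call `cache.MultiNamespacedCacheBuilder([]string{cfg.Manager.Namespace, cfg.Manager.SecretsNamespace})` in main.go never checks that `SecretsNamespace` is set, and golden fixtures earlier in this series render a manager config with `"secretsNamespace": ""`. In controller-runtime an empty namespace normally means all namespaces, so an unset value would likely turn this into a cluster-wide watch. A guard before the manager is built, such as `if cfg.Manager.SecretsNamespace == "" { /* log and exit */ }`, would make the misconfiguration explicit. The replaced `NewCache` also limited cached ConfigMaps to the `controllers.LabelMaintenance` selector, which is dropped here, so the cache presumably now holds every ConfigMap in both namespaces. daemon.go in patch 08 builds its cache the same way, and `main` continues outside the hunk.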
@@ -22,7 +22,9 @@ import ( "github.com/prometheus/client_golang/prometheus" "google.golang.org/protobuf/proto" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/util/retry" ctrl "sigs.k8s.io/controller-runtime" @@ -55,9 +57,10 @@ type WorkspaceController struct { maxConcurrentReconciles int operations *WorkspaceOperations metrics *workspaceMetrics + secretNamespace string } -func NewWorkspaceController(c client.Client, nodeName string, maxConcurrentReconciles int, ops *WorkspaceOperations, reg prometheus.Registerer) (*WorkspaceController, error) { +func NewWorkspaceController(c client.Client, nodeName, secretNamespace string, maxConcurrentReconciles int, ops *WorkspaceOperations, reg prometheus.Registerer) (*WorkspaceController, error) { metrics := newWorkspaceMetrics() reg.Register(metrics) @@ -67,6 +70,7 @@ func NewWorkspaceController(c client.Client, nodeName string, maxConcurrentRecon maxConcurrentReconciles: maxConcurrentReconciles, operations: ops, metrics: metrics, + secretNamespace: secretNamespace, }, nil } @@ -139,10 +143,8 @@ func (wsc *WorkspaceController) handleWorkspaceInit(ctx context.Context, ws *wor defer tracing.FinishSpan(span, &err) if c := wsk8s.GetCondition(ws.Status.Conditions, string(workspacev1.WorkspaceConditionContentReady)); c == nil { - var init csapi.WorkspaceInitializer - err = proto.Unmarshal(ws.Spec.Initializer, &init) + init, err := wsc.prepareInitializer(ctx, ws) if err != nil { - err = fmt.Errorf("cannot unmarshal initializer config: %w", err) return ctrl.Result{}, err } @@ -153,7 +155,7 @@ func (wsc *WorkspaceController) handleWorkspaceInit(ctx context.Context, ws *wor WorkspaceId: ws.Spec.Ownership.WorkspaceID, InstanceId: ws.Name, }, - Initializer: &init, + Initializer: init, Headless: ws.IsHeadless(), }) 
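Review bot: In handleWorkspaceInit, `init, err := wsc.prepareInitializer(ctx, ws)` declares a new `err` scoped to the `if` block, where the replaced code assigned the outer `err` that `defer tracing.FinishSpan(span, &err)` points at. The function signature is outside the hunk; if `err` is not a named result, the deferred call no longer sees failures returned from this block. Predeclaring avoids the shadow: `var init *csapi.WorkspaceInitializer` followed by `init, err = wsc.prepareInitializer(ctx, ws)`.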
@@ -300,6 +302,27 @@ func (wsc *WorkspaceController) handleWorkspaceStop(ctx context.Context, ws *wor return ctrl.Result{}, err } +func (wsc *WorkspaceController) prepareInitializer(ctx context.Context, ws *workspacev1.Workspace) (*csapi.WorkspaceInitializer, error) { + var init csapi.WorkspaceInitializer + err := proto.Unmarshal(ws.Spec.Initializer, &init) + if err != nil { + err = fmt.Errorf("cannot unmarshal initializer config: %w", err) + return nil, err + } + + var tokenSecret corev1.Secret + err = wsc.Get(ctx, types.NamespacedName{Name: fmt.Sprintf("%s-tokens", ws.Name), Namespace: wsc.secretNamespace}, &tokenSecret) + if err != nil { + return nil, fmt.Errorf("could not get token secret for workspace: %w", err) + } + + if err = csapi.InjectSecretsToInitializer(&init, tokenSecret.Data); err != nil { + return nil, fmt.Errorf("failed to inject secrets into initializer: %w", err) + } + + return &init, nil +} + func toWorkspaceGitStatus(status *csapi.GitStatus) *workspacev1.GitStatus { if status == nil { return nil diff --git a/components/ws-daemon/pkg/daemon/config.go b/components/ws-daemon/pkg/daemon/config.go index 43e0bbcd31d4a0..ac072c476919c2 100644 --- a/components/ws-daemon/pkg/daemon/config.go +++ b/components/ws-daemon/pkg/daemon/config.go @@ -42,6 +42,7 @@ type RuntimeConfig struct { Container *container.Config `json:"containerRuntime"` Kubeconfig string `json:"kubeconfig"` KubernetesNamespace string `json:"namespace"` + SecretsNamespace string `json:"secretsNamespace"` } type IOLimitConfig struct { diff --git a/components/ws-daemon/pkg/daemon/daemon.go b/components/ws-daemon/pkg/daemon/daemon.go index b582efda900e0a..736cd1756bec6f 100644 --- a/components/ws-daemon/pkg/daemon/daemon.go +++ b/components/ws-daemon/pkg/daemon/daemon.go 
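Review bot: prepareInitializer has no doc comment, and its secret name `fmt.Sprintf("%s-tokens", ws.Name)` repeats a format that ws-manager-mk2 builds separately as `fmt.Sprintf("%s-%s", req.Id, "tokens")` in patch 01. If the two ever diverge, workspace init fails only at runtime with "could not get token secret for workspace". I would add `// prepareInitializer unmarshals ws.Spec.Initializer and injects the tokens read from the "<ws.Name>-tokens" Secret in wsc.secretNamespace.` and move the name format into one shared helper. The comment should also state that the function returns an error when the Secret is absent, relying on the manager having created it before the Workspace object.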
@@ -22,6 +22,7 @@ import ( "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/metrics" @@ -175,6 +176,7 @@ func NewDaemon(config Config) (*Daemon, error) { Namespace: config.Runtime.KubernetesNamespace, HealthProbeBindAddress: "0", MetricsBindAddress: "0", // Metrics are exposed through baseserver. + NewCache: cache.MultiNamespacedCacheBuilder([]string{config.Runtime.KubernetesNamespace, config.Runtime.SecretsNamespace}), }) if err != nil { return nil, err @@ -207,7 +209,8 @@ func NewDaemon(config Config) (*Daemon, error) { return nil, err } - wsctrl, err := controller.NewWorkspaceController(mgr.GetClient(), nodename, config.WorkspaceController.MaxConcurrentReconciles, workspaceOps, wrappedReg) + wsctrl, err := controller.NewWorkspaceController( + mgr.GetClient(), nodename, config.Runtime.SecretsNamespace, config.WorkspaceController.MaxConcurrentReconciles, workspaceOps, wrappedReg) if err != nil { return nil, err } diff --git a/install/installer/pkg/components/ws-daemon/configmap.go b/install/installer/pkg/components/ws-daemon/configmap.go index adaaef995d52a4..1b08aa15e6e940 100644 --- a/install/installer/pkg/components/ws-daemon/configmap.go +++ b/install/installer/pkg/components/ws-daemon/configmap.go @@ -112,6 +112,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { Daemon: daemon.Config{ Runtime: daemon.RuntimeConfig{ KubernetesNamespace: ctx.Namespace, + SecretsNamespace: common.WorkspaceSecretsNamespace, Container: &container.Config{ Runtime: container.RuntimeContainerd, Mapping: runtimeMapping, From 1c2bcf60fc363090d54d581bb98872fbf5ab2b2e Mon Sep 17 00:00:00 2001 
From: Thomas Schubart Date: Thu, 9 Mar 2023 15:14:22 +0000 Subject: [PATCH 09/16] [wsman-mk2] Remove secret from initializer --- components/ws-manager-mk2/service/manager.go | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/components/ws-manager-mk2/service/manager.go b/components/ws-manager-mk2/service/manager.go index 2a92915252facb..026017ec512aac 100644 --- a/components/ws-manager-mk2/service/manager.go +++ b/components/ws-manager-mk2/service/manager.go @@ -117,11 +117,6 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma return nil, status.Errorf(codes.InvalidArgument, "unsupported workspace type: %v", req.Type) } - initializer, err := proto.Marshal(req.Spec.Initializer) - if err != nil { - return nil, status.Errorf(codes.InvalidArgument, "cannot serialise content initializer: %v", err) - } - var git *workspacev1.GitSpec if req.Spec.Git != nil { git = &workspacev1.GitSpec{ @@ -205,7 +200,11 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma userEnvVars, envData := extractWorkspaceUserEnv(envSecretName, req.Spec.Envvars, req.Spec.SysEnvvars) sysEnvVars := extractWorkspaceSysEnv(req.Spec.SysEnvvars) - tokenData, _ := extractWorkspaceTokenData(req.Spec) + tokenData := extractWorkspaceTokenData(req.Spec) + initializer, err := proto.Marshal(req.Spec.Initializer) + if err != nil { + return nil, status.Errorf(codes.InvalidArgument, "cannot serialise content initializer: %v", err) + } ws := workspacev1.Workspace{ TypeMeta: metav1.TypeMeta{ 
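Review bot: Nothing in StartWorkspace records that `tokenData := extractWorkspaceTokenData(req.Spec)` must run before `proto.Marshal(req.Spec.Initializer)`, yet that ordering is what keeps tokens out of the serialised initializer. The helper now calls `csapi.ExtractAndReplaceSecretsFromInitializer`, which by its name rewrites `req.Spec.Initializer` in place. Moving the marshal back above it would presumably store the tokens in the Workspace object again with no compile or test failure. A comment on the call would pin the ordering: `// Must run before proto.Marshal: strips tokens from the initializer so they only live in the token secret.` The name `extractWorkspaceTokenData` also hides that it mutates its argument, which deserves a doc line where the helper is redefined; StartWorkspace starts and ends outside the hunk.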
@@ -865,13 +864,12 @@ func extractWorkspaceSysEnv(sysEnvs []*wsmanapi.EnvironmentVariable) []corev1.En return envs } -func extractWorkspaceTokenData(spec *wsmanapi.StartWorkspaceSpec) (secrets map[string]string, secretsLen int) { - secrets = make(map[string]string) - for k, v := range csapi.GatherSecretsFromInitializer(spec.Initializer) { +func extractWorkspaceTokenData(spec *wsmanapi.StartWorkspaceSpec) map[string]string { + secrets := make(map[string]string) + for k, v := range csapi.ExtractAndReplaceSecretsFromInitializer(spec.Initializer) { secrets[k] = v - secretsLen += len(v) } - return secrets, secretsLen + return secrets } func extractWorkspaceStatus(ws *workspacev1.Workspace) *wsmanapi.WorkspaceStatus { From 4037d8176a5792579b5d71952ef4b4e8b3a99ee6 Mon Sep 17 00:00:00 2001 From: Thomas Schubart Date: Thu, 9 Mar 2023 16:23:18 +0000 Subject: [PATCH 10/16] [wsman-mk2] Test token secret --- .../ws-manager-mk2/controllers/suite_test.go | 24 ++++++++++++++++--- .../controllers/workspace_controller_test.go | 16 +++++++++---- 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/components/ws-manager-mk2/controllers/suite_test.go b/components/ws-manager-mk2/controllers/suite_test.go index 1e41ce4e84e7d5..808a248b474274 100644 --- a/components/ws-manager-mk2/controllers/suite_test.go +++ b/components/ws-manager-mk2/controllers/suite_test.go @@ -24,6 +24,8 @@ import ( "github.com/gitpod-io/gitpod/ws-manager-mk2/pkg/activity" "github.com/gitpod-io/gitpod/ws-manager/api/config" workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" //+kubebuilder:scaffold:imports ) 
@@ -31,9 +33,10 @@ import ( // http://onsi.github.io/ginkgo/ to learn more about Ginkgo. const ( - timeout = time.Second * 20 - duration = time.Second * 2 - interval = time.Millisecond * 250 + timeout = time.Second * 20 + duration = time.Second * 2 + interval = time.Millisecond * 250 + secretsNamespace = "workspace-secrets" ) // var cfg *rest.Config @@ -113,6 +116,7 @@ var _ = BeforeSuite(func() { Expect(timeoutReconciler.SetupWithManager(k8sManager)).To(Succeed()) ctx, cancel = context.WithCancel(context.Background()) + _ = createNamespace(secretsNamespace) go func() { defer GinkgoRecover() @@ -127,6 +131,7 @@ func newTestConfig() config.Configuration { GitpodHostURL: "gitpod.io", HeartbeatInterval: util.Duration(30 * time.Second), Namespace: "default", + SecretsNamespace: secretsNamespace, SeccompProfile: "default.json", Timeouts: config.WorkspaceTimeoutConfiguration{ AfterClose: util.Duration(1 * time.Minute), @@ -156,6 +161,19 @@ func (f *fakeMaintenance) IsEnabled() bool { return f.enabled } +func createNamespace(name string) *corev1.Namespace { + GinkgoHelper() + + namespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + } + + Expect(k8sClient.Create(ctx, namespace)).To(Succeed()) + return namespace +} + var _ = AfterSuite(func() { cancel() By("tearing down the test environment") diff --git a/components/ws-manager-mk2/controllers/workspace_controller_test.go b/components/ws-manager-mk2/controllers/workspace_controller_test.go index d688dd61ec2fe0..7ab3db7f210dd3 100644 --- a/components/ws-manager-mk2/controllers/workspace_controller_test.go +++ b/components/ws-manager-mk2/controllers/workspace_controller_test.go 
@@ -33,8 +33,11 @@ var _ = Describe("WorkspaceController", func() { Context("with regular workspaces", func() { It("should handle successful workspace creation and stop request", func() { name := uuid.NewString() + + envSecret := createSecret(fmt.Sprintf("%s-env", name), "default") + tokenSecret := createSecret(fmt.Sprintf("%s-tokens", name), secretsNamespace) + ws := newWorkspace(name, "default") - secret := createSecret(fmt.Sprintf("%s-env", name), "default") m := collectMetricCounts(wsMetrics, ws) pod := createWorkspaceExpectPod(ws) @@ -73,7 +76,8 @@ var _ = Describe("WorkspaceController", func() { }) expectPhaseEventually(ws, workspacev1.WorkspacePhaseRunning) - expectSecretCleanup(secret) + expectSecretCleanup(envSecret) + expectSecretCleanup(tokenSecret) markContentReady(ws) @@ -255,7 +259,10 @@ var _ = Describe("WorkspaceController", func() { It("deleting workspace resource should gracefully clean up", func() { name := uuid.NewString() ws := newWorkspace(name, "default") - secret := createSecret(fmt.Sprintf("%s-env", name), "default") + + envSecret := createSecret(fmt.Sprintf("%s-env", name), "default") + tokenSecret := createSecret(fmt.Sprintf("%s-tokens", name), secretsNamespace) + m := collectMetricCounts(wsMetrics, ws) pod := createWorkspaceExpectPod(ws) @@ -269,7 +276,8 @@ var _ = Describe("WorkspaceController", func() { expectWorkspaceCleanup(ws, pod) - expectSecretCleanup(secret) + expectSecretCleanup(envSecret) + expectSecretCleanup(tokenSecret) expectMetricsDelta(m, collectMetricCounts(wsMetrics, ws), metricCounts{ restores: 1, From dd74b791f101dbc3a69ab7d15aed63f64aa46776 Mon Sep 17 00:00:00 2001 From: Thomas Schubart Date: Fri, 10 Mar 2023 11:22:03 +0000 Subject: [PATCH 11/16] [werft] Fix document index --- .werft/jobs/build/installer/post-process.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.werft/jobs/build/installer/post-process.sh b/.werft/jobs/build/installer/post-process.sh index 9ec9125aaf87f4..345b1e034c6349 100755 
--- a/.werft/jobs/build/installer/post-process.sh +++ b/.werft/jobs/build/installer/post-process.sh @@ -52,7 +52,7 @@ MATCHES="$(grep -c -- --- k8s.yaml)" # get the read number of K8s manifest docs # K8s object names and kinds are duplicated in a config map to faciliate deletion # subtract one (the config map) and then divide by 2 to get the actual # of docs we'll loop through -DOCS="$((((MATCHES - 1) / 2) + 1))" +DOCS="$(((MATCHES - 1) / 2))" documentIndex=0 while [ "$documentIndex" -le "$DOCS" ]; do From 8389e323b72c0c53f7bb40a0f487f7ec6a3372fc Mon Sep 17 00:00:00 2001 
From: Thomas Schubart Date: Fri, 10 Mar 2023 11:54:03 +0000 Subject: [PATCH 12/16] [installer] Update render tests --- .../installer/cmd/testdata/render/agent-smith/output.golden | 5 +++-- .../installer/cmd/testdata/render/aws-setup/output.golden | 5 +++-- .../cmd/testdata/render/custom-pull-repository/output.golden | 5 +++-- .../cmd/testdata/render/customization/output.golden | 5 +++-- .../cmd/testdata/render/external-registry/output.golden | 5 +++-- .../installer/cmd/testdata/render/gcp-setup/output.golden | 5 +++-- .../installer/cmd/testdata/render/http-proxy/output.golden | 5 +++-- .../installer/cmd/testdata/render/ide-config/output.golden | 5 +++-- .../cmd/testdata/render/kind-workspace/output.golden | 5 +++-- .../cmd/testdata/render/message-bus-password/output.golden | 5 +++-- install/installer/cmd/testdata/render/minimal/output.golden | 5 +++-- .../cmd/testdata/render/overrides-inline/output.golden | 5 +++-- .../installer/cmd/testdata/render/pod-config/output.golden | 5 +++-- .../installer/cmd/testdata/render/shortname/output.golden | 5 +++-- .../testdata/render/statefulset-customization/output.golden | 5 +++-- .../installer/cmd/testdata/render/telemetry/output.golden | 5 +++-- .../testdata/render/use-pod-security-policies/output.golden | 5 +++-- .../installer/cmd/testdata/render/vsxproxy-pvc/output.golden | 5 +++-- .../testdata/render/workspace-requests-limits/output.golden | 5 +++-- 19 files changed, 57 insertions(+), 38 deletions(-) diff --git a/install/installer/cmd/testdata/render/agent-smith/output.golden b/install/installer/cmd/testdata/render/agent-smith/output.golden index 0b4cb2d21621f9..0f2e1fd16c1619 100644 --- a/install/installer/cmd/testdata/render/agent-smith/output.golden +++ b/install/installer/cmd/testdata/render/agent-smith/output.golden @@ -5709,7 +5709,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", 
@@ -8370,7 +8371,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index f1391156053cfc..973b712ae23deb 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -5050,7 +5050,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -7538,7 +7539,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 573f5fc567df7be7fba63ecdc681e3aa5f059daa207992586a41bba4106d2545 + gitpod.io/checksum_config: a23a04a77f794df58d7dffe59383242db628f6da2c0e4bac7620b1d968996243 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden index 53496842de99e2..c72480df822dd8 100644 --- a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden +++ b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden @@ -5526,7 +5526,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8187,7 +8188,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index 5805c1347e0113..1d831a72d6f9f4 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -6143,7 +6143,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8940,7 +8941,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: e72f036b19d3287feece7409ecc0991d1c4f58ad96da7b901ce565b0f5208039 + gitpod.io/checksum_config: 0f892bd4e952cbaa5d71eaaea340ba2838a5763f0caca3f2e6f1b1591c104000 hello: world creationTimestamp: null labels: diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index a6520eb2cdd801..5a10a9703ac342 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -5306,7 +5306,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -7907,7 +7908,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index 924b9b50419b57..1d2b707828c6e0 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden 
@@ -5077,7 +5077,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -7597,7 +7598,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: eb4dd48f0756c6343cc7b91acd5ec6e881b6d1f97547b217b5ce52d5e6669e91 + gitpod.io/checksum_config: c9e4e386dff69815d3f4617c1255e1fc80fdf92a2406c6511ca690df3d54e12d creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index a427d1a389626c..8fcc29b25d8400 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -5529,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8391,7 +8392,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/ide-config/output.golden b/install/installer/cmd/testdata/render/ide-config/output.golden index 38d5a79f269de1..6861e1f4478967 100644 --- a/install/installer/cmd/testdata/render/ide-config/output.golden +++ b/install/installer/cmd/testdata/render/ide-config/output.golden @@ -5542,7 +5542,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", 
@@ -8207,7 +8208,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index 42ac7fb7d63c35..ac07abbb6370de 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden +++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -1900,7 +1900,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -3443,7 +3444,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/message-bus-password/output.golden b/install/installer/cmd/testdata/render/message-bus-password/output.golden index 658848f3333194..59781ef5e5a9dc 100644 --- a/install/installer/cmd/testdata/render/message-bus-password/output.golden +++ b/install/installer/cmd/testdata/render/message-bus-password/output.golden @@ -5529,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8190,7 +8191,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index 5faa71a89a7d46..af9a92e3702676 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden @@ -5526,7 +5526,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8187,7 +8188,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/overrides-inline/output.golden b/install/installer/cmd/testdata/render/overrides-inline/output.golden index 83db6323bd6132..f56c9722195d43 100644 --- a/install/installer/cmd/testdata/render/overrides-inline/output.golden +++ b/install/installer/cmd/testdata/render/overrides-inline/output.golden @@ -5524,7 +5524,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8197,7 +8198,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/pod-config/output.golden b/install/installer/cmd/testdata/render/pod-config/output.golden index 6159530be389d4..793276f90399a0 100644 --- a/install/installer/cmd/testdata/render/pod-config/output.golden +++ b/install/installer/cmd/testdata/render/pod-config/output.golden 
@@ -5533,7 +5533,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8194,7 +8195,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index 4d7fac58b4e183..ae2db633e1f242 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden @@ -5526,7 +5526,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8187,7 +8188,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index 3e53c26cb95b62..06180fa4226b22 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -5538,7 +5538,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", 
@@ -8199,7 +8200,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/telemetry/output.golden b/install/installer/cmd/testdata/render/telemetry/output.golden index f939b17bccddc3..477bfe33c35480 100644 --- a/install/installer/cmd/testdata/render/telemetry/output.golden +++ b/install/installer/cmd/testdata/render/telemetry/output.golden @@ -5529,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8190,7 +8191,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 7ef4f03618819c..42dc9238663efe 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden @@ -5859,7 +5859,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8631,7 +8632,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 96eae10f37ec51..5dd2fe753e654d 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden @@ -5529,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8190,7 +8191,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index 3068134684a9de..42e6d58789e9f4 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -5529,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -8190,7 +8191,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod From c736745cfbbe468ceeb4b33807034a0a94cec6c5 Mon Sep 17 00:00:00 2001 From: Thomas Schubart Date: Fri, 10 Mar 2023 12:41:23 +0000 Subject: [PATCH 13/16] [wsman-mk2] Fix imports --- components/ws-manager-mk2/main.go | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/components/ws-manager-mk2/main.go b/components/ws-manager-mk2/main.go index fe14dfe192cacf..f802614895fe52 100644 --- a/components/ws-manager-mk2/main.go +++ b/components/ws-manager-mk2/main.go @@ -18,12 +18,9 @@ import ( "google.golang.org/grpc/credentials" "google.golang.org/grpc/credentials/insecure" _ "k8s.io/client-go/plugin/pkg/client/auth" - "k8s.io/client-go/rest" grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus" "github.com/prometheus/client_golang/prometheus" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" From ce48eea98f5aaf6fa01aa28a6b8f52d9d24e14b7 Mon Sep 17 00:00:00 2001 From: Thomas Schubart Date: Fri, 10 Mar 2023 14:31:11 +0000 Subject: [PATCH 14/16] [wsman-mk2] Ensure maintenance controller required permissions --- .../ws-manager-mk2/controllers/maintenance_controller.go | 1 - install/installer/pkg/components/ws-manager-mk2/role.go | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/components/ws-manager-mk2/controllers/maintenance_controller.go b/components/ws-manager-mk2/controllers/maintenance_controller.go index d2f2f14fb93fd5..a8422e6767d0b9 100644 --- a/components/ws-manager-mk2/controllers/maintenance_controller.go +++ b/components/ws-manager-mk2/controllers/maintenance_controller.go @@ -50,7 +50,6 @@ func (r *MaintenanceReconciler) Reconcile(ctx context.Context, req ctrl.Request) log := log.FromContext(ctx).WithValues("configMap", req.NamespacedName) if req.Name != configMapName { - log.Info("ignoring unexpected ConfigMap") return ctrl.Result{}, nil } diff --git a/install/installer/pkg/components/ws-manager-mk2/role.go b/install/installer/pkg/components/ws-manager-mk2/role.go index 7eee43b25fee8d..47ef51c07ffa78 100644 --- a/install/installer/pkg/components/ws-manager-mk2/role.go +++ b/install/installer/pkg/components/ws-manager-mk2/role.go 
@@ -87,10 +87,6 @@ var controllerRules = []rbacv1.PolicyRule{ "watch", }, }, -} - -// ConfigMap, Leases, and Events access is required for leader-election. -var leaderElectionRules = []rbacv1.PolicyRule{ { APIGroups: []string{""}, Resources: []string{"configmaps"}, @@ -104,6 +100,10 @@ var leaderElectionRules = []rbacv1.PolicyRule{ "watch", }, }, +} + +// ConfigMap, Leases, and Events access is required for leader-election. +var leaderElectionRules = []rbacv1.PolicyRule{ { APIGroups: []string{"coordination.k8s.io"}, Resources: []string{"leases"}, From ef697aad0883d949cb33908be726f65c5cce39a7 Mon Sep 17 00:00:00 2001 From: Thomas Schubart Date: Tue, 14 Mar 2023 13:00:58 +0000 Subject: [PATCH 15/16] [wsman-mk2] Retry deleting secret --- .../controllers/workspace_controller.go | 63 ++++++++++++++----- 1 file changed, 46 insertions(+), 17 deletions(-) diff --git a/components/ws-manager-mk2/controllers/workspace_controller.go b/components/ws-manager-mk2/controllers/workspace_controller.go index 4d358469b79083..9605149343bd1c 100644 --- a/components/ws-manager-mk2/controllers/workspace_controller.go +++ b/components/ws-manager-mk2/controllers/workspace_controller.go @@ -7,6 +7,7 @@ package controllers import ( "context" "fmt" + "strings" "time" corev1 "k8s.io/api/core/v1" @@ -14,6 +15,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/wait" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller" @@ -195,7 +197,9 @@ func (r *WorkspaceReconciler) actOnStatus(ctx context.Context, workspace *worksp } } - r.deleteWorkspaceSecrets(ctx, workspace) + if err := r.deleteWorkspaceSecrets(ctx, workspace); err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Second}, err + } // Workspace might have already been in a deleting state, // but not guaranteed, so try deleting anyway. 
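Review bot: The comment kept above `leaderElectionRules` still reads "ConfigMap, Leases, and Events access is required for leader-election", but this hunk and the next one (`@@ -104,6 +100,10`) move the `configmaps` rule out of that slice into `controllerRules`. The comment therefore no longer describes what follows it. I would reword it to `// Leases and Events access is required for leader-election.` and put `// ConfigMap access is required by the maintenance controller.` above the moved rule. Only the tail of the moved rule's verb list is visible here; if it still carries write verbs that leader election needed, trimming it to what the maintenance controller reads would keep the grant minimal. Both slices begin or end outside these hunks.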
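Review bot: In the `@@ -195,7 +197,9` hunk of workspace_controller.go, `return ctrl.Result{RequeueAfter: 10 * time.Second}, err` returns a result together with a non-nil error. controller-runtime ignores the result in that case and requeues through its rate-limited backoff, so the 10 second delay presumably never applies. If the fixed delay is intended, log the error and use `return ctrl.Result{RequeueAfter: 10 * time.Second}, nil`; otherwise `return ctrl.Result{}, err` states what actually happens. `actOnStatus` starts and ends outside the hunk.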
@@ -257,7 +261,10 @@ func (r *WorkspaceReconciler) actOnStatus(ctx context.Context, workspace *worksp
 }
 case workspace.Status.Phase == workspacev1.WorkspacePhaseRunning:
- r.deleteWorkspaceSecrets(ctx, workspace)
+ err := r.deleteWorkspaceSecrets(ctx, workspace)
+ if err != nil {
+ log.Error(err, "could not delete workspace secrets")
+ }
 // we've disposed already - try to remove the finalizer and call it a day
 case workspace.Status.Phase == workspacev1.WorkspacePhaseStopped:
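Review bot: In the `WorkspacePhaseRunning` branch a failed `deleteWorkspaceSecrets` is only logged, and nothing visible in this hunk schedules another attempt. The `-tokens` secret can then stay in the secrets namespace for as long as the workspace runs. The earlier hunk at `@@ -195,7 +197,9` returns the same error to the reconciler. Doing that here too, or documenting the choice with a comment such as `// best effort: deletion is attempted again when the workspace is disposed`, would make the intended lifetime of the token secret explicit. `actOnStatus` starts and ends outside the hunk, so a retry path that is not shown may exist.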
@@ -349,40 +356,62 @@ func (r *WorkspaceReconciler) deleteWorkspacePod(ctx context.Context, pod *corev return ctrl.Result{}, nil } -func (r *WorkspaceReconciler) deleteWorkspaceSecrets(ctx context.Context, ws *workspacev1.Workspace) { +func (r *WorkspaceReconciler) deleteWorkspaceSecrets(ctx context.Context, ws *workspacev1.Workspace) error { log := log.FromContext(ctx) // if a secret cannot be deleted we do not return early because we want to attempt // the deletion of the remaining secrets + var errs []string err := r.deleteSecret(ctx, fmt.Sprintf("%s-%s", ws.Name, "env"), r.Config.Namespace) if err != nil { + errs = append(errs, err.Error()) log.Error(err, "could not delete environment secret", "workspace", ws.Name) } err = r.deleteSecret(ctx, fmt.Sprintf("%s-%s", ws.Name, "tokens"), r.Config.SecretsNamespace) if err != nil { + errs = append(errs, err.Error()) log.Error(err, "could not delete token secret", "workspace", ws.Name) } + + if len(errs) != 0 { + return fmt.Errorf(strings.Join(errs, ":")) + } + + return nil } func (r *WorkspaceReconciler) deleteSecret(ctx context.Context, name, namespace string) error { - var secret corev1.Secret - err := r.Client.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, &secret) - if errors.IsNotFound(err) { - // nothing to delete - return nil - } + log := log.FromContext(ctx) - if err != nil { - return fmt.Errorf("could not retrieve secret %s: %w", name, err) - } + err := wait.ExponentialBackoffWithContext(ctx, wait.Backoff{ + Duration: 100 * time.Millisecond, + Factor: 1.5, + Jitter: 0.2, + Steps: 3, + }, func() (bool, error) { + var secret corev1.Secret + err := r.Client.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, &secret) + if errors.IsNotFound(err) { + // nothing to delete + return true, nil + } - err = r.Client.Delete(ctx, &secret) - if err != nil && !errors.IsNotFound(err) { - return fmt.Errorf("could not delete secret %s: %w", name, err) - } + if err != nil { + log.Error(err, 
"cannot retrieve secret scheduled for deletion", "secret", name) + return false, nil + } - return nil + err = r.Client.Delete(ctx, &secret) + if err != nil && !errors.IsNotFound(err) { + log.Error(err, "cannot delete secret", "secret", name) + return false, nil + } + + return true, nil + }) + + return err } var ( From 8a5d7252e8e668645aa44fb5b23b2111eeee8993 Mon Sep 17 00:00:00 2001 
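Review bot: `deleteSecret` now hides the cause of a failed deletion, because the condition function logs the Get/Delete error and returns `false, nil`; once the three steps are used up the caller only receives the backoff's timeout error. A missing RBAC grant in the secrets namespace and a transient API error then look the same to `deleteWorkspaceSecrets` and to whoever reads the reconcile error. Remembering the last error and wrapping it when the backoff gives up keeps the cause; the caller already logs what is returned, so the inner log calls can go. In `deleteWorkspaceSecrets`, `fmt.Errorf(strings.Join(errs, ":"))` uses error text as the format string, so a `%` in a message is misread; `fmt.Errorf("%s", strings.Join(errs, ":"))` avoids that.

```go
	var lastErr error
	err := wait.ExponentialBackoffWithContext(ctx, wait.Backoff{
		// … unchanged: Duration, Factor, Jitter, Steps …
	}, func() (bool, error) {
		// … unchanged: Get and the NotFound short-circuit …
		if err != nil {
			lastErr = fmt.Errorf("cannot retrieve secret %s: %w", name, err)
			return false, nil
		}

		err = r.Client.Delete(ctx, &secret)
		if err != nil && !errors.IsNotFound(err) {
			lastErr = fmt.Errorf("cannot delete secret %s: %w", name, err)
			return false, nil
		}

		return true, nil
	})
	if err != nil && lastErr != nil {
		// surface the cause instead of only the backoff timeout
		return fmt.Errorf("%v: %w", err, lastErr)
	}

	return err
```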
From: Thomas Schubart Date: Wed, 15 Mar 2023 10:51:46 +0000 Subject: [PATCH 16/16] [installer] Ensure objects in secrets namespace are only created with mk2 option --- .../testdata/render/agent-smith/output.golden | 53 ------------------- .../testdata/render/aws-setup/output.golden | 53 ------------------- .../custom-pull-repository/output.golden | 53 ------------------- .../render/customization/output.golden | 53 ------------------- .../render/external-registry/output.golden | 53 ------------------- .../testdata/render/gcp-setup/output.golden | 53 ------------------- .../testdata/render/http-proxy/output.golden | 53 ------------------- .../testdata/render/ide-config/output.golden | 53 ------------------- .../render/kind-workspace/output.golden | 53 ------------------- .../render/message-bus-password/output.golden | 53 ------------------- .../cmd/testdata/render/minimal/output.golden | 53 ------------------- .../render/overrides-inline/output.golden | 53 ------------------- .../testdata/render/pod-config/output.golden | 53 ------------------- .../testdata/render/shortname/output.golden | 53 ------------------- .../statefulset-customization/output.golden | 53 ------------------- .../testdata/render/telemetry/output.golden | 53 ------------------- .../use-pod-security-policies/output.golden | 53 ------------------- .../render/vsxproxy-pvc/output.golden | 53 ------------------- .../workspace-requests-limits/output.golden | 53 ------------------- .../pkg/components/ws-daemon/role.go | 12 +++++ .../pkg/components/ws-daemon/rolebinding.go | 47 +++++++++------- 21 files changed, 40 insertions(+), 1026 deletions(-) diff --git a/install/installer/cmd/testdata/render/agent-smith/output.golden b/install/installer/cmd/testdata/render/agent-smith/output.golden index 0f2e1fd16c1619..a7748f25c21f25 100644 --- a/install/installer/cmd/testdata/render/agent-smith/output.golden +++ b/install/installer/cmd/testdata/render/agent-smith/output.golden 
@@ -3146,16 +3146,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3212,13 +3202,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6775,26 +6758,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7265,22 +7228,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index 973b712ae23deb..3c5356ce7b640d 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden 
@@ -2759,16 +2759,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -2825,13 +2815,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6086,26 +6069,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6558,22 +6521,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden index c72480df822dd8..a45fb814416d2d 100644 --- a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden 
+++ b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden @@ -2963,16 +2963,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3029,13 +3019,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6592,26 +6575,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7082,22 +7045,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index 1d831a72d6f9f4..bed9636dbecc54 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden 
+++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -3427,16 +3427,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3508,13 +3498,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -7229,26 +7212,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7719,22 +7682,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 5a10a9703ac342..de57fef9bbde50 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden 
+++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -2857,16 +2857,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -2923,13 +2913,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6353,26 +6336,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6825,22 +6788,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index 1d2b707828c6e0..572aee8a0ce9a3 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden 
+++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -2796,16 +2796,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -2862,13 +2852,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6103,26 +6086,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6593,22 +6556,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index 8fcc29b25d8400..491ffc4b326b85 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden 
+++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -2966,16 +2966,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3032,13 +3022,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6595,26 +6578,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7085,22 +7048,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/ide-config/output.golden b/install/installer/cmd/testdata/render/ide-config/output.golden index 6861e1f4478967..ce75d0e8ea51a9 100644 --- a/install/installer/cmd/testdata/render/ide-config/output.golden 
+++ b/install/installer/cmd/testdata/render/ide-config/output.golden @@ -2979,16 +2979,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3045,13 +3035,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6608,26 +6591,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7098,22 +7061,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index ac07abbb6370de..51c8ab80a29c04 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden 
+++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -1189,16 +1189,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -1255,13 +1245,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -2644,26 +2627,6 @@ rules: - get - update --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -2844,22 +2807,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/message-bus-password/output.golden b/install/installer/cmd/testdata/render/message-bus-password/output.golden index 59781ef5e5a9dc..fe87d673c91e27 100644 --- a/install/installer/cmd/testdata/render/message-bus-password/output.golden 
+++ b/install/installer/cmd/testdata/render/message-bus-password/output.golden @@ -2966,16 +2966,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3032,13 +3022,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6595,26 +6578,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7085,22 +7048,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index af9a92e3702676..1b559ce7936a3d 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden 
+++ b/install/installer/cmd/testdata/render/minimal/output.golden @@ -2963,16 +2963,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3029,13 +3019,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6592,26 +6575,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7082,22 +7045,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/overrides-inline/output.golden b/install/installer/cmd/testdata/render/overrides-inline/output.golden index f56c9722195d43..3cd0b421b95a2f 100644 --- a/install/installer/cmd/testdata/render/overrides-inline/output.golden 
+++ b/install/installer/cmd/testdata/render/overrides-inline/output.golden @@ -2961,16 +2961,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3027,13 +3017,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6590,26 +6573,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7080,22 +7043,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/pod-config/output.golden b/install/installer/cmd/testdata/render/pod-config/output.golden index 793276f90399a0..59659d480312d3 100644 --- a/install/installer/cmd/testdata/render/pod-config/output.golden 
+++ b/install/installer/cmd/testdata/render/pod-config/output.golden @@ -2970,16 +2970,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3036,13 +3026,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6599,26 +6582,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7089,22 +7052,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index ae2db633e1f242..74dfde92fb21a6 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden 
+++ b/install/installer/cmd/testdata/render/shortname/output.golden @@ -2963,16 +2963,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3029,13 +3019,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6592,26 +6575,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7082,22 +7045,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index 06180fa4226b22..18bf799ccd8b1d 100644 
--- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -2975,16 +2975,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3041,13 +3031,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6604,26 +6587,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7094,22 +7057,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/telemetry/output.golden b/install/installer/cmd/testdata/render/telemetry/output.golden index 477bfe33c35480..60322313503308 100644 
--- a/install/installer/cmd/testdata/render/telemetry/output.golden +++ b/install/installer/cmd/testdata/render/telemetry/output.golden @@ -2966,16 +2966,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3032,13 +3022,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6595,26 +6578,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7085,22 +7048,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 42dc9238663efe..0269f2300947b4 100644 
--- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden @@ -3287,16 +3287,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3353,13 +3343,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -7036,26 +7019,6 @@ rules: verbs: - use --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7526,22 +7489,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 5dd2fe753e654d..f28888954ece1d 100644 
--- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden @@ -2966,16 +2966,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3032,13 +3022,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6595,26 +6578,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7085,22 +7048,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index 42e6d58789e9f4..c7899e809e623e 100644 
--- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -2966,16 +2966,6 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets - --- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3032,13 +3022,6 @@ data: component: ws-daemon name: default-ws-daemon-rb --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets - --- apiVersion: v1 kind: Service metadata: @@ -6595,26 +6578,6 @@ rules: - patch - watch --- -# rbac.authorization.k8s.io/v1/Role ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: ws-daemon - name: ws-daemon - namespace: workspace-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7085,22 +7048,6 @@ subjects: - kind: ServiceAccount name: workspace --- -# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - name: ws-daemon - namespace: workspace-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ws-daemon -subjects: -- kind: ServiceAccount - name: ws-daemon - namespace: default ---- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/install/installer/pkg/components/ws-daemon/role.go b/install/installer/pkg/components/ws-daemon/role.go index 592a55db44cf06..9069222dc54e54 100644 
--- a/install/installer/pkg/components/ws-daemon/role.go +++ b/install/installer/pkg/components/ws-daemon/role.go @@ -6,6 +6,7 @@ package wsdaemon import ( "github.com/gitpod-io/gitpod/installer/pkg/common" + "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental" rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -13,6 +14,17 @@ import ( ) func role(ctx *common.RenderContext) ([]runtime.Object, error) { + var useMk2 bool + _ = ctx.WithExperimental(func(ucfg *experimental.Config) error { + if ucfg.Workspace != nil { + useMk2 = ucfg.Workspace.UseWsmanagerMk2 + } + return nil + }) + if !useMk2 { + return nil, nil + } + return []runtime.Object{ &rbacv1.Role{ TypeMeta: common.TypeMetaRole, diff --git a/install/installer/pkg/components/ws-daemon/rolebinding.go b/install/installer/pkg/components/ws-daemon/rolebinding.go index 286cf85b5834b6..1d244ef8eea23e 100644 --- a/install/installer/pkg/components/ws-daemon/rolebinding.go +++ b/install/installer/pkg/components/ws-daemon/rolebinding.go @@ -8,6 +8,7 @@ import ( "fmt" "github.com/gitpod-io/gitpod/installer/pkg/common" + "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental" rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -17,7 +18,7 @@ import ( func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) { labels := common.DefaultLabels(Component) - return []runtime.Object{ + bindings := []runtime.Object{ &rbacv1.ClusterRoleBinding{ TypeMeta: common.TypeMetaClusterRoleBinding, ObjectMeta: metav1.ObjectMeta{ 
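Review bot: In `role()` the result of `ctx.WithExperimental` is dropped with `_ =`, and no comment says why that is safe or why the Role is now conditional. The golden files in this patch show this Role granting `get`/`list`/`watch` on `secrets` in the `workspace-secrets` namespace, so the gate is a least-privilege decision worth recording above it, e.g. `// Read access to workspace-secrets is rendered only with ws-manager-mk2; the callback cannot fail, so the error is ignored.` If `WithExperimental` can return an error of its own (not visible here), return it rather than discard it, so a bad config cannot silently change the rendered RBAC. The body of `role()` continues past the end of the hunk.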
@@ -54,25 +55,33 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) { Namespace: ctx.Namespace, }}, }, + } - &rbacv1.RoleBinding{ - TypeMeta: common.TypeMetaRoleBinding, - ObjectMeta: metav1.ObjectMeta{ - Name: Component, - Namespace: common.WorkspaceSecretsNamespace, - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "Role", - Name: Component, - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", + _ = ctx.WithExperimental(func(ucfg *experimental.Config) error { + if ucfg.Workspace != nil && ucfg.Workspace.UseWsmanagerMk2 { + bindings = append(bindings, &rbacv1.RoleBinding{ + TypeMeta: common.TypeMetaRoleBinding, + ObjectMeta: metav1.ObjectMeta{ Name: Component, - Namespace: ctx.Namespace, + Namespace: common.WorkspaceSecretsNamespace, }, - }, - }, - }, nil + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", + Name: Component, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Name: Component, + Namespace: ctx.Namespace, + }, + }, + }) + } + + return nil + }) + + return bindings, nil }
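Review bot: The mk2 gate is written a second time here, in a different form from `role()` in role.go, and `bindings` is mutated from inside the `WithExperimental` callback. If the two conditions drift apart, the installer renders a RoleBinding in `workspace-secrets` that points at a Role that does not exist, or a Role with no binding. Reading the flag once and branching outside the closure keeps the two files identical in shape and easier to audit. Ideally the flag read moves into one helper that both files call. `rolebinding()` starts before this hunk.

```go
	// … unchanged: ClusterRoleBinding and the bindings before it …
	}

	var useMk2 bool
	_ = ctx.WithExperimental(func(ucfg *experimental.Config) error {
		useMk2 = ucfg.Workspace != nil && ucfg.Workspace.UseWsmanagerMk2
		return nil
	})
	if !useMk2 {
		return bindings, nil
	}

	// Must stay in step with role(): the Role this binding refers to is
	// rendered under the same condition.
	return append(bindings, &rbacv1.RoleBinding{
		// … unchanged: TypeMeta, ObjectMeta, RoleRef, Subjects …
	}), nil
```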