diff --git a/config/acceptance/kustomization.yaml b/config/acceptance/kustomization.yaml
index 992c6231..b2dad973 100644
--- a/config/acceptance/kustomization.yaml
+++ b/config/acceptance/kustomization.yaml
@@ -12,3 +12,26 @@ patchesStrategicMerge:
 - overlays/rbac-manager.yaml
 - overlays/vault-manager.yaml
 - overlays/workloads-manager.yaml
+
+# Sadly we must repeat the replacement as in our root Kustomization, because we've
+# overriden the image field, and there's no way to get Kustomize to run the (merged) replacements
+# after (merged) patches.
+replacements:
+ - source:
+ fieldPath: spec.template.spec.containers.[name=manager].image
+ group: apps
+ version: v1
+ kind: StatefulSet
+ name: theatre-vault-manager
+ namespace: theatre-system
+ targets:
+ - select:
+ group: apps
+ kind: StatefulSet
+ name: vault-manager
+ version: v1
+ fieldPaths:
+ - spec.template.spec.containers.0.args.0
+ options:
+ delimiter: =
+ index: 1
diff --git a/config/acceptance/overlays/vault-manager.yaml b/config/acceptance/overlays/vault-manager.yaml
index a3ae2ef0..573dc83c 100644
--- a/config/acceptance/overlays/vault-manager.yaml
+++ b/config/acceptance/overlays/vault-manager.yaml
@@ -11,9 +11,6 @@ spec:
 - name: manager
 image: theatre:latest
 imagePullPolicy: Never
- args:
- - --theatre-image=$(THEATRE_IMAGE)
- - --metrics-address=0.0.0.0
 resources:
 requests:
 cpu: "100m"
diff --git a/config/base/kustomization.yaml b/config/base/kustomization.yaml
index ecd73b01..b6ce5cc0 100644
--- a/config/base/kustomization.yaml
+++ b/config/base/kustomization.yaml
@@ -5,8 +5,10 @@ kind: Kustomization
 namespace: theatre-system
 namePrefix: theatre-
-commonLabels:
- app: theatre
+labels:
+- includeSelectors: true
+ pairs:
+ app: theatre
 resources:
 - crds/rbac.crd.gocardless.com_directoryrolebindings.yaml
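Review bot: The target path `spec.template.spec.containers.0.args.0` in the `replacements` block added to config/acceptance/kustomization.yaml is positional, while the source in the same block picks the container by name (`containers.[name=manager]`). If a container is ever listed before `manager`, or an argument before `--theatre-image=`, the text after `=` of some other argument would be rewritten instead, and the webhook would presumably no longer be tied to the image it runs itself. The container half can be made name-based, `- spec.template.spec.containers.[name=manager].args.0`; the argument half stays positional, so the ordering requirement deserves a comment where the args are declared. The same path is used in the `replacements` hunk of config/base/kustomization.yaml.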
@@ -22,16 +24,27 @@ resources:
 - rbac/leader-election.yaml
 - cert-manager/certificate.yaml
-vars:
+replacements:
 # We want our mutating webhook to ensure it only ever configures pods to use
 # the same image as it is running itself. If we ensure this, we don't need to
 # worry about maintaining compatibility between versions of the webhook and
 # theatre-secrets, as both will use the same version and be deployed
 # atomically.
- - name: THEATRE_IMAGE
- objref:
- apiVersion: apps/v1
+ - source:
+ fieldPath: spec.template.spec.containers.[name=manager].image
+ group: apps
+ version: v1
 kind: StatefulSet
- name: vault-manager
- fieldref:
- fieldpath: spec.template.spec.containers[0].image
+ name: theatre-vault-manager
+ namespace: theatre-system
+ targets:
+ - select:
+ group: apps
+ kind: StatefulSet
+ name: vault-manager
+ version: v1
+ fieldPaths:
+ - spec.template.spec.containers.0.args.0
+ options:
+ delimiter: =
+ index: 1
diff --git a/config/base/managers/vault.yaml b/config/base/managers/vault.yaml
index db042daf..18bde064 100644
--- a/config/base/managers/vault.yaml
+++ b/config/base/managers/vault.yaml
@@ -113,7 +113,7 @@ spec:
 - command:
 - /usr/local/bin/vault-manager
 args:
- - --theatre-image=$(THEATRE_IMAGE)
+ - --theatre-image=THEATRE_IMAGE_PLACEHOLDER
 - --metrics-address=0.0.0.0
 image: eu.gcr.io/gc-containers/gocardless/theatre:latest
 imagePullPolicy: Always
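Review bot: In the new `replacements` entry of config/base/kustomization.yaml the source names the StatefulSet `theatre-vault-manager` with `namespace: theatre-system`, while `targets.select` names it `vault-manager`, the name the removed `vars.objref` used. With `namePrefix: theatre-` set in the same file these are presumably one object referred to after and before the prefix is applied, but nothing in the file says so and a reader can take them for two resources. A comment above `targets`, for example `# Same StatefulSet as the source, selected by its un-prefixed name`, would record the intent once it has been confirmed against the rendered output. config/acceptance/kustomization.yaml repeats the same pair.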
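Review bot: `THEATRE_IMAGE_PLACEHOLDER` in the `args` of config/base/managers/vault.yaml only becomes a real value once the `replacements` entry in config/base/kustomization.yaml rewrites it, and nothing at this line says so or that the argument has to stay first. If the manifest is rendered through a path where the replacement is skipped or misses, the manager would presumably start with the literal placeholder as the image it injects, which defeats the same-image guarantee described in the kustomization comment. I would add `# Rewritten by replacements in config/base/kustomization.yaml; must remain args[0]` above the argument, and have CI fail when the rendered manifests still contain `THEATRE_IMAGE_PLACEHOLDER`. The container spec starts and ends outside the hunk.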