chore(external-secrets): upgrade and set pod security standards

external-secrets/justfile

@@ -1,7 +1,7 @@
 set fallback := true
 
 export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
-export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "0.19.2")
+export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "1.1.0")
 export EXTERNAL_SECRETS_REFRESH_INTERVAL := env("EXTERNAL_SECRETS_REFRESH_INTERVAL", "1800")
 export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
 export VAULT_HOST := env("VAULT_HOST", "")
@@ -28,6 +28,10 @@ install:
         --version ${EXTERNAL_SECRETS_CHART_VERSION} -n ${EXTERNAL_SECRETS_NAMESPACE} \
         --create-namespace --wait \
         -f external-secrets-values.yaml
+
+    kubectl label namespace ${EXTERNAL_SECRETS_NAMESPACE} \
+        pod-security.kubernetes.io/enforce=restricted --overwrite
+
     just create-external-secrets-role
     just create-vault-secret-store
 
@@ -56,5 +60,6 @@ create-external-secrets-role root_token='':
     vault write auth/kubernetes/role/external-secrets \
         bound_service_account_names=external-secrets \
         bound_service_account_namespaces=${EXTERNAL_SECRETS_NAMESPACE} \
+        audience=vault \
         policies=admin \
         ttl=1h