The rancher token secrets engine is registered ('imported') into the catalog by
terraform-vault (sys/plugins/catalog, sudo-protected) and configured via the
ranchervaultsecret provider, so the deployer needs catalog access plus write on
the engine's config/service-accounts/roles paths. Without this, apply 403s on
plugin registration and on rancher/* writes.
- Add policies/rancher/admin.yaml granting the tf_vault approle and the
woodpecker_terraform_vault k8s role: catalog sudo on the plugin, and manage on
rancher/{config,service-accounts,roles}.