Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).
- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
roles}.
- Move the sudo-protected plugin-catalog grant to
policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
owned by a sys code owner.
The rancher token secrets engine is registered ('imported') into the catalog by
terraform-vault (sys/plugins/catalog, sudo-protected) and configured via the
ranchervaultsecret provider, so the deployer needs catalog access plus write on
the engine's config/service-accounts/roles paths. Without this, apply 403s on
plugin registration and on rancher/* writes.
- Add policies/rancher/admin.yaml granting the tf_vault approle and the
woodpecker_terraform_vault k8s role: catalog sudo on the plugin, and manage on
rancher/{config,service-accounts,roles}.