found kubernetes vaultauth resources never picking up new policies, because they would infinitely renew their token. - set default max token length for roles to 1 day - changed all existing role token_max_ttl to match their token_ttl
- annotations as alias metadata does not work with openbao (idempotency issue) - set token_ttl to be 600 for all auth roles for kubernetes (min)
- update bound service account names to be `rancher` - update namespace to cattle-system (do not run rancher in another namespace)
- add kubernetes role for rancher - add policy to enable access to bootstrap-password
