The terraform-authentik module now reads OAuth2 client secrets from Vault
(data.vault_kv_secret_v2) instead of committing them, but the
terraform_authentik approle / woodpecker_terraform_authentik k8s role only
had the consul creds policy, so plan failed with permission denied.
Grant read on kv/data/kubernetes/namespace/+/default/oauth-credentials so
the runner can read the client secret for any namespace's OIDC provider
(e.g. grafana).