a400e5dc7e
ci/woodpecker/push/apply Pipeline was successful
## Why Applying the newly-merged litellm mount (#83) failed at apply time with: ``` Error: failed to write litellm config URL: PUT https://vault.service.consul:8200/v1/litellm/config Code: 403. * permission denied ``` The deployer identity (`tf_vault` approle / `woodpecker_terraform_vault` k8s role) can enable the mount via `sys/mounts/admin`, but no policy grants it access to the engine's own data paths, so writing the config and roles is denied. ## Changes - Add `policies/litellm/admin.yaml` granting `create`/`read`/`update`/`delete` on `litellm/config` and `litellm/roles/*` (plus `read`/`list` on `litellm/roles`), assigned to the same auth roles as the other secret-engine admin policies (`tf_vault`, `woodpecker_terraform_vault`). ## Note The policy attaches to the deployer's auth roles, so it takes effect on the next token issuance — a re-run of the apply (fresh Vault login) will have the permission and can write `litellm/config` and the roles. Reviewed-on: #84 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>