e01deb13d6
The terraform-authentik module now reads OAuth2 client secrets from Vault (data.vault_kv_secret_v2) instead of committing them, but the terraform_authentik approle / woodpecker_terraform_authentik k8s role only had the consul creds policy, so plan failed with permission denied. Grant read on kv/data/kubernetes/namespace/+/default/oauth-credentials so the runner can read the client secret for any namespace's OIDC provider (e.g. grafana).