fix(privacyidea): create pi-admin-all-rights policy in bootstrap-admin.sh

Once any admin policy exists, PI enforces it for all admins. Without an
explicit policy, pi-admin is locked out of the REST API after trigger-admin-rights
is created. Add pi-admin-all-rights (scope=admin, action=*) via pi-manage
(in-pod) as step 5, before the REST-based trigger-admin-rights step.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

sso-mfa/k8s/privacyidea/bootstrap-admin.sh

@@ -86,7 +86,23 @@ kubectl create secret generic privacyidea-trigger-admin \
 
 echo "  Done."
 
-# ── 5. Create trigger-admin policy via REST API ───────────────────────────────
+# ── 5. Create pi-admin-all-rights policy via pi-manage ───────────────────────
+# Once ANY admin policy exists, privacyIDEA enforces it for all admins.
+# The trigger-admin-rights policy (step 6) restricts trigger-admin to
+# triggerchallenge only — but that restriction also locks out pi-admin from
+# the REST API unless pi-admin has its own explicit policy granting full rights.
+# This policy must be created via pi-manage (in-pod) because there is no REST
+# access before it exists.
+echo ""
+echo "Creating pi-admin-all-rights policy via pi-manage ..."
+if kubectl exec -n "$NAMESPACE" "$PI_POD" -- \
+    pi-manage config policy create pi-admin-all-rights admin "*" 2>&1 | grep -qi "already exist\|exists"; then
+    echo "  pi-admin-all-rights already exists — skipping."
+else
+    echo "  pi-admin-all-rights created."
+fi
+
+# ── 6. Create trigger-admin policy via REST API ───────────────────────────────
 # This restricts trigger-admin to the triggerchallenge action only.
 # Requires pink.coulomb.social to be reachable.
 echo ""
@@ -132,7 +148,7 @@ else
     fi
 fi
 
-# ── 6. Summary ────────────────────────────────────────────────────────────────
+# ── 7. Summary ────────────────────────────────────────────────────────────────
 echo ""
 echo "════════════════════════════════════════════════════════════"
 echo "  Admin bootstrap complete."