refactor!: standardize secret path layout

[Matthiator]

📝 Summary

Scopes the built-in secret-manager path contract by cluster and stage so one secret backend can hold multiple clusters and stages without path collisions.

Namespace-specific secrets now use:

<cluster-name>/<stage>/<namespace>/<secret>

Cluster-wide secrets now use:

<cluster-name>/<stage>/cluster_secrets/<secret>

The shared Helm consumers and STACKIT Terraform producers now use the same paths, including:

• <cluster-name>/<stage>/cluster_secrets/docker_config
• <cluster-name>/<stage>/cluster_secrets/vault_instance
• <cluster-name>/<stage>/oauth2-proxy/oauth2_credentials
• <cluster-name>/<stage>/argocd/argo_oauth2_credentials
• <cluster-name>/<stage>/kube-prometheus-stack/grafana_credentials
• <cluster-name>/<stage>/kube-prometheus-stack/grafana_oauth2_credentials
• <cluster-name>/<stage>/external-dns/dns_zone_admin
• <cluster-name>/<stage>/velero/velero_s3_credentials

The local OpenBao setup writes Grafana credentials and optional Docker pull credentials to the same scoped paths. Documentation was updated to describe the new layout.

🧩 Type of change

• 🔧 CLI / Go code
• 📦 Helm chart
• 🧱 Terraform module
• 📝 Documentation
• 🧪 Test or CI change
• ♻️ Refactor / cleanup

⚠️ Is this a breaking change?

• Yes, this change breaks existing functionality (explain in summary)

Existing installations using the previous flat or namespace-only secret paths must move secrets to the new cluster/stage-scoped paths before deploying regenerated Helm values.

Terraform-managed STACKIT secrets are replaced at the new paths when the regenerated Terraform is applied. Copied Terraform files such as OAuth secret definitions must be updated to the new names before applying. Secrets created outside Terraform or OpenTofu must be recreated manually at the corresponding new path.

Apply the Terraform or OpenTofu changes before deploying the new Helm values so External Secrets can resolve the new remote keys.

🧪 Testing

• CI passed
• Manually tested (local/dev cluster)
• Unit tested
• Not tested (explain why below)

Ran locally:

• go test ./internal/render ./internal/cmd/bootstrap
• UV_PYTHON=3.14.5 make docs-validate
• git diff --check

🔗 Related Issues / Tickets

• Preparatory split from feat: add T Cloud Public CCE provider support #370
• Related to refactor: make external-dns values provider-aware #391
• Related to [Security]: Define External Secrets namespace isolation best practices #414

✅ Checklist

• Code compiles and passes relevant tests
• Linting and style checks pass
• Comments added for complex logic
• Documentation updated (if applicable)

📎 Additional Context (optional)

This PR is intentionally limited to the shared secret-path contract and local OpenBao parity. Namespace-scoped authorization and provider-specific SecretStore behavior remain separate concerns.

It can proceed in parallel with #391. The expected overlap is limited to the shared ExternalDNS values during the eventual rebase.

[tuunit]

If we already work on this. Shouldn't we already take the opportunity to fully clean this up. Meaning introducing a path like:

<cluster>/<namespace>/<namespace-service-specific-keys>

Otherwise we will have to introduce a second breaking change for the same reason in the future

[Matthiator]

Good point. I updated the layout to <cluster>/<stage>/<namespace>/<secret>, with cluster-wide secrets at <cluster>/<stage>/cluster_secrets/<secret>. Terraform, Helm, local OpenBao, and the docs now use the same structure.