refactor: update Vault secret paths to new categorized structure

- authelia: postgresql → storage/postgresql, authelia → security/authelia
- external-secrets: zot → storage/zot (ClusterExternalSecret)
- vault: secret/data/vault/config → security/vault, authelia → security/authelia

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

authelia/manifests/secret.yaml

@@ -15,45 +15,45 @@ spec:
     # Storage password (PostgreSQL)
     - secretKey: storage.postgres.password.txt
       remoteRef:
-        key: postgresql
+        key: storage/postgresql
         property: PASSWORD
     # Session encryption key
     - secretKey: session.encryption.key
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: SESSION_SECRET
     # Storage encryption key
     - secretKey: storage.encryption.key
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: STORAGE_ENCRYPTION_KEY
     # JWT HMAC key for identity validation (password reset)
     - secretKey: identity_validation.reset_password.jwt.hmac.key
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: JWT_HMAC_KEY
     # OIDC HMAC key
     - secretKey: identity_providers.oidc.hmac.key
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: OIDC_HMAC_SECRET
     # OIDC JWKS private key
     - secretKey: identity_providers.oidc.jwks.key
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: OIDC_JWKS_PRIVATE_KEY
     # Headlamp OIDC client secret
     - secretKey: HEADLAMP_CLIENT_SECRET
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: HEADLAMP_CLIENT_SECRET
     # Vault OIDC client secret
     - secretKey: VAULT_CLIENT_SECRET
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: VAULT_CLIENT_SECRET
     # Zot OIDC client secret
     - secretKey: ZOT_CLIENT_SECRET
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: ZOT_CLIENT_SECRET

external-secrets/manifests/zot-cluster-secret.yaml

@@ -23,9 +23,9 @@ spec:
     data:
       - secretKey: USERNAME
         remoteRef:
-          key: zot
+          key: storage/zot
           property: USERNAME
       - secretKey: PASSWORD
         remoteRef:
-          key: zot
+          key: storage/zot
           property: PASSWORD

vault/manifests/external-secret.yaml

@@ -14,5 +14,5 @@ spec:
   data:
     - secretKey: extraconfig-from-values.hcl
       remoteRef:
-        key: secret/data/vault/config
+        key: security/vault
         property: extraconfig-from-values.hcl

vault/manifests/oidc-secret.yaml

@@ -14,5 +14,5 @@ spec:
   data:
     - secretKey: VAULT_CLIENT_SECRET
       remoteRef:
-        key: authelia
+        key: security/authelia
         property: VAULT_CLIENT_SECRET