feat: add Secret Manager #2678

Open
rmnbrd wants to merge 76 commits into staging from feat/secrets-manager

@rmnbrd rmnbrd commented May 11, 2026

Summary

PR implementing the Secret Manager feature.

Branch Diff Summary

This branch introduces External Secrets / Secret Manager integration as a major feature, along with several supporting improvements.


🔑 Core Feature: External Secrets & Secret Manager Integration

New @qovery/shared/util-clusters library — Pure utility functions for cluster/secret manager logic (AWS/GCP detection, integration constraint checks, readable labels, etc.).

Secret Manager modals (libs/domains/clusters/feature):

  • SecretManagerIntegrationModal — Full form for configuring AWS/GCP secret managers with automatic vs. manual tabs, STS assume role, static credentials, GCP JSON credentials, and constraint logic (e.g., automatic + assume role are mutually exclusive).
  • SecretManagerAssociatedExternalSecretsModal — Tree-view modal showing which services use a given secret manager.
  • SecretManagerList / AddonToggleCard — Reusable components for managing the list of configured secret managers.

New API queries in clusters data-access:

  • listSecretManagerSecretsFromProvider — autocomplete/search for secret names.
  • listSecretManagerAssociatedServices — shows what's using a secret manager.

🧩 Cluster Add-ons Page (new route)

Two new routes at /cluster/$clusterId/settings/addons (settings) and /cluster/create/$slug/addons (creation flow):

  • Cluster settings Add-ons page — Manage KEDA autoscaler and Secret Manager integrations on an existing cluster.
  • Creation flow Add-ons step — New step injected between "Features" and "Summary" for AWS/GCP clusters. The StepSummary now includes add-on data in the cluster creation payload.
  • Cluster creation flow gains addonsData context state and the step count increases by 1 for AWS/GCP managed clusters.

📋 Variables Page Refactor (tabs)

Both the environment and service Variables pages were converted from single-page to a tabbed layout:

Tab | Route suffix
Custom | /variables/
External secrets | /variables/external-secrets
Built-in | /variables/built-in

  • Old flat variables.tsx files deleted; replaced by variables/route.tsx (layout) + index.tsx / built-in.tsx / external-secrets.tsx sub-routes.
  • ExternalSecretsTab — Full TanStack Table with search, filter, sort, bulk delete, and add/edit modals wired to useCreateVariable / useEditVariable.
  • The External secrets tab is gated behind the secret-manager PostHog feature flag.

🛠️ VariableList Refactor

  • New props: showOnly ('custom' | 'built-in'), hideSectionLabel, headerActions.
  • Redesigned action column: edit button always visible + overflow menu for alias/override/delete.
  • Removed "Service link" column when in service scope tab layout.
  • File path displayed inline under variable name in service-scoped custom tab.
  • Empty state for custom tab has "Add variable" / "Import from Doppler" CTAs.

🆕 Service Creation Flow — Variables Step

The application/container creation step-variables was rewritten:

  • Replaced FlowCreateVariable with a custom inline table UI.
  • Added an External Secrets section (shown only when secret-manager flag is on and a secret manager is linked to the cluster).
  • StepSummary now creates external secret variables via useCreateVariable after service creation (errors are non-blocking via Promise.allSettled).

🗂️ AssociatedItemsModal Refactoring

LabelAnnotationItemsListModal was generalized into AssociatedItemsModal with generic AssociatedItem type, customizable title/placeholder/item label — now reused by both the labels/annotations feature and the secret manager feature.


🔧 Other Changes

  • CreateUpdateVariableModal split: API-backed wrapper kept, new VariableFormModal extracted for use in creation flows (before a service exists).
  • VariablesActionToolbar gains showDopplerButton and hasClusterSecretManagerConfigured props.
  • StickyActionFormToaster gains fixed mode (used in tab layouts).
  • TableFilterSearch gains configurable placeholder and consistent sizing.
  • TableFilter dropdown truncates long option labels.
  • Navbar.Item now has cursor-pointer by default.
  • InputSelect supports disabledTooltip on individual options.
  • New Tailwind tokens: negativeInvert, surface.negativeInvert, background-invert-1.
  • qovery-typescript-axios bumped 1.1.891 → 1.1.893.
  • Old cluster.router.ts constants file deleted (inline paths used instead).

Testing

  • Changes tested locally in the relevant Console's pages and Storybooks
  • yarn test or yarn test -u (if you need to regenerate snapshots)
  • yarn format
  • yarn lint

PR Checklist

  • I followed naming, styling, and TypeScript rules (see .cursor/rules)
  • I performed a self-review (diff inspected, dead code removed)
  • I titled the PR using Conventional Commits with a scope when possible (e.g. feat(service): add new Terraform service) - required for semantic-release
  • I only kept necessary comments, written in English (watch for useless AI comments)
  • I involved a designer to validate UI changes if I am not a designer
  • I covered new business logic with tests (unit)
  • I confirmed CI is green (Codecov red can be accepted)
  • I reviewed and executed locally any AI-assisted code

@rmnbrd rmnbrd self-assigned this May 11, 2026
@rmnbrd rmnbrd force-pushed the feat/secrets-manager branch 3 times, most recently from 0286b11 to 2d1f40b May 18, 2026 08:48
@rmnbrd rmnbrd force-pushed the feat/secrets-manager branch from aedb64e to 6cd95bf May 19, 2026 06:12
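
The constraint named in the PR description (automatic mode and assume role are mutually exclusive), as an added TypeScript example that is not code from this PR. The field names, the error codes and every rule marked as an assumption are hypothetical; the validator returns codes only, so credential values cannot end up in an error message.

```typescript
// Added example. Field names are hypothetical; the PR page names the options only.
type Provider = 'AWS' | 'GCP'
type Mode = 'automatic' | 'manual'

interface SecretManagerForm {
  provider: Provider
  mode: Mode
  assumeRoleArn?: string // AWS STS assume role
  accessKeyId?: string // AWS static credentials
  secretAccessKey?: string
  gcpJsonCredentials?: string // GCP JSON credentials, as pasted text
}

const filled = (v?: string): boolean => typeof v === 'string' && v.trim().length > 0

// Returns error codes only, so a credential value can never reach a toast or a log.
function validateSecretManagerForm(f: SecretManagerForm): string[] {
  const errors: string[] = []
  const role = filled(f.assumeRoleArn)
  const staticKeys = filled(f.accessKeyId) || filled(f.secretAccessKey)
  const gcpJson = filled(f.gcpJsonCredentials)

  // Constraint stated in the PR description.
  if (f.mode === 'automatic' && role) errors.push('AUTOMATIC_WITH_ASSUME_ROLE')
  // Assumption: automatic mode uses the cluster's own identity, so it stores no credentials.
  if (f.mode === 'automatic' && (staticKeys || gcpJson)) errors.push('AUTOMATIC_WITH_CREDENTIALS')
  // Assumption: each credential type belongs to exactly one provider.
  if (f.provider === 'GCP' && (role || staticKeys)) errors.push('AWS_CREDENTIALS_ON_GCP')
  if (f.provider === 'AWS' && gcpJson) errors.push('GCP_CREDENTIALS_ON_AWS')

  if (f.mode === 'manual' && f.provider === 'AWS') {
    // Assumption: manual AWS takes exactly one of assume role or a complete key pair.
    if (role === staticKeys) errors.push('AWS_NEEDS_EXACTLY_ONE_CREDENTIAL_SOURCE')
    if (staticKeys && !(filled(f.accessKeyId) && filled(f.secretAccessKey))) errors.push('AWS_STATIC_KEY_INCOMPLETE')
  }
  if (f.mode === 'manual' && f.provider === 'GCP') {
    if (!gcpJson) {
      errors.push('GCP_JSON_MISSING')
    } else {
      try {
        const parsed = JSON.parse(f.gcpJsonCredentials as string)
        if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) errors.push('GCP_JSON_NOT_AN_OBJECT')
      } catch {
        errors.push('GCP_JSON_INVALID') // never echo the raw input or the parser message
      }
    }
  }
  return errors
}
```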

codecov Bot commented May 29, 2026

Codecov Report

❌ Patch coverage is 46.66667% with 544 lines in your changes missing coverage. Please review.
✅ Project coverage is 45.93%. Comparing base (e9c7761) to head (87a065f).
⚠️ Report is 1 commits behind head on staging.

Files with missing lines | Patch % | Lines
...rnal-secrets/add-secret-modal/add-secret-modal.tsx | 4.61% | 61 Missing and 1 partial ⚠️
...tainer-variables/step-variables/step-variables.tsx | 28.20% | 41 Missing and 15 partials ⚠️
...es/feature/src/lib/variable-list/variable-list.tsx | 49.51% | 36 Missing and 16 partials ⚠️
.../src/lib/external-secrets/external-secrets-tab.tsx | 61.06% | 38 Missing and 13 partials ⚠️
...anager-modals/secret-manager-integration-modal.tsx | 64.74% | 38 Missing and 11 partials ⚠️
.../cluster-creation-flow/step-addons/step-addons.tsx | 0.00% | 40 Missing ⚠️
...te-variable-modal/create-update-variable-modal.tsx | 25.00% | 34 Missing and 2 partials ⚠️
...cret-manager-associated-external-secrets-modal.tsx | 78.57% | 13 Missing and 5 partials ⚠️
...ce-variables-tabs/service-variables-custom-tab.tsx | 40.74% | 15 Missing and 1 partial ⚠️
libs/shared/util-clusters/src/index.ts | 0.00% | 12 Missing ⚠️
... and 36 more

Additional details and impacted files
@@             Coverage Diff             @@
##           staging    #2678      +/-   ##
===========================================
+ Coverage    45.86%   45.93%   +0.06%     
===========================================
  Files         1164     1197      +33     
  Lines        24497    25430     +933     
  Branches      7196     7520     +324     
===========================================
+ Hits         11236    11681     +445     
- Misses       11299    11700     +401     
- Partials      1962     2049      +87     

Flag | Coverage Δ
unittests | 45.93% <46.66%> (+0.06%) ⬆️

@rmnbrd rmnbrd marked this pull request as ready for review May 29, 2026 12:09
Copilot AI review requested due to automatic review settings May 29, 2026 12:09

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
