From 65edbd9ed97499f9dc7d9d1eeca4161d29594d86 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Sun, 19 Apr 2026 16:34:27 -0300
Subject: [PATCH] quality(sonarqube): inject exporter token from vault

---
 services/quality/sonarqube-exporter-deployment.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/services/quality/sonarqube-exporter-deployment.yaml b/services/quality/sonarqube-exporter-deployment.yaml
index f794211c..5d33ad28 100644
--- a/services/quality/sonarqube-exporter-deployment.yaml
+++ b/services/quality/sonarqube-exporter-deployment.yaml
@@ -16,10 +16,18 @@ spec:
       labels:
         app: sonarqube-exporter
       annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "quality"
+        vault.hashicorp.com/agent-inject-secret-sonarqube-exporter-env.sh: "kv/data/atlas/quality/sonarqube-exporter"
+        vault.hashicorp.com/agent-inject-template-sonarqube-exporter-env.sh: |
+          {{- with secret "kv/data/atlas/quality/sonarqube-exporter" -}}
+          export SONARQUBE_TOKEN="{{ .Data.data.token }}"
+          {{- end -}}
         prometheus.io/scrape: "true"
         prometheus.io/port: "9798"
         prometheus.io/path: /metrics
     spec:
+      serviceAccountName: quality-vault-sync
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
       affinity:
@@ -49,6 +57,9 @@ spec:
             - -ec
           args:
             - |
+              if [ -f /vault/secrets/sonarqube-exporter-env.sh ]; then
+                . /vault/secrets/sonarqube-exporter-env.sh
+              fi
               cp /config/exporter.py /app/exporter.py
               python /app/exporter.py
           env: