ci(jenkins): inject sonarqube token from vault

services/jenkins/configmap-jcasc.yaml

@@ -51,6 +51,11 @@ data:
               username: "${HARBOR_STREAMING_ROBOT_USERNAME}"
               password: "${HARBOR_STREAMING_ROBOT_PASSWORD}"
               description: "Harbor robot for streaming pushes"
+          - string:
+              scope: GLOBAL
+              id: sonarqube-token
+              secret: "${SONARQUBE_TOKEN}"
+              description: "SonarQube token for quality-gate evidence collection"
   jobs.yaml: |
     jobs:
       - script: |

services/jenkins/deployment.yaml

@@ -50,6 +50,9 @@ spec:
           GITEA_PAT_USERNAME={{ .Data.data.username }}
           GITEA_PAT_TOKEN={{ .Data.data.token }}
           {{ end }}
+          {{ with secret "kv/data/atlas/quality/sonarqube-oidc" }}
+          SONARQUBE_TOKEN={{ .Data.data.sonarqube_exporter_token }}
+          {{ end }}
           {{ with secret "kv/data/atlas/jenkins/webhook-tokens" }}
           TITAN_IAC_WEBHOOK_TOKEN={{ .Data.data.titan_iac_quality_gate }}
           GIT_NOTIFY_TOKEN_BSTEIN_DEV_HOME={{ .Data.data.git_notify_bstein_dev_home }}

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -219,7 +219,7 @@ write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
 write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
   "comms/* shared/chat-ai-keys-runtime shared/harbor-pull" ""
 write_policy_and_role "jenkins" "jenkins" "jenkins,jenkins-vault-sync" \
-  "jenkins/* shared/harbor-pull" ""
+  "jenkins/* shared/harbor-pull quality/sonarqube-oidc" ""
 write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
   "monitoring/* shared/postmark-relay shared/harbor-pull" ""
 write_policy_and_role "logging" "logging" "logging-vault-sync" \