From 788359316681db4fc24e142db083ecb2a9e691bd Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 21 Apr 2026 19:42:43 -0300
Subject: [PATCH] ci(jenkins): inject sonarqube token from vault
---
 services/jenkins/configmap-jcasc.yaml | 5 +++++
 services/jenkins/deployment.yaml | 3 +++
 services/vault/scripts/vault_k8s_auth_configure.sh | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/services/jenkins/configmap-jcasc.yaml b/services/jenkins/configmap-jcasc.yaml
index 2ba1f06d..16304c68 100644
--- a/services/jenkins/configmap-jcasc.yaml
+++ b/services/jenkins/configmap-jcasc.yaml
@@ -51,6 +51,11 @@ data:
 username: "${HARBOR_STREAMING_ROBOT_USERNAME}"
 password: "${HARBOR_STREAMING_ROBOT_PASSWORD}"
 description: "Harbor robot for streaming pushes"
+ - string:
+ scope: GLOBAL
+ id: sonarqube-token
+ secret: "${SONARQUBE_TOKEN}"
+ description: "SonarQube token for quality-gate evidence collection"
 jobs.yaml: |
 jobs:
 - script: |
diff --git a/services/jenkins/deployment.yaml b/services/jenkins/deployment.yaml
index 0608fc01..c7d80f1d 100644
--- a/services/jenkins/deployment.yaml
+++ b/services/jenkins/deployment.yaml
@@ -50,6 +50,9 @@ spec:
 GITEA_PAT_USERNAME={{ .Data.data.username }}
 GITEA_PAT_TOKEN={{ .Data.data.token }}
 {{ end }}
+ {{ with secret "kv/data/atlas/quality/sonarqube-oidc" }}
+ SONARQUBE_TOKEN={{ .Data.data.sonarqube_exporter_token }}
+ {{ end }}
 {{ with secret "kv/data/atlas/jenkins/webhook-tokens" }}
 TITAN_IAC_WEBHOOK_TOKEN={{ .Data.data.titan_iac_quality_gate }}
 GIT_NOTIFY_TOKEN_BSTEIN_DEV_HOME={{ .Data.data.git_notify_bstein_dev_home }}
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 5920542c..02356475 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
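Review bot: The new `sonarqube-token` credential entry is declared `scope: GLOBAL`, which makes it available to every job on the controller rather than only to the quality-gate evidence collection its description names; if it is consumed only by controller-side code, `scope: SYSTEM` keeps it out of pipeline contexts, and if pipelines do need it the reason belongs next to the entry, e.g. `# GLOBAL because pipeline steps read it; SYSTEM would hide it from jobs`. The value comes from `${SONARQUBE_TOKEN}`, which this commit only populates through the Vault agent template in deployment.yaml, so the credential is only as reliable as that env file; how JCasC treats an unresolved placeholder at load time depends on the plugin version and should be verified rather than assumed to fail loudly. A short note on the entry recording where the variable is sourced from, e.g. `# SONARQUBE_TOKEN is written by the Vault agent template in deployment.yaml`, would spare the next reader a cross-file hunt. The enclosing credentials list starts above the hunk.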
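Review bot: The added `with secret` block reads `.Data.data.sonarqube_exporter_token` from a KV entry named `quality/sonarqube-oidc`, and the mismatch between the key (an exporter token) and the path (OIDC material, judging by the name) is worth recording in the template, e.g. `{{/* Jenkins consumes only sonarqube_exporter_token from this entry */}}`, or the key should move to a path named for its consumer. As written, a misspelled or missing key would not obviously fail the render: Go text/template prints a missing map field as the literal text `<no value>` unless the agent is configured to error on missing keys, so `SONARQUBE_TOKEN` could silently carry that string into the JCasC credential — hedged, since the agent's template configuration is outside this hunk. The surrounding template block begins above the hunk.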
@@ -219,7 +219,7 @@ write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
 write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
 "comms/* shared/chat-ai-keys-runtime shared/harbor-pull" ""
 write_policy_and_role "jenkins" "jenkins" "jenkins,jenkins-vault-sync" \
- "jenkins/* shared/harbor-pull" ""
+ "jenkins/* shared/harbor-pull quality/sonarqube-oidc" ""
 write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
 "monitoring/* shared/postmark-relay shared/harbor-pull" ""
 write_policy_and_role "logging" "logging" "logging-vault-sync" \
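Review bot: Adding `quality/sonarqube-oidc` to the jenkins role's path list grants whatever capabilities `write_policy_and_role` attaches on the whole KV entry, while the only key Jenkins consumes (per deployment.yaml in this commit) is `sonarqube_exporter_token`; Vault KV policies are path-granular, so every other key stored there — plausibly the SonarQube OIDC client secret, judging by the path name — becomes readable by the identities bound to this role (presumably the `jenkins,jenkins-vault-sync` service accounts) as well. The least-privilege fix is to keep the Jenkins-facing token in its own KV entry (for example a consumer-specific path such as `quality/sonarqube-jenkins` — name constructed, not from this repo) and grant that path instead; if sharing the entry is deliberate, record it on the call: `# quality/sonarqube-oidc: jenkins needs only sonarqube_exporter_token — confirm no other keys live here`. `write_policy_and_role` is defined outside the hunk, so whether the grant is read-only or also allows list/update cannot be confirmed from here.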