feat: add sonarqube-token ExternalSecret and Jenkins credential

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

manifest/jenkins/values.yaml

@@ -82,6 +82,26 @@ extraObjects:
         remoteRef:
           key: jenkins/gitea-credentials
           property: password
+  - apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    metadata:
+      name: sonarqube-token
+      namespace: jenkins
+      annotations:
+        argocd.argoproj.io/sync-wave: "-1"
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault-backend
+        kind: ClusterSecretStore
+      target:
+        name: sonarqube-token
+        creationPolicy: Owner
+      data:
+      - secretKey: token
+        remoteRef:
+          key: jenkins/sonarqube-token
+          property: token
 
 controller:
   # -- Used for label app.kubernetes.io/component
@@ -554,6 +574,8 @@ controller:
       keyName: username
     - name: gitea-credentials
       keyName: password
+    - name: sonarqube-token
+      keyName: token
   # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets
 
   # -- List of additional secrets to create and mount
@@ -628,6 +650,11 @@ controller:
                   username: "${gitea-credentials-username}"
                   password: "${gitea-credentials-password}"
                   scope: GLOBAL
+              - string:
+                  description: "SonarQube token"
+                  id: "sonarqube-token"
+                  secret: "${sonarqube-token-token}"
+                  scope: GLOBAL
 
     # Allows adding to the top-level security JCasC section. For legacy purposes, by default, the chart includes apiToken configurations
     # -- Jenkins Config as Code security-section