From 4ff2f3e8892b001a38879da126b8b60534c11d13 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Wed, 14 Jan 2026 17:53:09 -0300
Subject: [PATCH] jenkins: escape vault env values

---
 services/jenkins/deployment.yaml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/services/jenkins/deployment.yaml b/services/jenkins/deployment.yaml
index 9ff7683..3c87349 100644
--- a/services/jenkins/deployment.yaml
+++ b/services/jenkins/deployment.yaml
@@ -23,20 +23,20 @@ spec:
         vault.hashicorp.com/agent-inject-secret-jenkins-env: "kv/data/atlas/jenkins/jenkins-oidc"
         vault.hashicorp.com/agent-inject-template-jenkins-env: |
           {{- with secret "kv/data/atlas/jenkins/jenkins-oidc" -}}
-          export OIDC_CLIENT_ID="{{ .Data.data.clientId }}"
-          export OIDC_CLIENT_SECRET="{{ .Data.data.clientSecret }}"
-          export OIDC_AUTH_URL="{{ .Data.data.authorizationUrl }}"
-          export OIDC_TOKEN_URL="{{ .Data.data.tokenUrl }}"
-          export OIDC_USERINFO_URL="{{ .Data.data.userInfoUrl }}"
-          export OIDC_LOGOUT_URL="{{ .Data.data.logoutUrl }}"
+          export OIDC_CLIENT_ID='{{ .Data.data.clientId | replace "'" "'\"'\"'" }}'
+          export OIDC_CLIENT_SECRET='{{ .Data.data.clientSecret | replace "'" "'\"'\"'" }}'
+          export OIDC_AUTH_URL='{{ .Data.data.authorizationUrl | replace "'" "'\"'\"'" }}'
+          export OIDC_TOKEN_URL='{{ .Data.data.tokenUrl | replace "'" "'\"'\"'" }}'
+          export OIDC_USERINFO_URL='{{ .Data.data.userInfoUrl | replace "'" "'\"'\"'" }}'
+          export OIDC_LOGOUT_URL='{{ .Data.data.logoutUrl | replace "'" "'\"'\"'" }}'
           {{- end }}
           {{- with secret "kv/data/atlas/jenkins/harbor-robot-creds" -}}
-          export HARBOR_ROBOT_USERNAME="{{ .Data.data.username }}"
-          export HARBOR_ROBOT_PASSWORD="{{ .Data.data.password }}"
+          export HARBOR_ROBOT_USERNAME='{{ .Data.data.username | replace "'" "'\"'\"'" }}'
+          export HARBOR_ROBOT_PASSWORD='{{ .Data.data.password | replace "'" "'\"'\"'" }}'
           {{- end }}
           {{- with secret "kv/data/atlas/jenkins/gitea-pat" -}}
-          export GITEA_PAT_USERNAME="{{ .Data.data.username }}"
-          export GITEA_PAT_TOKEN="{{ .Data.data.token }}"
+          export GITEA_PAT_USERNAME='{{ .Data.data.username | replace "'" "'\"'\"'" }}'
+          export GITEA_PAT_TOKEN='{{ .Data.data.token | replace "'" "'\"'\"'" }}'
           {{- end -}}
     spec:
       serviceAccountName: jenkins