From d0435565f65f1d804797a31f08ccee9f3b3352cc Mon Sep 17 00:00:00 2001
From: jatin
Date: Thu, 11 Jun 2026 13:52:55 -0400
Subject: [PATCH] [agent-sandbox] fix jwtPublicKey breaking job-template JSON (use toJson)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The sandbox job-template ConfigMap embedded jwtPublicKey into a JSON string literal as `"value": "{{ $as.jwtPublicKey }}"`. ES256 keys are normally multi-line PEM (BEGIN/END headers + newlines); a real newline inside a JSON string literal is invalid JSON, so the controller failed to read the job-template and could not spawn sandbox Jobs. (A compact JWK would break it too — embedded double-quotes.)

Fix: `"value": {{ $as.jwtPublicKey | toJson }}` — toJson emits the quoted, fully-escaped JSON string (newlines -> \n, quotes -> \"). This also makes the JSON path consistent with the env-var paths, which already use `| quote`.

Until now this only worked if the operator pre-flattened the key to a single `\n`-escaped line (the workaround the inline-secrets CI fixture relied on). Updated that fixture to a genuine multi-line PEM block scalar so it exercises the escaping, and corrected its comment.

Verified: rendered the inline-secrets fixture and parsed the embedded job-template.json — VALID with the fix, JSONDecodeError without it.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 ...t-agent-sandbox-inline-secrets-option.yaml | 19 ++++++++++++++++---
 .../templates/deployment_agent_sandbox.yaml | 2 +-
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/charts/retool/ci/test-agent-sandbox-inline-secrets-option.yaml b/charts/retool/ci/test-agent-sandbox-inline-secrets-option.yaml
index 2ac11c6..35c172a 100644
--- a/charts/retool/ci/test-agent-sandbox-inline-secrets-option.yaml
+++ b/charts/retool/ci/test-agent-sandbox-inline-secrets-option.yaml
@@ -6,7 +6,9 @@ rr:
 # proxy ingress). Here we exercise the *other* halves of those branches:
 # - Secrets inline (no externalSecret.name) → the chart renders its own Secret
 # (jwt-public-key / jwt-private-key / encryption-key / api-secret). jwtPublicKey
- # MUST be single-line: it is injected raw into the sandbox job-template JSON.
+ # is injected into the sandbox job-template JSON via `toJson`, so a genuine
+ # multi-line PEM (real newlines, as below) is escaped correctly — no need to
+ # pre-flatten it to a single `\n`-escaped line.
 # - Postgres sourcing OPTION 1: plaintext DSN via postgres.url.
 # - Same-origin proxy: no dedicated proxy domain and no proxy ingress — the
 # backend reverse-proxies /sandbox/* (frontendWsProxyDomain left empty).
@@ -21,8 +23,19 @@ rr:
 tag: 3.123.4
 pullPolicy: IfNotPresent
- jwtPublicKey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AI\nY+QUCicYtfv9wLGcEGPQuXoBQtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==\n-----END PUBLIC KEY-----'
- jwtPrivateKey: '-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMFXLiN/YsJv89D2YkEZ6/Dj5fujghENmYTOilwdChU3oAoGCCqGSM49\nAwEHoUQDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AIY+QUCicYtfv9wLGcEGPQuXoB\nQtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==\n-----END EC PRIVATE KEY-----'
+ # Real multi-line PEM (block scalar) — exercises the toJson newline escaping in
+ # the job-template JSON. A raw "{{ . }}" would produce invalid JSON here.
+ jwtPublicKey: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AI
+ Y+QUCicYtfv9wLGcEGPQuXoBQtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==
+ -----END PUBLIC KEY-----
+ jwtPrivateKey: |-
+ -----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIMFXLiN/YsJv89D2YkEZ6/Dj5fujghENmYTOilwdChU3oAoGCCqGSM49
+ AwEHoUQDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AIY+QUCicYtfv9wLGcEGPQuXoB
+ QtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==
+ -----END EC PRIVATE KEY-----
 encryptionKey: a12b01429fe0fe69a80da94e9e837ab2f1e9bda378ed8a25905a238f6fea6b7a
 apiSecret: test-agent-sandbox-api-secret
diff --git a/charts/retool/templates/deployment_agent_sandbox.yaml b/charts/retool/templates/deployment_agent_sandbox.yaml
index 0e9ac57..2dd1039 100644
--- a/charts/retool/templates/deployment_agent_sandbox.yaml
+++ b/charts/retool/templates/deployment_agent_sandbox.yaml
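Review bot: The new comment's "Real multi-line PEM" can be read as meaning a production key, and since this fixture carries a private key in-repo the block should say explicitly that it is a throwaway CI key so readers and secret scanners do not mistake it, e.g. `# Throwaway CI-only EC keypair, written as a genuine multi-line PEM block scalar — exercises the toJson newline escaping in the job-template JSON.` Separately, `|-` strips the PEM's trailing newline, whereas a key read from a file normally ends with one; that is harmless for a fixture, but if the aim is to mirror what operators paste, `|` is the closer match and the choice deserves a one-line comment either way. The mapping these keys belong to starts before this hunk, and the original third context line on each side appears to have been lost in this rendering.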
@@ -178,7 +178,7 @@ data:
 ,{"name": "SANDBOX_GLOBAL_LIFETIME_MS", "value": "{{ $as.sandbox.sandboxGlobalLifetimeMs }}"}
 ,{"name": "SANDBOX_READY_TIMEOUT_MS", "value": "{{ $as.sandbox.sandboxReadyTimeoutMs }}"}
 {{- if $as.jwtPublicKey }}
- ,{"name": "AGENT_SANDBOX_JWT_PUBLIC_KEY", "value": "{{ $as.jwtPublicKey }}"}
+ ,{"name": "AGENT_SANDBOX_JWT_PUBLIC_KEY", "value": {{ $as.jwtPublicKey | toJson }}}
 {{- else if $as.externalSecret.name }}
 ,{"name": "AGENT_SANDBOX_JWT_PUBLIC_KEY", "valueFrom": {"secretKeyRef": {"name": "{{ $defaultSecretName }}", "key": "jwt-public-key"}}}
 {{- end }}
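Review bot: The added line ends in `}}}`, which is correct only because the template lexer closes the action at the first `}}` and leaves the third brace as literal JSON; it reads like a malformed action and will trip up the next person who edits it. A single space before the object's closing brace, `"value": {{ $as.jwtPublicKey | toJson }} }`, keeps the JSON valid and makes the boundary obvious. The two context lines above still interpolate `sandboxGlobalLifetimeMs` and `sandboxReadyTimeoutMs` raw inside quoted JSON; presumably they are numeric so this is safe today, but any string-typed value routed the same way would reproduce the bug this commit fixes, so `toString | toJson` there would close the pattern rather than fix one instance. The `data:` block this sits in starts and ends outside the hunk.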