diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
index 9c3002a..391ede6 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
@@ -34,6 +34,7 @@
   vars:
     manifest: "{{ item.0 }}"
     src: "{{ item.1.src }}"
+    _newline: "\n"
     _template: "{{ item.1._template }}"
   loop: "{{ query('ansible.builtin.subelements', query('ansible.builtin.dict', downstream_components), 'value.extra_manifests') }}"
   loop_control:
diff --git a/ansible/vars/workloadcluster.yml b/ansible/vars/workloadcluster.yml
index 6d5ba60..2a71d47 100644
--- a/ansible/vars/workloadcluster.yml
+++ b/ansible/vars/workloadcluster.yml
@@ -36,7 +36,7 @@ downstream:
                 issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
                 audience: "{{ vapp['workloadcluster.name'] | lower }}"
                 tls:
-                  certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ '\n' ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
+                  certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
 
     sealed-secrets:
       version: 2.8.1  # (= Sealed Secrets v0.20.2)