diff --git a/website/content/docs/agent-and-proxy/agent/template.mdx b/website/content/docs/agent-and-proxy/agent/template.mdx index eb91b8782f..0a4a9cf133 100644 --- a/website/content/docs/agent-and-proxy/agent/template.mdx +++ b/website/content/docs/agent-and-proxy/agent/template.mdx @@ -112,8 +112,11 @@ failures. includes connections in the dialing, active, and idle states. - `lease_renewal_threshold` `(float: 0.9)` - How long Vault Agent's template - engine should wait for to refresh dynamic, non-renewable leases, measured as - a fraction of the lease duration. + engine should wait to refresh dynamic, non-renewable leases, measured as + a fraction of the lease duration. For certificates rendered using the `pkiCert` + template function without leases, the `Not After` attribute is treated as the + lease end time, and the certificate will rotate at the configured percentage + of the difference between the `Not Before` and `Not After` attributes. ### `template_config` stanza example @@ -343,7 +346,6 @@ template { And the following demonstrates how the templates look when using `env_template` with [Process Supervisor Mode](/vault/docs/agent-and-proxy/agent/process-supervisor) - ```hcl # Other Vault Agent configuration blocks # ... 
@@ -365,3 +367,48 @@ env_template "ENV_VAR_FROM_FILE" { [consul-templating-language]: https://github.com/hashicorp/consul-template/blob/v0.28.1/docs/templating-language.md [process-supervisor]: /vault/docs/agent-and-proxy/agent/process-supervisor + +## PKI cert Agent Injector example + +The following example demonstrates how to use the [`pkiCert` function][pkiCert] and +[`writeToFile` function][writeToFile] from consul-template to create two files +from a template: one for the certificate and CA (`cert.pem`) and one for the key +(`cert.key`) generated by [Vault's PKI Secrets Engine](/vault/docs/secrets/pki). + +```yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: web-deployment + labels: + app: web +spec: + replicas: 1 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + annotations: + vault.hashicorp.com/agent-inject: 'true' + vault.hashicorp.com/role: 'web' + vault.hashicorp.com/agent-inject-secret-certs: 'pki/issue/cert' + vault.hashicorp.com/agent-inject-template-certs: | + {{- with pkiCert "pki/issue/cert" "common_name=test.example.com" "ttl=2h" -}} + {{ .Cert }}{{ .CA }}{{ .Key }} + {{ .Key | writeToFile "/vault/secrets/cert.key" "vault" "vault" "0644" }} + {{ .CA | writeToFile "/vault/secrets/cert.pem" "vault" "vault" "0644" }} + {{ .Cert | writeToFile "/vault/secrets/cert.pem" "vault" "vault" "0644" "append" }} + {{- end -}} + spec: + serviceAccountName: web + containers: + - name: web + image: nginx +``` + +[pkiCert]: https://github.com/hashicorp/consul-template/blob/main/docs/templating-language.md#pkicert +[writeToFile]: https://github.com/hashicorp/consul-template/blob/main/docs/templating-language.md#writeToFile
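Review bot: In the `lease_renewal_threshold` hunk, the lead sentence still describes the option as a duration ("How long Vault Agent's template engine should wait to refresh ...") while the type is `float` and the value is "a fraction of the lease duration"; suggest "What fraction of the lease duration Vault Agent's template engine waits before refreshing dynamic, non-renewable leases (default 0.9)." The added `pkiCert` sentence is clear, but a concrete figure would help readers relate it to the example later in the file: with the default 0.9 and `ttl=2h`, the certificate is re-issued roughly 108 minutes after `Not Before`, i.e. 12 minutes before `Not After`.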
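Review bot: In the `env_template` hunk, dropping the blank line before the ```hcl fence is harmless (a fenced block may interrupt a paragraph), but the sentence it now abuts ("... with [Process Supervisor Mode](/vault/docs/agent-and-proxy/agent/process-supervisor)") has no terminating punctuation; add a colon so it reads as the lead-in to the block, matching the other lead-ins in this file.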
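Review bot: In the new "PKI cert Agent Injector example", the private key is written world-readable: `{{ .Key | writeToFile "/vault/secrets/cert.key" "vault" "vault" "0644" }}` should use `"0600"` (or `"0640"` if a group needs it); only the public `cert.pem` warrants 0644. Note also that the first line `{{ .Cert }}{{ .CA }}{{ .Key }}` renders the key into the injector's own `certs` file as well, so the prose should say the key ends up in two files (and why the destination render is needed, if that is the intent), otherwise a reader will copy the example without realising the second copy exists. Second, the chain file is assembled CA-first (`{{ .CA | writeToFile "/vault/secrets/cert.pem" ... }}` then `{{ .Cert | writeToFile ... "append" }}`); nginx's `ssl_certificate`, which the example's `image: nginx` implies, expects the server certificate first followed by the intermediates, so swap the two calls: write `.Cert` first and append `.CA`. Finally, the new footnote links point at `blob/main/...` while the existing `[consul-templating-language]` link pins `v0.28.1`; pin these the same way so the anchors do not drift, and change `#writeToFile` to `#writetofile`, since GitHub lowercases heading anchors, consistent with `#pkicert` on the line above.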