Update Documentation to include lease_threshold_renewal clarity (#28943)

* Update Documentation to include lease_threshold_renewal clarity

Also updated to include PKICert documentation that shows using "writetoFile" such that practitioners can reference it while using it for the Vault Agent

* Update template.mdx

* Update website/content/docs/agent-and-proxy/agent/template.mdx

Co-authored-by: Violet Hynes <a.xenasis@gmail.com>

---------

Co-authored-by: Violet Hynes <a.xenasis@gmail.com>

website/content/docs/agent-and-proxy/agent/template.mdx

@@ -112,8 +112,11 @@ failures.
   includes connections in the dialing, active, and idle states.
 
 - `lease_renewal_threshold` `(float: 0.9)` - How long Vault Agent's template
-  engine should wait for to refresh dynamic, non-renewable leases, measured as
+  engine should wait to refresh dynamic, non-renewable leases, measured as
-  a fraction of the lease duration.
+  a fraction of the lease duration. For certificates rendered using the `pkiCert`
+  template function without leases, the `Not After` attribute is treated as the
+  lease end time, and the certificate will rotate at the configured percentage
+  of the difference between the `Not Before` and `Not After` attributes.
 
 ### `template_config` stanza example
 
@@ -343,7 +346,6 @@ template {
 And the following demonstrates how the templates look when using `env_template` with
 [Process Supervisor Mode](/vault/docs/agent-and-proxy/agent/process-supervisor)
 
-
 ```hcl
 # Other Vault Agent configuration blocks
 # ...
@@ -365,3 +367,48 @@ env_template "ENV_VAR_FROM_FILE" {
 
 [consul-templating-language]: https://github.com/hashicorp/consul-template/blob/v0.28.1/docs/templating-language.md
 [process-supervisor]: /vault/docs/agent-and-proxy/agent/process-supervisor
+
+## PKI cert Agent Injector example
+
+The following example demonstrates how to use the [`pkiCert` function][pkiCert] and
+[`writeToFile` function][writeToFile] from consul-template to create two files
+from a template: one for the certificate and CA (`cert.pem`) and one for the key
+(`cert.key`) generated by [Vault's PKI Secrets Engine](/vault/docs/secrets/pki).
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web-deployment
+  labels:
+    app: web
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      labels:
+        app: web
+      annotations:
+        vault.hashicorp.com/agent-inject: 'true'
+        vault.hashicorp.com/role: 'web'
+        vault.hashicorp.com/agent-inject-secret-certs: 'pki/issue/cert'
+        vault.hashicorp.com/agent-inject-template-certs: |
+          {{- with pkiCert "pki/issue/cert" "common_name=test.example.com" "ttl=2h" -}}
+          {{ .Cert }}{{ .CA }}{{ .Key }}
+          {{ .Key | writeToFile "/vault/secrets/cert.key" "vault" "vault" "0644" }}
+          {{ .CA | writeToFile "/vault/secrets/cert.pem" "vault" "vault" "0644" }}
+          {{ .Cert | writeToFile "/vault/secrets/cert.pem" "vault" "vault" "0644" "append" }}
+          {{- end -}}
+    spec:
+      serviceAccountName: web
+      containers:
+        - name: web
+          image: nginx
+```
+
+[pkiCert]: https://github.com/hashicorp/consul-template/blob/main/docs/templating-language.md#pkicert
+[writeToFile]: https://github.com/hashicorp/consul-template/blob/main/docs/templating-language.md#writeToFile