DocumentationTutorials

template

Learn about configuring the vHSM Agent to fetch secrets and render them into files.

Template blocks configure the vHSM Agent to fetch secrets and render them into files. Each template uses Consul Template syntax to define what content is written. Multiple template stanzas can be specified to manage different files.

Example

template {
  source      = "/etc/vhsm/templates/vhsm-token.ctmpl"
  destination = "/run/enclaive/vhsm-token.json"
}

Parameters

  • source (string, required if contents is not used) Path to a .ctmpl template file that defines how the secret should be rendered. Either source or contents must be specified.

  • destination (string, required) The file path where the rendered output will be written. This is mandatory for every template block.

  • contents (string, optional) An inline template definition written directly in the configuration file. Useful for small templates or when you don’t want to manage a separate .ctmpl file. Cannot be used at the same time as source.

  • create_dest_dirs (boolean, optional, default: true) Controls whether missing parent directories for the destination file are automatically created. If set to false, rendering fails if directories are missing.

  • command (string, optional) A command to execute after the template has been successfully rendered. This is often used to reload or restart an application so it can use the new secret.

  • perms (string, optional) File permission mode to apply to the rendered file, expressed in standard UNIX notation (e.g., "0640").

  • err_missing_key (boolean, optional, default: false) Determines behavior when the template references a missing key. If true, rendering fails with an error. If false, the missing key renders as empty.

  • left_delimiter / right_delimiter (string, optional) Defines custom delimiters for template markers. Defaults are {{ and }}. These are useful if the template content conflicts with another templating system that also uses curly braces.

Template File Example (vhsm-token.ctmpl)

{{ with secret "auth/token/lookup-self" -}}
{
  "client_token": "{{ .Data.id }}",
  "ttl": "{{ .Data.ttl }}"
}
{{ end }}

This template queries the secret at auth/token/lookup-self and renders selected metadata fields into JSON. When combined with the template block above, the vHSM Agent writes the following output to /run/enclaive/vhsm-token.json:

{
  "client_token": "hvs.XXXXXXXX",
  "ttl": "768h"
}

Last updated

Was this helpful?