template_config

Learn about setting global defaults for the templating engine.

The template_config stanza sets the global defaults for the templating engine. It can only appear once in the configuration and applies to all templates managed by the vHSM Agent. While the template stanza controls how and where a particular secret is rendered, template_config defines how the templating engine itself behaves and integrates with the rest of the agent. These settings cover aspects such as exit behavior on failures and system-wide rendering policies. Over time, additional parameters may be introduced that affect the engine’s global operation.

The template stanza defines how the vHSM Agent renders a specific secret to a file, using Consul Template syntax. Unlike template_config, multiple template stanzas can be declared, allowing you to render different secrets into different files as needed.

When the vHSM Agent is started with templating enabled, it attempts to acquire a vHSM token using the configured auto-auth method. On failure, it backs off for a short while, with some randomness added to help prevent thundering herd scenarios, and then retries. On success, secrets defined in the templates are retrieved from vHSM and rendered locally.

Example template_config

template_config {
  exit_on_retry_failure         = true
  static_secret_render_interval = "10m"
  max_connections_per_host      = 20
  lease_renewal_threshold       = 0.9
}

Parameters

  • exit_on_retry_failure (Boolean, Optional, default: false) If set to true, the agent will exit when template rendering fails permanently after retries. When false, the agent continues retrying. Use this to enforce strict template availability.

  • static_secret_render_interval (Duration string, Optional) Specifies how often static secrets (non-leased, non-renewable ones such as KV v2 secrets) are re-rendered. For example, "10m" means every 10 minutes. If this is not set, static secrets are not automatically re-rendered unless other triggers occur.

  • max_connections_per_host (Integer, Optional, default: 10) Limits how many simultaneous HTTP connections the templating engine uses when talking to the vHSM server for each host. Helps avoid overloading the server or running into connection limits.

  • lease_renewal_threshold (Float, Optional, default: 0.9) For dynamic or leased secrets (including tokens), specifies the fraction of the lease duration after which renewal is attempted. For example, 0.9 means: renew when 90% of the lease time has elapsed.
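The following is an added example, not code from the vHSM Agent or its vendor: a small pre-deployment check that reads the template_config stanza, applies the defaults documented above, and reports settings that weaken template availability or secret freshness. The names audit, parse_value and SAMPLE are hypothetical, and the duration format (Go-style, such as "10m") and the valid threshold range (0, 1] are assumptions. It handles only flat key = value lines without inline comments.

```python
import re

# Parameters and defaults as documented on this page (None = no default, unset).
PARAMS = {
    "exit_on_retry_failure": (bool, False),
    "static_secret_render_interval": (str, None),
    "max_connections_per_host": (int, 10),
    "lease_renewal_threshold": (float, 0.9),
}
STANZA = re.compile(r"^[ \t]*template_config[ \t]*\{(.*?)^[ \t]*\}", re.S | re.M)
ASSIGN = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)
DURATION = re.compile(r'^"(\d+(ms|s|m|h))+"$')  # assumption: Go-style durations
# Constructed sample: misspelled key and an out-of-range threshold.
SAMPLE = "template_config {\n  lease_renewal_threshold = 1.5\n  exit_on_retry_failurre = true\n}\n"

def parse_value(kind, raw):
    """Convert the raw right-hand side to the documented type or raise ValueError."""
    if kind is bool and raw in ("true", "false"):
        return raw == "true"
    if kind is str and DURATION.match(raw):
        return raw.strip('"')
    if kind in (int, float):
        return kind(raw)
    raise ValueError(raw)

def audit(config_text):
    """Return (effective settings, findings) for an agent configuration."""
    findings = []
    stanzas = STANZA.findall(config_text)
    if len(stanzas) > 1:  # the stanza may appear only once
        findings.append("template_config appears more than once")
    effective = {name: default for name, (_, default) in PARAMS.items()}
    for key, raw in ASSIGN.findall(stanzas[0] if stanzas else ""):
        if key not in PARAMS:  # a typo silently leaves the default in force
            findings.append(f"unknown parameter: {key}")
            continue
        try:
            effective[key] = parse_value(PARAMS[key][0], raw)
        except ValueError:
            findings.append(f"{key}: invalid value {raw}")
    if not 0 < effective["lease_renewal_threshold"] <= 1:  # assumed valid range
        findings.append("lease_renewal_threshold is not a fraction in (0, 1]")
    if not effective["exit_on_retry_failure"]:
        findings.append("exit_on_retry_failure is false: agent keeps retrying")
    if effective["static_secret_render_interval"] is None:
        findings.append("static secrets are not re-rendered on an interval")
    return effective, findings
```

Calling audit(SAMPLE) shows why the unknown-key check matters: the misspelled exit_on_retry_failurre leaves the documented default of false in effect, so the agent would keep retrying rather than exit.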

