address review comments

command/agent/config/config.go

@@ -82,16 +82,16 @@ type Retry struct {
 
 // Vault contains configuration for connecting to Vault servers
 type Vault struct {
-	Address               string      `hcl:"address"`
-	CACert                string      `hcl:"ca_cert"`
-	CAPath                string      `hcl:"ca_path"`
-	TLSSkipVerify         bool        `hcl:"-"`
-	TLSSkipVerifyRaw      interface{} `hcl:"tls_skip_verify"`
-	ClientCert            string      `hcl:"client_cert"`
-	ClientKey             string      `hcl:"client_key"`
-	TLSServerName         string      `hcl:"tls_server_name"`
-	Retry                 *Retry      `hcl:"retry"`
-	LeaseRenewalThreshold *float64     `hcl:"lease_renewal_threshold"`
+	Address          string      `hcl:"address"`
+	CACert           string      `hcl:"ca_cert"`
+	CAPath           string      `hcl:"ca_path"`
+	TLSSkipVerify    bool        `hcl:"-"`
+	TLSSkipVerifyRaw interface{} `hcl:"tls_skip_verify"`
+	ClientCert       string      `hcl:"client_cert"`
+	ClientKey        string      `hcl:"client_key"`
+	TLSServerName    string      `hcl:"tls_server_name"`
+	Namespace        string      `hcl:"namespace"`
+	Retry            *Retry      `hcl:"retry"`
 }
 
 // transportDialer is an interface that allows passing a custom dialer function
@@ -169,6 +169,7 @@ type TemplateConfig struct {
 	StaticSecretRenderInt    time.Duration `hcl:"-"`
 	MaxConnectionsPerHostRaw interface{}   `hcl:"max_connections_per_host"`
 	MaxConnectionsPerHost    int           `hcl:"-"`
+	LeaseRenewalThreshold    *float64      `hcl:"lease_renewal_threshold"`
 }
 
 type ExecConfig struct {

command/agent/config/config_test.go

@@ -17,6 +17,10 @@ import (
 	"golang.org/x/exp/slices"
 )
 
+func FloatPtr(t float64) *float64 {
+	return &t
+}
+
 func TestLoadConfigFile_AgentCache(t *testing.T) {
 	config, err := LoadConfigFile("./test-fixtures/config-cache.hcl")
 	if err != nil {
@@ -1046,6 +1050,7 @@ func TestLoadConfigFile_TemplateConfig(t *testing.T) {
 				ExitOnRetryFailure:    true,
 				StaticSecretRenderInt: 1 * time.Minute,
 				MaxConnectionsPerHost: 100,
+				LeaseRenewalThreshold: FloatPtr(0.8),
 			},
 		},
 		"empty": {

command/agent/config/test-fixtures/config-template_config.hcl

@@ -12,6 +12,7 @@ template_config {
   exit_on_retry_failure = true
   static_secret_render_interval = 60
   max_connections_per_host = 100
+  lease_renewal_threshold = 0.8
 }
 
 template {

command/agent/internal/ctmanager/runner_config.go

@@ -34,16 +34,16 @@ func NewConfig(mc ManagerConfig, templates ctconfig.TemplateConfigs) (*ctconfig.
 	conf.Vault.Token = pointerutil.StringPtr("")
 	conf.Vault.Address = &mc.AgentConfig.Vault.Address
 
-	if mc.AgentConfig.Vault != nil {
-		conf.Vault.LeaseRenewalThreshold = mc.AgentConfig.Vault.LeaseRenewalThreshold
-	}
-
 	if mc.Namespace != "" {
 		conf.Vault.Namespace = &mc.Namespace
 	}
 
-	if mc.AgentConfig.TemplateConfig != nil && mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
-		conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
+	if mc.AgentConfig.TemplateConfig != nil {
+		conf.Vault.LeaseRenewalThreshold = mc.AgentConfig.TemplateConfig.LeaseRenewalThreshold
+
+		if mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
+			conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
+		}
 	}
 
 	if mc.AgentConfig.DisableIdleConnsTemplating {

website/content/docs/agent-and-proxy/agent/template.mdx

@@ -111,6 +111,10 @@ failures.
   that the Vault Agent templating engine can use for a particular Vault host. This limit
   includes connections in the dialing, active, and idle states.
 
+- `lease_renewal_threshold` `(float: 0.9)` - How long Vault Agent's template
+  engine should wait for to refresh dynamic, non-renewable leases, measured as
+  a fraction of the lease duration.
+
 ### `template_config` stanza example
 
 ```hcl