From f88e683dd10e13228b4d5532318277505d6bf984 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Mon, 3 Apr 2023 20:04:47 -0400
Subject: [PATCH] backport of commit 2145f959e1c28e6d5ce19f5eeecf2a0601478b7d (#19972)

Co-authored-by: Theron Voran
---
 .../docs/platform/k8s/injector/examples.mdx | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/website/content/docs/platform/k8s/injector/examples.mdx b/website/content/docs/platform/k8s/injector/examples.mdx
index fdf729ded212..810f444406ed 100644
--- a/website/content/docs/platform/k8s/injector/examples.mdx
+++ b/website/content/docs/platform/k8s/injector/examples.mdx
@@ -340,3 +340,48 @@ spec:
 ports:
 - containerPort: 9090
 ```
+
+## PKI Cert Example
+
+The following example demonstrates how to use the [`pkiCert` function][pkiCert] and
+[`writeToFile` function][writeToFile] from consul-template to create two files
+from a template: one for the certificate and CA (`cert.pem`) and one for the key
+(`cert.key`) generated by [Vault's PKI Secrets Engine](/vault/docs/secrets/pki).
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: web-deployment
+ labels:
+ app: web
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: web
+ template:
+ metadata:
+ labels:
+ app: web
+ annotations:
+ vault.hashicorp.com/agent-inject: 'true'
+ vault.hashicorp.com/role: 'web'
+ vault.hashicorp.com/agent-inject-secret-certs: 'pki/issue/cert'
+ vault.hashicorp.com/agent-inject-template-certs: |
+ {{- with pkiCert "pki/issue/cert" "common_name=test.example.com" "ttl=2h" -}}
+ {{ .Cert }}{{ .CA }}{{ .Key }}
+ {{ .Key | writeToFile "/vault/secrets/cert.key" "vault" "vault" "0644" }}
+ {{ .CA | writeToFile "/vault/secrets/cert.pem" "vault" "vault" "0644" }}
+ {{ .Cert | writeToFile "/vault/secrets/cert.pem" "vault" "vault" "0644" "append" }}
+ {{- end -}}
+ spec:
+ serviceAccountName: web
+ containers:
+ - name: web
+ image: nginx
+```
+
+[pkiCert]: https://github.com/hashicorp/consul-template/blob/main/docs/templating-language.md#pkicert
+[writeToFile]: https://github.com/hashicorp/consul-template/blob/main/docs/templating-language.md#writeToFile
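Review bot: The private key is written world-readable: the `writeToFile` call for `/vault/secrets/cert.key` passes mode `"0644"`, the same as the public `cert.pem`, so any process that can reach the shared secrets volume can read the key. Since readers will copy this example, the key line should use an owner-only mode, e.g. `{{ .Key | writeToFile "/vault/secrets/cert.key" "vault" "vault" "0600" }}`, or `"0640"` if the application container reads the key through a shared group rather than as the owner. The `{{ .Cert }}{{ .CA }}{{ .Key }}` line also appears to render the key into the template's own output file (presumably `/vault/secrets/certs`), while the prose speaks of only two files; a sentence noting that third copy and the permissions it gets would help.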