Vault agent - Deploy TLS certificate and key and restart service only once

Is it possible to deploy TLS certificate and key file via vault agent templates and run a systemctl restart service only once after both files were deployed?

The command order doesn’t seem to depend on the template order in the config file. So I see no other way then restarting the service twice (both for certificate and key) for now.

Best regards,

The file will be loaded onto the main file system. Depending on how your service works it can load in these files. What issue are you walking into?

The webserver needs to be restartet after both the key and cert file where changed by vault agent.

In vault agent this two files are two templates. Both of them can trigger a command as systemctl restart webserver

I don’t want vault-agent to restart the webserver twice, when key and cert are both changing.
Only once after both did.

Is it not possible for your system to load in both cert and key file once both files are loaded in? Executing the command at the last template stanza. You could also use the wait option for this.

Template order in the vault-agent config doesn’t reflect in the ordering of execution of the commands, so direct ordering is not possible.

I didn’t really understand from documentation, if the wait
parameter is somehow ordering the templates, or just blocking and continuing with other templates afterwards.
But I will check, if the wait parameter helps to order the templates.
Thanks for pushing me into that direction.