I'm trying to download a server specific certificate and key from vault to each of my consul servers using the template function of vault-agent.
The recommended approach is to set a common name and SAN as HOSTNAME.DATACENTER.DOMAIN. I am using a template variable to build the CN specific to the node within the template, but I am failing to get the correct syntax for using that variable within the "with secret" call.
The template looks like this at the moment:

```
{{ with node }}
{{ $CN := {{ .Node.Node }}.{{ .Node.Datacenter }}.paradigm }}
{{ with secret "pki/issue/certs" "common_name=$CN" "alt_names=localhost $CN" "ip_sans=127.0.0.1" "ttl=72h" }}
{{- .Data.certificate -}}
{{ end }}
{{ end }}
```
When I manually type the required CN into the with secret call it works fine and a certificate is written out, so my Vault access is working correctly. However, when using the variable approach this fails with "$CN is not an allowed common name for this role". This seems to suggest the template is reading the "$CN" as literal text rather than resolving it to the set value.
This looks like a syntax error to me, but having tried multiple options over the last 2 days I'm hoping that someone can give me a pointer as to the correct syntax (or put me out of my misery and tell me that I'm trying an impossible task).
Thanks in advance for your help
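The behaviour described in the post can be reproduced outside vault-agent, because consul-template is built on Go's text/template and does not expand `$CN` inside a quoted string. The program below is an added example, not code from the original post or from HashiCorp: it stubs the `node` and `secret` template functions with constructed values (node `consul-1` in datacenter `dc1`, a fake certificate) and shows the parameters the `secret` call actually receives for the quoted-literal form and for a form that builds each parameter with `printf`. The comma separator in `alt_names` is what Vault's PKI `issue` endpoint expects.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-ins for vault-agent's "node" and "secret" template
// functions; "secret" records the parameters it would send to Vault.
type nodeInfo struct{ Node, Datacenter string }
type nodeResult struct{ Node nodeInfo }
type secretResult struct{ Data map[string]string }

// IssueArgs renders tmpl with text/template (the engine under consul-template)
// and returns the parameter string the "secret" call received.
func IssueArgs(tmpl string) (string, error) {
	var got string
	fm := template.FuncMap{
		"node": func() *nodeResult { return &nodeResult{Node: nodeInfo{"consul-1", "dc1"}} },
		"secret": func(path string, args ...string) *secretResult {
			got = strings.Join(args, " ")
			return &secretResult{Data: map[string]string{"certificate": "<pem>"}}
		},
	}
	t, err := template.New("cert").Funcs(fm).Parse(tmpl)
	if err != nil {
		return "", err
	}
	if err := t.Execute(&bytes.Buffer{}, nil); err != nil {
		return "", err
	}
	return got, nil
}

// Quoted "$CN" is a plain string, so Vault receives the literal text "$CN".
const broken = `{{ with node }}{{ $CN := printf "%s.%s.paradigm" .Node.Node .Node.Datacenter }}` +
	`{{ with secret "pki/issue/certs" "common_name=$CN" }}{{ .Data.certificate }}{{ end }}{{ end }}`

// Each parameter is built with printf, so $CN is expanded before the call.
const fixed = `{{ with node }}{{ $CN := printf "%s.%s.paradigm" .Node.Node .Node.Datacenter }}` +
	`{{ with secret "pki/issue/certs" (printf "common_name=%s" $CN) (printf "alt_names=localhost,%s" $CN) "ip_sans=127.0.0.1" "ttl=72h" }}` +
	`{{- .Data.certificate -}}{{ end }}{{ end }}`

func main() {
	for _, tm := range []string{broken, fixed} {
		args, err := IssueArgs(tm)
		fmt.Println(args, err)
	}
}
```

Running it prints `common_name=$CN` for the first template and the fully expanded `common_name=consul-1.dc1.paradigm ...` parameters for the second, which is exactly the difference between the role rejecting the request and issuing the certificate.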