# Podman Quadlet container unit, rendered from a template: the fetchcert.*
# placeholders below are substituted at deploy time. It runs the fetchcert
# image once to copy a TLS key and certificate out of a Kubernetes Secret
# into /etc/fetchcert/certs on the host.

[Unit]
Description=Fetch HTTPS certificate from Kubernetes Secret API
# The Kubernetes API must be reachable, so wait for the network to be up.
Wants=network-online.target
After=network-online.target

[Container]
# NOTE(review): no tag or digest is given, so the registry decides which
# image content runs. This container writes a private key onto the host;
# consider pinning the reference to a digest.
Image=git.pyrocufflink.net/containerimages/fetchcert
# Positional arguments, presumably: namespace, secret name, key output path,
# certificate output path (confirm against the image's entrypoint).
# NOTE(review): the template values are inserted unquoted. A value containing
# whitespace would split into extra arguments, and a key or cert name
# containing a path separator would point outside certs/. Validate these
# variables where they are defined.
Exec={{ fetchcert.namespace }} {{ fetchcert.secret }} /etc/fetchcert/certs/{{ fetchcert.key }} /etc/fetchcert/certs/{{ fetchcert.cert }}
# API endpoint only; no credential is set in this unit. Presumably the
# container reads its credentials from /etc/fetchcert (confirm).
Environment=KUBERNETES_URL={{ fetchcert.kubernetes_url }}

# Configuration directory is mounted read-only; only certs/ is writable.
Volume=/etc/fetchcert:/etc/fetchcert:ro
# Lowercase z applies a shared SELinux label, so any other container that is
# given this path can also access it. If no other container needs the
# directory, the private label (uppercase Z) is the tighter choice.
Volume=/etc/fetchcert/certs:/etc/fetchcert/certs:rw,z

# Root filesystem is read-only; ReadOnlyTmpfs keeps writable tmpfs mounts for
# the usual scratch directories.
ReadOnly=yes
ReadOnlyTmpfs=yes

# Drop every capability, then add back only CAP_CHOWN (presumably so the
# fetched files can be handed to the user that consumes them).
DropCapability=all
AddCapability=CAP_CHOWN
# Prevent gaining privileges through setuid/setgid binaries in the image.
NoNewPrivileges=yes

[Service]
Type=oneshot
# Exit status 20 is treated as success in addition to 0. What 20 means is
# defined by the fetchcert image and is not shown here.
SuccessExitStatus=20
# NOTE(review): no mode is passed, so a newly created directory gets its
# permissions from the service umask (0755 with systemd's default umask).
# Protection of the private key then rests on the file mode the container
# sets; verify it is not world-readable.
ExecStartPre=/bin/mkdir -p /etc/fetchcert/certs
# Runs on the host, outside the container, with this service's privileges.
# The leading dash makes systemd ignore a failure of the script.
# NOTE(review): ExecStopPost also runs when the fetch failed; systemd exports
# SERVICE_RESULT, EXIT_CODE and EXIT_STATUS so the script can tell the cases
# apart. The script sits on the read-only mount, so the container cannot
# alter it; on the host it should be root-owned and not writable by others.
ExecStopPost=-/etc/fetchcert/postupdate.sh