This is a version of a post I originally wrote for my blog. You can find the original here.
Since I wrote my guide to deploying a Ghost blog on Civo Kubernetes, things have changed with Ghost now being available as a marketplace application. This quick guide covers how to deploy Ghost from the Civo application marketplace and, more importantly, securely! I will be using cert-manager to create and maintain the SSL certificate, meaning you no longer have to worry about remembering to renew it!
If you already have Ghost installed but are running it without SSL (which you really shouldn't!) then you can skip past this first part to the "Applying the certificate" section.
Deploying Ghost to our cluster
We are going to deploy everything we need from the Civo marketplace and get your shiny new blog up and running in minutes. Cool, right?
If you don't yet have a Civo account, you can head over to here to join the #KUBE100 Beta program and get a generous $70 a month to play with all things Kubernetes! You also get something priceless, access to Civo Slack community, getting to talk to some of the best minds on the internet (I'll be there too).
From here on I'm assuming you've got a Civo account, and the following:
OK, let's go...
First let's create our cluster with the apps we need from the CLI:
civo kubernetes create ghost_demo -a cert-manager,ghost:5GB --wait
This will create a cluster with the cert-manager, ghost and Longhorn all setup.
Go grab a cup of tea and before it's finished brewing, your new cluster will be ready to go! All being well you should get something like this:
The cluster ghost_demo (0dc6d3a9-9046-47e3-9678-3f18ce138140) has been created in 2 min 49 sec
OK, now let's check the site is up and running. As per the notes on the marketplace, you will see that you have been provisioned a URL which is in the format:
The cluster ID is shown above so for my example my address is:
All being well you should now be able to open this page on a browser and see the Ghost front page:
Let's quickly setup Ghost so it's protected by a username and password.
The following URL will start the setup process - you'll need to use your cluster ID in the address:
Follow the steps and you should be taken to the admin page.
Now let's switch to our new cluster by merging the context into your
civo kubernetes config ghost_demo -s --merge kubectx ghost_demo
Always good to check you are the right place! So, let's make sure that we can access our Ghost deployment. Running the following command should show you the Ghost blog pods running on your cluster:
kubectl get pods -n ghost
Right, now let's make this guy secure!
Applying the certificate
First we need to create an issuer, so copy and paste the below (remember to change the email address) into a new file called
apiVersion: cert-manager.io/v1alpha2 kind: ClusterIssuer metadata: name: letsencrypt-prod-ghost spec: acme: # The ACME server URL server: https://acme-v02.api.letsencrypt.org/directory # Email address used for ACME registration email: firstname.lastname@example.org # Name of a secret used to store the ACME account private key privateKeySecretRef: name: letsencrypt-prod-ghost # Enable the HTTP-01 challenge provider solvers: - http01: ingress: class: traefik
Now apply this file to our cluster:
kubectl apply -f issuer.yml
You should now see from the output that this has been created:
Next we need to make some changes to the ingress to handle SSL traffic. Create a new file called
patch.yml and paste in the following:
Remember to change the host URL to your own.
metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod-ghost ingress.kubernetes.io/ssl-redirect: "true" spec: tls: - hosts: - ghost.52482683-9e6d-48b1-b048-eab11f33f33f.k8s.civo.com secretName: letsencrypt-prod-ghost
Next, apply the patch:
kubectl -n ghost patch ingress ghost-blog --patch "$(cat patch.yml)"
All being well you should get a confirmation of the patch from the cluster.
It will take a few minutes for the certificate to be issued, you can check on the status:
kubectl get cert -n ghost
When ready you will see:
NAME READY SECRET AGE
letsencrypt-prod-ghost True letsencrypt-prod-ghost 2m57s
Next you can hit that URL and should get the satisfying padlock in your web browser!
Depending on your browser you may see an insecure message, this is because the default ghost template uses images on an insecure location. This should go away once you set up your own pages and upload your own images.