Welcome along to this quick guide on how to deploy Ghost from the Civo marketplace and, more importantly, how to do it securely! I will be using cert-manager to create and maintain the certificate, so no more "I forgot to renew the cert" for you!
If you already have Ghost installed but are running it without SSL (shame on you), you can skip past this first bit to the "Applying the certificate" section.
We are going to deploy everything we need from the Civo marketplace and get your shiny new blog up and running in minutes, cool right?
So let's start with the big question: you have a Civo account, right? No? Where have you been? You can head over to here to join the KUBE100 BETA program and get a generous $70 a month to play with all things Kubernetes! You also get something priceless: access to the private Slack channel, where you get to talk to some of the best minds on the internet (I'll be there too).
OK, from here I'm assuming you've got a Civo account. You will need to have the following:
OK let's go...
First let's create our cluster with the apps we need from the cli:
civo kubernetes create ghost_demo -a cert-manager,ghost:5GB --wait
This will create a cluster with cert-manager, Ghost and Longhorn all set up.
Go grab a cup of tea and before it's finished brewing your new cluster will be ready to go! All being well you should get something like this:
The cluster ghost_demo (0dc6d3a9-9046-47e3-9678-3f18ce138140) has been created in 2 min 49 sec
OK now let's check the site is up and running, as per the notes on the marketplace you will see that you have been provisioned a URL which is in the format:
The cluster ID is shown above so for my example my address is:
All being well you should now be able to open this page on a browser and see the Ghost front page:
Let's quickly set up Ghost so it's protected by a username and password.
The following URL will start the setup process:
Follow the steps and you should be taken to the admin page.
Now let's switch to our new cluster by merging the context into your kube config:
civo kubernetes config ghost_demo -s --merge
kubectx ghost_demo
Always good to check you are in the right place!
kubectl get pods -n ghost
Right, now let's make this guy secure!
Applying the certificate
First we need to create an issuer, so copy and paste the below (remember to change the email address) into a new file called issuer.yml:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-ghost
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: firstname.lastname@example.org
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod-ghost
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: traefik
Now apply this:
kubectl apply -f issuer.yml
You should now see this has been created:
Next we need to make some changes to the ingress. Create a new file called patch.yml and paste in the following:
Remember to change the host URL to your own.
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod-ghost
    ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - ghost.52482683-9e6d-48b1-b048-eab11f33f33f.k8s.civo.com
    secretName: letsencrypt-prod-ghost
Next apply the patch:
kubectl -n ghost patch ingress ghost-blog --patch "$(cat patch.yml)"
All being well you should get a confirmation of the patch.
It will take a few minutes for the certificate to be issued. You can check on the status with:
kubectl get cert -n ghost
When ready you will see:
NAME                     READY   SECRET                   AGE
letsencrypt-prod-ghost   True    letsencrypt-prod-ghost   2m57s
Next you can hit that URL and should get the satisfying padlock in your web browser!
Depending on your browser you may see an insecure message. This is because the default Ghost template is using images from an insecure location, so the page is served over HTTPS but still pulls some content over plain HTTP. This should go away once you set up your own pages and upload your own images.
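To find out exactly which resources trigger that warning, you can scan the page's HTML for anything the browser would fetch over plain http://. The script below is an added example, not part of the original guide; the names find_mixed_content and MixedContentFinder and the example.test hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attributes that make the browser fetch a subresource. <a href> is
# left out on purpose: following a link is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "audio": ("src",),
    "video": ("src", "poster"), "script": ("src",), "iframe": ("src",), "link": ("href",),
}
# Browsers block these outright; images and media usually load with a warning.
ACTIVE_TAGS = {"script", "iframe", "link"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are checked; rel=canonical etc. is not a fetch
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            # srcset is a comma-separated list of "url descriptor" candidates
            parts = value.split(",") if name == "srcset" else [value]
            for part in filter(str.strip, parts):
                # Resolve relative and protocol-relative URLs against the page
                absolute = urljoin(self.page_url, part.split()[0])
                if urlparse(absolute).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page; ghost.example.test is a placeholder host.
SAMPLE_HTML = """<link rel="canonical" href="http://ghost.example.test/">
<img src="http://images.example.test/cover.jpg"><img src="//images.example.test/logo.png">
<script src="http://cdn.example.test/app.js"></script><a href="http://example.test/">x</a>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://ghost.example.test/", SAMPLE_HTML):
        print(*finding)
```

To check your own blog, save the page source from the browser and pass it in together with your https:// address. Anything reported as "passive" is the kind of image reference described above.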
I hope this guide was useful, any comments or questions please give me a shout on twitter.