Deploying Ghost With SSL From The Civo Marketplace

Welcome along to this quick guide on how to deploy Ghost from the Civo marketplace and, more importantly, how to do it securely! I will be using cert-manager to create and maintain the certificate, so no more "I forgot to renew the cert" for you!

If you already have Ghost installed but are running it without SSL (shame on you), you can skip past this first bit to the "Applying the certificate" section.

We are going to deploy everything we need from the Civo marketplace and get your shiny new blog up and running in minutes, cool right?

So let's start with the big question: you have a Civo account, right? No? Where have you been? You can head over to here to join the KUBE100 BETA program and get a generous $70 a month to play with all things Kubernetes! You also get something priceless: access to the private Slack channel, where you get to talk to some of the best minds on the internet (I'll be there too).

OK from here I'm assuming you've got a Civo account, you will need to have the following:

OK let's go...

First let's create our cluster with the apps we need from the CLI:

civo kubernetes create ghost_demo -a cert-manager,ghost:5GB --wait

This will create a cluster with cert-manager, Ghost and Longhorn all set up.

Go grab a cup of tea and before it's finished brewing your new cluster will be ready to go! All being well you should get something like this:

The cluster ghost_demo (0dc6d3a9-9046-47e3-9678-3f18ce138140) has been created in 2 min 49 sec

OK, now let's check the site is up and running. As per the notes on the marketplace, you have been provisioned a URL in the format:

http://ghost.your_cluster_id.k8s.civo.com/

The cluster ID is shown above, so for my example my address is:

http://ghost.0dc6d3a9-9046-47e3-9678-3f18ce138140.k8s.civo.com/

All being well you should now be able to open this page in a browser and see the Ghost front page.

Let's quickly set up Ghost so it's protected by a username and password.

The following URL will start the setup process:

http://ghost.0dc6d3a9-9046-47e3-9678-3f18ce138140.k8s.civo.com/ghost/

Follow the steps and you should be taken to the admin page.

Now let's switch to our new cluster by merging the context into your kube config:

civo kubernetes config ghost_demo -s --merge
kubectx ghost_demo

Always good to check you are in the right place!

kubectl get pods -n ghost

Right, now let's make this guy secure!

Applying the certificate

First we need to create an issuer, so copy and paste the below (remember to change the email address) into a new file called issuer.yml:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-ghost
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: change@me.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod-ghost
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: traefik

Now apply this:

kubectl apply -f issuer.yml

You should now see this has been created:

clusterissuer.cert-manager.io/letsencrypt-prod-ghost created

Next we need to make some changes to the ingress. Create a new file called patch.yml and paste in the following:

Remember to change the host URL to your own.

metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod-ghost
    ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
      - ghost.52482683-9e6d-48b1-b048-eab11f33f33f.k8s.civo.com
      secretName: letsencrypt-prod-ghost

Next apply the patch:

kubectl -n ghost patch ingress ghost-blog --patch "$(cat patch.yml)"

All being well you should get a confirmation of the patch.

It will take a few minutes for the certificate to be issued. You can check on the status:

kubectl get cert -n ghost

When ready you will see:

NAME                     READY   SECRET                   AGE
letsencrypt-prod-ghost   True    letsencrypt-prod-ghost   2m57s
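
If READY stays False, one thing to rule out is a host in patch.yml that is not the host the ingress actually routes: Let's Encrypt validates each host listed under spec.tls over HTTP, so a host that does not point at your cluster cannot be validated. The check below is an added example, not part of the original guide or of Civo's or cert-manager's code; the function name check_ingress_tls is hypothetical, and it assumes the ingress returned by kubectl carries its hostname under spec.rules.

```python
import json
import sys

ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"
REDIRECT_ANNOTATION = "ingress.kubernetes.io/ssl-redirect"


def check_ingress_tls(ingress, known_issuers):
    """Return a list of problems in an Ingress (parsed `kubectl ... -o json`)."""
    problems = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec") or {}
    issuer = annotations.get(ISSUER_ANNOTATION)
    if issuer is None:
        problems.append(f"missing annotation {ISSUER_ANNOTATION}")
    elif issuer not in known_issuers:
        problems.append(f"annotation names unknown ClusterIssuer {issuer}")
    if annotations.get(REDIRECT_ANNOTATION) != "true":
        problems.append("HTTP requests are not redirected to HTTPS")
    # Hosts the ingress routes vs. hosts the certificate is requested for.
    # Exact string match only; wildcard hosts are not handled in this example.
    rule_hosts = {r["host"] for r in spec.get("rules") or [] if r.get("host")}
    tls_hosts = set()
    for entry in spec.get("tls") or []:
        tls_hosts.update(entry.get("hosts") or [])
        if not entry.get("secretName"):
            problems.append("tls entry has no secretName")
    for host in sorted(rule_hosts - tls_hosts):
        problems.append(f"routed host {host} is not covered by spec.tls")
    for host in sorted(tls_hosts - rule_hosts):
        problems.append(f"tls host {host} is not routed by any rule")
    return problems


# Constructed sample: the ingress if patch.yml is applied without changing the
# host. Hostnames are the ones shown in this guide; the rule layout is assumed.
SAMPLE = {
    "metadata": {"annotations": {ISSUER_ANNOTATION: "letsencrypt-prod-ghost",
                                 REDIRECT_ANNOTATION: "true"}},
    "spec": {
        "rules": [{"host": "ghost.0dc6d3a9-9046-47e3-9678-3f18ce138140.k8s.civo.com"}],
        "tls": [{"hosts": ["ghost.52482683-9e6d-48b1-b048-eab11f33f33f.k8s.civo.com"],
                 "secretName": "letsencrypt-prod-ghost"}]},
}

if __name__ == "__main__":
    # kubectl -n ghost get ingress ghost-blog -o json | python3 this_file.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for line in check_ingress_tls(data, {"letsencrypt-prod-ghost"}) or ["ok"]:
        print(line)
```

Run without arguments it checks the constructed sample and reports the two mismatched hosts; run with `-` it reads the real ingress JSON from standard input.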

Next you can hit that URL and should get the satisfying padlock in your web browser!

Depending on your browser you may see an insecure message. This is because the default Ghost template is using images on an insecure location. This should go away once you set up your own pages and upload your own images.

I hope this guide was useful. Any comments or questions, please give me a shout on Twitter.