Community for SRE, DevOps, Cloud Native, GNU/Linux, and more. 🌎
This repository implements Ghost CMS v5.xx.x from @TryGhost (upstream) on Kubernetes, with our custom image, which has significant improvements to be used on Kubernetes. See this whole README for more information.
We've made some significant updates to improve the security and efficiency of our Ghost implementation on Kubernetes:
- Multi-arch support: The images are now multi-arch, with support for amd64 and arm64.
- Distroless Image: We use @GoogleContainerTools's Distroless NodeJS as the execution environment for the final image. Distroless images are minimal images that contain only the necessary components to run the application, making them more secure and efficient than traditional images.
- MySQL StatefulSet: We've changed the MySQL implementation to a StatefulSet. This provides stable network identifiers and persistent storage, which is important for databases like MySQL that need to maintain state.
- Init Container: We've added an init container to the Ghost deployment. This container is responsible for setting up the necessary configuration files and directories before the main Ghost container starts, ensuring the right directories are created, correct ownership for user node inside distroless container UID/GID to 1000:1000. Check deploy/06-ghost-deployment.yaml for details on these changes.
- Entrypoint Script: We've introduced a new entrypoint script that runs as the non-privileged user inside the distroless container. This script is responsible for updating the default themes then starts the Ghost application. This script is executed by the Node user without privileges within the Distroless container, which updates default themes and starts the Ghost application, operation which is performed into the distroless container itself. entrypoint.js
- ARM64 Support!
- We use the official Node 20 Iron Bookworm image as our build environment. Dockerfile
- We introduce a multi-stage build, which reduces the final image size, and improves security by removing unnecessary components from the final image.
- Distroless Node 20 Debian 12 as our runtime environment for the final stage of the image.
- Removed gosu, now everything runs as the default Node user (UID 1000:GID 1000) inside the Distroless container. This change itself reduces 2 critical vulnerabilities and 33 high vulnerabilities reported by Docker Scout in the original Ghost image (References: Ghost Official Image and Ghost on Kubernetes Image on Docker Hub at the time of writing).
- New Entrypoint flow, using a Node.js script executed by the Node user without privileges within the Distroless container, which updates default themes and starts the Ghost application, operation which is performed into the distroless container itself.
- We use the latest version of Ghost 5 (when the image is built).
- Images are now multi-arch, with support for amd64 and arm64 (link to discussion)
# Clone the repository
git clone https://github.com/sredevopsorg/ghost-on-kubernetes.git --depth 1 --branch main --single-branch --no-tags
# Change directory
cd ghost-on-kubernetes
# Create a new branch for your changes (optional but recommended).
git checkout -b my-branch --no-track --detach
- There are some example configuration files in the examples directory. We use the stored configuration as a
kind: Secret
in theghost-on-kubernetes
namespace for Ghost and MySQL configuration. There are two example configuration files:config.development.sample.yaml
: This configuration file is for the Ghost development environment. It uses SQLite as the database. It can be useful if you want to test the Ghost configuration before implementing it in a production environment.config.production.sample.yaml
: This configuration file is for the Ghost production environment. It uses MySQL 8, and is the recommended configuration for production environments. It requires a valid top-level domain (TLD) and configuration for Ingress to access Ghost from the Internet.
- If you need more information on the configuration, check the official Ghost documentation.
deploy/00-namespace.yaml
# Change the namespace according to your needsdeploy/01-secrets.yaml
# deploy/01-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysql-ghost-on-kubernetes
namespace: ghost-on-kubernetes
type: Opaque
stringData:
MYSQL_DATABASE: mysql-db-name # Same as in deploy/04-config.production.yaml
MYSQL_USER: mysql-db-user # Same as in deploy/04-config.production.yaml
MYSQL_PASSWORD: mysql-db-password # Same as in deploy/04-config.production.yaml
MYSQL_ROOT_PASSWORD: mysql-db-root-password # Same as in deploy/04-config.production.yaml
deploy/02-pvc.yaml
# Change the storageClassName according to your needsdeploy/03-services.yaml
# Change the hosts according to your needsdeploy/04-config.production.yaml
# Change the values according to the secrets and servicesdeploy/05-mysql.yaml
# Change the values according to the secrets and servicesdeploy/06-ghost-deployment.yaml
# Change the values according to the secrets and servicesdeploy/07-ingress.yaml
# Optional
# Before applying the manifests, make sure you are in the root directory of the repository
# 🚨 Be sure to not change the filenames, also be sure to modify the files according to your needs before applying them.
# Why? Just because we need to deploy them in order. If you change the filenames, you will need to apply them one by one in the correct order.
kubectl apply -f ./deploy
# Get the ingress IP, if you have configured the Ingress
kubectl get ingress -n ghost-on-kubernetes -o wide
# Alternatively, create a port-forwarding rule to access the Ghost CMS
kubectl port-forward -n ghost-on-kubernetes service/service-ghost-on-kubernetes 2368:2368
- http://localhost:2368 (if you used the port-forwarding method)
- http://your-ghost-domain.com (if you used the Ingress method)
- http://localhost:2368/ghost (if you used the port-forwarding method)
- http://your-ghost-domain.com/ghost (if you used the Ingress method)
We welcome contributions from the community! Please check the CONTRIBUTING.md file for more information on how to contribute to this project.
- This project is licensed under the GNU General Public License v3.0. Please check the LICENSE file for more information.
- The Ghost CMS is licensed under the MIT License.
- The node:20 image and the Distroless image are licensed by their respective owners.