From 3af99b7a8b2669b47e98c974fe34efe8b5f2004a Mon Sep 17 00:00:00 2001 From: jessebot Date: Sun, 28 Sep 2025 11:29:54 +0200 Subject: [PATCH] add precommit, add db root pw, add broken user creation script, explain more stuff in readme --- .pre-commit-config.yaml | 16 +++++++++++ README.md | 6 +++- charts/ghost/README.md | 32 +++++++++++++++++++++- charts/ghost/setup_scripts/create_users.sh | 18 ++++++++++++ charts/ghost/templates/deployment.yaml | 5 ++++ charts/ghost/templates/secret-db.yaml | 1 + charts/ghost/values.yaml | 4 +++ 7 files changed, 80 insertions(+), 2 deletions(-) create mode 100644 .pre-commit-config.yaml create mode 100644 charts/ghost/setup_scripts/create_users.sh diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..59f4f26 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,16 @@ +repos: + # update the chart README.md with the comments from values.yaml + - repo: https://github.com/norwoodj/helm-docs + rev: v1.2.0 + hooks: + - id: helm-docs + # helm lint and markdown link verifier + - repo: https://github.com/gruntwork-io/pre-commit + rev: v0.1.22 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases + hooks: + - id: helmlint + # detect any secrets that may be committed before they're committed + - repo: https://github.com/gitleaks/gitleaks + rev: v8.17.0 + hooks: + - id: gitleaks diff --git a/README.md b/README.md index 21b7f14..c516887 100644 --- a/README.md +++ b/README.md @@ -2,4 +2,8 @@ Yet another [ghost](https://ghost.org/) helm chart. This one is licensed AGPL 3 We deploy: -- deployment for ghost docker container +- Deployment for [ghost](https://hub.docker.com/_/ghost) docker image +- Secrets: + - database credentials + - smtp credentials + - admin credentials (these don't do anything yet, but you can set them for your own automation) diff --git a/charts/ghost/README.md b/charts/ghost/README.md index bd986e1..64a681c 100644 --- a/charts/ghost/README.md 
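Review bot: The three hooks in the new `.pre-commit-config.yaml` are pinned by tag (`rev: v1.2.0`, `rev: v0.1.22`, `rev: v8.17.0`), and a tag can be moved after the fact; for tooling that reads every staged file, pinning `rev` to the tag's commit SHA with the tag kept as a comment is the stronger supply-chain control, e.g. `rev: <commit-sha-of-v8.17.0>  # v8.17.0`. The comment above the gruntwork entry promises "helm lint and markdown link verifier", but only `helmlint` is enabled, so either trim the comment or add the repo's markdown-link-check hook (if I recall its hook list correctly). The same repo also ships a shellcheck hook; given that this commit adds `charts/ghost/setup_scripts/create_users.sh` with an undefined `${port}` and a bare JSON fragment, enabling it here would have caught both before commit.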
+++ b/charts/ghost/README.md 
@@ -10,12 +10,42 @@ A Helm chart for deploying Ghost on Kubernetes
 |-----|------|---------|-------------|
 | affinity | object | `{}` | |
 | autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/ |
+| externalDatabase.database | string | `""` | database name. ignored if existingSecret not "" |
+| externalDatabase.existingSecret | string | `""` | existing kubernetes secret for your external Database |
+| externalDatabase.host | string | `""` | database hostname. ignored if existingSecret not "" |
+| externalDatabase.password | string | `""` | database password. ignored if existingSecret not "" |
+| externalDatabase.port | string | `""` | database port. ignored if existingSecret not "" |
+| externalDatabase.root_password | string | `""` | database root password. ignored if existingSecret not "" |
+| externalDatabase.secretKeys.database | string | `""` | secret key in your existing k8s secret for the database name |
 | externalDatabase.secretKeys.hostname | string | `""` | secret key in your existing k8s secret for the database hostname |
 | externalDatabase.secretKeys.password | string | `""` | secret key in your existing k8s secret for the database password |
 | externalDatabase.secretKeys.port | string | `""` | secret key in your existing k8s secret for the database port |
+| externalDatabase.secretKeys.root_password | string | `""` | secret key in your existing k8s secret for the database root password |
 | externalDatabase.secretKeys.username | string | `""` | secret key in your existing k8s secret for the database username |
-| externalDatabase.secretName | string | `""` | existing kubernetes secret for your external Database |
+| externalDatabase.username | string | `""` | database username. ignored if existingSecret not "" |
 | fullnameOverride | string | `""` | fullname Override |
+| ghost.admin.email | string | `""` | admin email. ignored if existingSecret not "" |
+| ghost.admin.existingSecret | string | `""` | existing kubernetes secret with ghost admin credentials |
+| ghost.admin.password | string | `""` | admin password. ignored if existingSecret not "" |
+| ghost.admin.secretKeys.email | string | `""` | Key in existing Kubernetes Secret with the admin email. |
+| ghost.admin.secretKeys.password | string | `""` | Key in existing Kubernetes Secret with the admin password. |
+| ghost.admin.secretKeys.username | string | `""` | Key in existing Kubernetes Secret with the admin username. |
+| ghost.admin.username | string | `""` | admin username. ignored if existingSecret not "" |
+| ghost.blog_title | string | `""` | title of your ghost blog |
+| ghost.enable_https | string | `""` | enable HTTPS for the ghost blog |
+| ghost.host | string | `""` | hostname of the ghost blog |
+| ghost.skip_bootstrap | string | `""` | skip install of ghost at pod restart |
+| ghost.smtp.existingSecret | string | `""` | existing kubernetes secret with ghost smtp credentials |
+| ghost.smtp.host | string | `""` | smtp hostname. ignored if existingSecret not "" |
+| ghost.smtp.password | string | `""` | smtp password. ignored if existingSecret not "" |
+| ghost.smtp.port | string | `""` | smtp port. ignored if existingSecret not "" |
+| ghost.smtp.protocol | string | `""` | smtp protocol. ignored if existingSecret not "" |
+| ghost.smtp.secretKeys.host | string | `""` | Key in existing Kubernetes Secret with the smtp host. |
+| ghost.smtp.secretKeys.password | string | `""` | Key in existing Kubernetes Secret with the smtp password. |
+| ghost.smtp.secretKeys.port | string | `""` | Key in existing Kubernetes Secret with the smtp port. |
+| ghost.smtp.secretKeys.protocol | string | `""` | Key in existing Kubernetes Secret with the smtp protocol. |
+| ghost.smtp.secretKeys.username | string | `""` | Key in existing Kubernetes Secret with the smtp username. |
+| ghost.smtp.username | string | `""` | smtp username. ignored if existingSecret not "" |
 | image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. |
 | image.repository | string | `"ghost"` | image repo |
 | image.tag | string | `""` | |
diff --git a/charts/ghost/setup_scripts/create_users.sh b/charts/ghost/setup_scripts/create_users.sh
new file mode 100644
index 0000000..361a000
--- /dev/null
+++ b/charts/ghost/setup_scripts/create_users.sh
@@ -0,0 +1,18 @@
+# Ghost API documentation: https://ghost.org/docs/admin-api/
+
+# url to initialize setup
+SETUP_URL="http://127.0.0.1:${port}/ghost/api/v3/admin/authentication/setup/"
+
+# required for api calls to ghost
+curl_opts=(
+ "--silent"
+ "-H" "Content-Type: application/json"
+ "-H" "Cache-Control: no-cache"
+ )
+
+"setup": [{
+ "name": "${GHOST_USERNAME}",
+ "email": "${GHOST_EMAIL}",
+ "password": "${GHOST_PASSWORD}",
+ "blogTitle": "${GHOST_BLOG_TITLE}"
+ }]
diff --git a/charts/ghost/templates/deployment.yaml b/charts/ghost/templates/deployment.yaml
index 7f64a04..3e50773 100644
--- a/charts/ghost/templates/deployment.yaml
+++ b/charts/ghost/templates/deployment.yaml
@@ -79,6 +79,11 @@ spec:
 secretKeyRef:
 name: {{ .Values.externalDatabase.existingSecret }}
 key: {{ .Values.externalDatabase.secretKeys.password }}
+ - name: DATABASE_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.externalDatabase.existingSecret }}
+ key: {{ .Values.externalDatabase.secretKeys.root_password }}
 {{ end }}
 {{ if .Values.ghost.smtp.existingSecret }}
 - name: mail__options__host
diff --git a/charts/ghost/templates/secret-db.yaml b/charts/ghost/templates/secret-db.yaml
index 16ab292..45f9237 100644
--- a/charts/ghost/templates/secret-db.yaml
+++ b/charts/ghost/templates/secret-db.yaml
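Review bot: The fragment starting at `"setup": [{` is not inside any quoting or command, so the shell tries to execute `"setup":` as a command name and the script dies there; nothing ever invokes curl, and `${port}` is never set (every other input is a `GHOST_*` variable), so `SETUP_URL` would render as `http://127.0.0.1:/ghost/...` even if the rest ran. I would add a shebang and `set -euo pipefail` so an unset `${port}` fails loudly, build the body with a heredoc, feed it to curl on stdin rather than the command line (keeps the password out of the process list), and pass `--fail` so a non-2xx setup response is not silently ignored. The values are interpolated into JSON verbatim, so a password containing `"` or `\` still produces an invalid document; either reject those characters up front or build the body with a JSON-aware tool if the image has one. The file is new, so the fence below is the whole script minus the unchanged `SETUP_URL` and `curl_opts` lines.
```shell
#!/usr/bin/env bash
# Ghost API documentation: https://ghost.org/docs/admin-api/
set -euo pipefail

# … unchanged: SETUP_URL and curl_opts …

# JSON body for the one-time setup call. Values are inserted verbatim:
# a double quote or backslash in any of them breaks the document.
payload=$(cat <<EOF
{"setup": [{
  "name": "${GHOST_USERNAME}",
  "email": "${GHOST_EMAIL}",
  "password": "${GHOST_PASSWORD}",
  "blogTitle": "${GHOST_BLOG_TITLE}"
}]}
EOF
)

# --fail turns an HTTP error response into a non-zero exit; the body goes
# over stdin so credentials never appear in the curl command line.
printf '%s' "${payload}" | curl --fail "${curl_opts[@]}" -X POST --data-binary @- "${SETUP_URL}"
```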
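Review bot: The new `DATABASE_ROOT_PASSWORD` entry sits inside the `{{ if .Values.externalDatabase.existingSecret }}` branch and references `.Values.externalDatabase.secretKeys.root_password` unconditionally, which defaults to `""` in values.yaml; existing users of an external secret who never add that key now get a rendered `key:` with no value, which as far as I know Kubernetes rejects at install time or, at best, leaves the pod unable to start. Guard the five lines with `{{ if .Values.externalDatabase.secretKeys.root_password }}` … `{{ end }}`, or add `optional: true` to the new `secretKeyRef` so a missing key is tolerated. Separately, this hands the database root credential to the long-running Ghost container, which only needs its own `database__connection__*` user, and nothing in this patch consumes the variable yet; scoping it to whatever setup step ends up needing it (an initContainer or Job) keeps the application container at least privilege. The env list continues outside the hunk.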
@@ -12,4 +12,5 @@ data:
 database__connection__database: {{ .Values.externalDatabase.database | b64enc }}
 database__connection__user: {{ .Values.externalDatabase.username | b64enc }}
 database__connection__password: {{ .Values.externalDatabase.password | b64enc }}
+ DATABASE_ROOT_PASSWORD: {{ .Values.externalDatabase.root_password | b64enc }}
 {{- end }}
diff --git a/charts/ghost/values.yaml b/charts/ghost/values.yaml
index f6cbf29..65f6544 100644
--- a/charts/ghost/values.yaml
+++ b/charts/ghost/values.yaml
@@ -137,6 +137,8 @@ externalDatabase:
 username: ""
 # -- database password. ignored if existingSecret not ""
 password: ""
+ # -- database root password. ignored if existingSecret not ""
+ root_password: ""
 # -- existing kubernetes secret for your external Database
 existingSecret: ""
 secretKeys:
@@ -148,6 +150,8 @@ externalDatabase:
 username: ""
 # -- secret key in your existing k8s secret for the database password
 password: ""
+ # -- secret key in your existing k8s secret for the database root password
+ root_password: ""
 # -- secret key in your existing k8s secret for the database name
 database: ""
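Review bot: `DATABASE_ROOT_PASSWORD` is rendered into the chart-managed Secret unconditionally, so with the default `root_password: ""` every release now carries an empty root-password key alongside the application credentials, and any future consumer reading it receives `""` instead of a clear absence. Wrapping the line in `{{- if .Values.externalDatabase.root_password }}` … `{{- end }}` keeps the key out of the Secret unless a value was actually supplied, which also makes the Secret's contents honest about whether root credentials are present. The `data:` block begins outside the hunk.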
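Review bot: The `# --` comment on the new `root_password` key (in both the `externalDatabase.root_password` hunk and the `secretKeys.root_password` hunk) says only that it is ignored when `existingSecret` is set, not what the chart does with a root credential or whether leaving it empty is safe; as far as this patch shows it is only copied into a Secret and an env var. Since helm-docs lifts these comments straight into the README table, I would make the first one say something like `# -- database root password, optional; currently only exposed to the pod as DATABASE_ROOT_PASSWORD. ignored if existingSecret not ""` and mirror that on the `secretKeys` entry, adjusting the wording once an actual consumer exists.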