You could use Helm or just a simple YAML manifest, since this is small. Setting up SSL is an exercise left to the reader (use cert-manager); until that is done, the manifests below serve the blog over plain HTTP. I use a CNAME for the ingress rule that points to the worker node(s).

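# Single-replica Ghost blog; content is persisted on the blog-content claim.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: blog
  labels:
    app: blog
spec:
  replicas: 1
  selector:
    matchLabels:
      app: blog
  template:
    metadata:
      labels:
        app: blog
    spec:
      # Nothing in this manifest needs the Kubernetes API, so keep the
      # service account token out of the pod (least privilege).
      automountServiceAccountToken: false
      containers:
      - name: blog
        # A tag can be re-pushed with different content. For reproducible
        # deploys pin the digest as well, e.g.
        # ghost:3.2-alpine@sha256:<digest>  (placeholder, fill in your own).
        image: ghost:3.2-alpine
        securityContext:
          # Processes in the container cannot gain privileges beyond those
          # they start with (sets no_new_privs).
          allowPrivilegeEscalation: false
        # NOTE(review): no resources.requests/limits are set; add values
        # sized for your node so the pod cannot starve its neighbours.
        volumeMounts:
        - mountPath: /var/lib/ghost/content
          name: content
        ports:
        - containerPort: 2368
        env:
        # Public URL of the site. Change the scheme to https:// once TLS is
        # terminated at the ingress, so the site is not advertised over
        # plain HTTP.
        - name: url
          value: 'http://hello.teada.net'
      volumes:
      - name: content
        persistentVolumeClaim:
          claimName: blog-content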
---
# In-cluster Service for the blog: port 80 forwards to port 2368 on pods
# labelled app=blog. ClusterIP means it is not reachable from outside the
# cluster on its own.
apiVersion: v1
kind: Service
metadata:
  name: blog
spec:
  selector:
    app: blog
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 2368
    protocol: TCP
---
# 1Gi claim that the blog Deployment mounts at /var/lib/ghost/content.
# NOTE(review): the local-path class presumably keeps the data on a single
# node's disk; confirm, and plan backups of the blog content accordingly.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: blog-content
spec:
  storageClassName: local-path
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
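# Routes hello.teada.net to the blog Service on port 80.
# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; the v1
# schema used here needs Kubernetes 1.19 or newer.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello
spec:
  # No tls section is defined, so this host is served over plain HTTP and
  # blog admin logins cross the network unencrypted. Once cert-manager has
  # issued a certificate, enable something like:
  # tls:
  # - hosts:
  #   - hello.teada.net
  #   secretName: <tls-secret-name>  # placeholder
  rules:
  - host: hello.teada.net
    http:
      paths:
      - path: /
        # pathType is mandatory in the v1 API; Prefix on "/" matches every
        # request path.
        pathType: Prefix
        backend:
          service:
            name: blog
            port:
              number: 80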