Docker Deployment

ctk is a single static Go binary, making it trivial to containerize.

Dockerfile

FROM golang:1.24-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /ctk ./cmd/ctk

FROM alpine:3.21
RUN apk add --no-cache ca-certificates
COPY --from=builder /ctk /usr/local/bin/ctk
ENTRYPOINT ["ctk"]
CMD ["mcp"]

Build and run:

docker build -t ctk .
docker run -i --rm \
  -e CONFLUENCE_DOMAIN=mycompany \
  -e CONFLUENCE_EMAIL=jane@example.com \
  -e CONFLUENCE_API_TOKEN=your-api-token \
  ctk

Docker Compose

stdio mode (for local MCP clients)

services:
  ctk:
    build: .
    stdin_open: true
    environment:
      - CONFLUENCE_DOMAIN=mycompany
      - CONFLUENCE_EMAIL=jane@example.com
      - CONFLUENCE_API_TOKEN=${CONFLUENCE_API_TOKEN}

HTTP Streamable mode (for remote access)

services:
  ctk:
    build: .
    command: ["mcp", "--port", "8080"]
    ports:
      - "8080:8080"
    environment:
      - CONFLUENCE_DOMAIN=mycompany
      - CONFLUENCE_EMAIL=jane@example.com
      - CONFLUENCE_API_TOKEN=${CONFLUENCE_API_TOKEN}
      - CTK_ENABLE_WRITES=true
    restart: unless-stopped

Read-only mode (production)

services:
  ctk:
    build: .
    command: ["mcp", "--port", "8080"]
    ports:
      - "8080:8080"
    env_file: .env
    restart: unless-stopped
    # CTK_ENABLE_WRITES is NOT set — all writes are blocked by default

With environment file

Create a .env file:

.env

CONFLUENCE_DOMAIN=mycompany
CONFLUENCE_EMAIL=jane@example.com
CONFLUENCE_API_TOKEN=your-api-token
CONFLUENCE_TOKEN_TYPE=classic

Caution

Never commit .env files to version control. Add .env to your .gitignore.

Kubernetes

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ctk
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ctk
  template:
    metadata:
      labels:
        app: ctk
    spec:
      containers:
      - name: ctk
        image: ctk:latest
        args: ["mcp", "--port", "8080"]
        ports:
        - containerPort: 8080
        envFrom:
        - secretRef:
            name: confluence-credentials
        env:
        - name: CTK_ENABLE_WRITES
          value: "false"
        resources:
          requests:
            memory: "32Mi"
            cpu: "50m"
          limits:
            memory: "128Mi"
            cpu: "200m"
---
apiVersion: v1
kind: Service
metadata:
  name: ctk
spec:
  selector:
    app: ctk
  ports:
  - port: 8080
    targetPort: 8080

Create the secret:

kubectl create secret generic confluence-credentials \
  --from-literal=CONFLUENCE_DOMAIN=mycompany \
  --from-literal=CONFLUENCE_EMAIL=jane@example.com \
  --from-literal=CONFLUENCE_API_TOKEN=your-api-token

Tip

ctk is a single static binary (~15MB). The Alpine-based Docker image is under 30MB, starts instantly, and uses minimal memory. No runtime dependencies.

Write Gating in Production

By default, ctk runs in read-only mode — write operations (create, update, delete, move pages) are disabled. This is ideal for production deployments where agents should only read content.

To enable writes explicitly:

environment:
  - CTK_ENABLE_WRITES=true

Disabling Tools in Production

Restrict available tools for security:

environment:
  - CTK_DISABLED_TOOLS=manage_comments,manage_attachments