- Create the resources required to run the Email Signature Server in a Kubernetes cluster
- Install and run Email Signature Server on the created resources
The resources that are going to be created automatically by the terraform script are the following:
- Service principal, this is required for the Kubernetes cluster to access the Azure resources.
- Resource group, the Kubernetes cluster, Storage account, and Log analytics resources will be created here.
- Node resource group, with the following format: MC_<Original Resource Group Name>_<Kubernetes Cluster Name>_<Location>
- Kubernetes cluster, this is required to host the email signature server component.
- Log analytics, from here the performance of the Kubernetes cluster can be monitored.
- Storage account, this is where the email signature generated from Templafy will be stored.
The Terraform files provided by Templafy (here)
Admin access to Azure Portal. The account needs to have rights to create service principals.
- Azure CLI on the local machine to be used during implementation.
- Azure Kubernetes Services CLI
az aks install-cli
Certificates for encrypted communication.
- It is possible to use existing certificates or to create self-signed ones by following Step 1. Configure certificates.
- Creating self-signed certificates generates two pfx files protected with a specified password, and two files containing the passwords for the corresponding pfx files.
- The pfx and password files (either existing or generated) need to have the following names:
azureAppRegistrationCertificate.pfx
azureAppRegistrationCertificatePassword
smtpTlsCertificate.pfx
smtpTlsCertificatePassword
Installation steps from Azure Cloud Shell
Note: These steps are based on the Bash version of Cloud Shell.
Log in to Azure portal.
Start Cloud Shell
- The first time you are using Cloud Shell you need to create a storage account for Cloud Shell. It is used to persist files.
- When prompted to choose Bash or PowerShell choose
Read more here: https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart
Set the default subscription to the one all resources should be created under, with the following command:
az account set --subscription <subscription name or id>
In Cloud Shell navigate to clouddrive by using the following command:
Create a new directory which will host the terraform files:
Change to this directory
Download and extract the terraform-root.zip file:
curl https://templafydownload.blob.core.windows.net/delivery/ESS/terraform-root.zip > terraform-root.zip
Open the editor by executing the following command:
Select the configuration file input.auto.tfvars and edit the variables based on your environment.
Remember to save the file before moving on to the next step. (Ctrl-S)
office365ApplicationId is the Application Id assigned in the app registration (Step 2. Configure access to mailboxes).
office365SmtpServerHostname can be retrieved from the Exchange admin portal, by accessing https://admin.microsoft.com/AdminPortal/Home#/Domains and selecting the default domain.
From here we need the address with the MX type:
This value can also be confirmed by entering the domain in https://mxtoolbox.com
https://login.microsoftonline.com/<your Primary Domain or Tenant ID>
Initialize terraform by running the following command to download the required providers:
Run terraform plan to create an execution plan (it will not change anything yet):
terraform plan -out out.plan
Apply the changes by running:
terraform apply out.plan
The output will display the public IP on which the email signature server is listening.
Look for the value of the email_signature_server_public_ip field.
The created resources can be seen in Azure Portal, under the chosen resource group.
Configure Standard Azure Load Balancer
Go to portal.azure.com
Select the generated node resource group for the Kubernetes cluster. It has the following format: MC_<Cluster Resource Group Name>_<Cluster Name>_<Location>
Select the Public IP address for the cluster, it should be named templafy-emailsignatureserver
Click Properties under the Settings section
Copy the Resource ID
In the Cloud Shell fill in and run the following command, <resource group> here is the resource_group_name set in the
az aks update --name templafyemailsignatureserver --resource-group <resource group> --load-balancer-outbound-ips <Public IP Resource ID>
Upload the secrets to the Kubernetes cluster
Run the following commands on the machine and in the directory containing the certificates:
az aks get-credentials --name templafyemailsignatureserver --resource-group <resource_group>
kubectl config set-context templafyemailsignatureserver --namespace=templafy-emailsignature
kubectl create secret generic templafysecrets --from-file=azureAppRegistrationCertificatePassword=./azureAppRegistrationCertificatePassword --from-file=azureAppRegistrationCertificate.pfx=./azureAppRegistrationCertificate.pfx --from-file=smtpTlsCertificatePassword=./smtpTlsCertificatePassword --from-file=smtpTlsCertificate.pfx=./smtpTlsCertificate.pfx
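A pre-flight check for the four files the `kubectl create secret` command above reads, added here as an example and not part of Templafy's instructions. The function names and the `CERT_DIR` variable are hypothetical, and treating a trailing newline in a password file as a problem is an assumption (the page does not say whether the server trims it).

```shell
#!/bin/sh
# Added example (not Templafy's code): pre-flight check for the files that
# `kubectl create secret generic templafysecrets --from-file=...` reads.
# The four names come from the page; function names are hypothetical.
REQUIRED_FILES='azureAppRegistrationCertificate.pfx
azureAppRegistrationCertificatePassword
smtpTlsCertificate.pfx
smtpTlsCertificatePassword'

# Return 0 if the file is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Print one line per problem found in directory $1; return the problem count.
check_secret_files() {
    dir=$1
    problems=0
    for name in $REQUIRED_FILES; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING: $name"; problems=$((problems + 1)); continue
        fi
        if [ ! -s "$path" ]; then
            echo "EMPTY: $name"; problems=$((problems + 1)); continue
        fi
        case $name in
            *Password)
                # --from-file stores file bytes verbatim, newline included.
                # Assumption: a trailing newline is unintended here.
                if ends_with_newline "$path"; then
                    echo "TRAILING NEWLINE: $name"; problems=$((problems + 1))
                fi ;;
        esac
    done
    return "$problems"
}

# Runs only when CERT_DIR is set, e.g. CERT_DIR=. sh preflight.sh
if [ -n "${CERT_DIR:-}" ]; then
    check_secret_files "$CERT_DIR" || echo "Fix the above before creating the secret."
fi
```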
Activate the replica set
- Run the following command in the same session used for the secrets commands above:
kubectl scale --current-replicas=0 --replicas=1 deployment/email-signature-server-deployment
- Verify pod creation:
kubectl get pods
Configure Azure Storage blob Shared Access
Still in the Azure Portal, click on the newly created Storage account
Storage Explorer (preview)
Get Shared Access Signature
Set the Expiry time to a date far in the future; year 2050+
Select Permissions: Read, Write, Delete, List
Copy the URI and save it for use in Step 4. Configure Templafy
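To confirm that the copied URI carries exactly the permissions selected above and the intended expiry, the SAS query string can be inspected before it is saved. This is an added example, not part of Templafy's instructions; the function names are hypothetical and the URI is constructed sample data, not a real token.

```shell
#!/bin/sh
# Added example: inspect a blob SAS URI before saving it for Templafy.
# Constructed sample URI; account, container and sig are placeholders.
SAMPLE_SAS='https://exampleacct.blob.core.windows.net/signatures?sv=2020-08-04&sr=c&sp=rwdl&se=2050-01-01T00%3A00%3A00Z&spr=https&sig=CONSTRUCTED'

# Print the value of one query parameter from a SAS URI (empty if absent).
# $1 = URI, $2 = parameter name
sas_param() {
    printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Succeed only if sp holds exactly the permissions the page selects:
# Read (r), Write (w), Delete (d), List (l), in any order.
sas_perms_match() {
    sp=$(sas_param "$1" sp)
    sorted=$(printf '%s' "$sp" | fold -w1 | sort | tr -d '\n')
    [ "$sorted" = "dlrw" ]
}

# Print the four-digit year of the se (signed expiry) field.
sas_expiry_year() {
    sas_param "$1" se | cut -c1-4
}

# Summarise the fields worth reviewing; the sig value is never printed.
sas_summary() {
    printf 'permissions=%s expiry=%s protocol=%s\n' \
        "$(sas_param "$1" sp)" "$(sas_param "$1" se)" "$(sas_param "$1" spr)"
}

sas_summary "$SAMPLE_SAS"
```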