- Create the resources required to run the Email Signature Server in a Kubernetes cluster
- Install and run Email Signature Server on the created resources
The resources that are going to be created automatically by the terraform script are the following:
- Service principal, this is required for the Kubernetes cluster to access the azure resources.
- Resource group, all the created resources will be stored in this resource group.
Note that Kubernetes cluster will also generate another resource group with a similar format:
MC_<Original Resource Group Name>_<Kubernetes Cluster Name>_<Location>
- Kubernetes cluster, this is required to host the email signature server component.
- Log analytics, from here the performance of the Kubernetes cluster can be monitored.
- Storage account, this is where the email signature generated from Templafy will be stored.
The Terraform files provided by Templafy (here)
Admin access to Azure Portal. The account needs to have rights to create service principals.
Certificates for encrypted communication.
- It is possible to use existing certificates or to create self-signed ones by following Step 1. Configure certificates.
- When creating self-signed certificates it will generate a pfx file with a specified password.
- Save the password in text file and duplicate the pfx file and password text file so there will be two pfx files and two password files.
- The pfx and password files (either existing or generated) need to have the following names:
azureAppRegistrationCertificate.pfx azureAppRegistrationCertificatePassword smtpTlsCertificate.pfx smtpTlsCertificatePassword
Installation steps from Azure Cloud Shell
Note: These steps are based on the
bash version of Cloud Shell
Log in to Azure portal.
Start Cloud Shell
- The first time you are using Cloud Shell you need to create a storage account for Cloud Shell. It is used to persist files.
- When prompted to choose bash or powershell choose
Read more here: https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart
Set the default subscription to the one all resources should be created under, with the following command:
az account set --subscription <subscription name or id>
In Cloud Shell navigate to
clouddriveby using the following command:
Create a new directory which will host the terraform files:
Go to 'Upload/Download' and choose 'Manage file share'. (see picture) This will open the file browser, which you can use to upload the extracted terraform files:
Upload the extracted terraform files to the terraform directory. (See Prerequisites)
Go back to the Cloud Shell, open the editor by executing the following command:
Open the configuration file
input.auto.tfvarsand edit the variables based on your environment.
Remember to save the file before moving on to the next step.
office365ApplicationIdis the Application Id assigned in the app registration
(Step 2. Configure access to mailboxes)
office365SmtpServerHostnamecan be retrieved from the exchange admin portal, by accessing https://admin.microsoft.com/AdminPortal/Home#/Domains and selecting the default domain.
From here we need the address with the MX type:
This value can also be confirmed by entering the domain in https://mxtoolbox.com
Initialize terraform by running the following command to download the required providers:
Run terraform plan to create an execution plan (it will not change anything yet):
terraform plan -out out.plan
Apply the changes by running:
terraform apply out.plan
The output result will display the public IP on which the email signature server is listening on.
Look for the value of the email_signature_server_public_ip field.
The created resources can be seen in Azure Portal, under the chosen resource group.
Configure Standard Azure Load Balancer
Go to portal.azure.com
Select the generated resource group for the kubernetes cluster, it has the following format `MC_<Cluster resource Group Name><Cluster Name><Location>
Select the Load balancer, it should be a single one named
Select aksOutboundRule in the left pane
For the Frontend IP address select the Public IP address that matches what the terraform script output earlier. Deselect any other IP address.
Upload the secrets to the Kubernetes cluster
Run the following commands on the directory in which the certificates were generated:
az aks get-credentials --name templafyemailsignatureserver --resource-group <resource_group>
kubectl config set-context templafyemailsignatureserver --namespace=templafy-emailsignature
kubectl create secret generic templafysecrets --from-file=azureAppRegistrationCertificatePassword=./azureAppRegistrationCertificatePassword --from-file=azureAppRegistrationCertificate.pfx=./azureAppRegistrationCertificate.pfx --from-file=smtpTlsCertificatePassword=./smtpTlsCertificatePassword --from-file=smtpTlsCertificate.pfx=./smtpTlsCertificate.pfx
Configure Azure Storage blob Shared Access
Still in the Azure Portal, click on the newly created Storage account
Storage Explorer (preview)
Get Shared Access Signature
Set the Expiry time to a date far in the future; year 2050+
Select Permissions: Read, Write, Delete, List
Copy the URI and save it for use in Step 4. Configure Templafy