About this article
In this article we will be using the provided Terraform scripts to configure and create the Kubernetes cluster and resources required to run the Email Signature Server.
- Installation steps from Azure Cloud Shell
- Configure Standard Azure Load Balancer
- Upload the secrets to the Kubernetes cluster
- Activate the replica set
- Configure Azure Storage blob Shared Access
The following resources will be created by the Terraform scripts:
- Service principal, this is required for the Kubernetes cluster to access the Azure resources.
- Resource group, the Kubernetes cluster, Storage account, and Log analytics resources will be created here.
- Node resource group, MC_<Original Resource Group Name>_<Kubernetes Cluster Name>_<Location>
- Kubernetes cluster, this is required to host the email signature server component.
- Log analytics, from here the performance of the Kubernetes cluster can be monitored.
- Storage account, this is where the email signature generated from Templafy will be stored.
Installation steps from Azure Cloud Shell
These steps are based on the
Log in to Azure portal.
Start Cloud Shell
- The first time you are using Cloud Shell you need to create a storage account for Cloud Shell. It is used to persist files.
- When prompted to choose Bash or PowerShell choose
Read more here: https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart
Set the default subscription to the one all resources should be created under, with the following command:
az account set --subscription <subscription name or id>
In Cloud Shell navigate to clouddrive by using the following command:
Create a new directory which will host the terraform files:
Change to this directory
Download and extract the terraform-root.zip file:
curl https://templafydownload.blob.core.windows.net/delivery/ESS/terraform-root.zip > terraform-root.zip
Open the editor by executing the following command:
Select the configuration file input.auto.tfvars and edit the variables based on your environment.
Remember to save the file before moving on to the next step. (Ctrl-S)
office365ApplicationId is the Application Id assigned in the app registration (Step 2. Configure access to mailboxes)
office365SmtpServerHostname can be retrieved from the Exchange admin portal by accessing https://admin.microsoft.com/AdminPortal/Home#/Domains and selecting the default domain.
From here we need the address with the MX type:
This value can also be confirmed by entering the domain in https://mxtoolbox.com
https://login.microsoftonline.com/<your Primary Domain or Tenant ID>
Initialize terraform by running the following command to download the required providers:
Run terraform plan to create an execution plan (it will not change anything yet):
terraform plan -out out.plan
Apply the changes by running:
terraform apply out.plan
The output will display the public IP on which the email signature server is listening.
Save the value of the email_signature_server_public_ip field for the next steps.
If the SPF record for your organization ends with " -all" (hard fail) then you will need to add the Email Signature Server public IP address to the SPF record.
nslookup -type=txt <your primary domain>
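The SPF check described above, as an added example that is not part of the original article: a POSIX shell function that takes the TXT record text returned by the lookup and the email_signature_server_public_ip value, and reports whether the IP still has to be added. The function names, the sample record and the 203.0.113.x addresses are constructed for illustration; only top-level ip4 mechanisms are inspected, so ranges reached through include: are not followed.

```shell
#!/bin/sh
# Added example, not from the original article. All names are hypothetical.

# Dotted IPv4 address -> 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeeds if address $1 lies inside ip4 value $2 ("a.b.c.d" or "a.b.c.d/nn").
ip4_covers() {
  net=${2%/*}
  case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
  case $bits in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# $1 = SPF TXT record without surrounding quotes, $2 = ESS public IP.
# Prints: no-spf | not-hardfail | covered | add-ip
spf_status() (
  set -f   # split the record on spaces without filename globbing
  case $1 in
    v=spf1*" -all") ;;                       # hard fail: keep checking
    v=spf1*) echo not-hardfail; exit 0 ;;    # ~all, ?all or no all term
    *) echo no-spf; exit 0 ;;                # some other TXT record
  esac
  for term in $1; do
    case $term in
      ip4:*|+ip4:*) ip4_covers "$2" "${term#*ip4:}" && { echo covered; exit 0; } ;;
    esac
  done
  echo add-ip
)

# Constructed sample record and documentation-range address.
spf_status "v=spf1 include:spf.protection.outlook.com -all" 203.0.113.10
```

A result of add-ip means the record is hard fail and no top-level ip4 term contains the address; covered means an existing ip4 term already includes it.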
The created resources can be seen in Azure Portal, under the chosen resource group.
Configure Standard Azure Load Balancer
Go to portal.azure.com
Select the generated node resource group for the Kubernetes cluster. It has the following format: MC_<Cluster Resource Group Name>_<Cluster Name>_<Location>
Select the Public IP address for the cluster; it should be named templafy-emailsignatureserver
Click Properties under the Settings section
Copy the Resource ID
In the Cloud Shell fill in and run the following command, <resource group> here is the resource_group_name set in the
az aks update --name templafyemailsignatureserver --resource-group <resource group> --load-balancer-outbound-ips <Public IP Resource ID>
Upload the secrets to the Kubernetes cluster
Run the following commands on the machine, and in the directory, containing the certificates:
az aks get-credentials --name templafyemailsignatureserver --resource-group <resource_group>
kubectl config set-context templafyemailsignatureserver --namespace=templafy-emailsignature
kubectl create secret generic templafysecrets --from-file=azureAppRegistrationCertificatePassword=./azureAppRegistrationCertificatePassword --from-file=azureAppRegistrationCertificate.pfx=./azureAppRegistrationCertificate.pfx --from-file=smtpTlsCertificatePassword=./smtpTlsCertificatePassword --from-file=smtpTlsCertificate.pfx=./smtpTlsCertificate.pfx
Activate the replica set
- Run the following command in the same session used for the secrets commands above:
kubectl scale --current-replicas=0 --replicas=1 deployment/email-signature-server-deployment
- Verify pod creation:
kubectl get pods
Configure Azure Storage blob Shared Access
Still in the Azure Portal, click on the newly created Storage account
Storage Explorer (preview)
Get Shared Access Signature
Set the Expiry time to a date far in the future; year 2050+
Select Permissions: Read, Write, Delete, List
Copy the URI and save it for use in Step 4. Configure Templafy