Configure a new Email Signature Server in Kubernetes

About this article

In this article we will be using the provided Terraform scripts to configure and create the Kubernetes cluster and resources required to run the Email Signature Server.

• Installation steps from Azure Cloud Shell
• Configure Standard Azure Load Balancer
• Upload the secrets to the Kubernetes cluster
• Activate the replica set
• Create Azure Blob storage Shared Access Signature

The following resources will be created by the Terraform scripts:

• Service principal, this is required for the Kubernetes cluster to access the azure resources.
• Resource group, the Kubernetes cluster, Storage account, and Log analytics resources will be created here.
• Node resource group, MC_<Original Resource Group Name>_<Kubernetes Cluster Name>_<Location>
• Kubernetes cluster, this is required to host the email signature server component.
• Log analytics, from here the performance of the Kubernetes cluster can be monitored.
• Storage account, this is where the email signature generated from Templafy will be stored.

Prerequisites

Installation steps from Azure Cloud Shell

1. Log in to Azure portal.

2. Start Cloud Shell

   • The first time you are using Cloud Shell you need to create a storage account for Cloud Shell. It is used to persist files.
   • When prompted to choose Bash or PowerShell choose Bash.
     Read more here: https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart

3. Set the default subscription to the one all resources should be created under, with the following command:
   az account set --subscription <subscription name or id>

4. In Cloud Shell navigate to clouddrive by using the following command:
   cd clouddrive

5. Create a new directory which will host the terraform files:
   mkdir terraform

6. Change to this directory
   cd terraform

7. Download and extract the terraform-root.zip file:

   curl https://templafydownload.blob.core.windows.net/delivery/ESS/terraform-root.zip > terraform-root.zip

   unzip terraform-root.zip

8. Open the editor by executing the following command:
   code .

9. Select the configuration file input.auto.tfvars and edit the variables based on your environment.

   Remember to save the file before moving on to the next step. (Ctrl-S)

   Naming rules and restrictions for Azure resources

   Check global availability of storage account name

   • office365ApplicationId is the Application Id assigned in the app registration
     (Step 2. Configure access to mailboxes) 

   • office365SmtpServerHostname can be retrieved from the exchange admin portal, by accessing https://admin.microsoft.com/AdminPortal/Home#/Domains and selecting the default domain.

     From here we need the address with the MX type:

     

     This value can also be confirmed by entering the domain in https://mxtoolbox.com

     

   • office365AuthenticationUrl is https://login.microsoftonline.com/<your Primary Domain or Tenant ID>

10. Initialize terraform by running the following command to download the required providers:
    terraform init

11. Run terraform plan to create an execution plan (it will not change anything yet):
    terraform plan -out out.plan

12. Apply the changes by running:
    terraform apply out.plan

13. The output result will display the public IP on which the email signature server is listening on.
    Save the value of the email_signature_server_public_ip field for the next steps.

    If the SPF record for your organization ends with " -all" (hard fail) then you will need to add the Email Signature Server public IP address to the SPF record. nslookup -type=txt <your primary domain> Below an example (SPF Record): v=spf1 ip4:<ess_public_ip> -all

14. The created resources can be seen in Azure Portal, under the chosen resource group.

Configure Standard Azure Load Balancer

1. Go to portal.azure.com 

2. Select the generated node resource group for the Kubernetes cluster, it has the following format MC_<Cluster resource Group Name><Cluster Name><Location>

3. Select the Public IP address for the cluster, it should be named templafy-emailsignatureserver

4. Click Properties under the Settings section

5. Copy the Resource ID

6. In the Cloud Shell fill in and run the following command, <resource group> here is the resource_group_name set in the input.auto.tfvars file above:

   az aks update --name templafyemailsignatureserver --resource-group <resource group> --load-balancer-outbound-ips <Public IP Resource ID>

Upload the secrets to the Kubernetes cluster

• Run the following commands on the machine, and in the directory, containing the certificates:

  az aks get-credentials --name templafyemailsignatureserver --resource-group <resource_group>

  kubectl config set-context templafyemailsignatureserver --namespace=templafy-emailsignature

  kubectl create secret generic templafysecrets --from-file=azureAppRegistrationCertificatePassword=./azureAppRegistrationCertificatePassword --from-file=azureAppRegistrationCertificate.pfx=./azureAppRegistrationCertificate.pfx --from-file=smtpTlsCertificatePassword=./smtpTlsCertificatePassword --from-file=smtpTlsCertificate.pfx=./smtpTlsCertificate.pfx

Activate the replica set

• Run the following command in the same session used for the secrets commands above:

  kubectl scale --current-replicas=0 --replicas=1 deployment/email-signature-server-deployment

• Verify pod creation:

  kubectl get pods

Create Azure Blob storage Shared Access Signature

1. Go to portal.azure.com 
2. Navigate to the Storage Account in the newly created cluster Resource group
3. Click Storage browser (preview)
4. Select Blob containers 
5. Right Click on templafyemailsignatures 
6. Select Generate SAS from the dropdown list
7. Select Read, Write, Delete, and List from Permissions
8. Set the Expiry to a date in the future: year 2030+
9. Click Generate SAS token and URL
10. Copy the Blob SAS URL and save it for use in Configure Templafy for Email Signature Server