Articles in this section

Configure a new Email Signature Server in Kubernetes

Avatar
Kevin Waddle
Updated
Follow

About this article

In this article we will be using the provided Terraform scripts to configure and create the Kubernetes cluster and resources required to run the Email Signature Server.

The following resources will be created by the Terraform scripts:

  • Service principal, this is required for the Kubernetes cluster to access the azure resources.
  • Resource group, the Kubernetes cluster, Storage account, and Log analytics resources will be created here.
  • Node resource group, MC_<Original Resource Group Name>_<Kubernetes Cluster Name>_<Location>
  • Kubernetes cluster, this is required to host the email signature server component.
  • Log analytics, from here the performance of the Kubernetes cluster can be monitored.
  • Storage account, this is where the email signature generated from Templafy will be stored.

Prerequisites

 

  • Terraform scripts provided by Templafy

  • Admin access to Azure Portal. The account needs to have rights to create service principals.

  • Azure CLI on the local machine to be used during implementation.

    Install the Azure CLI

  • Azure Kubernetes Services CLI  (kubectl)

    az aks install-cli

  • Certificates for encrypted communication.

    • CA issued or self-signed certificates (Step 1. Configure certificates)
    • When creating self-signed certificates the scripts will generate two PKCS #12 archive (PFX) files with two corresponding files containing the provided password to the PFX archive files.
    • The PFX and password files (either existing or generated) need to have the following names: 
      azureAppRegistrationCertificate.pfx 
azureAppRegistrationCertificatePassword 
smtpTlsCertificate.pfx 
smtpTlsCertificatePassword

 

Installation steps from Azure Cloud Shell

 
  • These steps are based on the Bash version of Cloud Shell

  1. Log in to Azure portal.

  2. Start Cloud Shell start-cloudshell.png

  3. Set the default subscription to the one all resources should be created under, with the following command:
    az account set --subscription <subscription name or id>

  4. In Cloud Shell navigate to clouddrive by using the following command:
    cd clouddrive

  5. Create a new directory which will host the terraform files:
    mkdir terraform

  6. Change to this directory
    cd terraform

  7. Download and extract the terraform-root.zip file:

    curl https://templafydownload.blob.core.windows.net/delivery/ESS/terraform-root.zip > terraform-root.zip
    unzip terraform-root.zip

  8. Open the editor by executing the following command:
    code .

  9. Select the configuration file input.auto.tfvars and edit the variables based on your environment.

     
    • Remember to save the file before moving on to the next step. (Ctrl-S)

    Naming rules and restrictions for Azure resources

    Check global availability of storage account name

  10. Initialize terraform by running the following command to download the required providers:
    terraform init

  11. Run terraform plan to create an execution plan (it will not change anything yet):
    terraform plan -out out.plan

  12. Apply the changes by running:
    terraform apply out.plan

  13. The output result will display the public IP on which the email signature server is listening on.
    Save the value of the email_signature_server_public_ip field for the next steps.

     
    • If the SPF record for your organization ends with " -all" (hard fail) then you will need to add the Email Signature Server public IP address to the SPF record.
    • nslookup -type=txt <your primary domain>

  14. The created resources can be seen in Azure Portal, under the chosen resource group.

Configure Standard Azure Load Balancer

  1. Go to portal.azure.com 

  2. Select the generated node resource group for the Kubernetes cluster, it has the following format MC_<Cluster resource Group Name><Cluster Name><Location>

  3. Select the Public IP address for the cluster, it should be named templafy-emailsignatureserver

  4. Click Properties under the Settings section

  5. Copy the Resource ID

  6. In the Cloud Shell fill in and run the following command, <resource group> here is the resource_group_name set in the input.auto.tfvars file above:

    az aks update --name templafyemailsignatureserver --resource-group <resource group> --load-balancer-outbound-ips <Public IP Resource ID>

Upload the secrets to the Kubernetes cluster

  • Run the following commands on the machine, and in the directory, containing the certificates:

    az aks get-credentials --name templafyemailsignatureserver --resource-group <resource_group>
    kubectl config set-context templafyemailsignatureserver --namespace=templafy-emailsignature
    kubectl create secret generic templafysecrets --from-file=azureAppRegistrationCertificatePassword=./azureAppRegistrationCertificatePassword --from-file=azureAppRegistrationCertificate.pfx=./azureAppRegistrationCertificate.pfx --from-file=smtpTlsCertificatePassword=./smtpTlsCertificatePassword --from-file=smtpTlsCertificate.pfx=./smtpTlsCertificate.pfx

Activate the replica set

  • Run the following command in the same session used for the secrets commands above: 
    kubectl scale --current-replicas=0 --replicas=1 deployment/email-signature-server-deployment
  • Verify pod creation: 
    kubectl get pods

Configure Azure Storage blob Shared Access

  1. Still in the Azure Portal, click on the newly created Storage account

  2. Click Storage Explorer (preview)

  3. Click BLOB CONTAINERS

  4. Right-click templafyemailsignatures and select Get Shared Access Signature

  5. Set the Expiry time to a date far in the future; year 2050+

  6. Select Permissions: Read, Write, Delete, List

    Items.png

  7. Click [Create]

  8. Copy the URI and save it for use in Step 4. Configure Templafy

    shared_access_URI.png

Related articles

Comments

0 comments

Article is closed for comments.