About this article
In this article we will be using the provided Terraform scripts to configure and create the Kubernetes cluster and resources required to run the Email Signature Server.
- Installation steps from Azure Cloud Shell
- Configure Standard Azure Load Balancer
- Upload the secrets to the Kubernetes cluster
- Activate the replica set
- Create Azure Blob storage Shared Access Signature
The following resources will be created by the Terraform scripts:
- Service principal: required for the Kubernetes cluster to access the Azure resources.
- Resource group: the Kubernetes cluster, Storage account, and Log analytics resources will be created here.
- Node resource group, named MC_<Original Resource Group Name>_<Kubernetes Cluster Name>_<Location>
- Kubernetes cluster: required to host the email signature server component.
- Log analytics: from here the performance of the Kubernetes cluster can be monitored.
- Storage account: this is where the email signature generated from Templafy will be stored.
Prerequisites
Installation steps from Azure Cloud Shell
- Log in to Azure portal.
- Start Cloud Shell.
  - The first time you use Cloud Shell you need to create a storage account for Cloud Shell. It is used to persist files.
  - When prompted to choose Bash or PowerShell, choose Bash.
  Read more here: https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart
- Set the default subscription to the one all resources should be created under, with the following command:
  az account set --subscription <subscription name or id>
- In Cloud Shell, navigate to clouddrive by using the following command:
  cd clouddrive
- Create a new directory which will host the Terraform files:
  mkdir terraform
- Change to this directory:
  cd terraform
- Download and extract the terraform-root.zip file:
  curl https://templafydownload.blob.core.windows.net/delivery/ESS/terraform-root.zip > terraform-root.zip
  unzip terraform-root.zip
- Open the editor by executing the following command:
  code .
- Select the configuration file input.auto.tfvars and edit the variables based on your environment.
  - Remember to save the file before moving on to the next step (Ctrl-S).
  Naming rules and restrictions for Azure resources
  Check global availability of storage account name
  - office365ApplicationId is the Application Id assigned in the app registration (Step 2. Configure access to mailboxes).
  - office365SmtpServerHostname can be retrieved from the Exchange admin portal, by accessing https://admin.microsoft.com/AdminPortal/Home#/Domains and selecting the default domain. From here we need the address with the MX type. This value can also be confirmed by entering the domain in https://mxtoolbox.com
  - office365AuthenticationUrl is https://login.microsoftonline.com/<your Primary Domain or Tenant ID>
- Initialize Terraform by running the following command to download the required providers:
  terraform init
- Run terraform plan to create an execution plan (it will not change anything yet):
  terraform plan -out out.plan
- Apply the changes by running:
  terraform apply out.plan
- The output will display the public IP on which the email signature server is listening. Save the value of the email_signature_server_public_ip field for the next steps.
  - If the SPF record for your organization ends with " -all" (hard fail), you will need to add the Email Signature Server public IP address to the SPF record. Look up the current record with:
    nslookup -type=txt <your primary domain>
  - Below is an example SPF record:
    v=spf1 ip4:<ess_public_ip> -all
- The created resources can be seen in Azure Portal, under the chosen resource group.
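The SPF step above, as an added example that is not part of Templafy's scripts: a POSIX shell function that takes the TXT record returned by nslookup and the email_signature_server_public_ip value, and prints the record to publish with the ip4 term placed before the closing -all. The sample records and the address 203.0.113.10 are constructed.

```sh
#!/bin/sh
# Added example, not Templafy's code. Records and 203.0.113.10 are constructed.
# spf_with_ess RECORD IP
#   Prints the SPF record to publish. The record comes back unchanged when it
#   does not end in -all or already lists IP. Non-zero exit: not an SPF record.
spf_with_ess() (
  set -f                                   # "?all" is a valid term, do not glob it
  record=$(printf '%s' "$1" | tr -d '"')   # drop the quotes nslookup prints
  ip=$2
  case $record in
    "v=spf1" | "v=spf1 "*) ;;
    *) echo "not an SPF record: $record" >&2; exit 1 ;;
  esac
  kept=""
  last=""
  for term in $record; do
    case $term in
      "ip4:$ip" | "ip4:$ip/32") printf '%s\n' "$record"; exit 0 ;;  # already authorised
    esac
    if [ -n "$last" ]; then kept="${kept:+$kept }$last"; fi
    last=$term
  done
  if [ "$last" = "-all" ]; then
    # Mechanisms are evaluated left to right, so ip4 must come before -all.
    printf '%s ip4:%s -all\n' "$kept" "$ip"
  else
    printf '%s\n' "$record"
  fi
)

# Hard-fail record: the address is inserted before -all.
spf_with_ess '"v=spf1 include:spf.protection.outlook.com -all"' 203.0.113.10
# Soft-fail record: printed unchanged.
spf_with_ess 'v=spf1 include:spf.protection.outlook.com ~all' 203.0.113.10
```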
Configure Standard Azure Load Balancer
- Go to portal.azure.com.
- Select the generated node resource group for the Kubernetes cluster. It has the following format: MC_<Cluster Resource Group Name>_<Cluster Name>_<Location>
- Select the Public IP address for the cluster. It should be named templafy-emailsignatureserver.
- Click Properties under the Settings section.
- Copy the Resource ID.
- In Cloud Shell, fill in and run the following command. <resource group> here is the resource_group_name set in the input.auto.tfvars file above:
  az aks update --name templafyemailsignatureserver --resource-group <resource group> --load-balancer-outbound-ips <Public IP Resource ID>
Upload the secrets to the Kubernetes cluster
- Run the following commands on the machine, and in the directory, containing the certificates:
  az aks get-credentials --name templafyemailsignatureserver --resource-group <resource_group>
  kubectl config set-context templafyemailsignatureserver --namespace=templafy-emailsignature
  kubectl create secret generic templafysecrets --from-file=azureAppRegistrationCertificatePassword=./azureAppRegistrationCertificatePassword --from-file=azureAppRegistrationCertificate.pfx=./azureAppRegistrationCertificate.pfx --from-file=smtpTlsCertificatePassword=./smtpTlsCertificatePassword --from-file=smtpTlsCertificate.pfx=./smtpTlsCertificate.pfx
Activate the replica set
- Run the following command in the same session used for the secrets commands above:
  kubectl scale --current-replicas=0 --replicas=1 deployment/email-signature-server-deployment
- Verify pod creation:
  kubectl get pods
Create Azure Blob storage Shared Access Signature
Navigate to the Storage Account in the newly created cluster resource group.
- Click Storage browser (preview).
- Select Blob containers.
- Right-click on templafyemailsignatures.
- Select Generate SAS from the dropdown list.
- Select Read, Write, Delete, and List from Permissions.
- Set the Expiry to a date in the future: year 2030+.
- Click Generate SAS token and URL.
- Copy the Blob SAS URL and save it for use in Configure Templafy for Email Signature Server.
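A check to run on the copied Blob SAS URL before saving it, as an added example that is not part of the original article: it reads the standard SAS query parameters (sp, se, sr, spr) and reports anything that differs from the settings chosen above. The URL is constructed, and the HTTPS-only check (spr) reflects the portal default rather than a step on this page.

```sh
#!/bin/sh
# Added example, not Templafy's code. The URL below is constructed.
# check_sas URL [TODAY_YYYYMMDD]
#   Prints one line per finding. Exit status 0 means the token carries exactly
#   Read/Write/Delete/List on a container, is HTTPS-only and has not expired.
check_sas() (
  query=${1#*\?}
  if [ "$query" = "$1" ]; then echo "no query string, not a SAS URL"; exit 1; fi
  today=${2:-$(date -u +%Y%m%d)}
  param() {                                  # value of query parameter $1
    printf '%s\n' "$query" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
  }
  sp=$(param sp)
  se=$(param se)
  sr=$(param sr)
  spr=$(param spr)
  rc=0
  for p in r w d l; do
    case $sp in
      *"$p"*) ;;
      *) echo "missing permission: $p"; rc=1 ;;
    esac
  done
  extra=$(printf '%s' "$sp" | tr -d 'rwdl')  # anything beyond the four selected
  if [ -n "$extra" ]; then echo "extra permissions: $extra"; rc=1; fi
  if [ "$sr" != c ]; then echo "not scoped to a container (sr=$sr)"; rc=1; fi
  if [ "$spr" != https ]; then echo "plain HTTP allowed (spr=$spr)"; rc=1; fi
  day=$(printf '%s' "$se" | cut -c1-10 | tr -d '-')   # 2030-01-01T... -> 20300101
  case $day in
    '' | *[!0-9]*) echo "missing or malformed expiry (se=$se)"; rc=1 ;;
    *) if [ "$day" -le "$today" ]; then echo "expired on $se"; rc=1; fi ;;
  esac
  exit "$rc"
)

# Constructed sample in the shape the portal produces; sig is a placeholder.
SAMPLE_SAS_URL='https://examplestorage.blob.core.windows.net/templafyemailsignatures?sp=rwdl&st=2024-01-01T00:00:00Z&se=2030-01-01T00:00:00Z&spr=https&sv=2022-11-02&sr=c&sig=CONSTRUCTED'
if check_sas "$SAMPLE_SAS_URL" 20240102; then
  echo "token matches the settings chosen above"
fi
```

The URL is a bearer credential for the container until its expiry date, so store it the same way as the certificate passwords.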