Azure via ARM

Overview

Welcome to the Sublime Platform self-managed Azure deployment!

This deployment leverages Azure Resource Manager (ARM) to set up the Sublime Platform in your own VPC without sending or storing email data externally.

Setup

Enabling Monitoring

Monitoring allows Sublime to see metrics and other high-level telemetry about your deployment, create alerts, monitor via dashboards, and improve the Azure experience. Examples of these metrics are DB CPU, pods in the AKS cluster, etc. Logs and more granular data can be collected via the “Send errors and system health information” setting within the platform.

Monitoring is an optional step, but it must be enabled to receive support from Sublime.

  1. Create a new app registration
    1. Select “Microsoft Entra ID”
    2. Expand “Manage” and select “App registrations”
    3. Click “New registration”
    4. Name the application whatever you would like and select “Accounts in this organizational directory only” for “Supported account types”. Leave “Redirect URI” empty.
    5. Click “Register”
    6. Copy the “Application (client) ID”; you will need it when running the ARM template
  2. Create a client secret
    1. Navigate to the App registration resource
    2. Expand “Manage” and select “Certificates & secrets”
    3. Click “Client secrets”
    4. Click “New client secret”
    5. Give the secret a name and expiration of your choice
    6. Click “Add”
    7. Copy the “Value” and save it somewhere; you will not be able to retrieve it later, and you will need it when running the ARM template
  3. Grant permissions to the application
    1. Navigate to the subscription you’re using for Sublime
    2. Select “Access control (IAM)”
    3. Select “Role assignments”
    4. Click “Add” and “Add role assignment”
    5. Select the “Monitoring Reader” role
    6. Click “Members”
    7. Select the “User, group, or service principal” radio button and click “Select members”
    8. Enter the name of the application you created and click “Select”
    9. Click “Review + assign”
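The same three steps can be scripted with the Azure CLI so the registration, secret and role assignment are reproducible and reviewable. The script below is an added example, not Sublime's own tooling: it assumes `az login` has been done by someone who can create app registrations and assign roles, and the APP_NAME, SUBSCRIPTION_ID and DRY_RUN variables are this script's own conventions, not anything the ARM template reads.

```shell
#!/bin/sh
# Added example, not Sublime's own tooling: the three "Enabling Monitoring"
# steps as Azure CLI calls. Assumes `az login` has been done by someone who
# can create app registrations and assign roles on the subscription.
set -eu

APP_NAME="${APP_NAME:-sublime-monitoring}"                    # any name you like
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<your subscription id>}"  # placeholder

# az_cmd runs the Azure CLI; with DRY_RUN set it only prints the command to
# stderr and returns a placeholder on stdout, so the script can be reviewed
# before it touches the tenant.
az_cmd() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'az %s\n' "$*" >&2
    echo dry-run-placeholder
    return 0
  fi
  az "$@"
}

# Step 1: the app registration. AzureADMyOrg is the CLI name for "Accounts in
# this organizational directory only". Prints the Application (client) ID.
create_app() {
  az_cmd ad app create --display-name "$APP_NAME" \
    --sign-in-audience AzureADMyOrg --query appId -o tsv
}

# Step 2: a client secret. The value is shown once and cannot be retrieved
# again, so capture it straight into your secret store.
create_secret() {
  az_cmd ad app credential reset --id "$1" --append \
    --display-name "arm-template" --years 1 --query password -o tsv
}

# Step 3: a service principal for the app, with Monitoring Reader (read-only
# metrics access) scoped to the one subscription used for Sublime.
grant_monitoring_reader() {
  az_cmd ad sp create --id "$1" >/dev/null
  sp_object_id=$(az_cmd ad sp show --id "$1" --query id -o tsv)
  az_cmd role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Monitoring Reader" \
    --scope "/subscriptions/$SUBSCRIPTION_ID"
}

main() {
  app_id=$(create_app)
  secret=$(create_secret "$app_id")
  grant_monitoring_reader "$app_id" >/dev/null
  echo "Application (client) ID: $app_id"
  echo "Client secret: $secret"   # paste into the ARM template, then clear it from your terminal
}

# Run with --apply to make the changes; set DRY_RUN=1 to preview them first.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Running it once with DRY_RUN=1 prints every az command that would be issued, which is a convenient record for whoever reviews the change; Monitoring Reader is a read-only role, and keeping the scope to the single subscription matches the portal steps above.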

Deploy the template

  1. Click the following link to open the template and fill out the information.

Verify & complete the installation

  1. To check the installation status, go to the Kubernetes resource in the Azure portal, expand “Kubernetes resources”, and click “Run command”. Run kubectl get helmrelease -n flux-system to check the installation status (it may take a bit for the release to show up at first). Once the installation is complete, “Ready” will be “True” and “Status” will be “Release reconciliation succeeded”.
  2. Create a DNS record to point to your Sublime dashboard. This should simply be an A record pointing to our Ingress’s IP, which you can find in either of two ways:
    1. Using the “Run command” page above run kubectl get ingress -n sublime. The external IP will be in the “Address” column.
    2. Using the Azure portal, view the “kubernetes” Load Balancer resource, expand “Settings”, and select “Frontend IP configuration”; the configuration with 3 rules is the external IP.
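For a scripted version of the same two checks, run from a workstation with the Azure CLI rather than the portal's “Run command” page, here is an added example (not Sublime's own tooling). It assumes `az login`, that RESOURCE_GROUP and CLUSTER_NAME identify the AKS cluster the ARM template created, and that the command result's `logs` field carries kubectl's output; the sample kubectl tables are constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example, not Sublime's own tooling: the "Verify & complete the
# installation" checks run from a workstation with the Azure CLI rather than
# the portal's "Run command" page. Assumes `az login` and that RESOURCE_GROUP
# and CLUSTER_NAME identify the AKS cluster the ARM template created.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-<your resource group>}"   # placeholder
CLUSTER_NAME="${CLUSTER_NAME:-<your aks cluster>}"          # placeholder

# aks_run executes one kubectl command inside the cluster, the CLI form of the
# portal's "Run command", and prints the command's output (assumed to be the
# result's "logs" field).
aks_run() {
  az aks command invoke --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
    --command "$1" --query logs -o tsv
}

# column_values prints column NAME of kubectl's table output read from stdin.
# The header row is found by name rather than assumed to be line 1, so any
# preamble the CLI prints before the table is skipped.
column_values() {
  awk -v want="$1" '
    !col { for (i = 1; i <= NF; i++) if ($i == want) { col = i; next } }
    col && NF >= col { print $col }
  '
}

# helmrelease_ready succeeds only when at least one HelmRelease is listed and
# every one reports READY=True (the release may not exist yet early on).
helmrelease_ready() {
  ready=$(column_values READY)
  [ -n "$ready" ] && ! printf '%s\n' "$ready" | grep -qvx True
}

# ingress_ip prints the ingress's external IPv4 address and fails while the
# ADDRESS column is still empty (no load balancer IP assigned yet); in that
# state kubectl's columns shift and PORTS would otherwise be read by mistake.
ingress_ip() {
  column_values ADDRESS | head -n 1 | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Constructed samples of what the two commands print once the install is
# done (not captured from a real cluster).
SAMPLE_HELMRELEASE='NAME      AGE   READY   STATUS
sublime   12m   True    Release reconciliation succeeded'
SAMPLE_INGRESS='NAME      CLASS   HOSTS   ADDRESS        PORTS     AGE
sublime   nginx   *       203.0.113.10   80, 443   12m'

main() {
  until aks_run "kubectl get helmrelease -n flux-system" | helmrelease_ready; do
    echo "release not ready yet, checking again in 30s"
    sleep 30
  done
  if ip=$(aks_run "kubectl get ingress -n sublime" | ingress_ip); then
    echo "create an A record for your Sublime hostname pointing at $ip"
  else
    echo "ingress has no external IP yet; check the kubernetes load balancer"
    exit 1
  fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The parsers work on the table text rather than on a fixed column position, so they keep working if the CLI prints a status line ahead of the table, and ingress_ip refuses to hand back anything that is not an IPv4 address, which is the one value the DNS record must not get wrong.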

Upload your TLS Certificate

  1. Go to the key vault that was created after running the ARM template (it’ll be named sublime-vault-<your unique name>)
  2. You may have to grant yourself access to the key vault.
    1. Click “Access control (IAM)”, “Add”, and then “Add role assignment”
    2. Grant your Principal the “Key Vault Certificates Officer” role
    3. Click “Review + assign”
  3. Expand “Objects” and click “Certificates”
  4. Click “Generate/Import”
  5. Select “Import” for “Method of Certificate Creation” and then upload your certificate file.
    1. If you do not have a preferred Certificate Authority, you can generate one in Azure and upload it here. To do so, follow the steps below.
    • Generating a Certificate in Azure
      1. Open “App Service Certificates” in Azure and click “Create”.
      2. Set the resource group to the resource group used previously and leave the SKU as is.
      3. Enter the DNS name you’ll access Sublime through (e.g. sublime.my-org.com); you’ll need the ability to add DNS records for this domain.
      4. Enter any name and click “Review and Create” then “Create”.
      5. Wait for the “Deployment in Progress” step to complete, then select “Go to resource”.
      6. Ignore any errors and select “Configure required Key Vault store”.
      7. Click the checkbox next to “Store”, follow “Select from Key Vault”, select the newly created Sublime key vault, and finish with “Select”.
      8. Go back and click the checkbox next to “Verify” and follow Azure’s instructions for validating your certificate.
      9. Once your certificate is validated, you can proceed.
      10. Now go into the sublime Key Vault and open Objects > Secrets.
      11. Select the certificate previously saved into Secrets — it’ll have a Type of “application/x-pkcs12”.
      12. Select the ID listed under “Current Version” and then click “Download as Certificate”
      13. You may now use this downloaded certificate for the “Import” step (yes, this is very convoluted; we’re sorry there’s not a better way in Azure).
  6. The certificate name must be ingress.
  7. Click “Create”
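Whichever way the certificate was obtained, it is worth checking the PKCS#12 bundle before importing it, because a bundle that opens but is issued for the wrong hostname or has already expired only shows up later as a TLS error on the dashboard. The script below is an added example, not Sublime's own tooling: it validates the bundle with OpenSSL and then performs the role assignment and import with the Azure CLI. It assumes `az login`, OpenSSL 1.1.1 or newer, and that VAULT_NAME names the sublime-vault-<your unique name> vault the ARM template created; PFX_PASSWORD is this script's own convention for passing the bundle password without putting it on the command line.

```shell
#!/bin/sh
# Added example, not Sublime's own tooling: checks a PKCS#12 bundle before it
# is imported as the "ingress" certificate, then does the import with the
# Azure CLI. Assumes `az login`, OpenSSL 1.1.1 or newer, and that VAULT_NAME
# is the sublime-vault-<your unique name> vault the ARM template created.
set -eu

VAULT_NAME="${VAULT_NAME:-sublime-vault-<your unique name>}"   # placeholder
CERT_NAME=ingress   # the ingress only picks up a certificate with this exact name

# check_pfx succeeds when the bundle opens with PASSWORD, its leaf certificate
# is valid for HOST (SAN, or CN when no SAN is present) and it has not expired.
check_pfx() {
  pfx="$1"; password="$2"; host="$3"
  cert=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$password" 2>/dev/null) || return 1
  printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$host" | grep -q 'does match' || return 1
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null
}

# grant_certificates_officer gives the signed-in user the Key Vault
# Certificates Officer role on this vault only (step 2 of the section).
grant_certificates_officer() {
  me=$(az ad signed-in-user show --query id -o tsv)
  vault_id=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
  az role assignment create --assignee-object-id "$me" --assignee-principal-type User \
    --role "Key Vault Certificates Officer" --scope "$vault_id"
}

# import_cert uploads the bundle under the name the ingress expects (steps 3-7).
import_cert() {
  az keyvault certificate import --vault-name "$VAULT_NAME" --name "$CERT_NAME" \
    --file "$1" --password "$2"
}

main() {
  pfx="$1"; host="$2"
  password="${PFX_PASSWORD:?set PFX_PASSWORD to the bundle password}"
  check_pfx "$pfx" "$password" "$host" || { echo "bundle does not open, is expired, or is not valid for $host"; exit 1; }
  grant_certificates_officer >/dev/null
  import_cert "$pfx" "$password"
}

# usage: PFX_PASSWORD=... sh upload-ingress-cert.sh ingress.pfx sublime.my-org.com
if [ $# -eq 2 ]; then main "$@"; fi
```

The hostname passed as the second argument should be the DNS name from the A record created earlier; check_pfx fails closed on a wrong password, a mismatched name or an expired certificate, so nothing is uploaded to the vault until all three pass.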