Merge branch 'main' into ml-traefik

2022-10-25 14:44:53 +01:00 · 2022-10-25 14:44:53 +01:00 · 303f6a87fd
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -111,7 +111,7 @@ Assert-PSRule -Module 'PSRule.Rules.Azure' -InputPath $paramPath -Format File -o

 The [configuration experience](https://azure.github.io/AKS-Construction/) is hosted in GitHub pages. It's a static web app, written in NodeJS using [FluentUI](https://developer.microsoft.com/en-us/fluentui).

-For a deep dive into contributing to the Wizard Web App, please see this [document](docs/ContributingWizard.md).
+For a deep dive into contributing to the Wizard Web App, please see this [document](docs/ContributingHelper.md).

 #### Playwright tests

--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
-# AKS Accelerator
+# AKS Construction

-Building a complete Kubernetes operational environment is hard work! __AKS Accelerator__ dramatically speeds up this work by providing the templates and deployment scripts to quickly create a  __fully configured__, Kubernetes environment, tailored to meet your operational and security needs, ready to run your workloads in production.
+Building a complete Kubernetes operational environment is hard work! __AKS Construction__ dramatically accelerates this work by providing the templates and deployment scripts to quickly create a  __fully configured__, Kubernetes environment, tailored to meet your operational and security needs, ready to run your workloads in production.

 ![animated preview of AKS Construction Helper](docs/images/animgif.gif)

@ -12,7 +12,7 @@ Building a complete Kubernetes operational environment is hard work! __AKS Accel
 * #### **Step 2** Select your Requirements (optional)
  Select your base `Operational` and `Security` Principles using the presets that have been designed from our field experience

-  ![](docs/images/helper-presets.jpg)
+  ![presets](docs/images/helper-presets.jpg)
  <br/>
  > **Note**
  > If following Azure's **Landing Zone** methodology, select `Enterprise Scale` from the dropdown, then select your environment type
@ -20,11 +20,11 @@ Building a complete Kubernetes operational environment is hard work! __AKS Accel
 * #### **Step 3** Fine tune (optional)
  Use the tabs to fine tune your cluster requirements

-  ![](docs/images/helper-tabs.jpg)
+  ![fine tune](docs/images/helper-tabs.jpg)
 * #### **Step 4** Deploy
  In the `Deploy` tab, choose how you will deploy your new cluster, and follow the instructions

-  ![](docs/images/helper-deploy.jpg)
+  ![deploy](docs/images/helper-deploy.jpg)

 ## Advanced Scenarios

@ -57,9 +57,9 @@ For a more in depth look at the GitHub Actions used in this project, which steps

 ## Background

-This project unifies guidance provided by the [AKS Secure Baseline](https://docs.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks), [Well Architected Framework](https://docs.microsoft.com/azure/architecture/framework/), [Cloud Adoption Framework](https://azure.microsoft.com/cloud-adoption-framework/) and [Enterprise-Scale](https://github.com/Azure/Enterprise-Scale) by providing tangible artifacts to deploy Azure resources from CLI or CI/CD systems.
+This project unifies guidance provided by the [AKS Secure Baseline](https://docs.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks), [Well Architected Framework](https://docs.microsoft.com/azure/architecture/framework/), [Cloud Adoption Framework](https://azure.microsoft.com/cloud-adoption-framework/) and [Azure Landing Zones](https://github.com/Azure/Enterprise-Scale) by providing tangible artifacts to deploy Azure resources from CLI or CI/CD systems.

-This project is part of the official [AKS Landing Zone Accelerator (Enterprise Scale)](https://github.com/Azure/AKS-Landing-Zone-Accelerator) architectural approach. To read more about this project and how the it fits with Enterprise Scale and the AKS Secure Baseline, look [here](referencearchs.md).
+This project is part of the official [AKS Landing Zone Accelerator (Azure Landing Zones)](https://github.com/Azure/AKS-Landing-Zone-Accelerator) architectural approach. To read more about this project and how the it fits with Azure Landing Zones and the AKS Secure Baseline, look [here](referencearchs.md).

 ## Project Principals

--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@ -17,6 +17,7 @@ Resource sections
 6. Application Gateway
 7. AKS
 8. Monitoring / Log Analytics
+9. Deployment for telemetry
 */


@ -832,7 +833,7 @@ output ApplicationGatewayName string = deployAppGw ? appgw.name : ''
 param dnsPrefix string = '${resourceName}-dns'

@description('Kubernetes Version')
-param kubernetesVersion string = '1.23.8'
+param kubernetesVersion string = '1.23.12'

@description('Enable Azure AD integration on AKS')
 param enable_aad bool = false
@ -1159,12 +1160,11 @@ var aks_addons1 = ingressApplicationGateway ? union(aks_addons, deployAppGw ? {
    enabled: true
    config: {
      applicationGatewayName: appgwName
-      subnetCIDR: '10.2.0.0/16'
+      subnetCIDR: '10.225.0.0/16'
    }
  }
 }) : aks_addons

-
 var aks_identity = {
  type: 'UserAssigned'
  userAssignedIdentities: {
@ -1176,7 +1176,6 @@ var aks_identity = {
 var aksPrivateDnsZone = privateClusterDnsMethod=='privateDnsZone' ? (!empty(dnsApiPrivateZoneId) ? dnsApiPrivateZoneId : 'system') : privateClusterDnsMethod
 output aksPrivateDnsZone string = aksPrivateDnsZone

-
@description('Needing to seperately declare and union this because of https://github.com/Azure/AKS-Construction/issues/344')
 var managedNATGatewayProfile =  {
  natGatewayProfile : {
@ -1287,7 +1286,12 @@ output aksOidcFedIdentityProperties object = {
  subject: 'system:serviceaccount:ns:svcaccount'
 }

+@description('The name of the managed resource group AKS uses')
 output aksNodeResourceGroup string = aks.properties.nodeResourceGroup
+
+@description('The Azure resource id for the AKS cluster')
+output aksResourceId string = aks.id
+
 //output aksNodePools array = [for nodepool in agentPoolProfiles: name]

@description('Not giving Rbac at the vnet level when using private dns results in ReconcilePrivateDNS. Therefore we need to upgrade the scope when private dns is being used, because it wants to set up the dns->vnet integration.')
@ -1536,5 +1540,29 @@ resource eventGridDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-previe
  }
 }

+@description('Enable usage and telemetry feedback to Microsoft.')
+param enableTelemetry bool = true
+
+var telemetryId = '3c1e2fc6-1c4b-44f9-8694-25d00ae30a3a-${location}'
+
+/*.___________. _______  __       _______ .___  ___.  _______ .___________..______     ____    ____     _______   _______ .______    __        ______   ____    ____ .___  ___.  _______ .__   __. .___________.
+|           ||   ____||  |     |   ____||   \/   | |   ____||           ||   _  \    \   \  /   /    |       \ |   ____||   _  \  |  |      /  __  \  \   \  /   / |   \/   | |   ____||  \ |  | |           |
+`---|  |----`|  |__   |  |     |  |__   |  \  /  | |  |__   `---|  |----`|  |_)  |    \   \/   /     |  .--.  ||  |__   |  |_)  | |  |     |  |  |  |  \   \/   /  |  \  /  | |  |__   |   \|  | `---|  |----`
+    |  |     |   __|  |  |     |   __|  |  |\/|  | |   __|      |  |     |      /      \_    _/      |  |  |  ||   __|  |   ___/  |  |     |  |  |  |   \_    _/   |  |\/|  | |   __|  |  . `  |     |  |
+    |  |     |  |____ |  `----.|  |____ |  |  |  | |  |____     |  |     |  |\  \----.   |  |        |  '--'  ||  |____ |  |      |  `----.|  `--'  |     |  |     |  |  |  | |  |____ |  |\   |     |  |
+    |__|     |_______||_______||_______||__|  |__| |_______|    |__|     | _| `._____|   |__|        |_______/ |_______|| _|      |_______| \______/      |__|     |__|  |__| |_______||__| \__|     |__|     */
+
+//  Telemetry Deployment
+resource telemetrydeployment 'Microsoft.Resources/deployments@2021-04-01' = if (enableTelemetry) {
+  name: telemetryId
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
+      contentVersion: '1.0.0.0'
+      resources: {}
+    }
+  }
+}

 //ACSCII Art link : https://textkool.com/en/ascii-art-generator?hl=default&vl=default&font=Star%20Wars&text=changeme
--- a/helper/src/components/addonsTab.js
+++ b/helper/src/components/addonsTab.js
@ -384,18 +384,16 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
                <Checkbox styles={{ root: { marginLeft: '50px' } }} inputProps={{ "data-testid": "addons-osm-Checkbox"}} checked={addons.openServiceMeshAddon} onChange={(ev, v) => updateFn("openServiceMeshAddon", v)} label="Install the Open Service Mesh AddOn" />
            </Stack.Item>

-            { wiFeatureFlag &&
-            <>
-                <Separator className="notopmargin" />
+            <Separator className="notopmargin" />

-                <Stack.Item align="start">
-                    <Label required={true}>
-                        Workload Identity : Enable Azure Workload Identity on the AKS Cluster
-                        (<a target="_new" href="https://github.com/Azure/azure-workload-identity">project</a>)
-                    </Label>
-                    <Checkbox styles={{ root: { marginLeft: '50px' } }} inputProps={{ "data-testid": "addons-workloadIdentity-Checkbox"}} checked={addons.workloadIdentity} onChange={(ev, v) => updateFn("workloadIdentity", v)} label="Install Workload Identity" />
-                </Stack.Item>
-            </>}
+            <Stack.Item align="start">
+                <Label required={true}>
+                    Workload Identity : Enable Azure Workload Identity on the AKS Cluster
+                    (<a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster">*preview</a>)
+                    (<a target="_new" href="https://github.com/Azure/azure-workload-identity">project</a>)
+                </Label>
+                <Checkbox styles={{ root: { marginLeft: '50px' } }} inputProps={{ "data-testid": "addons-workloadIdentity-Checkbox"}} checked={addons.workloadIdentity} onChange={(ev, v) => updateFn("workloadIdentity", v)} label="Install Workload Identity" />
+            </Stack.Item>

            <Separator className="notopmargin" />

--- a/helper/src/components/deployTab.js
+++ b/helper/src/components/deployTab.js
@ -63,6 +63,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
        ...(addons.csisecret === 'akvNew' && deploy.keyVaultIPAllowlist  && apiips_array.length > 0 && {keyVaultIPAllowlist: apiips_array }),
        ...(defaults.net.privateLinkSubnetAddressPrefix !== net.privateLinkSubnetAddressPrefix && {privateLinkSubnetAddressPrefix: net.privateLinkSubnetAddressPrefix}),
    }),
+    ...(deploy.enableTelemetry !== defaults.deploy.enableTelemetry && {enableTelemetry: deploy.enableTelemetry }),
    ...(addons.monitor === "aci" && { omsagent: true, retentionInDays: addons.retentionInDays, ...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts }) }),
    ...(addons.networkPolicy !== "none" && { networkPolicy: addons.networkPolicy }),
    ...(defaults.addons.openServiceMeshAddon !== addons.openServiceMeshAddon && {openServiceMeshAddon: addons.openServiceMeshAddon }),
@ -128,7 +129,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
    }),
    ...(defaults.addons.kedaAddon !== addons.kedaAddon && {kedaAddon: addons.kedaAddon }),
    ...(defaults.addons.blobCSIAddon !== addons.blobCSIAddon && {blobCSIAddon: addons.blobCSIAddon }),
-    ...(defaults.addons.workloadIdentity !== addons.workloadIdentity && {workloadIdentity: addons.workloadIdentity }),
+    ...(defaults.addons.workloadIdentity !== addons.workloadIdentity && {oidcIssuer: true, workloadIdentity: addons.workloadIdentity }),
    ...(net.networkPlugin === 'azure' && net.networkPluginMode && {networkPluginMode: 'Overlay'}),
    ...(urlParams.getAll('feature').includes('defender') && cluster.DefenderForContainers !== defaults.cluster.DefenderForContainers && { DefenderForContainers: cluster.DefenderForContainers })
  }
@ -351,7 +352,6 @@ az role assignment create --role "Managed Identity Operator" --assignee-principa

          <TextField label="Current IP Address" prefix="IP or Cidr , separated" errorMessage={getError(invalidArray, 'apiips')} onChange={(ev, val) => updateFn("apiips", val)} value={deploy.apiips || ''} required={cluster.apisecurity === "whitelist"} />

-
            <Label>Grant AKS Cluster Admin Role <a target="_target" href="https://docs.microsoft.com/en-gb/azure/aks/manage-azure-rbac#create-role-assignments-for-users-to-access-cluster">docs</a></Label>
            <Stack.Item>
              <Checkbox disabled={cluster.enable_aad === false || cluster.enableAzureRBAC === false} checked={deploy.clusterAdminRole} onChange={(ev, v) => updateFn("clusterAdminRole", v)} label="Assign deployment user 'ClusterAdmin'" />
@ -364,11 +364,14 @@ az role assignment create --role "Managed Identity Operator" --assignee-principa

            <Label>Grant Key Vault Certificate and Secret Officer role <a target="_target" href="https://docs.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations">docs</a></Label>
            <Stack.Item>
-            <Checkbox disabled={addons.csisecret !== 'akvNew'} checked={deploy.kvCertSecretRole} onChange={(ev, v) => updateFn("kvCertSecretRole", v)} label="Assign deployment user Certificate and Secret Officer" />
-            <Checkbox disabled={addons.csisecret !== 'akvNew' || !net.vnetprivateend} checked={deploy.keyVaultIPAllowlist} onChange={(ev, v) => updateFn("keyVaultIPAllowlist", v)} label="Add current IP to KeyVault firewall (applicable to private link)" />
+              <Checkbox disabled={addons.csisecret !== 'akvNew'} checked={deploy.kvCertSecretRole} onChange={(ev, v) => updateFn("kvCertSecretRole", v)} label="Assign deployment user Certificate and Secret Officer" />
+              <Checkbox disabled={addons.csisecret !== 'akvNew' || !net.vnetprivateend} checked={deploy.keyVaultIPAllowlist} onChange={(ev, v) => updateFn("keyVaultIPAllowlist", v)} label="Add current IP to KeyVault firewall (applicable to private link)" />
            </Stack.Item>
            { deploy.keyVaultIPAllowlist && net.vnetprivateend && <MessageBar messageBarType={MessageBarType.info}> <Text >"Add current IP to KeyVault firewall" will enable KeyVaults  PublicNetworkAccess property</Text></MessageBar> }

+            <Stack.Item>
+              <Checkbox checked={deploy.enableTelemetry} onChange={(ev, v) => updateFn("enableTelemetry", v)} label="Enable telemetry feedback to Microsoft" />
+            </Stack.Item>
        </Stack>

      </Stack>
@ -418,7 +421,7 @@ az role assignment create --role "Managed Identity Operator" --assignee-principa
          <CodeBlock hideSave={true} lang="shell script"  error={allok ? false : 'Configuration not complete, please correct the tabs with the warning symbol before running'} deploycmd={deploycmd} testId={'deploy-deploycmd'}/>

          { urlParams.toString() !== "" &&
-            <Text variant="medium">Not ready to deploy? Bookmark your configuration : <a href={"?" + urlParams.toString()}>here</a></Text>
+            <Text variant="medium">Not ready to deploy? Bookmark your configuration by copying <a href={"?" + urlParams.toString()}>this link</a></Text>
          }
        </PivotItem>

--- a/helper/src/components/portalnav.js
+++ b/helper/src/components/portalnav.js
@ -4,7 +4,7 @@ import { CommandBarButton, Image, ThemeProvider, Link, Toggle, TooltipHost, Pivo
 import { AzureThemeLight, AzureThemeDark } from '@fluentui/azure-themes';
 import { mergeStyles, mergeStyleSets } from '@fluentui/merge-styles';

-import {Presets, SeparatorStyle} from './presets'
+import { Presets, SeparatorStyle } from './presets'

 import NetworkTab from './networkTab'
 import AddonsTab from './addonsTab'
@ -38,16 +38,16 @@ function Header({ presets, setPresets, selectedPreset, featureFlag }) {


  return (
-    <nav  role="menubar">
+    <nav role="menubar">

      <div style={{ width: "100%" }}>

-        <div style={{display: "inline-block", padding: "11px 12px 0px"}}>
+        <div style={{ display: "inline-block", padding: "11px 12px 0px" }}>
          <Link className="navbar-brand no-outline" >
            <Image src="aks.svg" height="33px" />
          </Link>
-          <Text nowrap variant="xLarge" className={titleClass} >AKS Construction <span style={{"color": "red"}}>helper</span></Text>
-          <Text className={titleClass} style={{"marginTop": "6px", "marginLeft": "20px"}}>Documentation and CI/CD samples are in the <a href="https://github.com/Azure/AKS-Construction" target="_blank" rel="noopener noreferrer">GitHub Repository</a></Text>
+          <Text nowrap variant="xLarge" className={titleClass} >AKS Construction <span style={{ "color": "red" }}>Helper</span></Text>
+          <Text className={titleClass} style={{ "marginTop": "6px", "marginLeft": "20px" }}>Documentation and CI/CD samples are in the <a href="https://github.com/Azure/AKS-Construction" target="_blank" rel="noopener noreferrer">GitHub Repository</a> and at the <a href="https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/aks/landing-zone-accelerator" target="_blank" rel="noopener noreferrer">AKS Landing Zone Accelerator</a> docs</Text>
        </div>
        <div style={{ display: "inline-block", float: "right" }}>

@ -59,7 +59,8 @@ function Header({ presets, setPresets, selectedPreset, featureFlag }) {
                disabled: presets[p].disabled,
                iconProps: { iconName: presets[p].icon },
                onClick: () => setPresets(p)
-              } })
+              }
+            })

          }} text={presets[selectedPreset].title} disabled={false} checked={true}
            styles={{ root: { "vertical-align": "top", padding: "11px 12px 13px", border: "2px solid transparent", background: "transparent" }, label: { color: "#0067b8", fontWeight: "600", fontSize: "15px", lineHeight: "1.3" } }} />
@ -75,17 +76,17 @@ function Header({ presets, setPresets, selectedPreset, featureFlag }) {
 function Header2({ presets, setPresets, selectedPreset, featureFlag }) {
  return (
    <Stack horizontal tokens={{ childrenGap: 10 }}>
-      <img id="aksLogo" src="aks.svg" alt="Kubernetes Service" style={{  }}></img>
+      <img id="aksLogo" src="aks.svg" alt="Kubernetes Service" style={{}}></img>
      <Stack tokens={{ padding: 10, maxWidth: 700 }} className="intro">
        <Text variant="xLarge">AKS Construction helper</Text>
-        <Text variant="large" styles={{ root: { marginBottom: '6px'} }}>Generate Azure deployment assets by providing your requirements to quickly create a full operational environment from best practice guidance.</Text>
+        <Text variant="large" styles={{ root: { marginBottom: '6px' } }}>Generate Azure deployment assets by providing your requirements to quickly create a full operational environment from best practice guidance.</Text>
        <Text variant="medium" >Documentation and CI/CD samples are in the <a href="https://github.com/Azure/AKS-Construction" target="_blank" rel="noopener noreferrer">GitHub Repository</a></Text>
      </Stack>
      <Stack grow={1} tokens={{ padding: 10 }} >

        <ChoiceGroup
          defaultSelectedKey={selectedPreset}
-          options={Object.keys(presets).map(p => { return { key: p, text: presets[p].title, disabled: presets[p].disabled, iconProps: { iconName: presets[p].icon }  } })}
+          options={Object.keys(presets).map(p => { return { key: p, text: presets[p].title, disabled: presets[p].disabled, iconProps: { iconName: presets[p].icon } } })}
          onChange={(ev, { key }) => setPresets(key)}
        >
        </ChoiceGroup>
@ -198,7 +199,7 @@ export default function PortalNav({ config }) {

    setUrlParams((currentUrlParams) => {

-    currentUrlParams.set(sectionKey, cardKey)
+      currentUrlParams.set(sectionKey, cardKey)
      return currentUrlParams
    })

@ -206,7 +207,7 @@ export default function PortalNav({ config }) {
    setSelected({ preset: selected.preset, values: { ...selected.values, [sectionKey]: cardKey } })
    setTabValues(currentTabValues => updateTabValues(currentTabValues, sections, sectionKey, cardKey))

-    //window.history.replaceState(null, null, "?"+urlParams.toString())
+    window.history.replaceState(null, null, "?"+urlParams.toString())
  }


@ -235,13 +236,13 @@ export default function PortalNav({ config }) {
      return response.json();
    }).then((res) => {
      console.log(`useEffect Get template versions`)
-      const releases = res.filter(rel => rel.assets.find(a => a.name === 'main.json') &&  rel.assets.find(a => a.name === 'postdeploy.sh')  &&  rel.assets.find(a => a.name === 'dependencies.json') && rel.draft === false).map((rel, i) => {
+      const releases = res.filter(rel => rel.assets.find(a => a.name === 'main.json') && rel.assets.find(a => a.name === 'postdeploy.sh') && rel.assets.find(a => a.name === 'dependencies.json') && rel.draft === false).map((rel, i) => {
        return {
          key: rel.tag_name,
          text: `${rel.tag_name}${i === 0 ? ' (latest)' : ''}`,
          main_url: rel.assets.find(a => a.name === 'main.json').browser_download_url,
          post_url: rel.assets.find(a => a.name === 'postdeploy.sh').browser_download_url,
-          base_download_url: rel.assets.find(a => a.name === 'main.json').browser_download_url.replace('/main.json','')
+          base_download_url: rel.assets.find(a => a.name === 'main.json').browser_download_url.replace('/main.json', '')
        }
      }).concat(defaults.deploy.templateVersions)
      //console.log (releases)
@ -301,14 +302,14 @@ export default function PortalNav({ config }) {
    }

    //maintains the current config in querystring for easy bookmarking
-    window.history.replaceState(null, null, "?"+urlParams.toString())
+    window.history.replaceState(null, null, "?" + urlParams.toString())

    setTabValues((p) => {
      return {
        ...p,
        [tab]: {
-            ...p[tab],
-            ...updatevals
+          ...p[tab],
+          ...updatevals
        }
      }
    })
@ -336,7 +337,7 @@ export default function PortalNav({ config }) {
  invalidFn('cluster', 'keyVaultKmsByoKeyId', cluster.keyVaultKms === "byoprivate" && !cluster.keyVaultKmsByoKeyId.match('https:\/\/[^]+.vault.azure.net/keys/[^ ]+/[^ ]+$'), 'Enter valid KeyVault Versioned Key ID (https://YOURVAULTNAME.vault.azure.net/keys/YOURKEYNAME/KEYVERSIONSTRING)')
  invalidFn('cluster', 'keyVaultKmsByoRG', cluster.keyVaultKms === "byoprivate" && !cluster.keyVaultKmsByoRG, 'Enter existing KeyVault Resource Group Name')
  invalidFn('addons', 'dnsZoneId', addons.dns && !addons.dnsZoneId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/(dnszones|privateDnsZones)/[^/ ]+$'), 'Enter valid Azure Public or Private DNS Zone resourceId')
-  invalidFn('cluster', 'dnsApiPrivateZoneId', cluster.apisecurity === 'private' && cluster.privateClusterDnsMethod==='privateDnsZone' && !cluster.dnsApiPrivateZoneId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/privateDnsZones/[^/ ]+.azmk8s.io$'), 'Enter valid Azure Private DNS Zone resourceId')
+  invalidFn('cluster', 'dnsApiPrivateZoneId', cluster.apisecurity === 'private' && cluster.privateClusterDnsMethod === 'privateDnsZone' && !cluster.dnsApiPrivateZoneId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/privateDnsZones/[^/ ]+.azmk8s.io$'), 'Enter valid Azure Private DNS Zone resourceId')
  invalidFn('addons', 'certEmail', addons.certMan && !addons.certEmail.match('^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$'), 'Enter valid email for certificate generation')
  invalidFn('addons', 'kvId', addons.csisecret === "akvExist" && !addons.kvId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.KeyVault/vaults/[^/ ]+$'), 'Enter valid Azure KeyVault resourceId')
  invalidFn('addons', 'appgw_privateIpAddress', addons.ingress === "appgw" && addons.appgw_privateIp && !addons.appgw_privateIpAddress.match('^(?:[0-9]{1,3}.){3}[0-9]{1,3}$'), 'Enter valid IP address')
@ -348,9 +349,9 @@ export default function PortalNav({ config }) {
    net.vnet_opt === "byo" ?
      'Please de-select, when using Bring your own VNET, configure a firewall as part of your own VNET setup, (in a subnet or peered network)'
      :
-      'This template can only deploy Azure Firewall in single VNET with Custom Networking' )
+      'This template can only deploy Azure Firewall in single VNET with Custom Networking')
  invalidFn('net', 'aksOutboundTrafficType', (net.aksOutboundTrafficType === 'managedNATGateway' && net.vnet_opt !== "default") || (net.aksOutboundTrafficType === 'userAssignedNATGateway' && net.vnet_opt === "default"), 'When using Managed Nat Gateway, only default networking is supported. For other networking options, use Assigned NAT Gateway')
-  invalidFn('deploy', 'apiips', cluster.apisecurity === 'whitelist' && deploy.apiips.length < 7, 'Enter an IP/CIDR, or disable API Security in \'Cluster Details\' tab')
+  invalidFn('deploy', 'apiips', cluster.apisecurity === 'whitelist' && deploy.apiips.length < 7, 'Enter an IP/CIDR, or select \'Public IP with no IP restrictions\' in the \'Cluster API Server Security\' section of the \'Cluster Details\' tab')
  invalidFn('deploy', 'clusterName', !deploy.clusterName || deploy.clusterName.match(/^[a-z0-9][_\-a-z0-9]+[a-z0-9]$/i) === null || deploy.clusterName.length > 19, 'Enter valid cluster name')

  invalidFn('deploy', 'githubrepo', deploy.deployItemKey === 'github' && (!deploy.githubrepo || !deploy.githubrepo.match('https://github.com/[^/ ]+/[^/ ]+$')), 'enter repo URL. eg: https://github.com/org/repo')
@ -381,11 +382,11 @@ export default function PortalNav({ config }) {

          <Presets sections={sections} selectedValues={selected.values} updateSelected={updateSelected} featureFlag={featureFlag} />

-          <Separator styles={SeparatorStyle}><span style={{"color": "rgb(0, 103, 184)"}}>Fine tune & Deploy</span></Separator>
+          <Separator styles={SeparatorStyle}><span style={{ "color": "rgb(0, 103, 184)" }}>Fine tune & Deploy</span></Separator>

          <Pivot selectedKey={pivotkey} onLinkClick={_handleLinkClick} focusZoneProps={{ 'data-testid': `portalnav-Pivot` }}>
            <PivotItem headerText={tabLabels.deploy} itemKey="deploy" onRenderItemLink={(a, b) => _customRenderer('deploy', a, b)}>
-              <DeployTab defaults={defaults} tabValues={tabValues} updateFn={(field, value) => mergeState("deploy", field, value)} invalidArray={invalidArray['deploy']} invalidTabs={Object.keys(invalidArray).filter(t => invalidArray[t].length > 0).map(k => `'${tabLabels[k]}'`)} urlParams={urlParams}  featureFlag={featureFlag}  />
+              <DeployTab defaults={defaults} tabValues={tabValues} updateFn={(field, value) => mergeState("deploy", field, value)} invalidArray={invalidArray['deploy']} invalidTabs={Object.keys(invalidArray).filter(t => invalidArray[t].length > 0).map(k => `'${tabLabels[k]}'`)} urlParams={urlParams} featureFlag={featureFlag} />
            </PivotItem>
            <PivotItem headerText={tabLabels.cluster} itemKey="cluster" onRenderItemLink={(a, b) => _customRenderer('cluster', a, b)} >
              <ClusterTab tabValues={tabValues} featureFlag={featureFlag} updateFn={(field, value) => mergeState("cluster", field, value)} invalidArray={invalidArray['cluster']} />
--- a/helper/src/config.json
+++ b/helper/src/config.json
@ -8,7 +8,8 @@
    },
    "defaults": {
        "deploy": {
-            "kubernetesVersion": "1.23.8",
+            "enableTelemetry": true,
+            "kubernetesVersion": "1.23.12",
            "location": "WestEurope",
            "apiips": "",
            "demoapp": false,
--- a/referencearchs.md
+++ b/referencearchs.md
@ -1,12 +1,12 @@
 # Referenced Projects

-## Enterprise Scale
+## Enterprise Scale (Azure Landing Zones)

 Enterprise Scale provides prescriptive guidance based on authoritative design for the Azure platform as a whole.

 The [AKS Construction helper](https://azure.github.io/AKS-Construction/?default=es) has an Enterprise-Scale lens, with preset configurations for each landing zone area.

-## Enterprise-Scale for AKS
+## AKS Landing Zone Accelerator

 This is the [parent project](https://github.com/Azure/AKS-Landing-Zone-Accelerator/) that our work belongs to. The reference implementations in this repository are all focussed on guiding the creation of Landing Zones for AKS within an Enterprise Scale framework. They typically include deployments of Hub/Spoke infrastructure and development vm's, and includes a Terraform implementation.