profiseedev · Naveenr04 · Jul 19, 2022 · Jul 19, 2022 · Jul 20, 2022 · Jul 20, 2022
diff --git a/AWS-EKS-CLI/README.md b/AWS-EKS-CLI/README.md
@@ -1,19 +1,19 @@
 # Deploy Profisee platform on to AWS Elastic Kubernetes services (EKS)
 
-This explains the process to deploy the Profisee platform onto a new AWS EKS cluster
+The process below explains how to deploy the Profisee platform onto a new AWS EKS cluster. Profisee requires a Windows and a Linux node. Linux nodes are managed nodes
 
 ## Prerequisites
 
-1.  License
-    - Profisee license associated with the dns for the environment
+1.  The following will be provided by Profisee:
+    - Please decide on what DNS (FQDN) you will use to access Profisee at and we will generate a license for it.
     - ACR username, password and token
 
-2.  Https certificate and the private key
+2.  TLS certificate and the private key.
 
-3.  Choose your AWS region you want to use eg us-east-1
+3.  Pick your AWS region, our sample script uses us-east-1.
 
 4.  SQL Server
-    - AWS RDS instance - https://aws.amazon.com/getting-started/hands-on/create-microsoft-sql-db/
+    - An appropriately sized AWS RDS instance - https://aws.amazon.com/getting-started/hands-on/create-microsoft-sql-db/
 
 		- Goto https://console.aws.amazon.com/rds
 		- Click create database
@@ -30,9 +30,9 @@ This explains the process to deploy the Profisee platform onto a new AWS EKS clu
 			- Public access yes (simpler to debug) - Change to fit your security needs when ready
 		- Defaults for the rest of the options
 		- Wait for database to be available
-	- CLI sample: aws rds create-db-instance --engine sqlserver-ex --db-instance-class db.t3.small --db-instance-identifier profiseedemo --master-username sqladmin --master-user-password Password123 --allocated-storage 20
+	- CLI sample: aws rds create-db-instance --engine sqlserver-ex --db-instance-class db.t3.small --db-instance-identifier <pickyourname> --master-username <pickusername> --master-user-password <PickStrongPassword> --allocated-storage 50
 
-5.  Create EBS volume - must be created in the same region/zone as the eks cluster
+5.  You will need a storage account so please create an EBS volume. It must be created in the same region/zone as the EKS cluster
     - EBS volume - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html
 
 	    - https://console.aws.amazon.com/ec2
@@ -54,88 +54,88 @@ This explains the process to deploy the Profisee platform onto a new AWS EKS clu
           - Setup IAM - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-creds
 
 7.  Configure DNS	
-    - Choose a DNS host name that you want to use eg:  profiseemdm.mycompany.com
-    - Register that hostname in your DNS provider with a CNAME that points to xxxxxx.elb.<region>.amazonaws.com (this will be updated later.
+    - Choose a fully qualified domain name that you would like to use, ex. https://profiseemdm.mycompany.com
+    - Create a CNAME record for the profiseemdm hostname with your domain DNS provider and map it to point to xxxxxx.elb.<region>.amazonaws.com (this will be updated later).
 
 
 ## Deployment
 
-1.  Make cluster.yaml and upload to cloudshell.
+1.  Edit the provided cluster.yaml to match your requirement and upload it to cloudshell.
 	- Download the cluster.yaml
 
-			curl -fsSL -o cluster.yaml https://raw.githubusercontent.com/profiseedev/kubernetes/master/AWS-EKS-CLI/cluster.yaml;
+			curl -fsSL -o cluster.yaml https://raw.githubusercontent.com/profiseeadmin/kubernetes/master/AWS-EKS-CLI/cluster.yaml;
 
-	- Change the name, region and availabilityzones
+	- Change the name, region and availability zones
 	- Change the instance type(s) to fit your needs.  https://aws.amazon.com/ec2/pricing/on-demand/
-	- For more complex deployments, including networking vpc and subnet configurations see https://eksctl.io/usage/schema/
+	- For more complex deployments, including networking VPC and subnet configurations see https://eksctl.io/usage/schema/
 
-2.  Create the EKS Clusterr
+2.  Using CLI, create the EKS Cluster.
 
         eksctl create cluster -f cluster.yaml --install-vpc-controllers --timeout 30m
 
-3.  Configure kubectl
+3.  Using CLI, configure kubectl to connect to the newly created cluster.
 
-        aws eks --region us-east-1 update-kubeconfig --name MyCluster
+        aws eks --region us-east-1 update-kubeconfig --name <ClusterNAmeYouPicked>
 
-4.  Update the sql security group to allow the kubernetes nodes ips in
-    - Get the outbound IP's of the cluster.
+4.  Configure your SQL security group to permit inbound traffic from the cluster's subnet (you can further lock it down to just the kubernetes Windows node IPs. Note: As AWS implements a rolling deprecation of old Windows Server AMIs you will need to implement a maintenance window to update the underlying AMI in the Windows Nodegroup, so please make sure to update your SQL security group with those updated node IPs. 
+    - Get the outbound IPs of the cluster.
 
 		kubectl get nodes  -o jsonpath='{.items[*].status.addresses[?(@.type == "ExternalIP")].address}'
 
-	- Click on sql instance
+	- Click on SQL instance
 	- Click on VPC security group
 	- Inbound rules
 	- Edit inbound rules
-	- Add MSSQL for outbound IP's of cluster
+	- Add MSSQL for outbound IPs of cluster
 
 5.  Install nginx for AWS
 
             helm repo add stable https://charts.helm.sh/stable;
             curl -o nginxSettingsAWS.yaml https://raw.githubusercontent.com/Profisee/kubernetes/master/AWS-EKS-CLI/nginxSettingsAWS.yaml;
             kubectl create namespace profisee
-	    	helm install nginx stable/nginx-ingress --values nginxSettingsAWS.yaml --namespace profisee
+	    	helm install nginx stable/nginx-ingress --values nginxSettingsAWS.yaml -n profisee
 
-	- Wait for the load balancer to be provisioned.  goto aws ec2/load balancing console and wait for the state to go from provisioning to active (3ish minutes)
+	- Wait for the load balancer to be provisioned. Go to AWS EC2 load balancing console and wait for the state to go from provisioning to active (approximately 3 minutes).
 
 6.  Get nginx IP
 
-        kubectl get services nginx-nginx-ingress-controller --namespace profisee
+        kubectl get services nginx-nginx-ingress-controller -n profisee
         #Note the external-ip and update the DNS hostname you created earlier and have it point to it (xxxxxx.elb.<region>.amazonaws.com)
 
 7.  (Optional) - Install cert-manager for Let's Encrypt
 
-	helm install --namespace profisee cert-manager jetstack/cert-manager --namespace default --version v0.16.1 --set installCRDs=true --set nodeSelector."beta\.kubernetes\.io/os"=linux --set webhook.nodeSelector."beta\.kubernetes\.io/os"=linux --set cainjector.nodeSelector."beta\.kubernetes\.io/os"=linux
+	helm install -n profisee cert-manager jetstack/cert-manager --set installCRDs=true --set nodeSelector."beta\.kubernetes\.io/os"=linux --set webhook.nodeSelector."beta\.kubernetes\.io/os"=linux --set cainjector.nodeSelector."beta\.kubernetes\.io/os"=linux
 
-	update Settings.yaml useLetsEncrypt flag to true
+	Set the Settings.yaml useLetsEncrypt flag to true.
 
 8.  Configue Authentication provider
-	- Create/configure an auth provider in your auth providr of choice.  eg Azure Active Directory, OKTA
-	- Register redirect url http(s)://profiseemdm.mycompany.com/Profisee/auth/signin-microsoft
+	- Create/configure an auth provider in your auth provider of choice.  eg Azure Active Directory, OKTA
+	- Register redirect url http(s)://profiseemdm.mycompany.com/Profisee/auth/signin-microsoft (or .../auth/signing-okta). Make sure that your URL in the the application registration matches. The /signin-microsoft part from the URL can be anything you like so long as the application registration redirect URL and the value in the Settings.yaml template match.
 	- Note the clientid, secret and authority url.  The authority url for AAD is https://login.microsoftonline.com/{tenantid}
 
 9.  Create Profisee Settings.yaml
     - Fetch the Settings.yaml template, download the yaml file so you can edit it locally
 
-            curl -fsSL -o Settings.yaml https://raw.githubusercontent.com/profiseedev/kubernetes/master/AWS-EKS-CLI/Settings.yaml;
+            curl -fsSL -o Settings.yaml https://raw.githubusercontent.com/profiseeadmin/kubernetes/master/AWS-EKS-CLI/Settings.yaml;
     - Update the values
     - Upload to cloudshell    
 
 10.  Install Profisee
 
-            helm repo add profisee https://profiseedev.github.io/kubernetes
-            helm uninstall --namespace profisee profiseeplatform
-            helm install --namespace profisee profiseeplatform profisee/profisee-platform --values Settings.yaml
+            helm repo add profisee https://profiseeadmin.github.io/kubernetes
+            helm uninstall -n profisee profiseeplatform
+            helm install -n profisee profiseeplatform profisee/profisee-platform --values Settings.yaml
 
 # Verify and finalize:
 
-1.  The initial deploy will have to download the container which takes about 10 minutes.  Verify its finished downloading the container:
+1.  The initial deployment will have to download the container which takes about 10 minutes.  Verify it's finished downloading the container:
 
 	    #check status and wait for "Pulling" to finish
-	    kubectl --namespace profisee describe pod profisee-0
+	    kubectl -n profisee describe pod profisee-0
 
-2.  View the kubernetes logs and wait for it to finish successfully starting up.  takes longer on the first time as it has to create all the objects in teh database
+2.  View the kubernetes logs and wait for it to finish successfully starting up. It takes longer on the first time as it has to create all the objects in the database.
 
-		kubectl logs profisee-0 --namespace profisee --follow
+		kubectl logs profisee-0 -n profisee --follow
 
 3.  Voila, goto Profisee Platform web portal
 	- http(s)://FQDNThatPointsToClusterIP/Profisee
diff --git a/Azure-ARM/README.md b/Azure-ARM/README.md
@@ -1,21 +1,69 @@
 # DEVELOPMENT.  INTERNAL USE ONLY
-# Deploy Profisee platform on to AKS using ARM template
+# Deploying Profisee Platform on AKS using the ARM template
 
-This ARM template deploys Profisee platform into a Azure Kubernetes Service cluster.
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fprofiseedev%2Fkubernetes%2Fmaster%2FAzure-ARM%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fprofiseedev%2Fkubernetes%2Fmaster%2FAzure-ARM%2FcreateUIDefinition.json)
 
 ## Prerequisites
 
-1.  Managed Identity
-    - A user assigned managed identity configured ahead of time.  The managed identity must have Contributor role for the resource group, and the DNS zone resource group if updating Azure DNS.  This can be done by assigning the contributor role to each individual resource group, or assigning the subscription level resource group.  If creating an Azure Active Directory application registration, the managed identity must have the Application Developer role assigned to it.  Click [here](https://support.profisee.com/wikis/2020_r2_support/planning_your_managed_identity_configuration) for more information.
-2.  License
-    - Profisee license associated with the dns for the environment.
+Please **DO** review the guide and links below **before** you run the Azure ARM template. We have a pre-requisites script that runs before the deployment to check on the permissions needed.
+
+Click [here](https://support.profisee.com/wikis/2022_r2_support/deploying_the_AKS_cluster_with_the_arm_template) for a detailed deployment guide for Profisee ver. 2022R2 and [here](https://support.profisee.com/lms/courseinfo?id=00u00000000002b00aM&mode=browsecourses) for video training course and slide deck.
+
+
+Here's **what** you will need. You will need a license tied to the DNS URL that will be used by the environment (ex. customer.eastus2.cloudapp.azure.com OR YourOwnEnvironment.Customer.com) This license can be acquired from [Profisee Support](https://support.profisee.com/aspx/ProfiseeCustomerHome). 
+
+Here's **what** will be deployed, or used if available, by the ARM template:
+1. An AKS Cluster with a **publicly** accessible Management API.
+2. Two Public IPs for Ingress and Egress.
+3. A Load Balancer needed for Nginx.
+4. A SQL Server, or we'll use one that you already have. You can either pre-create the database or let the Managed Identity create one for you.
+5. A Storage account, or use one that you already have. If you precreate the storage account, please make sure to precreate the files share that you'd like to use.
+6. A DNS entry into a zone, assuming the necessary permissions are there. If you use external DNS, you'd have to update/create the record to match the Egress IP.
+7. A free Let's Encrypt certificate, if you choose that option. Please be aware that if you plan on using your own domain with Let's Encrypt you'll need to make sure that if there is a [CAA record set](https://letsencrypt.org/docs/caa/) on your domain it allows Let's Encrypt as the Issuing Authority.
+
+Here's **how** it will be deployed. You must have a Managed Identity created to run the deployment. This Managed Identity must have the following permissions ONLY when running a deployment. After it is done, the Managed Identity can be deleted. Based on your ARM template choices, you will need some or all of the following permissions assigned to your Managed Identity:
+1. **Contributor** role to the Resource Group where AKS will be deployed. This can either be assigned directly to the Resource Group OR at Subscription level. **Note:** If you want to allow the Deployment Managed Identity to create the resource group for you, then this permission would have to be at Subscription level. 
+2. **DNS Zone Contributor** role to the particular DNS zone where the entry will be created OR **Contributor** role to the DNS Zone Resource Group.This is needed only if updating DNS hosted in Azure. To follow best practice for least access, the DNS Zone Contributor on the zone itself is the recommended option.
+3. **Application Administrator** role in Azure Active Directory, so the Application registration can be created by the Deployment Managed Identity and the required permissions can be assigned to it.
+4. **Managed Identity Contributor** and **User Access Administrator** at the Subscription level. These two are needed in order for the ARM template Deployment Managed Identity to be able to create the Key Vault specific Managed Identity that will be used by Profisee to pull the values stored in the Key Vault, as well as to assign the AKSCluster-agentpool the Managed Identity Operator role (to the Resource and Infrastructure Resource groups) and Virtual Machine Operator role (to the Infrastructure Resource group). If Key Vault will not be used, these roles are not required.
+5. **Key Vault requirements**. If you are using a Key Vault, please make sure that your Access Policy page has a checkmark on "Azure Resource Manager for template deployment". Otherwise, MS will not be able to validate the ARM template's access against your Key Vault and will result in validation failure in the ARM template before it begins deployment.
+6. **Purview Integration requirements**. If Profisee will be configured to integrate with Microsoft Purview, a Purview specific Application Registration will need to be created and have the **Collections Admin** and **Data Curator Role** assigned in the Purview account at either collection or account level. It will also have to be assigned the User.Read **delegated** permission as well as the User.Read.All, Group.Read.All and GroupMember.Read.All **application** permissions (these 3 required Global Admin consent). During the ARM template deployment you will now have to provide the Purview collection friendly name, as seen in the Purview web portal, regardless if this is a sub-collection or the root collection of Purview. 
+
+
+## Upgrade instructions
+
+For customers upgrading **from** v2022**R1** and earlier. There are two changes that require careful consideration:
+1. Purview Collections integration necessitated changes in the ARM template, container and deployment templates. Please **DO** review the upgrade instructions posted below **before** you start the upgrade process.
+2. History tables improvements - you will need to run this immediately **after** the upgrade to 2022**R2**, one time **only**. 
+
+Please read through the upgrade instructions both here and in our Support portal and prepare for the upgrade process. The instructions below are combined for both Purview Collections and the History table improvements. 
+
+For customers who do **NOT** use Purview.
+1. Connect to your cluster from the Azure portal or powershell. For customers running Private PaaS please connect to your jumpbox first, then connect via powershell or Lens.
+2. Run the following commands (if you do not have the repo added that would be the first step):  
+helm -n profisee repo add profisee https://profiseedev.github.io/kubernetes  
+helm repo update  
+helm upgrade -n profisee profiseeplatform profisee/profisee-platform --reuse-values --set image.tag=2022r2.0  
+kubectl logs -n profisee profisee-0 -f #this will allow you to follow the upgrade as it is happening  
+3. This will upgrade your installation to version 2022r2.0 while keeping the rest of the values.
+4. To run the Histroy tables upgrade please follow the steps as outlined [here](https://support.profisee.com/wikis/release_notes/upgrade_considerations_and_prerequisites)
 
+For customers who **DO** use Purview.
+1. Connect to your cluster from the Azure portal or powershell. For customers running Private PaaS please connect to your jumpbox first, then connect via powershell or Lens.
+2. Locate your Purview collection Id by visiting your MS Purview Governance Portal. Go to the collection where you would like Profisee to deploy to. Your URL will look like so: web.purview.azure.com/resource/**YourPurviewAccountName**/main/datasource/collections?collection=**ThisIsTheCollectionId**&feature.tenant=**YourAzureTenantId**
+3. Run the following commands (if you do not have the repo added that would be the first step):  
+helm -n profisee repo add profisee https://profiseedev.github.io/kubernetes  
+helm repo update  
+helm upgrade -n profisee profiseeplatform profisee/profisee-platform --reuse-values --set cloud.azure.purview.collectionId=YourCollectionId --set image.tag=2022r2.0  
+kubectl logs -n profisee profisee-0 -f #this will allow you to follow the upgrade as it is happening  
+4. This will upgrade your installation to version 2022r2.0 and provide the required collection Id while keeping the rest of the values. Failure to provide the collection Id would result in a failed upgrade.
+5. To run the Histroy tables upgrade please follow the steps as outlined [here](https://support.profisee.com/wikis/release_notes/upgrade_considerations_and_prerequisites)
+
+
 ## Deployment steps
 
-Click the "Deploy to Azure" button at the beginning of this document.
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fprofiseeadmin%2Fkubernetes%2Fmaster%2FAzure-ARM%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fprofiseeadmin%2Fkubernetes%2Fmaster%2FAzure-ARM%2FcreateUIDefinition.json)
 
 ## Troubleshooting
 
-All troubleshooting is in the [Wiki](https://github.com/profiseedev/kubernetes/wiki)
+All troubleshooting is in the [Wiki](https://github.com/profisee/kubernetes/wiki)
+