Enterprise Docs (#2390)

* install VuePress Plugin Tabs https://www.npmjs.com/package/vuepress-plugin-tabs * init Enterprise documentation section * replace Vuepress tab plugin now using https://github.com/superbiger/vuepress-plugin-tabs * init Enterprise Quickstart * block of enterprise doc updates * Helm Quickstart Update (#2380) * removed/fixed redundant or incorrect config And some small copy edits * Update docs/docs/quick-start/helm.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * init console with helm doc * squash me * codeblock fix * init about page * updates to Enterprise section * consolidate on Postgres * WIP helm updates * update and align OS and Enterprise helm docs * Enterprise settings docs (#2397) * init console-specific reference docs files * remove shortdoc for name * init Enterprise Reference doc * expanding Enterprise Reference * init JS script for reference subpages When reviewing please remember that I'm not a developer, be kind * update script and apply * remove errant dep * document script and expand for CLI help output * import pomerium-console_serve.yaml In future iterations, this file should be sourced at build time as an artifact from the pomerium-console repo * init new output file * update script call and output * fix anchor links * BROKEN - import content from settings.yaml when dupe is true * filtering WiP * fix dupe script, more content * replace if dupe with if not docs * squash me * squash me! * add docs about PPL (#2404) * squash meeeeee * Update docs/enterprise/install/quickstart.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * symlink img dir from docs/reference * squash mee * update install reqs * Fixed links throughout * Update docs/enterprise/install/quickstart.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/enterprise/install/quickstart.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * remove internal note * - format python with black - format js with prettier Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * optimize images with imageOptim Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * run prettier on config.js Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * concepts.md Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * update concepts Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * copy edits * typo * symlink img dir from docs/reference * modify TLS section in quick-start * rm whitespace * add common links postamble * block of updates * block of updates * updates with @travisgroth * turtles all the way down * more content * import all the things * fill out reports * fill out reports * fix file extension * fix links * crosslink PPL ref * document embedded prometheus * expand example * update reqs * document non-directory users * typo fix * update metrics_address * fix broken links in example configs * update examples for route syntax * replaced required with deprecated Note that I didn't link to the route reference because I'm unsure what link formats are accepted when this file is used elsewhere. The warning block below includes a link. * update enterprise/about * Update docs/enterprise/console-settings.yaml Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/console-settings.yaml Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * remove commented config lines * update non-domain user section in concepts * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/about.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * add console route to OSS conf * update enterprise settings copy from source file * Update docs/enterprise/concepts.md * Update reports reference * merge conflict resolution * update sourced doc content, fix whitespace Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com> Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2025-07-30 06:51:30 +02:00 · 2021-08-04 13:55:04 -05:00 · 2021-08-04 13:55:04 -05:00 · 5332a752d0
commit 5332a752d0
parent 0b9f06b5ae
72 changed files with 2775 additions and 217 deletions
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -2187,7 +2187,7 @@ There were no changes in the v0.7.1 release, but we updated the build process sl

 - Azure AD identity provider now uses globally unique and immutable `ID` for [group membership](https://docs.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http).
 - Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's HTTP API. [Group membership](https://developer.okta.com/docs/reference/api/groups/) is now determined by the globally unique and immutable `ID` field.
- Okta now requires an additional set of credentials to be used to query for group membership set as a [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account).
+- Okta now requires an additional set of credentials to be used to query for group membership set as a [service account](https://www.pomerium.com/docs/reference/reference.html#identity-provider-service-account).
 - URLs are no longer validated to be on the same domain-tree as the authenticate service. Managed routes can live on any domain.
 - OneLogin no longer uses tokens to retrieve group membership. Group membership is now fetched using OneLogin's HTTP API. [Group membership](https://developers.onelogin.com/openid-connect/api/user-info/) is now determined by the globally unique and immutable `ID` field.

@ -2412,7 +2412,7 @@ There were no changes in the v0.7.1 release, but we updated the build process sl
 ### FEATURES

 - **Authorization** : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.
- **Group Support** : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the [updated docs](https://www.pomerium.io/docs/identity-providers.html). A brief summary of the requirements for each IdP are as follows:
+- **Group Support** : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the [updated docs](https://www.pomerium.com/docs/identity-providers.html). A brief summary of the requirements for each IdP are as follows:

  - Google requires the [Admin SDK](https://developers.google.com/admin-sdk/directory/) to enabled, a service account with properly delegated access, and `IDP_SERVICE_ACCOUNT` to be set to the base64 encoded value of the service account's key file.
  - Okta requires a `groups` claim to be added to both the `id_token` and `access_token`. No additional API calls are made.
--- a/docs/docs/install/binary.md
+++ b/docs/docs/install/binary.md
@ -41,8 +41,8 @@ Finally, source the configuration `env` file and run pomerium specifying the `co

 Browse to `external-verify.your.domain.example`. Connections between you and [verify] will now be proxied and managed by Pomerium.

-[configuration variables]: ../../reference/readme.md
+[configuration variables]: /reference/readme.md
 [download]: https://github.com/pomerium/pomerium/releases
 [verify]: https://verify.pomerium.com/
-[identity provider]: ../identity-providers/
-[tls certificates]: ../topics/certificates.md
+[identity provider]: /docs/identity-providers/readme.md
+[tls certificates]: /docs/topics/certificates.md
--- a/docs/docs/install/from-source.md
+++ b/docs/docs/install/from-source.md
@ -71,8 +71,8 @@ make && ./bin/pomerium -config config.yaml

 Browse to `verify.localhost.pomerium.io`. Connections between you and [verify] will now be proxied and managed by Pomerium.

-[configuration variables]: ../../reference/readme.md
+[configuration variables]: /reference/readme.md
 [verify]: https://verify.pomerium.com/
-[identity provider]: ../identity-providers/
+[identity provider]: /docs/identity-providers/readme.md
 [make]: https://en.wikipedia.org/wiki/Make_(software)
-[tls certificates]: ../topics/certificates.md
+[tls certificates]: /docs/topics/certificates.md
--- a/docs/docs/install/helm.md
+++ b/docs/docs/install/helm.md
@ -8,54 +8,217 @@ meta:

 # Pomerium using Helm

-This quick-start will show you how to deploy Pomerium with [Helm](https://helm.sh) on [Kubernetes](https://kubernetes.io).
+This quick-start will show you how to deploy Pomerium with [Helm] on [Kubernetes].

 ## Prerequisites

- A [Google Cloud Account](https://console.cloud.google.com/)
- A configured [identity provider]
- Install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
- Install the [Google Cloud SDK](https://cloud.google.com/kubernetes-engine/docs/quickstart)
- Install [helm](https://helm.sh/docs/using_helm/)
- [TLS certificates]
+- [Install kubectl].
+- [Install helm].
+- A Kubernetes provider.
+   - A cluster, with your local `kubectl` authorized to interact with it. The cluster configuration and node pool will depend on your provider and the scope of your project.
+   - Export the configuration file from your Kubernetes host and export it to your `KUBECONFIG` environment variable (usually by placing it in `~/.kube`).

-Though there are [many ways](https://unofficial-kubernetes.readthedocs.io/en/latest/setup/pick-right-solution/) to work with Kubernetes, for the purpose of this guide, we will be using Google's [Kubernetes Engine](https://cloud.google.com/kubernetes-engine/). That said, most of the following steps should be very similar using any other provider.
+     See [Organizing Cluster Access Using kubeconfig Files] for more information.
+   - A namespace in the cluster for Pomerium. This document assumes the namespace `pomerium`.
+- A configured [identity provider].
+- [TLS certificates]. If you don't yet have a production environment with trusted certificates, this page will cover using [mkcert] to create locally trusted certificates, and [cert-manager] to manage them in the cluster.

-In addition to sharing many of the same features as the Kubernetes quickstart guide, the default helm deployment script also includes a bootstrapped certificate authority enabling mutually authenticated and encrypted communication between services that does not depend on the external LetsEncrypt certificates. Having the external domain certificate de-coupled makes it easier to renew external certificates.
+::: tip
+This configuration installs Redis as the data broker service. While this isn't strictly required when running Pomerium by itself, it is necessary for Pomerium Enterprise, and still highly recommended if not.
+:::

-## Configure
+## Certificates

-Download and modify the following helm_gke.sh script and values file to match your [identity provider] and [TLS certificates] settings.
+This setup uses [mkcert] to generate certificates that are trusted by your local web browser for testing, and cert-manager to manage them. If you already have a certificate solution, you can skip the steps below and move on to [the next stage](#install-pomerium).

-<<<@/examples/helm/helm_gke.sh
+### Install mkcert

-<<<@/examples/kubernetes/values.yaml
-
-## Run
-
-Run [./scripts/helm_gke.sh] which will:
-
-1. Provision a new cluster.
-2. Create authenticate, authorize, and proxy [deployments](https://cloud.google.com/kubernetes-engine/docs/concepts/deployment).
-3. Provision and apply authenticate, authorize, and proxy [services](https://cloud.google.com/kubernetes-engine/docs/concepts/service).
-4. Configure an ingress, Google's default load balancer.
+After [installing mkcert], confirm the presence and names of your local CA files:

 ```bash
-./scripts/helm_gke.sh
+mkcert -install
+The local CA is already installed in the system trust store! 👍
+The local CA is already installed in the Firefox and/or Chrome/Chromium trust store! 👍
+
+ls $(mkcert -CAROOT)
+rootCA-key.pem  rootCA.pem
 ```

+The output of `mkcert -install` may vary depending on you operating system.
+
+## Install and Configure cert-manager
+
+If you haven't already, install cert-manager and create a CA issuer. You can follow their docs (listed below) or use the steps provided:
+
+   - [cert-manager: Installing with Helm]
+   - [cert-manager: CA]
+
+1. Create a namespace for cert-manager:
+
+   ```bash
+   kubectl create namespace cert-manager
+   ```
+
+1. Add the jetstack.io repository and update Helm:
+
+   ```bash
+   helm repo add jetstack https://charts.jetstack.io
+   helm repo update
+   ```
+
+1. Install cert-manager to your cluster:
+
+   ```bash
+   helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace \
+   --version v1.4.0 --set installCRDs=true
+   ```
+
+1. Confirm deployment with `kubectl get pods --namespace cert-manager`:
+
+    ```bash
+    kubectl get pods --namespace cert-manager
+    NAME                                       READY   STATUS    RESTARTS   AGE
+    cert-manager-5d7f97b46d-8g942              1/1     Running   0          33s
+    cert-manager-cainjector-69d885bf55-6x5v2   1/1     Running   0          33s
+    cert-manager-webhook-8d7495f4-s5s6p        1/1     Running   0          33s
+    ```
+
+1. In your Pomerium namespace, create a Kubernetes secret for the rootCA-key file in your local CA root:
+
+   ```bash
+   kubectl create secret tls pomerium-tls-ca --namespace=pomerium \
+   --cert=$(mkcert -CAROOT)/rootCA.pem --key=$(mkcert -CAROOT)/rootCA-key.pem
+   ```
+
+1. Define an Issuer configuration in `issuer.yaml`:
+
+   ```yaml
+   apiVersion: cert-manager.io/v1
+   kind: Issuer
+   metadata:
+     name: pomerium-issuer
+     namespace: pomerium
+   spec:
+     ca:
+       secretName: pomerium-tls-ca
+   ```
+
+1. Apply and confirm:
+
+   ```bash
+   kubectl apply -f issuer.yaml
+   issuer.cert-manager.io/pomerium-issuer created
+
+   kubectl get issuers.cert-manager.io --namespace pomerium
+   NAME              READY   AGE
+   pomerium-issuer   True    10s
+   ```
+
+## Install Pomerium
+
+1. Set your `kubectl` context to the Pomerium namespace:
+
+   ```bash
+   kubectl config set-context --current --namespace=pomerium
+   ```
+
+1. Create certificate configurations for Pomerium. Our example is named `pomerium-certificates.yaml`, to differentiate from a configuration file for Pomerium Enterprise, if you choose to install it later:
+
+   <<< @/examples/kubernetes/pomerium-certificates.yaml
+
+   ::: tip
+   If you already have a domain space for Pomerium with a certificate solution, use it in place of `*.localhost.pomerium.io`.
+   :::
+
+1. Apply the certificate configuration, and confirm:
+
+   ```bash
+   kubectl apply -f pomerium-certificates.yaml
+   ```
+
+   ```bash
+   kubectl get certificate
+   NAME                    READY   SECRET                 AGE
+   pomerium-cert           True    pomerium-tls           10s
+   pomerium-redis-cert     True    pomerium-redis-tls     10s
+   ```
+
+1. Create a values file for Helm to use when installing Pomerium. Our example is named `pomerium-values.yaml`.
+
+   <<< @/examples/kubernetes/pomerium-values.yaml
+
+   ::: tip
+   The options required in the `authenticate.idp` block will vary depending on your [identity provider].
+
+   If you changed the `*.localhost.pomerium.io` value in `pomerium-certificates.yaml` update `config.rootDomain` to match, omitting the `*`.
+   :::
+
+1. Add Pomerium's Helm repo:
+
+   ```bash
+   helm repo add pomerium https://helm.pomerium.io
+   ```
+
+1. So that we can create a valid test route, add Bitnami's Helm repo to pull nginx from:
+
+   ```bash
+   helm repo add bitnami https://charts.bitnami.com/bitnami
+   ```
+
+1. Update Helm:
+
+   ```bash
+   helm repo update
+   ```
+
+1. Install nginx to the cluster:
+
+   ```bash
+   helm upgrade --install nginx bitnami/nginx --set service.type=ClusterIP
+   ```
+
+1. Install Pomerium to the cluster:
+
+   ```bash
+   helm upgrade --install pomerium pomerium/pomerium --values ./pomerium-values.yaml
+   ```
+
 ## Navigate

-Open a browser and navigate to `verify.your.domain.example`.
+If you are installing Pomerium with a valid domain name and certificates, update your DNS records to point to the external IP address of the `pomerium-proxy` service:

-You can also navigate to the special pomerium endpoint `verify.your.domain.example/.pomerium/` to see your current user details.
+```none
+kubectl get svc pomerium-proxy
+NAME             TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)                        AGE
+pomerium-proxy   LoadBalancer   10.128.117.25    192.0.2.20       443:30006/TCP,9090:30707/TCP   2m37s
+```
+
+For development and testing, you can use `kubectl` to create a local proxy:
+
+```bash
+sudo -E kubectl --namespace pomerium port-forward service/pomerium-proxy 443:443
+```
+
+Open a browser and navigate to `hello.localhost.pomerium.com`.
+
+You can also navigate to the special pomerium endpoint `hello.localhost.pomerium.com/.pomerium/` to see your current user details.

 ![currently logged in user](./img/logged-in-as.png)

-[./scripts/helm_gke.sh]: https://github.com/pomerium/pomerium/tree/master/examples
-[./scripts/kubernetes_gke.sh]: https://github.com/pomerium/pomerium/tree/master/examples
-[example kubernetes files]: https://github.com/pomerium/pomerium/tree/master/examples
+## Next Steps
+
+Congratulations on installing Pomerium to your Kubernetes cluster! If you're installing Pomerium Enterprise next, see [Install Pomerium Enterprise Console in Helm]. If not, check our our [guides](/guides/readme.md) to install common services behind Pomerium.
+
+[cert-manager]: https://cert-manager.io/docs/
+[cert-manager: CA]: https://cert-manager.io/docs/configuration/ca/
+[cert-manager: Installing with Helm]: https://cert-manager.io/docs/installation/kubernetes/#installing-with-helm
+[Helm]: https://helm.sh
+[Install helm]: https://helm.sh/docs/using_helm/
 [identity provider]: ../identity-providers/readme.md
-[letsencrypt]: https://letsencrypt.org/
-[script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
-[tls certificates]: ../topics/certificates.md
+[Install Pomerium Enterprise Console in Helm]: /enterprise/install/helm.md
+[installing mkcert]: https://github.com/FiloSottile/mkcert#installation
+[Install kubectl]: https://kubernetes.io/docs/tasks/tools/install-kubectl/
+[Kubernetes]: https://kubernetes.io
+[mkcert]: https://github.com/FiloSottile/mkcert
+[Organizing Cluster Access Using kubeconfig Files]: https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
+[tls certificates]: ../topics/certificates.md
--- a/docs/docs/releases.md
+++ b/docs/docs/releases.md
@ -8,7 +8,7 @@ description: This article describes various ways to install pomerium

 Pomerium is shipped in multiple formats and architectures to suit a variety of deployment patterns. There are two binaries:

- `pomerium` is the primary server component. It is a monolithic binary that can perform the function of any [services mode](/reference/#service-mode).
+- `pomerium` is the primary server component. It is a monolithic binary that can perform the function of any [services mode](/reference/readme.md#service-mode).
 - `pomerium-cli` (optional) is a command-line client for working with Pomerium.  Functions include acting as an authentication helper for tools like [kubtctl](topics/kubernetes-integration.md).


--- a/docs/docs/topics/data-storage.md
+++ b/docs/docs/topics/data-storage.md
@ -33,7 +33,7 @@ To prevent early session loss in production deployments, persistent storage back

 ## Backends

-Configuration options for each backend are detailed in [databroker configuration reference](/reference/#databroker-service).
+Configuration options for each backend are detailed in [databroker configuration reference](/reference/readme.md#data-broker-service).

 In all backends, Pomerium encrypts record values.  This ensures security of all records at rest, regardless of data store capabilities.  While this prevents many classes of attack vector, additional security measures should always be taken to secure data in transit and minimize access to the backends themselves.

--- a/docs/docs/topics/kubernetes-integration.md
+++ b/docs/docs/topics/kubernetes-integration.md
@ -43,14 +43,14 @@ Pomerium can be leveraged as a proxy for user requests to the API Server.
 Building on top of a standard Kubernetes and Pomerium deployment:

 1. Pomerium is given access to a Kubernetes service account with [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) permissions
-2. A [policy route](/reference/#policy) is created for the API server and [configured](/reference/#kubernetes-service-account-token) to use the service account token
+2. A [policy route](/reference/readme.md#policy) is created for the API server and [configured](/reference/readme.md#kubernetes-service-account-token) to use the service account token
 3. Kubernetes RoleBindings operate against IdP Users and Group subjects
-4. Users access the protected cluster through their standard tools, using [pomerium-cli](/docs/installation.md#pomerium-cli) as an auth provider in `~/.kube/config`
+4. Users access the protected cluster through their standard tools, using [pomerium-cli](/docs/releases.md#pomerium-cli) as an auth provider in `~/.kube/config`
 5. Pomerium authorizes requests and passes the user identity to the API server for fine grained RBAC

 ## Kubeconfig Setup

-After installing the [pomerium-cli](/docs/installation.md#pomerium-cli), you must configure your `kubeconfig` for authentication.
+After installing the [pomerium-cli](/docs/releases.md#pomerium-cli), you must configure your `kubeconfig` for authentication.

 Substitute `mycluster.pomerium.io` with your own API Server's `from` in Pomerium's policy:

--- a/docs/docs/topics/production-deployment.md
+++ b/docs/docs/topics/production-deployment.md
@ -6,13 +6,13 @@ description: >-

 # Production Deployment

-This page covers the topic of running Pomerium in a production configuration. See the [quick start section](../install/quickstart/) for canned example configurations.
+This page covers the topic of running Pomerium in a production configuration. See the [quick start section](/docs/install/readme.md) for canned example configurations.

-Please also see [architecture](../#architecture) for information on component interactions.
+Please also see [architecture](/docs/architecture.md) for information on component interactions.

 ## Service Mode

-For configuration of the service mode, see [Service Mode](../../reference/readme.md#service-mode).
+For configuration of the service mode, see [Service Mode](/reference/readme.md#service-mode).

 ### All in One

--- a/docs/docs/topics/tcp-support.md
+++ b/docs/docs/topics/tcp-support.md
@ -13,7 +13,7 @@ meta:

 Operations and engineering teams frequently require access to lower level administrative and data protocols such as SSH, RDP, Postgres, MySQL, Redis, etc.

-In addition to managing HTTP based applications, Pomerium can be used to protect non-HTTP systems with the same consistent authorization policy. This is achieved by tunneling TCP over HTTP with the help of a client side command built into [`pomerium-cli`](/docs/installation.md#pomerium-cli).
+In addition to managing HTTP based applications, Pomerium can be used to protect non-HTTP systems with the same consistent authorization policy. This is achieved by tunneling TCP over HTTP with the help of a client side command built into [`pomerium-cli`](/docs/releases.md#pomerium-cli).


 Internally, Pomerium uses the [`CONNECT` method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT) to establish the TCP tunnel.
@ -26,17 +26,20 @@ Otherwise, the HTTP proxy in front of Pomerium must know how to properly handle

 ## Configuring

-TCP configuration is simple. Just specify the correct scheme and ports in your policy [`to`](/reference/#to) and [`from`](/reference/#from) fields.
+TCP configuration is simple. Just specify the correct scheme and ports in your route [`to`](/reference/readme.md#to) and [`from`](/reference/readme.md#from) fields.

 Example:
 ```yaml
-policy:
-    - from: tcp+https://redis.corp.example.com:6379
-      to: tcp://redis.internal.example.com:6379
-      allowed_users:
-        - contractor@not-example.com
-      allowed_groups:
-        - datascience@example.com
+routes:
+  - from: tcp+https://redis.corp.example.com:6379
+    to: tcp://redis.internal.example.com:6379
+    policy:
+    - allow:
+        or:
+          - email:
+              is: contractor@not-example.com
+          - groups:
+              has: ["datascience@example.com"]
 ```

 Notes:
@ -47,7 +50,7 @@ Notes:

 ## Using

-While HTTP routes can be consumed with just a normal browser, `pomerium-cli` must serve as a proxy for TCP routes.  It is [available](/docs/installation.md#pomerium-cli) for a variety of platforms in various formats.
+While HTTP routes can be consumed with just a normal browser, `pomerium-cli` must serve as a proxy for TCP routes.  It is [available](/docs/releases.md#pomerium-cli) for a variety of platforms in various formats.

 To connect, you normally need just the external hostname and port of your TCP route:

--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@ -68,11 +68,11 @@ To update your policies for v0.14, please remove any identity provider prefix.

 ### Upstream load balancing

-With the v0.13 release, routes may contain [multiple `to` URLs](/reference/#to), and Pomerium will load balance between the endpoints. This allows Pomerium to fill the role of an edge proxy without the need for additional HTTP load balancers.
+With the v0.13 release, routes may contain [multiple `to` URLs](/reference/readme.md#to), and Pomerium will load balance between the endpoints. This allows Pomerium to fill the role of an edge proxy without the need for additional HTTP load balancers.

- Active [health checks](/reference/#health-checks) and passive [outlier detection](/reference/#outlier-detection)
- Configurable [load balancing policies](/reference/#load-balancing-policy)
- Configurable [load balancing weight](/reference/#to)
+- Active [health checks](/reference/readme.md#health-checks) and passive [outlier detection](/reference/readme.md#outlier-detection)
+- Configurable [load balancing policies](/reference/readme.md#load-balancing-policy)
+- Configurable [load balancing weight](/reference/readme.md#to)

 See [Load Balancing](/docs/topics/load-balancing) for more information on using this feature set.

@ -82,7 +82,7 @@ With the v0.13 release, all TLS files referenced from Pomerium's configuration a

 ### Proxy Protocol support

-The Pomerium HTTP listener now [supports](/reference/#use-proxy-protocol) HAPROXY's [proxy protocol](https://www.haproxy.org/download/1.9/doc/proxy-protocol.txt) to update `X-Forwarded-For` accurately when behind another proxy service.
+The Pomerium HTTP listener now [supports](/reference/readme.md#use-proxy-protocol) HAPROXY's [proxy protocol](https://www.haproxy.org/download/1.9/doc/proxy-protocol.txt) to update `X-Forwarded-For` accurately when behind another proxy service.

 ## Breaking

@ -113,7 +113,7 @@ Pomerium can now be used for non-HTTP services.  See [documentation](/docs/topic

 ### Datadog Tracing

-Datadog has been added as a natively supported [tracing backend](/reference/#datadog)
+Datadog has been added as a natively supported [tracing backend](/reference/readme.md#datadog)

 # Since 0.10.0

@ -335,7 +335,7 @@ Please see the updated examples, and [cache service docs] as a reference and for

 - Okta no longer uses tokens to retrieve group membership. [Group membership](https://developer.okta.com/docs/reference/api/groups/) is now fetched using Okta's API.
 - Okta's group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group `ID` instead of group name.
- Okta now requires an additional set of credentials to be used to query for group membership set as a [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account).
+- Okta now requires an additional set of credentials to be used to query for group membership set as a [service account](/reference/readme.md#identity-provider-service-account).

 ### OneLogin

@ -347,7 +347,7 @@ Force refresh has been removed from the dashboard. Logging out and back in again

 ### Programmatic Access API changed

-Previous programmatic authentication endpoints (`/api/v1/token`) has been removed and has been replaced by a per-route, oauth2 based auth flow. Please see updated [programmatic documentation](https://www.pomerium.io/docs/reference/programmatic-access.html) how to use the new programmatic access api.
+Previous programmatic authentication endpoints (`/api/v1/token`) has been removed and has been replaced by a per-route, oauth2 based auth flow. Please see updated [programmatic documentation](/docs/topics/programmatic-access.md) how to use the new programmatic access api.

 ### Forward-auth route change

@ -498,9 +498,9 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p

 The configuration variable [Authenticate Internal Service URL] must now be a valid [URL](https://golang.org/pkg/net/url/#URL) type and contain both a hostname and valid `https` schema.

-[authenticate internal service url]: ../reference/readme.md#authenticate-service-url
-[cache service docs]: ../reference/readme.md#cache-service
-[identity provider service account]: ../reference/readme.md#identity-provider-service-account
-[policy]: ../reference/readme.md#policy
-[storage backend configuration here]: ../reference/readme.md#cache-service
-[storage backend types]: ../reference/readme.md#data-broker-storage-type
+[authenticate internal service url]: /reference/readme.md#authenticate-service-url
+[cache service docs]: /reference/readme.md#data-broker-service
+[identity provider service account]: /reference/readme.md#identity-provider-service-account
+[policy]: /reference/readme.md#policy
+[storage backend configuration here]: /reference/readme.md#data-broker-service
+[storage backend types]: /reference/readme.md#data-broker-storage-type