Enterprise Docs (#2390)

* install VuePress Plugin Tabs

https://www.npmjs.com/package/vuepress-plugin-tabs

* init Enterprise documentation section

* replace Vuepress tab plugin

now using https://github.com/superbiger/vuepress-plugin-tabs

* init Enterprise Quickstart

* block of enterprise doc updates

* Helm Quickstart Update (#2380)

* removed/fixed redundant or incorrect config

And some small copy edits

* Update docs/docs/quick-start/helm.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* init console with helm doc

* squash me

* codeblock fix

* init about page

* updates to Enterprise section

* consolidate on Postgres

* WIP helm updates

* update and align OS and Enterprise helm docs

* Enterprise settings docs (#2397)

* init console-specific reference docs files

* remove shortdoc for name

* init Enterprise Reference doc

* expanding Enterprise Reference

* init JS script for reference subpages

When reviewing, please remember that I'm not a developer; be kind

* update script and apply

* remove errant dep

* document script and expand for CLI help output

* import pomerium-console_serve.yaml

In future iterations, this file should be sourced at build time as an artifact from the pomerium-console repo

* init new output file

* update script call and output

* fix anchor links

* BROKEN - import content from settings.yaml when dupe is true

* filtering WiP

* fix dupe script, more content

* replace if dupe with if not docs

* squash me

* squash me!

* add docs about PPL (#2404)

* squash meeeeee

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* symlink img dir from docs/reference

* squash mee

* update install reqs

* Fixed links throughout

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* remove internal note

* - format python with black
- format js with prettier

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* optimize images with imageOptim

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* run prettier on config.js

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* concepts.md

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* update concepts

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* copy edits

* typo

* symlink img dir from docs/reference

* modify TLS section in quick-start

* rm whitespace

* add common links postamble

* block of updates

* block of updates

* updates with @travisgroth

* turtles all the way down

* more content

* import all the things

* fill out reports

* fill out reports

* fix file extension

* fix links

* crosslink PPL ref

* document embedded prometheus

* expand example

* update reqs

* document non-directory users

* typo fix

* update metrics_address

* fix broken links in example configs

* update examples for route syntax

* replaced required with deprecated

Note that I didn't link to the route reference because I'm unsure what link formats are accepted when this file is used elsewhere. The warning block below includes a link.

* update enterprise/about

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* remove commented config lines

* update non-domain user section in concepts

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/about.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* add console route to OSS conf

* update enterprise settings copy from source file

* Update docs/enterprise/concepts.md

* Update reports reference

* merge conflict resolution

* update sourced doc content, fix whitespace

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Alex Fornuto 2021-08-04 13:55:04 -05:00 committed by GitHub
parent 0b9f06b5ae
commit 5332a752d0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
72 changed files with 2775 additions and 217 deletions

View file

@ -33,8 +33,11 @@ This guide assumes you have already completed one of the [quick start] guides, a
# config.yaml
- from: https://adguard.domain.example
to: http://adguard
allowed_users:
- user@example.com
policy:
- allow:
or:
- email:
is: user@example.com
set_request_headers:
# https://www.blitter.se/utils/basic-authentication-header-generator/
Authorization: Basic dXNlcjpwYXNzd29yZA===
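Review bot: the unchanged context line `Authorization: Basic dXNlcjpwYXNzd29yZA===` carries one `=` too many; `user:password` base64-encodes to `dXNlcjpwYXNzd29yZA==`, and three padding characters is not valid base64. Since this hunk already rewrites the route, fix the value in the same pass, and consider a sentence in the prose reminding readers that this upstream credential sits in plaintext in `config.yaml`, so the file needs the same handling as any other secret.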

View file

@ -64,15 +64,18 @@ helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx
## Install Pomerium
Like with Argo we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First create a `values.yaml` file (replacing the `allowed_users` and IDP `provider`/`clientID`/`clientSecret` with your own):
Like with Argo we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First create a `values.yaml` file (replacing the `email.is` and IDP `provider`/`clientID`/`clientSecret` with your own):
```yaml
config:
policy:
routes:
- from: https://argo.localhost.pomerium.io
to: http://argo-server.kube-system.svc.cluster.local:2746
allowed_users:
- REPLACE_ME
policy:
- allow:
or:
- email:
is: bdd@pomerium.io
authenticate:
idp:
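Review bot: the new allow block hard-codes `is: bdd@pomerium.io` where the removed `allowed_users` entry used `REPLACE_ME`, while the rewritten sentence above tells the reader to replace `email.is` with their own address. Keep the placeholder (`is: REPLACE_ME`) so a copy-paste of the example does not grant a real third-party address access to Argo.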

View file

@ -21,7 +21,7 @@ This guide covers using Pomerium to secure an instance of [code-server]. Pomeriu
[Visual Studio Code] is an open source code editor by Microsoft that has become [incredibly popular](https://insights.stackoverflow.com/survey/2019#technology-_-most-popular-development-environments) in the last few years. For many developers, [Visual Studio Code] hits the sweet spot between no frills editors like vim/emacs and full feature IDE's like Eclipse and IntelliJ. VS Code offers some of the creature comforts like intellisense, git integration, and plugins, while staying relatively lightweight.
One of the interesting attributes of [Visual Studio Code] is that it is built on the [Electron](<https://en.wikipedia.org/wiki/Electron_(software_framework)>) framework which uses a headless instance of Chrome rendered as a desktop application. It didn't take long for folks to realize that if we already had this great IDE written in Javascript, it may be possible to make [Visual Studio Code] run remotely.
One of the interesting attributes of [Visual Studio Code] is that it is built on the [Electron](https://en.wikipedia.org/wiki/Electron_(software_framework)) framework which uses a headless instance of Chrome rendered as a desktop application. It didn't take long for folks to realize that if we already had this great IDE written in Javascript, it may be possible to make [Visual Studio Code] run remotely.
> "Any application that can be written in JavaScript, will eventually be written in JavaScript." -- [Jeff Atwood](https://blog.codinghorror.com/the-principle-of-least-power/)
@ -33,7 +33,7 @@ One of the interesting attributes of [Visual Studio Code] is that it is built on
## Pre-requisites
This guide assumes you have already completed one of the [quick start] guides, and have a working instance of Pomerium up and running. For purpose of this guide, I'm going to use docker-compose, though any other deployment method would work equally well.
This guide assumes you have already completed one of the [install] guides, and have a working instance of Pomerium up and running. For purpose of this guide, I'm going to use docker-compose, though any other deployment method would work equally well.
## Configure
@ -41,19 +41,23 @@ This guide assumes you have already completed one of the [quick start] guides, a
```
# config.yaml
# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/
# See detailed configuration settings : https://www.pomerium.com/docs/reference/
authenticate_service_url: https://authenticate.corp.domain.example
# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
# identity provider settings : https://www.pomerium.com/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME
policy:
routes:
- from: https://code.corp.domain.example
to: http://codeserver:8080
allowed_users:
- some.user@domain.example
policy:
- allow:
or:
- email:
is: user@example.com
allow_websockets: true
```
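Review bot: `is: user@example.com` drops the `domain.example` domain that the removed `allowed_users` entry (`some.user@domain.example`) shared with the route's `from: https://code.corp.domain.example`; keep the snippet internally consistent, e.g. `is: some.user@domain.example`. The opening fence of this block is still a bare ``` while the other guides touched in this commit use ```yaml.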
@ -129,7 +133,7 @@ When the code-server container is rebuilt, any files outside of `/home/coder/pro
[integrated terminal]: https://code.visualstudio.com/docs/editor/integrated-terminal
[path]: https://en.wikipedia.org/wiki/PATH_(variable)
[quick start]: ../docs/quick-start
[synology nas]: ./synology.md
[install]: /docs/install/readme.md
[synology nas]: /guides/synology.md
[visual studio code]: https://code.visualstudio.com/
[code-server]: https://github.com/cdr/code-server
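Review bot: removing the `[quick start]` reference definition makes any remaining `[quick start]` link in this file render as literal bracketed text; the hunk at line 33 rewrites the one visible usage to `[install]`, so grep the rest of the file for others before merging.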

View file

@ -226,7 +226,8 @@ We can retrieve the token to add to our proxied policy's authorization header as
$ kubectl describe secret helm-dashboard
```
```Name: dashboard-kubernetes-dashboard-token-bv9jq
```bash
Name: dashboard-kubernetes-dashboard-token-bv9jq
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-kubernetes-dashboard
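Review bot: ```bash is the wrong language tag for the `kubectl describe` output that follows; use ```text (or no tag), since these lines are command output and the highlighter will otherwise treat `Name:` and `Labels:` as shell syntax. Splitting the fence off the first line is the right fix for the old ```Name: line.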
@ -259,12 +260,15 @@ config:
sharedSecret: YOUR_SHARED_SECRET
cookieSecret: YOUR_COOKIE_SECRET
policy:
routes:
# this route is directly proxied by pomerium & injects the authorization header
- from: https://dashboard-proxied.domain.example
to: https://helm-dashboard-kubernetes-dashboard
allowed_users:
- user@domain.example
policy:
- allow:
or:
- email:
is: user@domain.example
tls_skip_verify: true # dashboard uses self-signed certificates in its default configuration
set_request_headers:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.....
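Review bot: the allow block is fine; while this example is being rewritten, the unchanged context still inlines a long-lived service-account bearer token and sets `tls_skip_verify: true` in `values.yaml`. A sentence in the prose that anyone who can read the values file can reach the dashboard with that token (so keep it out of version control), and that `tls_skip_verify` is only acceptable for the self-signed default the inline comment mentions, would make the example safer to copy.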
@ -272,8 +276,11 @@ config:
# this route is indirectly checked for access using forward-auth
- from: https://dashboard-forwardauth.domain.example
to: https://helm-dashboard-kubernetes-dashboard
allowed_users:
- user@domain.example
policy:
- allow:
or:
- email:
is: user@domain.example
ingress:
annotations:
kubernetes.io/ingress.class: "nginx"

View file

@ -10,7 +10,7 @@ description: >-
# Local OIDC Provider
You can use the same below configs for other supported [identity providers](/docs/identity-providers).
You can use the same below configs for other supported [identity providers](/docs/identity-providers/readme.md).
## Configure
### Docker-compose
@ -24,10 +24,11 @@ services:
# Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
- COOKIE_SECRET=<reducted>
volumes:
# Mount your domain's certificates : https://www.pomerium.io/docs/reference/certificates
# Mount your domain's certificates : https://www.pomerium.com/docs/reference/certificates
- ./_wildcard.localhost.pomerium.io-key.pem:/pomerium/privkey.pem:ro
- ./_wildcard.localhost.pomerium.io.pem:/pomerium/cert.pem:ro
# Mount your config file : https://www.pomerium.io/docs/reference/reference/
# Mount your config file : https://www.pomerium.com/docs/reference/
- ./config.yaml:/pomerium/config.yaml
ports:
- 443:443
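Review bot: the context line `- COOKIE_SECRET=<reducted>` misspells "redacted"; the adjacent comment lines are already being edited, so fix it in the same pass.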
@ -53,13 +54,14 @@ services:
- 9000:9000
```
You can generate certificates for `*.localhost.pomerium.io` using [this instruction](https://www.pomerium.io/docs/reference/certificates.html#certificates-2)
You can generate certificates for `*.localhost.pomerium.io` using [this instruction](/docs/topics/certificates.md#certificates-2)
### Pomerium config
```yaml
# config.yaml
# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/
# See detailed configuration settings : https://www.pomerium.com/docs/reference/
authenticate_service_url: https://authenticate.localhost.pomerium.io
autocert: false
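Review bot: `#certificates-2` in the new `/docs/topics/certificates.md#certificates-2` link is the auto-generated slug for a second heading named "Certificates" on the target page; it breaks silently if that page's headings are reordered or renamed. Since the link is being changed anyway, link to the page itself or give the target heading an explicit id.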
@ -151,5 +153,5 @@ $ docker-compose up -d
Now accessing to `https://verify.localhost.pomerium.io` and you will be redireted to OIDC server for authentication.
[identity provider]: ../docs/identity-providers/
[identity provider]: ../docs/identity-providers/readme.md
[qlik/simple-oidc-provider]: https://hub.docker.com/r/qlik/simple-oidc-provider/
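Review bot: `[identity provider]: ../docs/identity-providers/readme.md` keeps a relative path while the hunk at line 10 of this same file switches to the absolute `/docs/identity-providers/readme.md`; pick one form. The context line above also has two typos worth fixing in passing: "Now accessing to" and "redireted" (redirected).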

View file

@ -104,16 +104,19 @@ We'll also need a test application to manage access to. For this guide we'll use
![Synology download httpbin docker image](./img/synology-httpbin.png)
### Policy
### Route
We will create an extremely basic policy where `httpbin.int.nas.example` is replaced with the subdomain you want to use for the httpbin service, and `your.email.address@gmail.com` is replaced with your email address. All other users will be denied, and all other routes will be `404`.
We will create an extremely basic route where `httpbin.int.nas.example` is replaced with the subdomain you want to use for the httpbin service, and `your.email.address@gmail.com` is replaced with your email address. All other users will be denied, and all other routes will be `404`.
```yaml
# policy.yaml
# route.yaml
- from: https://httpbin.int.nas.example
to: http://httpbin
allowed_users:
- your.email.address@gmail.com
policy:
- allow:
or:
- email:
is: your.email.address@gmail.com
```
### Configure
@ -215,12 +218,12 @@ And just to be safe, try logging in from another google account to see what happ
![Synology done](./img/synology-step-4-unauthorized.png)
[certificate documentation]: ../topics/certificates.md
[configuration variable docs]: ../../reference/readme.md
[certificate documentation]: /docs/topics/certificates.md
[configuration variable docs]: /reference/readme.md
[diskstation manager]: https://www.synology.com/en-us/dsm
[docker-capable]: https://www.synology.com/en-us/dsm/packages/Docker
[httpbin]: https://httpbin.org
[identity provider]: ../identity-providers/readme.md
[identity provider]: /docs/identity-providers/readme.md
[letsencrypt]: https://letsencrypt.org/
[nginx]: https://www.nginx.com
[self-hosted apps]: https://github.com/Kickball/awesome-selfhosted
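Review bot: `[configuration variable docs]: /reference/readme.md` is the only definition in this hunk that does not move under `/docs/`, and the config comments elsewhere in this commit point at `https://www.pomerium.com/docs/reference/`. Confirm that `/reference/readme.md` resolves on the site, or change it to `/docs/reference/readme.md` to match the rest.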

View file

@ -10,7 +10,7 @@ description: >-
# Securing TCP based services
The following guide demonstrates how to use Pomerium's [TCP Proxying](/topics/tcp-support.md) support with various TCP services such as databases and other non-HTTP protocols. It also covers integration points with them when possible.
The following guide demonstrates how to use Pomerium's [TCP Proxying](/docs/topics/tcp-support.md) support with various TCP services such as databases and other non-HTTP protocols. It also covers integration points with them when possible.
The source files from this guide can be found on [GitHub](https://github.com/pomerium/pomerium/tree/master/examples/tcp/).
@ -25,7 +25,7 @@ Important notes:
## How it works
* Create a standard Pomerium configuration for your [identity provider (IdP)](/docs/identity-providers/)
* Create a standard Pomerium configuration for your [identity provider (IdP)](/docs/identity-providers/readme.md)
* `pomerium-cli` runs on your workstation, listening on loopback for TCP connections
* When an inbound connection is made, `pomerium-cli` proxies the connection through `pomerium`, authenticating the user if needed
* Pomerium authorizes the connection and forwards it to the upstream service
@ -39,7 +39,7 @@ This recipe is designed to run on a local docker-compose instance. The included
* docker-compose
* A copy of the [example repo](https://github.com/pomerium/pomerium/tree/master/examples/tcp/) checked out
* Valid credentials for your OIDC provider
* The [Pomerium Client](/docs/installation.md#pomerium-cli) installed
* The [Pomerium Client](/docs/releases.md#pomerium-cli) installed
* (Optional) `mkcert` to generate locally trusted certificates
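Review bot: moving the target from `/docs/installation.md#pomerium-cli` to `/docs/releases.md#pomerium-cli` only works if `releases.md` has a heading that yields the `#pomerium-cli` anchor; a missing fragment lands the reader at the top of the page with no build error. The identical change in the Connect section below needs the same check.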
## Certificates (optional)
@ -82,7 +82,7 @@ Included in our compose file:
## Connect
To connect to your service, ensure [`pomerium-cli`](/docs/installation.md#pomerium-cli) is in your `$PATH` and run the `tcp` command, specifying the service you wish to reach.
To connect to your service, ensure [`pomerium-cli`](/docs/releases.md#pomerium-cli) is in your `$PATH` and run the `tcp` command, specifying the service you wish to reach.
```bash
pomerium-cli tcp [hostname]:[port]

View file

@ -38,9 +38,13 @@ jwt_claims_headers: email
policy:
- from: https://wiki.example.local
to: http://tiddlywiki:8080
allowed_users:
- reader1@example.com
- writer1@example.com
policy:
- allow:
or:
- email:
is: reader1@example.com
- email:
is: writer1@example.com
```
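Review bot: the top-level `policy:` line directly above `- from:` is left unchanged, while the code-server example in this same commit shows a `routes:` line beside `policy:` and the commit message says "update examples for route syntax"; if the intent is to move every example to `routes`, this one was missed. The two `- email: is:` items under `or:` are the right way to list several users.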
### Docker-compose
@ -56,4 +60,4 @@ Navigate to your TiddlyWiki instance (e.g. `https://wiki.example.local`) and log
* as another email: pomerium displays a permission denied error.
[quick start]: ../docs/quick-start
[quick start]: /docs/install/readme.md

View file

@ -24,7 +24,7 @@ While there are software clients available to interact with the daemon over RPC,
::: warning
Because RPC traffic to and from a Transmission daemon is unencrypted, we strongly suggest you only communicate from Pomerium to Transmission on a trusted private network. Note that some cloud hosting providers differentiate "private networking" (which is visible to all hosts in a data center) from "VLANS" which are only visible to your hosts. While you can configure a local proxy on your Transmission host to provide TLS encryption, that configuration is outside of the scope of this guide.
Running Pomerium and Transmission on the same host, using [docker](../docs/quick-start) for example, negates this concern.
Running Pomerium and Transmission on the same host, using [docker](/docs/install/readme.md) for example, negates this concern.
:::
## Before You Begin
@ -43,10 +43,13 @@ Edit your `config.yaml` file to add the following policy. Note that `<>` denotes
policy:
- from: https://<transmission.mydomain.com> # Replace with the domain you want to use to access Transmission
to: http://<private.ip.address>:9091 # Replace with the private network address of the Transmission host, or `localhost` if running on the same host.
allowed_users:
- myUser@mydomain.com # Replace with authorized user(s), or remove if using group permissions only.
allowed_groups:
- <transmission-users> # Replace with authorized user group(s), or remove if using user permissions only.
policy:
- allow:
or:
- email:
is: myUser@mydomain.com # Replace with authorized user(s), or remove if using group permissions only.
- groups:
has: ["<transmission-users>"] # Replace with authorized user group(s), or remove if using user permissions only.
```
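Review bot: the inline comment "Replace with authorized user(s)" no longer fits `email: is:`, which matches exactly one address; state that each additional user needs its own `- email: is:` item under `or:`, as the TiddlyWiki example in this commit does. Also verify that `groups: has:` accepts the list form `["<transmission-users>"]` used here rather than a single string, and note that this file, like TiddlyWiki, still has the top-level `policy:` key.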
Remember to restart the Pomerium instance after saving your changes.
@ -109,4 +112,4 @@ You should now be able to authenticate and access your Transmission daemon remot
In addition to the lock symbol in your browser's address bar, you can go to `<transmission.mydomain.com>/.pomerium` to view and confirm your session details.
[Transmission]: https://transmissionbt.com/
[quick start]: ../docs/quick-start
[quick start]: /docs/install/readme.md