Enterprise Docs (#2390)

* install VuePress Plugin Tabs

https://www.npmjs.com/package/vuepress-plugin-tabs

* init Enterprise documentation section

* replace Vuepress tab plugin

now using https://github.com/superbiger/vuepress-plugin-tabs

* init Enterprise Quickstart

* block of enterprise doc updates

* Helm Quickstart Update (#2380)

* removed/fixed redundant or incorrect config

And some small copy edits

* Update docs/docs/quick-start/helm.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* init console with helm doc

* squash me

* codeblock fix

* init about page

* updates to Enterprise section

* consolidate on Postgres

* WIP helm updates

* update and align OS and Enterprise helm docs

* Enterprise settings docs (#2397)

* init console-specific reference docs files

* remove shortdoc for name

* init Enterprise Reference doc

* expanding Enterprise Reference

* init JS script for reference subpages

When reviewing please remember that I'm not a developer, be kind

* update script and apply

* remove errant dep

* document script and expand for CLI help output

* import pomerium-console_serve.yaml

In future iterations, this file should be sourced at build time as an artifact from the pomerium-console repo

* init new output file

* update script call and output

* fix anchor links

* BROKEN - import content from settings.yaml when dupe is true

* filtering WiP

* fix dupe script, more content

* replace if dupe with if not docs

* squash me

* squash me!

* add docs about PPL (#2404)

* squash meeeeee

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* symlink img dir from docs/reference

* squash mee

* update install reqs

* Fixed links throughout

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* remove internal note

* - format python with black
- format js with prettier

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* optimize images with imageOptim

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* run prettier on config.js

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* concepts.md

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* update concepts

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* copy edits

* typo

* symlink img dir from docs/reference

* modify TLS section in quick-start

* rm whitespace

* add common links postamble

* block of updates

* block of updates

* updates with @travisgroth

* turtles all the way down

* more content

* import all the things

* fill out reports

* fill out reports

* fix file extension

* fix links

* crosslink PPL ref

* document embedded prometheus

* expand example

* update reqs

* document non-directory users

* typo fix

* update metrics_address

* fix broken links in example configs

* update examples for route syntax

* replaced required with deprecated

Note that I didn't link to the route reference because I'm unsure what link formats are accepted when this file is used elsewhere. The warning block below includes a link.

* update enterprise/about

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* remove commented config lines

* update non-domain user section in concepts

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/about.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* add console route to OSS conf

* update enterprise settings copy from source file

* Update docs/enterprise/concepts.md

* Update reports reference

* merge conflict resolution

* update sourced doc content, fix whitespace

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

examples/kubernetes/kubernetes-config.yaml

@@ -1,4 +1,5 @@
-# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
+# Main configuration flags : https://www.pomerium.com/docs/reference/
+
 insecure_server: true
 grpc_insecure: true
 address: ":80"

examples/kubernetes/pomerium-certificates.yaml

@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pomerium-cert
+  namespace: pomerium
+spec:
+  secretName: pomerium-tls
+  issuerRef:
+    name: pomerium-issuer
+    kind: Issuer
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - pomerium-proxy.pomerium.svc.cluster.local
+    - pomerium-authorize.pomerium.svc.cluster.local
+    - pomerium-databroker.pomerium.svc.cluster.local
+    - pomerium-authenticate.pomerium.svc.cluster.local
+    # TODO - Replace the following entry with your domain space.
+    - "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pomerium-redis-cert
+  namespace: pomerium
+spec:
+  secretName: pomerium-redis-tls
+  issuerRef:
+    name: pomerium-issuer
+    kind: Issuer
+  dnsNames:
+    - pomerium-redis-master.pomerium.svc.cluster.local
+    - pomerium-redis-headless.pomerium.svc.cluster.local
+    - pomerium-redis-replicas.pomerium.svc.cluster.local

examples/kubernetes/pomerium-console-certificate.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pomerium-console-cert
+  namespace: pomerium
+spec:
+  secretName: pomerium-console-tls
+  issuerRef:
+    name: pomerium-issuer
+    kind: Issuer
+  dnsNames:
+    - pomerium-console.pomerium.svc.cluster.local

examples/kubernetes/pomerium-values.yaml

@@ -0,0 +1,54 @@
+authenticate:
+  existingTLSSecret: pomerium-tls
+  idp:
+    provider: "google"
+    clientID: YOUR_CLIENT_ID
+    clientSecret: YOUR_SECRET
+    serviceAccount: YOUR_SERVICE_ACCOUNT
+  proxied: false
+
+proxy:
+  existingTLSSecret: pomerium-tls
+  service:
+    type: LoadBalancer
+
+databroker:
+  existingTLSSecret: pomerium-tls
+  storage:
+    connectionString: rediss://pomerium-redis-master.pomerium.svc.cluster.local
+    type: redis
+    clientTLS:
+      existingSecretName: pomerium-tls
+      existingCASecretKey: ca.crt
+
+authorize:
+  existingTLSSecret: pomerium-tls
+
+redis:
+  enabled: true
+  auth:
+    enabled: false
+  usePassword: false
+  generateTLS: false
+  tls:
+    certificateSecret: pomerium-redis-tls
+
+ingress:
+  enabled: false
+
+config:
+  sharedSecret: YOURSHAREDSECRET # You can use "head -c32 /dev/urandom | base64" to generate.
+  cookieSecret: YOURCOOKIESECRET # You can use "head -c32 /dev/urandom | base64" to generate.
+  rootDomain: localhost.pomerium.io
+  existingCASecret: pomerium-tls
+  generateTLS: false # On by default, disabled when cert-manager or another solution is in place.
+  policy:
+      # This will be our testing app, to confirm that Pomerium is authenticating and routing traffic.
+    - from: https://hello.localhost.pomerium.io
+      to: http://nginx.pomerium.svc.cluster.local:80
+      allowed_domains:
+        - companydomain.com # Use the domain your company email address uses.
+    - from: https://authenticate.localhost.pomerium.io
+      to: https://pomerium-authenticate.pomerium.svc.cluster.local
+      preserve_host_header: true
+      allow_public_unauthenticated_access: true

examples/kubernetes/values.yaml

@@ -18,6 +18,7 @@ proxy:
       cloud.google.com/app-protocols: '{"https":"HTTPS"}'
 
 config:
+  rootDomain: localhost.pomerium.io
   policy:
     - from: https://hello.localhost.pomerium.io
       to: http://nginx.default.svc.cluster.local:80