From 83a12414994eb183f07ed28da755e0030c755efe Mon Sep 17 00:00:00 2001
From: alexfornuto <alex@fornuto.com>
Date: Thu, 29 Jul 2021 11:49:23 -0500
Subject: [PATCH] squash mee

---
 docs/.vuepress/config.js                      |  1 -
 docs/enterprise/console-settings.yaml         |  9 ++-
 .../reference/configuration-settings.md       | 17 -----
 docs/enterprise/reference/configure.md        |  4 +-
 docs/enterprise/reference/manage.md           | 68 ++++++++++++++++++-
 5 files changed, 72 insertions(+), 27 deletions(-)
 delete mode 100644 docs/enterprise/reference/configuration-settings.md

diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js
index e5816a32e..63e60a6b6 100644
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@@ -218,7 +218,6 @@ module.exports = {
               sidebarDepth: 2,
               children: [
                 "/enterprise/reference/config.md",
-                "/enterprise/reference/configuration-settings",
                 "/enterprise/reference/configure",
                 "/enterprise/reference/manage",
                 "/enterprise/reference/reports",
diff --git a/docs/enterprise/console-settings.yaml b/docs/enterprise/console-settings.yaml
index b19b21679..d7bc0dba7 100644
--- a/docs/enterprise/console-settings.yaml
+++ b/docs/enterprise/console-settings.yaml
@@ -49,7 +49,7 @@ settings:
                 keys: ["allow_websockets"]
               - name: "Timeout"
                 keys: ["timeout"]
-              - name: "Stream Idle Timeout"
+              - name: "Idle Timeout"
                 keys: ["idle_timeout"]
           - name: "Headers"
             settings:
@@ -124,7 +124,7 @@ settings:
           - `time_of_day`
           - `user`
 
-          Some criteria also support a subpath as part of the criterion name:
+          Some criteria also support a sub-path as part of the criterion name:
 
           ```yaml
           - allow:
@@ -150,9 +150,8 @@ settings:
   - name: "Configure"
     settings:
       - name: "User Impersonation"
-        keys: ["user impersonation"]
         doc: |
-          @travis fill me with delicious data!
+          Travis fill me with delicious data!
       - name: "Settings"
         settings:
           - name: "Global"
@@ -165,7 +164,7 @@ settings:
           - name: "Proxy"
       - name: "Service Accounts"
         doc: |
-          <!-- Explain Service Accounts -->
+          <!-- Explain Service Accounts --> Service accounts...
       - name: "Namespaces"
         keys: ["namespace"]
         doc: |
diff --git a/docs/enterprise/reference/configuration-settings.md b/docs/enterprise/reference/configuration-settings.md
deleted file mode 100644
index 87643c5f7..000000000
--- a/docs/enterprise/reference/configuration-settings.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Configuration Settings
-lang: en-US
-sidebarDepth: 2
-meta:
-    - name: keywords
-      content: configuration options settings Pomerium enterprise console
----
-
-# Configuration Settings
-
-These configuration values are set in the `config.yaml` file for Pomerium Enterprise Console, or as environment variables. Once the console is accessible, configuration is adjusted through the web UI.
-
-## User Impersonation
-
-@travis fill me with delicious data!
-
diff --git a/docs/enterprise/reference/configure.md b/docs/enterprise/reference/configure.md
index e7bb40a41..4612890cc 100644
--- a/docs/enterprise/reference/configure.md
+++ b/docs/enterprise/reference/configure.md
@@ -11,7 +11,7 @@ meta:
 
 ## User Impersonation
 
-@travis fill me with delicious data!
+Travis fill me with delicious data!
 
 
 ## Settings
@@ -92,7 +92,7 @@ tracing_zipkin_endpoint | Url to the Zipkin HTTP endpoint. | ✅
 
 ## Service Accounts
 
-<!-- Explain Service Accounts -->
+<!-- Explain Service Accounts --> Service accounts...
 
 
 ## Namespaces
diff --git a/docs/enterprise/reference/manage.md b/docs/enterprise/reference/manage.md
index 73296e8d9..4d3bb3973 100644
--- a/docs/enterprise/reference/manage.md
+++ b/docs/enterprise/reference/manage.md
@@ -159,8 +159,9 @@ If set, enables proxying of websocket connections.
 
 #### Timeout
 
+Policy timeout establishes the per-route timeout value. Cannot exceed global timeout values.
 
-#### Stream Idle Timeout
+#### Idle Timeout
 
 If you are proxying long-lived requests that employ streaming calls such as websockets or gRPC,
 set this to either a maximum value there may be no data exchange over a connection (recommended),
@@ -242,6 +243,20 @@ The browser would be redirected to: `http://frontend/one/some/path/`. This is si
 ### Load Balancer
 
 
+#### Load Balancing Policy
+
+In presence of multiple upstreams, defines load balancing strategy between them.
+
+See [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-lbpolicy) for more details.
+
+- [`ROUND_ROBIN`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-round-robin) (default)
+- [`LEAST_REQUEST`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-least-request) and may be further configured using [`least_request_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-leastrequestlbconfig)
+- [`RING_HASH`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash) and may be further configured using [`ring_hash_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-ringhashlbconfig) option
+- [`RANDOM`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#random)
+- [`MAGLEV`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev) and may be further configured using [`maglev_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-maglevlbconfig) option
+
+Some policy types support additional [configuration](#load-balancing-policy-config).
+
 ## Policies
 
 A Policy defines what permissions a set of users or groups has. Policies are applied to Namespaces or Routes to associate the set of permissions with a service or set of service, completing the authentication model.
@@ -264,6 +279,55 @@ From the **EDITOR** tab users can write policies in Pomerium Policy Language (**
 
 ![A policy as viewed from the editor tab](../img/example-policy-editor.png)
 
+PPL documents contain one or more rules. Each rule has a corresponding action and one or more logical operators.
+Each logical operator contains criteria and each criterion has a name and corresponding data.
+
+PPL documents are defined via YAML:
+
+```yaml
+- allow:
+    or:
+      - email:
+          is: x@example.com
+      - email:
+          is: y@example.com
+```
+
+The available rule actions are:
+
+- `allow`
+- `deny`
+
+The available logical operators are:
+
+- `and`
+- `or`
+- `not`
+- `nor`
+
+The available criteria types are:
+
+- `accept`
+- `authenticated_user`
+- `claim`
+- `date`
+- `day_of_week`
+- `domain`
+- `email`
+- `groups`
+- `reject`
+- `time_of_day`
+- `user`
+
+Some criteria also support a subpath as part of the criterion name:
+
+```yaml
+- allow:
+    or:
+      - claim/family_name:
+          is: Smith
+```
+
 ### Rego
 
 For those using [OPA](https://www.openpolicyagent.org/), the **REGO** tab will accept policies written in Rego.
@@ -275,7 +339,7 @@ A policy can only support PPL or Rego. Once one is set, the other tab is disable
 ### Overrides
 
 - **Any Authenticated User**: This setting will allow access to a route with this policy attached to any user who can authenticate to your Identity Provider (**IdP**).
-- **CORS Preflight**: 
+- **CORS Preflight**:
 - **Public Access**: This setting allows complete, unrestricted access to an associated route. Use this setting with caution.