Adds new Zero IA (#1439)
* moves cluster status

* changes to sidebar

* fixes breaking links

* removes releases, adds versioning partial to changelogs

* moves k8s, adds redirects

* removes production-deployment page

* moves clients, adds redirects

* creates upstream services guides directory

* removes Client from sidebar labels

* updates text

* Revert "creates upstream services guides directory"

This reverts commit f61e4bd.

* creates guides subsections

* removes securing tcp guide, adds to capabilities examples

* removes js-sdk guide, redirects to capabilities page

* removes local oidc, redirects to idp oidc guide

* updates sidebar to move guide locations

* removes idp and integrations sidebar slices

* splits up certificates concepts page & creates new mTLS guide

* adds integrations to capabilities section

* adds zero install page

* runs yarn format

* fixes breaking links

* fixes cspell errors

* runs prettier
ZPain8464 committed Jun 18, 2024
1 parent a3fdaea commit 1d26b1b
Showing 160 changed files with 715 additions and 1,315 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -6,7 +6,7 @@ repos:
additional_dependencies:
- '[email protected]'
files: ^content\/.*$
exclude: content/docs/deploy/k8s/reference.md
exclude: content/docs/k8s/reference.md
- repo: https://github.com/streetsidesoftware/cspell-cli
rev: v6.2.0
hooks:
9 changes: 9 additions & 0 deletions content/docs/admonitions/_semantic-versioning.mdx
@@ -0,0 +1,9 @@
### Versioning

Pomerium uses [Semantic Versioning](https://semver.org/). In practice, this means for a given version number **vMAJOR**.**MINOR**.**PATCH** (for example, `v0.1.0`):

- **MAJOR** indicates an incompatible API change
- **MINOR** indicates a new, backwards-compatible functionality
- **PATCH** indicates a backwards-compatible bug fix

As Pomerium is still pre-`v1.0.0`, you should expect breaking changes between releases.
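Review bot: minor wording in the MINOR bullet: "a new, backwards-compatible functionality" should be "new, backwards-compatible functionality" (functionality is uncountable). Also, because the partial opens with a `###` heading, each changelog page that imports it needs a `##` section above the import point to keep the heading hierarchy valid, and the `#versioning` anchor will only exist on pages that actually include the partial.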
2 changes: 1 addition & 1 deletion content/docs/admonitions/_upgrade-versions.mdx
@@ -1 +1 @@
**Before you upgrade:** Set your Core and Enterprise instances to the same **MINOR** version number. For example, if your Core instance is on **v0.22.1**, Enterprise should be set to **v0.22.0**. See [Versioning](/docs/deploy/releases#versioning) for more information.
**Before you upgrade:** Set your Core and Enterprise instances to the same **MINOR** version number. For example, if your Core instance is on **v0.22.1**, Enterprise should be set to **v0.22.0**.
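Review bot: the "See [Versioning]" pointer is dropped without a replacement, so a reader of this admonition no longer has a way to find the definition of MINOR that the instruction relies on; since this commit adds `content/docs/admonitions/_semantic-versioning.mdx`, link to a page that includes that partial, or include the partial here.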
2 changes: 1 addition & 1 deletion content/docs/capabilities/authentication.mdx
Expand Up @@ -56,7 +56,7 @@ By configuring your applications to route requests to Pomerium’s Proxy service

:::enterprise

[Enterprise customers](https://www.pomerium.com/enterprise-sales/) can enforce context-aware access with Pomerium’s [external data sources](/docs/integrations) feature (directory sync).
[Enterprise customers](https://www.pomerium.com/enterprise-sales/) can enforce context-aware access with Pomerium’s [external data sources](/docs/capabilities/integrations) feature (directory sync).

:::
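Review bot: `/docs/integrations` is rewritten to `/docs/capabilities/integrations` here, but the commit message records redirects only for the k8s and clients moves; confirm a redirect for the old integrations path is in place, since that path is also the target of the `record` row in the PPL reference and is likely linked externally.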

6 changes: 3 additions & 3 deletions content/docs/capabilities/authorization.mdx
Expand Up @@ -108,7 +108,7 @@ In this example, Pomerium will grant a user access if their email address ends i

:::enterprise

The Enterprise Console provides a policy builder GUI so you can build policies and reapply them to multiple routes and namespaces. See our [**Enterprise**](/docs/deploy/enterprise) page to learn more.
The Enterprise Console provides a policy builder GUI so you can build policies and reapply them to multiple routes and namespaces. See our [**Enterprise**](/docs/enterprise) page to learn more.

:::
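Review bot: all three hunks in this file rewrite `/docs/deploy/enterprise` to `/docs/enterprise`, yet the commit message lists no redirect for the `/docs/deploy/*` tree; add one (or confirm it exists) so bookmarks and external links to the old Enterprise pages do not 404.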

Expand Down Expand Up @@ -274,7 +274,7 @@ This example pulls session data from the Databroker service using `type.googleap

::::enterprise

In the [**Enterprise Console**](/docs/deploy/enterprise), you can write policies in Rego with the PPL builder:
In the [**Enterprise Console**](/docs/enterprise), you can write policies in Rego with the PPL builder:

![Apply Rego in Console editor](./img/authorization/ppl-rego-policy.png)

Expand Down Expand Up @@ -311,7 +311,7 @@ For routes with policies that allow public, unauthenticated access, Pomerium _wi

:::enterprise

[Device identity](/docs/capabilities/device-identity) is an Enterprise feature. Check out our [Enterprise](/docs/deploy/enterprise) page to learn more.
[Device identity](/docs/capabilities/device-identity) is an Enterprise feature. Check out our [Enterprise](/docs/enterprise) page to learn more.

:::

2 changes: 1 addition & 1 deletion content/docs/capabilities/branding.md
Expand Up @@ -7,7 +7,7 @@ description: Add custom colors, logos, and error messages.

:::enterprise

This article describes a use case available to [Pomerium Enterprise](/docs/deploy/enterprise/install) customers.
This article describes a use case available to [Pomerium Enterprise](/docs/enterprise/install) customers.

:::

4 changes: 2 additions & 2 deletions content/docs/capabilities/device-identity.mdx
Expand Up @@ -32,7 +32,7 @@ Device identity is the unique ID associated with a device. In the context of zer

## Device identity with Pomerium

Pomerium versions [0.16.0](/docs/deploy/core/upgrading#policy-for-device-identity) and up support the use of device identity as a criteria in authorization policies. Pomerium uses the [Web Authentication](https://www.w3.org/TR/webauthn-2/#registration-extension) (WebAuthn) API to bring authentication and authorization based on device identity into your security framework. With Pomerium’s device identity support, users can register devices and administrators can limit access to devices they trust.
Pomerium versions [0.16.0](/docs/core/upgrading#policy-for-device-identity) and up support the use of device identity as a criteria in authorization policies. Pomerium uses the [Web Authentication](https://www.w3.org/TR/webauthn-2/#registration-extension) (WebAuthn) API to bring authentication and authorization based on device identity into your security framework. With Pomerium’s device identity support, users can register devices and administrators can limit access to devices they trust.

## Device identity features

Expand Down Expand Up @@ -102,7 +102,7 @@ Give the link to the user.

If a Pomerium route [requires device authentication](/docs/capabilities/ppl#device-matcher), the user must register a [trusted execution environment](/docs/concepts/device-identity#authenticated-device-types) (**TEE**) device before accessing the route. Registration differs depending on the device.

The steps below cover enrollment of a device by a user. This is available for both Pomerium Core and [Pomerium Enterprise](/docs/deploy/enterprise/install) installations. However, Enterprise users may also receive registration links [generated by their administrators](/docs/capabilities/device-identity), which will mark the newly enrolled device as approved in the Enterprise Console.
The steps below cover enrollment of a device by a user. This is available for both Pomerium Core and [Pomerium Enterprise](/docs/enterprise/install) installations. However, Enterprise users may also receive registration links [generated by their administrators](/docs/capabilities/device-identity), which will mark the newly enrolled device as approved in the Enterprise Console.

1. Users are prompted to register a new device when accessing a route that requires device authentication:

2 changes: 1 addition & 1 deletion content/docs/capabilities/enterprise-api.mdx
Expand Up @@ -17,7 +17,7 @@ The Pomerium Enterprise Console supports programmatic interaction through a gRPC

This doc assumes:

- You've installed [Pomerium Core](/docs/deploy/core) and [Pomerium Enterprise](/docs/deploy/enterprise/install)
- You've installed [Pomerium Core](/docs/core) and [Pomerium Enterprise](/docs/enterprise/install)
- The connection to the Enterprise Console service is encrypted

## Configure a new route
2 changes: 0 additions & 2 deletions content/docs/capabilities/getting-users-identity.md
Expand Up @@ -118,8 +118,6 @@ A single-page javascript application can verify the JWT using the [JavaScript SD

<ReactApp />

See the [JavaScript SDK guide](/docs/guides/js-sdk) for more information.

### Manual verification

Though you will likely verify signed headers programmatically in your application's middleware with a third-party JWT library, if you are new to JWT it may be helpful to show what manual verification looks like.
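Review bot: the removed sentence was the only cross-reference from the `<ReactApp />` example to the SDK documentation; elsewhere in this commit `/docs/guides/js-sdk` is redirected to `/docs/capabilities/jwt-verification`, so consider rewriting the sentence to point there instead of deleting it, so readers of the single-page-app example can still find the full SDK usage.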
4 changes: 2 additions & 2 deletions content/docs/capabilities/high-availability.mdx
Expand Up @@ -40,7 +40,7 @@ Pomerium's individual components can be divided into two categories; the data pl

:::tip

Our [Kubernetes](/docs/deploy/k8s/quickstart) supports [Horizontal Pod Autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
Our [Kubernetes](/docs/k8s/quickstart) supports [Horizontal Pod Autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).

:::
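Review bot: the sentence is missing its noun: "Our [Kubernetes](/docs/k8s/quickstart) supports Horizontal Pod Autoscaling" should read something like "Our [Kubernetes deployment](/docs/k8s/quickstart) supports ..."; since the line is already being touched for the link move, fix the wording in the same change.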

Expand Down Expand Up @@ -92,7 +92,7 @@ In any production deployment, running multiple replicas of each Pomerium service

You should deploy Layer 4 load balancing between end users and Pomerium Proxy services to provide high availability and horizontal scaling. Do not use L7 load balancers, since the Proxy service handles redirects, sticky sessions, etc.

Note that deployments on Kubernetes can utilize The [Pomerium Ingress Controller](/docs/deploy/k8s/ingress) to simplify configuration.
Note that deployments on Kubernetes can utilize The [Pomerium Ingress Controller](/docs/k8s/ingress) to simplify configuration.

### Authenticate
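Review bot: "can utilize The [Pomerium Ingress Controller]" has a capitalized "The" mid-sentence; lower-case it while the line is being edited.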

2 changes: 1 addition & 1 deletion content/docs/capabilities/hosted-authenticate-service.md
Expand Up @@ -36,7 +36,7 @@ Pomerium's hosted services solution removes the tedium of configuring your own i

If you're testing Pomerium for the first time, run [Pomerium with Docker](/docs/quickstart) using our hosted services – you can run Pomerium Core in **under 5 minutes** with minimal setup.

Current Pomerium users who are interested in our [Enterprise Console](https://www.pomerium.com/enterprise-sales/) can test out the [Docker Enterprise Quickstart](/docs/deploy/enterprise/quickstart) using hosted services as well.
Current Pomerium users who are interested in our [Enterprise Console](https://www.pomerium.com/enterprise-sales/) can test out the [Docker Enterprise Quickstart](/docs/enterprise/quickstart) using hosted services as well.

## Configure the Hosted Authenticate Service

6 changes: 0 additions & 6 deletions content/docs/capabilities/jwt-verification.mdx
Expand Up @@ -38,12 +38,6 @@ The following code provides a minimum working example of how JWT verification wo

<ReactApp />

:::tip

See the [JavaScript SDK guide](/docs/guides/js-sdk) for more complete client- and server-side examples using React and Express.

:::

<details>
<summary>Trust on first use (TOFU)</summary>
<div>
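Review bot: dropping this tip removes the only pointer to the server-side (Express) verification example; since the js-sdk guide is being deleted and redirected to a capabilities page, either carry the Express example into this page next to the `<ReactApp />` client example or keep the tip with an updated target, otherwise that material is lost to readers.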
6 changes: 3 additions & 3 deletions content/docs/capabilities/kubernetes-access.md
Expand Up @@ -37,19 +37,19 @@ Pomerium can be leveraged as a proxy for user requests to the API Server.

## How it works

![Kubernetes Integration](../deploy/k8s/img/kubernetes-integration.svg)
![Kubernetes Integration](./img/kubernetes/kubernetes-integration.svg)

Building on top of a standard Kubernetes and Pomerium deployment:

1. Pomerium is given access to a Kubernetes service account with [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) permissions
2. A [route's policy](/docs/reference/routes/policy) is created for the API server and [configured](/docs/reference/routes/kubernetes-service-account-token) to use the service account token
3. Kubernetes RoleBindings operate against IdP Users and Group subjects
4. Users access the protected cluster through their standard tools, using [pomerium-cli](/docs/deploy/clients/pomerium-cli) as an auth provider in `~/.kube/config`
4. Users access the protected cluster through their standard tools, using [pomerium-cli](/docs/clients/pomerium-cli) as an auth provider in `~/.kube/config`
5. Pomerium authorizes requests and passes the user identity to the API server for fine grained RBAC

## Kubeconfig Setup

After installing the [pomerium-cli](/docs/deploy/clients/pomerium-cli), you must configure your `kubeconfig` for authentication.
After installing the [pomerium-cli](/docs/clients/pomerium-cli), you must configure your `kubeconfig` for authentication.

Substitute `mycluster.pomerium.io` with your own API Server's `from` in Pomerium's policy:
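Review bot: the image path moves from `../deploy/k8s/img/kubernetes-integration.svg` to `./img/kubernetes/kubernetes-integration.svg`; confirm the svg is actually added under `content/docs/capabilities/img/kubernetes/` in this commit, since a wrong relative image path is not a markdown link and may not be caught by the link check the commit message refers to.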

2 changes: 1 addition & 1 deletion content/docs/capabilities/metrics.md
Expand Up @@ -76,4 +76,4 @@ To take advantage of Prometheus embedded in Pomerium Enterprise, edit Pomerium C
prometheus_data_dir: /var/lib/pomerium-console/tsdb
```

The directory path can be any location that the `pomerium` system user can write to. The example above uses the default location created by the [OS packages](/docs/deploy/enterprise/quickstart).
The directory path can be any location that the `pomerium` system user can write to. The example above uses the default location created by the [OS packages](/docs/enterprise/quickstart).
2 changes: 1 addition & 1 deletion content/docs/capabilities/mtls-services.mdx
Expand Up @@ -43,7 +43,7 @@ To provide a general explanation, in this guide you will use [mkcert](https://gi

To complete this proof-of-concept guide:

- Run Pomerium in [all-in-one mode](/docs/internals/configuration#all-in-one-vs-split-service-mode) as a system service with a configuration file in the [standard location](/docs/deploy/core/from-source#configure)
- Run Pomerium in [all-in-one mode](/docs/internals/configuration#all-in-one-vs-split-service-mode) as a system service with a configuration file in the [standard location](/docs/core/from-source#configure)
- Configure an [identity provider](/docs/identity-providers) (IdP) to communicate with your Pomerium instance
- Run all commands on the same host (You may have to move files or adjust paths and commands to match a different configuration)
- Install [`mkcert`](https://github.com/FiloSottile/mkcert) to generate self-signed certificates and a root Certificate Authority (CA) (`mkcert` will take the place of your trusted certificate tooling solution)
2 changes: 1 addition & 1 deletion content/docs/capabilities/original-request-context.md
Expand Up @@ -9,7 +9,7 @@ description: This article describes how the original user context is passed seco

:::enterprise

This article describes a use case available to [Pomerium Enterprise](/docs/deploy/enterprise/install) customers.
This article describes a use case available to [Pomerium Enterprise](/docs/enterprise/install) customers.

:::

8 changes: 4 additions & 4 deletions content/docs/capabilities/ppl.mdx
Expand Up @@ -136,7 +136,7 @@ deny:

Below is an exhaustive list of PPL criteria.

Entries marked with `*` denote criteria that are only available in the [Enterprise Console](/docs/deploy/enterprise) PPL builder. All other entries are available in both Pomerium Core and Pomerium Enterprise.
Entries marked with `*` denote criteria that are only available in the [Enterprise Console](/docs/enterprise) PPL builder. All other entries are available in both Pomerium Core and Pomerium Enterprise.

| Criterion Name | Data Format | Description |
| --- | --- | --- |
Expand All @@ -155,12 +155,12 @@ Entries marked with `*` denote criteria that are only available in the [Enterpri
| `http_path` | [String Matcher] | Returns true if the HTTP path matches the given value. |
| `invalid_client_certificate` | Anything. Typically `true`. | Returns true if the incoming request does not have a trusted client certificate. By default, a `deny` rule using this criterion is added to all Pomerium policies when [downstream mTLS] is configured (but this default can be changed using the [Enforcement Mode](/docs/reference/downstream-mtls-settings#enforcement-mode) setting.) |
| `pomerium_routes` | Anything. Typically `true`. | Returns true if the incoming request is for the special `.pomerium` routes. A default `allow` rule using this criterion is added to all Pomerium policies. |
| \* `record` | variable | Allows policies to be extended using data from [external data sources](/docs/integrations) |
| \* `record` | variable | Allows policies to be extended using data from [external data sources](/docs/capabilities/integrations) |
| `reject` | Anything. Typically `true`. | Always returns false. The opposite of `accept`. |
| \* `time_of_day` | [Time of Day Matcher] | Returns true if the time of the request (for the current day) matches the constraints. |
| `user` | [String Matcher] | Returns `true` if the logged-in user's ID matches the supplied value. (The actual value of the user ID claim depends on how the identity provider sets this value.) |

Entries marked with `*` denote criteria that are only available in the [Enterprise Console](/docs/deploy/enterprise) PPL builder. All other entries are available in both Pomerium Core and Pomerium Enterprise.
Entries marked with `*` denote criteria that are only available in the [Enterprise Console](/docs/enterprise) PPL builder. All other entries are available in both Pomerium Core and Pomerium Enterprise.

## Matchers
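Review bot: the sentence "Entries marked with `*` denote criteria that are only available in the [Enterprise Console] PPL builder ..." is repeated verbatim above the table (previous hunk) and below it here; since both copies are being edited for the link move, keep only one, preferably the copy above the table where the `*` markers first appear. The `record` row's new `/docs/capabilities/integrations` target also needs a redirect from the old `/docs/integrations` path.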

Expand Down Expand Up @@ -385,7 +385,7 @@ allow:
[`allow_any_authenticated_user`]: /docs/reference/routes/allow-any-authenticated-user
[cors pre-flight requests]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests
[downstream mtls]: /docs/reference/downstream-mtls-settings
[pomerium enterprise]: /docs/deploy/enterprise/install
[pomerium enterprise]: /docs/enterprise/install
[yaml]: https://en.wikipedia.org/wiki/YAML
[string matcher]: #string-matcher
[string list matcher]: #string-list-matcher
2 changes: 1 addition & 1 deletion content/docs/capabilities/service-accounts.md
Expand Up @@ -19,7 +19,7 @@ Service accounts offer a protected and standardized method of authenticating mac

:::enterprise

Service Accounts are a Pomerium Enterprise feature. The steps below show you how to create and use a Service Account in the Enterprise Console. See our [Pomerium Enterprise](/docs/deploy/enterprise) page for more information.
Service Accounts are a Pomerium Enterprise feature. The steps below show you how to create and use a Service Account in the Enterprise Console. See our [Pomerium Enterprise](/docs/enterprise) page for more information.

:::

2 changes: 1 addition & 1 deletion content/docs/capabilities/single-sign-out.md
Expand Up @@ -65,7 +65,7 @@ Note, a CSRF token is required for the single sign out endpoint (despite support

### Single sign-out example with Pomerium

The example below demonstrates how to correctly implement SSO using the [JavaScript SDK](/docs/guides/js-sdk):
The example below demonstrates how to correctly implement SSO using the [JavaScript SDK](/docs/capabilities/jwt-verification):

```js
export const signOut = (redirectUrl) => {
2 changes: 1 addition & 1 deletion content/docs/capabilities/tcp.mdx
Expand Up @@ -22,7 +22,7 @@ import LongLivedConnections from '@site/content/docs/admonitions/_long-lived-con

# TCP over HTTP Support

In addition to managing HTTP based applications, Pomerium can be used to protect non-HTTP systems with the same consistent authorization policy. This is achieved by tunneling TCP over HTTP with the help of a client side command built into [`pomerium-cli`](/docs/deploy/clients/pomerium-cli).
In addition to managing HTTP based applications, Pomerium can be used to protect non-HTTP systems with the same consistent authorization policy. This is achieved by tunneling TCP over HTTP with the help of a client side command built into [`pomerium-cli`](/docs/clients/pomerium-cli).

Operations and engineering teams frequently require access to lower level administrative and data protocols such as SSH, RDP, Postgres, MySQL, Redis, etc.

6 changes: 3 additions & 3 deletions content/docs/capabilities/tcp/client.mdx
Expand Up @@ -89,7 +89,7 @@ You can connect to this route with either the Pomerium CLI or Pomerium Desktop c

### Desktop client steps

If you haven't, install [Pomerium Desktop](/docs/deploy/clients/pomerium-desktop).
If you haven't, install [Pomerium Desktop](/docs/clients/pomerium-desktop).

Then, add a connection by filling in the fields defined below:

Expand All @@ -110,7 +110,7 @@ Then, add a connection by filling in the fields defined below:

### Pomerium CLI steps

If you haven't, install [Pomerium CLI](/docs/deploy/clients/pomerium-cli).
If you haven't, install [Pomerium CLI](/docs/clients/pomerium-cli).

Then, connect to a TCP route:

Expand Down Expand Up @@ -147,7 +147,7 @@ Then, connect to a TCP route:
For more examples and detailed usage information, see the following docs:

- [**TCP Reference**](/docs/capabilities/tcp/reference)
- [**Securing TCP-based Services**](/docs/guides/securing-tcp)
- [**Securing TCP-based Services**](/docs/capabilities/tcp)

:::
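Review bot: the link text "Securing TCP-based Services" now points at `/docs/capabilities/tcp`, the parent of this very page, while the commit message says the securing-tcp guide content moved into the capabilities examples; point the link at the examples section where that content landed, or drop the bullet, since a "see also" that links back to the page's own parent gives the reader nothing new.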

Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ This example assumes you've already [created a TCP route](/docs/capabilities/tcp

## Basic Connection

1. Create a TCP tunnel, using either [`pomerium-cli`](/docs/deploy/clients/pomerium-cli) or the Pomerium Desktop client:
1. Create a TCP tunnel, using either [`pomerium-cli`](/docs/clients/pomerium-cli) or the Pomerium Desktop client:

<Tabs>
<TabItem value="pomerium-cli" label="pomerium-cli">
2 changes: 1 addition & 1 deletion content/docs/capabilities/tcp/examples/git.mdx
Expand Up @@ -23,7 +23,7 @@ This example assumes you've already [created a TCP route](/docs/capabilities/tcp

## Basic Connection

1. Create a TCP tunnel, using either [`pomerium-cli`](/docs/deploy/clients/pomerium-cli) or the Pomerium Desktop client. These examples use Git connections over SSH:
1. Create a TCP tunnel, using either [`pomerium-cli`](/docs/clients/pomerium-cli) or the Pomerium Desktop client. These examples use Git connections over SSH:

<Tabs>
<TabItem value="pomerium-cli" label="pomerium-cli">
2 changes: 1 addition & 1 deletion content/docs/capabilities/tcp/examples/ms-sql.mdx
Expand Up @@ -26,7 +26,7 @@ This example assumes you've already [created a TCP route](/docs/capabilities/tcp

## Basic Connection

1. Create a TCP tunnel, using either [`pomerium-cli`](/docs/deploy/clients/pomerium-cli) or the Pomerium Desktop client:
1. Create a TCP tunnel, using either [`pomerium-cli`](/docs/clients/pomerium-cli) or the Pomerium Desktop client:

<Tabs>
<TabItem value="pomerium-cli" label="pomerium-cli">
2 changes: 1 addition & 1 deletion content/docs/capabilities/tcp/examples/mysql.mdx
Expand Up @@ -23,7 +23,7 @@ This example assumes you've already [created a TCP route](/docs/capabilities/tcp

## Basic Connection

1. Create a TCP tunnel, using either [`pomerium-cli`](/docs/deploy/clients/pomerium-cli) or the Pomerium Desktop client:
1. Create a TCP tunnel, using either [`pomerium-cli`](/docs/clients/pomerium-cli) or the Pomerium Desktop client:

<Tabs>
<TabItem value="pomerium-cli" label="pomerium-cli">