diff --git a/check-links/popular-blog-links.txt b/check-links/popular-blog-links.txt
index 6605814fc..a2f95fe2a 100644
--- a/check-links/popular-blog-links.txt
+++ b/check-links/popular-blog-links.txt
@@ -1,51 +1 @@
/about
-/archive
-/bootstrapping-trust-part-1-encryption-everywhere
-/bootstrapping-trust-part-2-a-primer-on-public-key-cryptography
-/bootstrapping-trust-part-3-certificates
-/bootstrapping-trust-part-4-certificate-authorities-chains-of-trust
-/bootstrapping-trust-part-5-bootstrapping-trust
-/browzer-gateway-fqdn-certs
-/browzer-gateway-wildcard-certs
-/extrovert-wednesday
-/free-secure-access-to-nas-from-anywhere
-/golang-aha-moments-channels
-/golang-aha-moments-generics
-/high-level-publicprivate-cryptography
-/integrating-ziti-is-easy
-/introducing-openziti-browzer
-/its-a-zitiful-life
-/kubernetes
-/members
-/mobile-point-of-sale-mpos-app-ziti-android-java-sdk-integration
-/my-intern-assignment-call-a-dark-webhook-from-aws-lambda
-/newsletter
-/nginx-zerotrust-api-security
-/openziti-authentication-api-integrations
-/openziti-browzer-gateway
-/openziti-browzer-gateway-1
-/openziti-is-participating-in-hacktoberfest-prost
-/openziti-python-sdk-introduction
-/quickstart
-/securing-nodejs-applications
-/securing-web-apis-with-openziti
-/series/browzer
-/series/golang-aha
-/series/openziti-sdks
-/series/ziti-network-berlhome
-/setting-up-oracle-cloud-to-host-openziti
-/set-up-a-secure-multiplayer-minecraft-server
-/tag/aws-lambda
-/tag/developer
-/tag/ebpf
-/tag/go
-/tag/golang
-/tag/opensource
-/tag/openziti
-/tunneling-voip-over-openziti
-/using-ebpf-tc-to-securely-mangle-packets-in-the-kernel-and-pass-them-to-my-secure-networking-application
-/zero-trust-monitoring-with-openziti
-/zero-trust-overlay-network-to-access-homeassistant
-/zitification
-/zitifying-scp
-/zitifying-ssh
\ No newline at end of file
diff --git a/check-links/popular-docs-links.txt b/check-links/popular-docs-links.txt
index 94d7578ee..c5c1e8641 100644
--- a/check-links/popular-docs-links.txt
+++ b/check-links/popular-docs-links.txt
@@ -1,133 +1,2 @@
/docs/learn/introduction
-/docs/learn/quickstarts
-/docs/learn/introduction/components
-/docs/category/network
-/docs/learn/quickstarts/zac
-/docs/learn/core-concepts
-/docs/learn/quickstarts/network/hosted
-/docs/learn/introduction/key_concepts
-/docs/reference/deployments
-/docs/reference/tunnelers/linux
-/docs/learn/quickstarts/network/local-no-docker
-/docs/learn/quickstarts/browzer
-/docs/learn/quickstarts/network/local-docker-compose
-/docs/learn/introduction/features
-/docs/downloads
-/docs/learn/quickstarts/services
-/docs/reference/configuration/conventions
-/docs/learn/introduction/openziti-is-software
-/docs/learn/core-concepts/clients/choose
-/docs/reference/deployments/controller
-/docs/category/public-cloud-deployment
-/docs/learn/quickstarts/network/local-with-docker
-/docs/reference/tunnelers/windows
-/docs/category/local-gateway
-/docs/reference/deployments/router/deployment
-/docs/reference
-/docs/reference/config-types
-/docs/reference/developer
-/docs/learn/quickstarts/services/ztha
-/docs/learn/core-concepts/identities/overview
-/docs/guides
-/docs/category/kubernetes
-/docs/learn/core-concepts/zero-trust-models/overview
-/docs/learn/quickstarts/browzer/example
-/docs/guides/Public_Cloud_Deployment/Controller
-/docs/guides/Public_Cloud_Deployment/Router
-/docs/reference/tunnelers/linux/container
-/docs/category/process-sequences
-/docs/learn/core-concepts/services/overview
-/docs/learn/quickstarts/network/local-kubernetes
-/docs/guides/data-flow-explainer
-/docs/learn/core-concepts/clients/process-sequences/EndpointInitialization
-/docs/reference/deployments/router/router-configuration
-/docs/guides/local-gateway/router
-/docs/category/hosting-openziti
-/docs/reference/developer/sdk
-/docs/reference/developer/api
-/docs/learn/core-concepts/security/overview
-/docs/reference/configuration/controller
-/docs/reference/configuration/router
-/docs/learn/core-concepts/config-store/overview
-/docs/learn/core-concepts/identities/creating
-/docs/reference/glossary
-/docs/guides/Public_Cloud_Deployment
-/docs/learn/core-concepts/clients/process-sequences/EndpointRegistration
-/docs/guides/Public_Cloud_Deployment/Services
-/docs/category/securing-apis
-/docs/guides/kubernetes/hosting/kubernetes-controller
-/docs/learn/core-concepts/zero-trust-models/ztaa
-/docs/learn/core-concepts/identities/enrolling
-/docs/reference/tunnelers/macos
-/docs/reference/tunnelers/android
-/docs/learn/core-concepts/zero-trust-models/ztha
-/docs/learn/core-concepts/metrics/overview
-/docs/learn/core-concepts/zero-trust-models/ztna
-/docs/guides/kubernetes/workload-tunneling
-/docs/learn/core-concepts/clients/process-sequences/ServiceDial
-/docs/reference/deployments/router/cli-mgmt
-/docs/guides/database-backup
-/docs/reference/tunnelers/linux/linux-tunnel-options
-/docs/learn/core-concepts/security/authentication/auth
-/docs/guides/local-gateway/tunneler
-/docs/learn/quickstarts/network/help/change-admin-password
-/docs/category/help
-/docs/reference/tunnelers/iOS
-/docs/guides/Local_Gateway/EdgeRouter
-/docs/guides/kubernetes/hosting/kubernetes-router
-/docs/reference/developer/api/edge-management-reference
-/docs/learn/core-concepts/pki
-/docs/learn/quickstarts/network/help/quickstart-walkthrough
-/docs/reference/developer/api/edge-client-reference
-/docs/reference/tunnelers/linux/linux-tunnel-troubleshooting
-/docs/reference/config-types/host.v1
-/docs/category/troubleshooting
-/docs/learn/core-concepts/config-store/config-type-host-v1
-/docs/guides/securing-apis/aks-api-with-nginx-ziti-module
-/docs/learn/quickstarts/services/kubernetes-service
-/docs/learn/core-concepts/security/authorization/auth
-/docs/guides/Local_Gateway/EdgeTunnel
-/docs/learn/core-concepts/metrics/available-metrics
-/docs/learn/core-concepts/security/authorization/policies/overview
-/docs/learn/quickstarts/network/help/reset-quickstart
-/docs/guides/hsm/yubikey
-/docs/reference/config-types/host.v2
-/docs/guides/kubernetes/hosting/kubernetes-console
-/docs/learn/core-concepts/security/SessionsAndConnections
-/docs/guides/hsm/softhsm
-/docs/learn/core-concepts/security/authentication/third-party-cas
-/docs/learn/core-concepts/security/connection-security
-/docs/learn/core-concepts/security/authentication/password-management
-/docs/learn/core-concepts/security/authentication/external-jwt-signers
-/docs/learn/core-concepts/metrics/types
-/docs/learn/quickstarts/network/help/upgrade-quickstart-network
-/docs/learn/core-concepts/security/authentication/identities
-/docs/guides/kubernetes/workload-tunneling/kubernetes-sidecar
-/docs/learn/core-concepts/metrics/prometheus
-/docs/learn/core-concepts/metrics/grafana
-/docs/guides/kubernetes/workload-tunneling/kubernetes-host
-/docs/learn/core-concepts/config-store/managing
-/docs/learn/core-concepts/config-store/config-type-intercept-v1
-/docs/learn/core-concepts/metrics/sequence-diagram
-/docs/learn/core-concepts/security/authentication/totp
-/docs/learn/core-concepts/security/sessions
-/docs/guides/kubernetes/workload-tunneling/kubernetes-daemonset
-/docs/reference/tunnelers
-/docs/learn/core-concepts/security/enrollment
-/docs/learn/core-concepts/config-store/consuming
-/docs/learn/core-concepts/security/authorization/posture-checks
-/docs/learn/core-concepts/metrics/inspect
-/docs/learn/core-concepts/security/authentication/authentication-policies
-/docs/learn/core-concepts/metrics/file
-/docs/learn/core-concepts/security/authorization/policies/creating-edge-router-policies
-/docs/learn/core-concepts/security/authentication/api-session-certificates
-/docs/learn/core-concepts/security/authentication/certificate-management
-/docs/guides/troubleshooting/circuit-create-error-codes
-/docs/reference/developer/api/fabric-api
-/docs/learn/core-concepts/security/authorization/policies/creating-service-edge-router-policies
-/docs/reference/developer/api/shared-api-capabilities
-/docs/guides/troubleshooting/pki-troubleshooting
-/docs/learn/core-concepts/security/authorization/policies/creating-service-policies
-/blog/zitification/prometheus/part1
-/docs/reference/developer/sdk/android
-/docs/category/deployments
+
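Review bot: Trimming this list to `/docs/learn/introduction` removes link-check coverage in the same commit that moves the deployment pages from `docs/guides/deployments/` to `docs/deployments/`, so previously published URLs are no longer verified to resolve or redirect after the move. If the reduction is meant to be temporary, keep the old paths in the list until redirects are in place; `popular-blog-links.txt` is cut down to `/about` in the same way. The single added line here is empty, and if the checker reads one path per line it may treat that as an entry, so I would drop it.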
diff --git a/docusaurus/docs/guides/deployments/10-linux/10-controller/10-deploy.mdx b/docusaurus/docs/deployments/20-controller/20-linux.mdx
similarity index 81%
rename from docusaurus/docs/guides/deployments/10-linux/10-controller/10-deploy.mdx
rename to docusaurus/docs/deployments/20-controller/20-linux.mdx
index 7d779cec0..7f8a33e88 100644
--- a/docusaurus/docs/guides/deployments/10-linux/10-controller/10-deploy.mdx
+++ b/docusaurus/docs/deployments/20-controller/20-linux.mdx
@@ -1,6 +1,6 @@
---
-title: Controller Deployment
-sidebar_label: Controller
+title: Linux Controller
+sidebar_label: Linux
id: deploy
---
@@ -8,7 +8,7 @@ import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import LinuxPackageRepo from '/docs/_linux-package-repo.mdx';
-This article is about deploying a controller as a Linux system service. [The controller introduction](/learn/introduction/03-components.mdx#controller) may be helpful to read first.
+This article is about deploying a controller as a Linux system service.
We'll cover the following topics:
@@ -40,40 +40,48 @@ Finally, install the package: **openziti-controller**
You must generate, migrate, or craft a configuration. Configuration consists of a PKI, a config YAML file, and a database.
-### Generate a Configuration
+### Generate a Configuration for the First Node in a New Cluster
-This is the recommended approach if you are installing a new controller.
+This is the simplest approach if you are installing a new controller as the first node in a new cluster and do not wish to craft a configuration from scratch.
#### Answer Interactively
-Run `bootstrap.bash` to be prompted for the required values.
+Run `bootstrap.bash` and answer prompts.
```text
sudo /opt/openziti/etc/controller/bootstrap.bash
```
+```buttonless title="Output"
+Create a new cluster (NO if joining a cluster) [Y/n]:
+```
+
#### Answer Non-interactively
-1. Set the required values in the answer file **/opt/openziti/etc/controller/bootstrap.env**.
- 1. `ZITI_CTRL_ADVERTISED_ADDRESS` - control plane permanent DNS name (required)
+1. Set the required values in the answer file **/opt/openziti/etc/controller/bootstrap.env** or export as environment variables.
+ 1. `ZITI_CTRL_ADVERTISED_ADDRESS` - control plane address (required, ex: `ctrl1.ziti.example.com`)
1. `ZITI_CTRL_ADVERTISED_PORT` - listener TCP port (default: 1280)
+ 1. `ZITI_CLUSTER_TRUST_DOMAIN` - SPIFFEE trust domain (required, ex: `ziti.example.com`)
+ 1. `ZITI_CLUSTER_NODE_NAME` - SPIFFEE node name (required, ex: `ctrl1`)
1. `ZITI_USER` - username (default: admin)
1. `ZITI_PWD` - password to initialize the database (required)
-1. Run `bootstrap.bash`
+1. Run `bootstrap.bash`.
```text
- sudo /opt/openziti/etc/controller/bootstrap.bash
+ sudo -E /opt/openziti/etc/controller/bootstrap.bash < /dev/null
```
+### Generate a Configuration for a New Node in an Existing Cluster
+
+
+
### Migrate an Existing Configuration
-[This example](./15-migrate.mdx) illustrates copying the PKI, configuration, and database from a previous installation to the controller service's working directory.
+[This example](./70-migrate.mdx) illustrates copying the PKI, configuration, and database from a previous installation to the controller service's working directory.
### Craft a Configuration
-Craft a new configuration by running `ziti create config controller`.
-
-Review the environment variables, especially those named like `ZITI_CTRL_*`, that influence the controller configuration with `ziti create config environment`.
+Craft a new configuration from scratch or start with a sane set of default values by running `ziti create config controller --clustered`.
Here's a link to [the controller configuration reference](/reference/30-configuration/controller.md).
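Review bot: The non-interactive steps now say the answers, including `ZITI_PWD`, can be exported as environment variables and passed through `sudo -E`, which leaves the admin password in the invoking shell's environment, and in shell history if it is set inline. The step should recommend the answer file with restrictive permissions (if the package does not already set them), or add `unset ZITI_PWD` after the run. `sudo -E` also only works when the sudoers policy allows preserving the environment, which deserves a short note. Separately, `SPIFFEE` in the two new `ZITI_CLUSTER_*` items should read `SPIFFE`.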
diff --git a/docusaurus/docs/deployments/20-controller/40-docker.mdx b/docusaurus/docs/deployments/20-controller/40-docker.mdx
new file mode 100644
index 000000000..e9a072936
--- /dev/null
+++ b/docusaurus/docs/deployments/20-controller/40-docker.mdx
@@ -0,0 +1,11 @@
+---
+title: Docker Controller
+sidebar_label: Docker
+---
+
+import DockerControllerReadme from '/docs/_remotes/ziti-cmd/dist/docker-images/ziti-controller/README.md';
+import MarkdownWithoutH1 from '@site/src/components/MarkdownWithoutH1';
+
+
+
+
diff --git a/docusaurus/docs/deployments/20-controller/60-kubernetes.mdx b/docusaurus/docs/deployments/20-controller/60-kubernetes.mdx
new file mode 100644
index 000000000..0f7646521
--- /dev/null
+++ b/docusaurus/docs/deployments/20-controller/60-kubernetes.mdx
@@ -0,0 +1,11 @@
+---
+title: Kubernetes Controller
+sidebar_label: Kubernetes
+---
+
+import ControllerHelmChartReadme from '/docs/_remotes/helm-charts/charts/ziti-controller/README.md';
+import MarkdownWithoutH1 from '@site/src/components/MarkdownWithoutH1';
+
+
+
+
\ No newline at end of file
diff --git a/docusaurus/docs/guides/deployments/10-linux/10-controller/15-migrate.mdx b/docusaurus/docs/deployments/20-controller/70-migrate.mdx
similarity index 89%
rename from docusaurus/docs/guides/deployments/10-linux/10-controller/15-migrate.mdx
rename to docusaurus/docs/deployments/20-controller/70-migrate.mdx
index e08ed64a0..6f0dfb58e 100644
--- a/docusaurus/docs/guides/deployments/10-linux/10-controller/15-migrate.mdx
+++ b/docusaurus/docs/deployments/20-controller/70-migrate.mdx
@@ -3,10 +3,10 @@ title: Migrate a Controller Installation
sidebar_label: Migrate
---
-Here's an example of migrating an existing controller's configuration to the Linux service's working directory.
+Here's an example of migrating an existing controller's configuration to the Linux service's working directory. Similarly, you could migrate a configuration to a Docker volume.
1. Remove the quickstart controller service if you followed the BASH quickstart to create **/etc/systemd/system/ziti-controller.service**.
-1. Follow [the Linux controller deployment guide](/guides/deployments/10-linux/10-controller/10-deploy.mdx) to install the controller service.
+1. Follow [the Linux controller deployment guide](/deployments/20-controller/20-linux.mdx) to install the controller service.
1. Ensure the controller service is disabled and the state is clean.
```text
diff --git a/docusaurus/docs/guides/deployments/10-linux/10-controller/60-backup.mdx b/docusaurus/docs/deployments/20-controller/80-backup.mdx
similarity index 100%
rename from docusaurus/docs/guides/deployments/10-linux/10-controller/60-backup.mdx
rename to docusaurus/docs/deployments/20-controller/80-backup.mdx
diff --git a/docusaurus/docs/deployments/20-controller/index.mdx b/docusaurus/docs/deployments/20-controller/index.mdx
new file mode 100644
index 000000000..7748f1acc
--- /dev/null
+++ b/docusaurus/docs/deployments/20-controller/index.mdx
@@ -0,0 +1,34 @@
+---
+title: Controller Deployment Overview
+sidebar_label: Controller
+---
+
+## Getting Started
+
+These requirements apply to all controller deployments. Check out the [Linux](/deployments/20-controller/20-linux.mdx), [Docker](/deployments/20-controller/40-docker.mdx), and [Kubernetes](/deployments/20-controller/60-kubernetes.mdx) articles for more details.
+
+## Requirements
+
+1. a root CA for the cluster
+1. a signer CA certificate, identity certificates, and configuration YAML file for each node
+1. an initialized database on the first node, replicated to subsequent nodes
+
+### The Cluster Root CA Certificate
+
+Before provisioning your first node, you must [create a new public key infrastructure](/reference/ha/bootstrapping/certificates.md) (PKI) for the cluster. This includes a root CA certificate and private key.
+
+The cluster's root CA is never required on any node. For security, secure the root CA separately from the deployment environment, not on the first node. For convenience, the root CA may be co-located with the first node in the cluster.
+
+### The Edge Enrollment Signer CA Certificate
+
+Each node must have an edge enrollment signer CA certificate issued by [the cluster's root CA](/reference/ha/bootstrapping/certificates.md). In the configuration YAML file, [the property `edge.enrollment.signingCert`](/reference/30-configuration/controller.md) configures the edge signer CA certificate and private key. The edge signer CA issues leaf certificates during identity and router enrollment.
+
+### The Controller's Identity Certificates
+
+These are leaf certificates from the edge enrollment signer CA. In the configuration YAML file, [the property `identity`](/reference/30-configuration/conventions.md) configures the controller's identity certificates and private keys.
+
+### The Configuration YAML File
+
+[The configuration YAML file](/reference/30-configuration/controller.md) is required for all nodes. It is used to configure the controller's signing cert, identity, database, listener addresses, and more.
+
+A utility or template is provided for each type of deployment to assist with generating a valid configuration YAML file.
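Review bot: The root CA paragraph gives conflicting guidance: it says to secure the root CA separately, "not on the first node", and then says it may be co-located with the first node. I would state the trade-off explicitly, for example `Keep the root CA private key outside the deployment environment. Co-locating it with the first node is convenient, but anyone who compromises that node could then issue new signer CAs for the cluster.` It would also help to write "root CA private key" in "The cluster's root CA is never required on any node", since nodes presumably still need the root certificate to verify peers.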
diff --git a/docusaurus/docs/guides/deployments/10-linux/20-router/10-deploy.mdx b/docusaurus/docs/deployments/40-router/20-linux.mdx
similarity index 91%
rename from docusaurus/docs/guides/deployments/10-linux/20-router/10-deploy.mdx
rename to docusaurus/docs/deployments/40-router/20-linux.mdx
index 1fdf00638..4d8b5fb58 100644
--- a/docusaurus/docs/guides/deployments/10-linux/20-router/10-deploy.mdx
+++ b/docusaurus/docs/deployments/40-router/20-linux.mdx
@@ -1,5 +1,6 @@
---
-title: Router Deployment
+title: Linux Router
+sidebar_label: Linux
---
import Tabs from '@theme/Tabs';
@@ -17,9 +18,9 @@ We'll cover the following topics:
## Router Creation
-You must create the router in the controller first with [the web console](/guides/deployments/10-linux/30-console.mdx) or [the CLI](/guides/deployments/10-linux/20-router/40-cli-mgmt.mdx).
+You must create the router in the controller first with [the web console](/deployments/60-console/20-linux.mdx) or [the CLI](/deployments/40-router/75-cli-mgmt.mdx).
-After [creating the router](/guides/deployments/10-linux/20-router/40-cli-mgmt.mdx#create-a-router), save the enrollment token (JWT) and provide the file path to the router during the configuration step below.
+After [creating the router](/deployments/40-router/75-cli-mgmt.mdx#create-a-router), save the enrollment token (JWT) and provide the file path to the router during the configuration step below.
## Install the Router Package
@@ -71,10 +72,6 @@ sudo /opt/openziti/etc/router/bootstrap.bash
sudo /opt/openziti/etc/router/bootstrap.bash
```
-### Migrate an Existing Configuration
-
-[This example](./50-migrate.mdx) illustrates copying the configuration and identity files from a previous installation to the router service's working directory.
-
### Craft a Configuration
Craft a new configuration by running `ziti create config router edge --routerName=router`.
@@ -100,7 +97,7 @@ sudo systemctl restart ziti-router.service
```
Here's a link to [the configuration reference](/reference/30-configuration/router.md).
-Learn more about [managing routers with the CLI](/guides/deployments/10-linux/20-router/40-cli-mgmt.mdx).
+Learn more about [managing routers with the CLI](/deployments/40-router/75-cli-mgmt.mdx).
## Firewall
diff --git a/docusaurus/docs/deployments/40-router/40-docker.mdx b/docusaurus/docs/deployments/40-router/40-docker.mdx
new file mode 100644
index 000000000..beb836b30
--- /dev/null
+++ b/docusaurus/docs/deployments/40-router/40-docker.mdx
@@ -0,0 +1,11 @@
+---
+title: Docker Router
+sidebar_label: Docker
+---
+
+import DockerRouterReadme from '/docs/_remotes/ziti-cmd/dist/docker-images/ziti-router/README.md';
+import MarkdownWithoutH1 from '@site/src/components/MarkdownWithoutH1';
+
+
+
+
diff --git a/docusaurus/docs/deployments/40-router/60-kubernetes.mdx b/docusaurus/docs/deployments/40-router/60-kubernetes.mdx
new file mode 100644
index 000000000..37bb95c54
--- /dev/null
+++ b/docusaurus/docs/deployments/40-router/60-kubernetes.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 20
+title: Kubernetes Router
+sidebar_label: Kubernetes
+---
+
+import RouterHelmChartReadme from '/docs/_remotes/helm-charts/charts/ziti-router/README.md';
+import MarkdownWithoutH1 from '@site/src/components/MarkdownWithoutH1';
+
+
+
+
diff --git a/docusaurus/docs/guides/deployments/10-linux/20-router/30-configuration.mdx b/docusaurus/docs/deployments/40-router/70-configuration.mdx
similarity index 97%
rename from docusaurus/docs/guides/deployments/10-linux/20-router/30-configuration.mdx
rename to docusaurus/docs/deployments/40-router/70-configuration.mdx
index dc34a3ff0..92c8ba355 100644
--- a/docusaurus/docs/guides/deployments/10-linux/20-router/30-configuration.mdx
+++ b/docusaurus/docs/deployments/40-router/70-configuration.mdx
@@ -8,7 +8,7 @@ hide_table_of_contents: false
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
-This article expands on the [Linux router deployment](/guides/deployments/10-linux/20-router/10-deploy.mdx) article with configuration concepts and examples.
+This article expands on the [Linux router deployment](/deployments/40-router/20-linux.mdx) article with configuration concepts and examples.
## Config Management
diff --git a/docusaurus/docs/guides/deployments/10-linux/20-router/40-cli-mgmt.mdx b/docusaurus/docs/deployments/40-router/75-cli-mgmt.mdx
similarity index 100%
rename from docusaurus/docs/guides/deployments/10-linux/20-router/40-cli-mgmt.mdx
rename to docusaurus/docs/deployments/40-router/75-cli-mgmt.mdx
diff --git a/docusaurus/docs/guides/deployments/10-linux/20-router/60-backup.mdx b/docusaurus/docs/deployments/40-router/80-backup.mdx
similarity index 93%
rename from docusaurus/docs/guides/deployments/10-linux/20-router/60-backup.mdx
rename to docusaurus/docs/deployments/40-router/80-backup.mdx
index 27bced927..0cac09814 100644
--- a/docusaurus/docs/guides/deployments/10-linux/20-router/60-backup.mdx
+++ b/docusaurus/docs/deployments/40-router/80-backup.mdx
@@ -33,7 +33,7 @@ re-enroll edge-router with id XVXqEG6ANz: OK
Enrollment expires at 2024-04-19T18:12:47.489Z
```
-[Link to API reference for the re-enroll operation](../../../../reference/developer/api/02-edge-management-reference.mdx#tag/Edge-Router/operation/reEnrollEdgeRouter).
+[Link to API reference for the re-enroll operation](/reference/developer/api/02-edge-management-reference.mdx#tag/Edge-Router/operation/reEnrollEdgeRouter).
### Restore Files
diff --git a/docusaurus/docs/deployments/40-router/index.mdx b/docusaurus/docs/deployments/40-router/index.mdx
new file mode 100644
index 000000000..d6a52ab48
--- /dev/null
+++ b/docusaurus/docs/deployments/40-router/index.mdx
@@ -0,0 +1,18 @@
+---
+title: Router Deployment Overview
+sidebar_label: Router
+---
+
+## Requirements
+
+Each router must have a unique identity and configuration YAML file.
+
+## The Router's Identity Certificates
+
+Each router is issued a client and server certificate from a controller's edge enrollment signer intermediate CA. In the configuration YAML file, [the property `identity`](/reference/30-configuration/conventions.md) configures the router's identity certificate and private key.
+
+## The Configuration YAML File
+
+[The configuration YAML file](/reference/30-configuration/router.md) is required for all routers. It is used to configure the router's identity, controller endpoints file, listener addresses, and more.
+
+A utility or template is provided for each type of deployment to assist with generating a valid configuration YAML file.
diff --git a/docusaurus/docs/guides/deployments/10-linux/30-console.mdx b/docusaurus/docs/deployments/60-console/20-linux.mdx
similarity index 85%
rename from docusaurus/docs/guides/deployments/10-linux/30-console.mdx
rename to docusaurus/docs/deployments/60-console/20-linux.mdx
index 951a67071..a8ee05b93 100644
--- a/docusaurus/docs/guides/deployments/10-linux/30-console.mdx
+++ b/docusaurus/docs/deployments/60-console/20-linux.mdx
@@ -1,12 +1,12 @@
---
-title: Console Deployment
-sidebar_label: Console
+title: Linux Console
+sidebar_label: Linux
---
import ConsoleAuthAdminClientCertificate from '/docs/reference/40-command-line/_console-auth-admin-client-certificate.mdx';
-import ConsolePublicCertsPlatformIntro from '/docs/guides/deployments/_console-public-certs-platform-intro.mdx'
-import ConsolePublicCertsBasicSteps from '/docs/guides/deployments/_console-public-certs-basic-steps.mdx'
-import ConsolePublicCertsConfigurationLink from '/docs/guides/deployments/_console-public-certs-configuration-link.mdx'
+import ConsolePublicCertsPlatformIntro from '/docs/deployments/60-console/_console-public-certs-platform-intro.mdx'
+import ConsolePublicCertsBasicSteps from '/docs/deployments/60-console/_console-public-certs-basic-steps.mdx'
+import ConsolePublicCertsConfigurationLink from '/docs/deployments/60-console/_console-public-certs-configuration-link.mdx'
## Installation
diff --git a/docusaurus/docs/guides/deployments/20-docker/30-console.mdx b/docusaurus/docs/deployments/60-console/40-docker.mdx
similarity index 86%
rename from docusaurus/docs/guides/deployments/20-docker/30-console.mdx
rename to docusaurus/docs/deployments/60-console/40-docker.mdx
index 17ff866fb..d96f6b976 100644
--- a/docusaurus/docs/guides/deployments/20-docker/30-console.mdx
+++ b/docusaurus/docs/deployments/60-console/40-docker.mdx
@@ -1,12 +1,12 @@
---
-title: Deploy the Console
-sidebar_label: Console
+title: Docker Console
+sidebar_label: Docker
---
import ConsoleAuthAdminClientCertificate from '/docs/reference/40-command-line/_console-auth-admin-client-certificate.mdx';
-import ConsolePublicCertsPlatformIntro from '/docs/guides/deployments/_console-public-certs-platform-intro.mdx'
-import ConsolePublicCertsBasicSteps from '/docs/guides/deployments/_console-public-certs-basic-steps.mdx'
-import ConsolePublicCertsConfigurationLink from '/docs/guides/deployments/_console-public-certs-configuration-link.mdx'
+import ConsolePublicCertsPlatformIntro from '/docs/deployments/60-console/_console-public-certs-platform-intro.mdx'
+import ConsolePublicCertsBasicSteps from '/docs/deployments/60-console/_console-public-certs-basic-steps.mdx'
+import ConsolePublicCertsConfigurationLink from '/docs/deployments/60-console/_console-public-certs-configuration-link.mdx'
This article is about enabling the console on a controller that is running in a container.
diff --git a/docusaurus/docs/guides/deployments/30-kubernetes/kubernetes-console.mdx b/docusaurus/docs/deployments/60-console/60-kubernetes.mdx
similarity index 97%
rename from docusaurus/docs/guides/deployments/30-kubernetes/kubernetes-console.mdx
rename to docusaurus/docs/deployments/60-console/60-kubernetes.mdx
index 416095198..c6718abfb 100644
--- a/docusaurus/docs/guides/deployments/30-kubernetes/kubernetes-console.mdx
+++ b/docusaurus/docs/deployments/60-console/60-kubernetes.mdx
@@ -1,7 +1,7 @@
---
sidebar_position: 30
-sidebar_label: Console
title: Kubernetes Console
+sidebar_label: Kubernetes
---
import ConsoleAuthAdminClientCertificate from '/docs/reference/40-command-line/_console-auth-admin-client-certificate.mdx';
diff --git a/docusaurus/docs/guides/deployments/_console-public-certs-basic-steps.mdx b/docusaurus/docs/deployments/60-console/_console-public-certs-basic-steps.mdx
similarity index 100%
rename from docusaurus/docs/guides/deployments/_console-public-certs-basic-steps.mdx
rename to docusaurus/docs/deployments/60-console/_console-public-certs-basic-steps.mdx
diff --git a/docusaurus/docs/guides/deployments/_console-public-certs-configuration-link.mdx b/docusaurus/docs/deployments/60-console/_console-public-certs-configuration-link.mdx
similarity index 51%
rename from docusaurus/docs/guides/deployments/_console-public-certs-configuration-link.mdx
rename to docusaurus/docs/deployments/60-console/_console-public-certs-configuration-link.mdx
index ed88ca776..2aed81fbf 100644
--- a/docusaurus/docs/guides/deployments/_console-public-certs-configuration-link.mdx
+++ b/docusaurus/docs/deployments/60-console/_console-public-certs-configuration-link.mdx
@@ -1,4 +1,4 @@
:::note
-See [**The Console and Alternative Server Certificates**](./console.mdx)
+See [**The Console and Alternative Server Certificates**](./alt-server-certs.mdx)
for more details on how to use public certificates within your enviromment.
:::
\ No newline at end of file
diff --git a/docusaurus/docs/guides/deployments/_console-public-certs-note.mdx b/docusaurus/docs/deployments/60-console/_console-public-certs-note.mdx
similarity index 80%
rename from docusaurus/docs/guides/deployments/_console-public-certs-note.mdx
rename to docusaurus/docs/deployments/60-console/_console-public-certs-note.mdx
index 1e4490431..4b6d3862d 100644
--- a/docusaurus/docs/guides/deployments/_console-public-certs-note.mdx
+++ b/docusaurus/docs/deployments/60-console/_console-public-certs-note.mdx
@@ -3,6 +3,6 @@ As mentioned above, the ZAC will produce TLS warnings in the browser. It is enco
Valid certificates will promote confidence in the implementation. Let's Encrypt provides a free, automated
way to obtain trusted certificates.
-See [**The Console and Alternative Server Certificates**](./console.mdx)
+See [**The Console and Alternative Server Certificates**](./alt-server-certs.mdx)
for details on how to integrate.
:::
\ No newline at end of file
diff --git a/docusaurus/docs/guides/deployments/_console-public-certs-platform-intro.mdx b/docusaurus/docs/deployments/60-console/_console-public-certs-platform-intro.mdx
similarity index 100%
rename from docusaurus/docs/guides/deployments/_console-public-certs-platform-intro.mdx
rename to docusaurus/docs/deployments/60-console/_console-public-certs-platform-intro.mdx
diff --git a/docusaurus/docs/guides/deployments/console.mdx b/docusaurus/docs/deployments/60-console/alt-server-certs.mdx
similarity index 100%
rename from docusaurus/docs/guides/deployments/console.mdx
rename to docusaurus/docs/deployments/60-console/alt-server-certs.mdx
diff --git a/docusaurus/docs/deployments/60-console/index.mdx b/docusaurus/docs/deployments/60-console/index.mdx
new file mode 100644
index 000000000..e09a51b25
--- /dev/null
+++ b/docusaurus/docs/deployments/60-console/index.mdx
@@ -0,0 +1,12 @@
+---
+title: Console Deployment Overview
+sidebar_label: Console
+---
+
+The OpenZiti Admin Console (ZAC) is a web UI provided by the OpenZiti project for administration and observability.
+
+Deploying the console involves two steps.
+
+1. Deploy the console's static files, i.e., HTML, CSS, JavaScript, and images.
+2. Configure the controller to serve the console's static files from the management API web binding.
+
diff --git a/docusaurus/docs/downloads.mdx b/docusaurus/docs/downloads.mdx
index e220fd7da..91b6aa89d 100644
--- a/docusaurus/docs/downloads.mdx
+++ b/docusaurus/docs/downloads.mdx
@@ -188,7 +188,7 @@ docker pull openziti/ziti-cli \
[Learn about tunneling workloads in Kubernetes](/reference/tunnelers/80-kubernetes/index.mdx)
-[Learn about self-hosting Ziti in Kubernetes](/docs/category/kubernetes)
+[Learn about self-hosting Ziti in Kubernetes](/deployments/20-controller/60-kubernetes.mdx)
diff --git a/docusaurus/docs/guides/_category_.yml b/docusaurus/docs/guides/_category_.yml
index 7f6b7ad15..a2447e923 100644
--- a/docusaurus/docs/guides/_category_.yml
+++ b/docusaurus/docs/guides/_category_.yml
@@ -2,4 +2,4 @@ label: Guides
position: 60
link:
type: doc
- id: guides/index
+ id: guides/deployments/index
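Review bot: The new category link `id: guides/deployments/index` points into `guides/deployments/`, the directory this commit is moving pages out of (to `docs/deployments/`), and no index doc at that location is added in the part of the diff visible here. If that doc does not exist after the move, the Guides category link will not resolve. Confirm the target exists, or keep `guides/index` if that page remains.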
diff --git a/docusaurus/docs/guides/deployments/10-linux/10-controller/_category_.yml b/docusaurus/docs/guides/deployments/10-linux/10-controller/_category_.yml
deleted file mode 100644
index a251cf6cb..000000000
--- a/docusaurus/docs/guides/deployments/10-linux/10-controller/_category_.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-label: Controller
-link:
- type: doc
- id: deploy
-
diff --git a/docusaurus/docs/guides/deployments/10-linux/20-router/50-migrate.mdx b/docusaurus/docs/guides/deployments/10-linux/20-router/50-migrate.mdx
deleted file mode 100644
index 3c8ae1775..000000000
--- a/docusaurus/docs/guides/deployments/10-linux/20-router/50-migrate.mdx
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Migrate a Router Installation
-sidebar_label: Migrate
----
-
-Here's an example of migrating an existing router configuration to the Linux service's working directory.
-
-1. Remove the quickstart router service if you followed the BASH quickstart to create **/etc/systemd/system/ziti-router.service**.
-1. Follow [the Linux router deployment guide](/guides/deployments/10-linux/20-router/10-deploy.mdx) to install the controller service.
-1. Ensure service is disabled and state is clean.
-
- ```text
- sudo systemctl disable --now ziti-router.service
- sudo systemctl clean --what=state ziti-router.service
- ```
-
-1. Copy the router-related parts of the configuration to the service's working directory and rename the configuration file to `config.yml`.
-
- ```text
- sudo mkdir -pv /var/lib/ziti-router/
- sudo cp -v ./quickstart-router.* /var/lib/ziti-router/
- sudo mv -v /var/lib/ziti-router/{quickstart-router.yaml,config.yml}
- ```
-
-1. Correct paths in the configuration YAML file.
-
- ```text
- sudo sed -Ei "s|$PWD|/var/lib/ziti-router|g" /var/lib/ziti-router/config.yml
- ```
-
-1. Disable bootstrapping. It's unnecessary because we are migrating, not generating, a complete router configuration.
-
- ```text
- sudo sed -Ei 's|(ZITI_BOOTSTRAP)=.*|\1=false|g' /opt/openziti/etc/router/service.env
- ```
-
-1. Start the service.
-
- ```text
- sudo systemctl enable --now ziti-router.service
- sudo systemctl status ziti-router.service
- ```
diff --git a/docusaurus/docs/guides/deployments/10-linux/20-router/_category_.yml b/docusaurus/docs/guides/deployments/10-linux/20-router/_category_.yml
deleted file mode 100644
index 215a209e0..000000000
--- a/docusaurus/docs/guides/deployments/10-linux/20-router/_category_.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-label: Router
-link:
- type: doc
- id: deploy
diff --git a/docusaurus/docs/guides/deployments/10-linux/_category_.yml b/docusaurus/docs/guides/deployments/10-linux/_category_.yml
deleted file mode 100644
index 0be003e60..000000000
--- a/docusaurus/docs/guides/deployments/10-linux/_category_.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-label: Linux
-link:
- type: generated-index
- title: Deploying on Linux
- description: Run a controller or router as a Linux service
diff --git a/docusaurus/docs/guides/deployments/20-docker/10-controller.mdx b/docusaurus/docs/guides/deployments/20-docker/10-controller.mdx
deleted file mode 100644
index 7530caa9f..000000000
--- a/docusaurus/docs/guides/deployments/20-docker/10-controller.mdx
+++ /dev/null
@@ -1,8 +0,0 @@
----
-title: Deploy the Controller with Docker
-sidebar_label: Controller
----
-
-import DockerControllerReadme from '/docs/_remotes/ziti-cmd/dist/docker-images/ziti-controller/README.md';
-
-
diff --git a/docusaurus/docs/guides/deployments/20-docker/20-router.mdx b/docusaurus/docs/guides/deployments/20-docker/20-router.mdx
deleted file mode 100644
index 7732b060b..000000000
--- a/docusaurus/docs/guides/deployments/20-docker/20-router.mdx
+++ /dev/null
@@ -1,8 +0,0 @@
----
-title: Deploy the Router with Docker
-sidebar_label: Router
----
-
-import DockerRouterReadme from '/docs/_remotes/ziti-cmd/dist/docker-images/ziti-router/README.md';
-
-
diff --git a/docusaurus/docs/guides/deployments/20-docker/_category_.yml b/docusaurus/docs/guides/deployments/20-docker/_category_.yml
deleted file mode 100644
index d4d003822..000000000
--- a/docusaurus/docs/guides/deployments/20-docker/_category_.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-label: Docker
-link:
- type: generated-index
- title: Deploying with Docker
- description: Run a controller or router as a Docker container or use the console in the controller container
diff --git a/docusaurus/docs/guides/deployments/30-kubernetes/_category_.yml b/docusaurus/docs/guides/deployments/30-kubernetes/_category_.yml
deleted file mode 100644
index 85dfa9c95..000000000
--- a/docusaurus/docs/guides/deployments/30-kubernetes/_category_.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-label: Kubernetes
-position: 30
-link:
- type: generated-index
- title: Running on Kubernetes
- description: Deploy a Ziti stack on Kubernetes or tunnel existing Kubernetes services with Ziti.
diff --git a/docusaurus/docs/guides/deployments/30-kubernetes/kubernetes-router.mdx b/docusaurus/docs/guides/deployments/30-kubernetes/kubernetes-router.mdx
deleted file mode 100644
index 0c960763e..000000000
--- a/docusaurus/docs/guides/deployments/30-kubernetes/kubernetes-router.mdx
+++ /dev/null
@@ -1,9 +0,0 @@
----
-sidebar_position: 20
-sidebar_label: Router
-title: Install the Router in Kubernetes
----
-
-import RouterHelmChartReadme from '/docs/_remotes/helm-charts/charts/ziti-router/README.md';
-
-
diff --git a/docusaurus/docs/guides/deployments/40-cloud/10-controller.mdx b/docusaurus/docs/guides/deployments/40-cloud/10-controller.mdx
deleted file mode 100644
index 86606688a..000000000
--- a/docusaurus/docs/guides/deployments/40-cloud/10-controller.mdx
+++ /dev/null
@@ -1,412 +0,0 @@
----
-sidebar_label: Controller
-title: Run a Controller in a Public Cloud
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-## 1.1 Create a VM to be used as the Controller
-
-
-
-
-- It is easier to use **resource group** to organize and manage all your resources for this demo.
-- Create a **resource group** and change into that resource group.
-- Use **+ Create** button to create a resource.
-- Azure will take you to the **Marketplace** screen. In the search bar, type in **Ubuntu Server**.
-- Choose "**Ubuntu Server 22.04 LTS**".
-
-
-
-On the **Create a virtual machine** screen.
-- The **Subscription** and **Resource group** should already be filled.
-- In the **Instance details** section, enter the **VM name**.
-- Select the **Region** to host your VM.
-- Leave default **Availability options** and **Security type**(Standard).
-- Leave the selected image **Ubuntu Server 22.04 LTS x64 Gen2**.
-- For the Size, choose the appropriate size for your application. For this demo, **Standard_B2s(2CPU,4 GB)** size was used.
-
-
-
-- Next, choose **Authentication type** to log in to the VM. **Logging in with a password is insecure**.
-- Enter a username (**remember the username, you will need it to log in to the VM**), or leave the default user **azureuser**
-- Choose your SSH key
-- For **inbound ports**, select the ssh. You can add an extra port based on your OpenZiti setup.
-- You can leave everything default.
-Press **Review + create**
-
-
-- After the Validation passed. Press **Create** to create VM.
-
-
-- **Important:** If you are creating the network controller, you need to associate a DNS name to the public IP of your VM.
-- You can do this from "Virtual machine" page.
-
-
-
-
-
-- login to the **AWS console**.
-- go to the **EC2 dashboard**.
-- Click on the **Instances**.
-- **Launch the instances**
-
-
-
-- Fill the **Name** of your instance.
-
-
-- On the Quick start select **Ubuntu**.
-- Select the **Ubuntu Server 22.04 LTS**.
-- Leave the Architecture as **64-bit (x86)**
-- Select the instance type **t2.medium**
-
-
-
-- In the **Key pair (login.)** section, choose the key name which you already created.
-- In the **Network settings** section, choose the VPC for your VM.
-- Select the subnet.
-- Select **Enable** for **Auto assign public IP**
-
-
-
-- Click on ** Create security group** to allow traffic into your VM.
-- Name the security group.
-- Create the Firewall rule based on the ports you configured for the controller.
-- Allow the same TCP port you configured (e.g., 1280) for the controller along with SSH.
-
-**Security Group For the controller.**
-
-
-**Security Group for the Router**
-
-
-- Under **Configure storage** section, choose at least **20** GiB storage space.
-
-Now click on **Launch instance**
-
-
-
-
-- Login to the GCP console.
-- Go to **COMPUTE ENGINE** dashboard.
-- Click on **CREATE INSTANCE**.
-
-
-- Configure the VM as follow:
-- **Name** of the VM
-- **Region** and **Zone**
-- Choose **e2-medium** for **Machine type**
-
-
-- Hit **CHANGE** at the "Boot disk** section to change the OS image.
-- On the "Boot disk" page, Choose **PUBLIC IMAGES**
-- Choose **Ubuntu** as the Operating system
-- Select **Ubuntu 22.04 LTS, x86** Version.
-- Hit **SELECT** to complete the selection.
-
-
-- Open **Advanced Options**, and then open **Networking**
-- **Highly recommended:** assign a Network tags. This will help you to configure the firewall later.
-- **For local GW VM**, **Enable** IP forwarding at this time. You will not be able to change this setting from the console after the VM is created.
-
-
-- **Optional** you can reserve static external IP ADDRESS under **Networking/Network interfaces** section. Reserving static IP is useful for the Network controller in case you have to shut down the VM.
-
-
-- Now click on **CREATE** to create the virtual machine.
-
-
-
-
-- Login to the Digital Ocean console and create a **Droplets** from the dropdown menu on the upper right-hand side.
-
-
-
-- On the "Create Droplets" screen, Choose "**Ubuntu**", version "**22.04**".
-- For the Size, choose the appropriate size for your application. For this guide, a smaller size was used.
-
-
-- Next, choose an ssh-key to log in to the VM. (We highly discourage login to the VM using Password),
-- then **Create Droplet**
-
-
-
-
-
-- Login to the **ORACLE Cloud** console.
-- Go to Home > Dashboard.
-- Click on **Instances** (Under **Compute** category).
-- Create an instance.
-- Name the instance.
-- Choose the compartment.
-- Select the Availability domain under Placement.
-- Leave the security disabled
-
-
-
-- Under the "Image and shape selection", click **Change image** icon.
-- Select the **Ubuntu** icon.
-- Select the **Canonical Ubuntu 22.04**.
-- Select any image build. And press **Select image**
-- Under the "Shape" selection, Choose **Change shape**.
-- Change to **2** OCUPs and **4** GB memory.
-
-
-
-- On the networking section.
-- Select your **Primary network** and **Subnet**.
-- For **Public IPv4 address**, check **Assign a public IPv4 address**.
-
-
-
-- In the **Add SSH keys** section, choose how you want your ssh keys generated. **Logging in with a password is insecure**.
-- Leave default boot volume.
-- Now click on **Create**.
-
-
-
-
-
-
-- Login to the IBM cloud.
-- Go to dashboard.
-- Click on **Create resource +** on the top right
-- Filter on "Compute" on the Category (on the left)
-- Choose **Virtual Server for Classic**.
-
-
-
-- Leave the "Type of virtual server" as **Public**.
-- Give it your **Hostname**.
-
-
-
-- Select the location.
-- Select the profile, the size of **B1.2x4** is adequate for our exercise.
-- Choose the SSH key.
-- On the "Operating system" select the **Ubuntu**. Select the version **22.04**
-
-
-
-
-- Leave everything else default except **Add-ons**, turn the **Firewall** features on.
-
-
-
-- Alternatively, you can select **allow_all** under the "Public security group", and leave the Add-on Firewall feature off. **This is not recommended as it opens your VM for attacks**.
-- Press **Create** on the right side menu to create the VM.
-
-
-
-
-## 1.2 Firewall
-
-
-
-
-- Azure's firewall is blocking all incoming access to the VM. You will need to open the ports you configured for Ziti services. Here is an example of the firewall ports.
-
-
-
-
-
-- You must open the same ports in the AWS Security Group that you configured Ziti to listen for.
-- Here is an example.
-
-
-
-
-
-
-- GCP’s default firewall is blocking all incoming access to the VM. You will need to open the same ports you specified for the controller and ZAC (if you plan to use ZAC). Here is an example of the firewall ports if you used the default ports.
-- Go to your VM screen, click on the **Network interfaces** name (i.e. nic0)
-- Click on **Firewall** menu on the left side to bring up the firewall screen
-- On the firewall screen, click on **+ CREATE FIREWALL RULE** to create new rules
-- Give a meaningful **name** to your firewall rule
-- Choose your **Network**
-- Use traffic direction **Ingress**
-- Action **Allow**
-- Targets, you can use "All instances in the network" (if you did not specify "Network tags" for your VM). In this example, we are using **Specified target tags** option.
-- Enter **Target tags** for your VM. In this example, our tag is **nc**
-- Enter Source IPv4 ranges: **0.0.0.0/0**
-- For the controller, you must allow the same **TCP** ports you configured Ziti to listen for along with the SSH port (**22**).
-Hit **CREAETE** to create rules.
-
-
-- The firewall rule also shows up on your "Network interface details" screen.
-- From your VM screen, click on the **Network interfaces** name (i.e. nic0)
-
-
-
-
-
-DigitalOcean by default does not set up the firewall for the VM.
-
-
-
----
-
-Oracle cloud by default blocks all incoming traffic to the VM. You will need to open the ports you specified for the controller and ZAC (if you plan to use ZAC).
-
-- First, we need to **Create a security group**
-- From the **Networking** category, select the **Virtual cloud networks**.
-- Select the VCN your VM is in.
-- On the left side menu, select the **Network Security Group**.
-- Select **Create Network Security Group**.
-- Name the security group and select the next.
-- Now create rules for ingress traffic.
-- Port 22/TCP for SSH
-- OpenZiti ports, e.g., 1280/tcp
-- Also create a rule to allow all traffic outbound (**Egress**).
-
-Following is the example of the Security Group for the controller
-
-
-
-- After the security group is created, attach it to the instance.
-- From the "Instance details" screen, select **Edit** under the **Network security groups** section.
-- Select the security group from the dropdown and press **Save changes**.
-
-
-
-
----
-**NOTE 1**
-```
-Oracle Cloud also uses Security Lists (on the subnet) to marshal the traffic,
-please make sure the setting under Security Lists is not conflicting
-with your security group rules.
-```
-
----
-**NOTE 2**
-```
-It is possible that after the security group configuration, the ufw does not
-work correctly on the VM.
-```
-
-You should **Turn on ufw** and **restart the VM** after the security group configuration.
-
-- ufw must be turned on for traffic to get to the VM.
-- after ufw is enabled, setup **allow** traffic for OpenZiti ports:
-
-```text
-sudo ufw enable
-sudo ufw allow 1280/tcp
-sudo shutdown -r 0
-```
-
-
-
-
-
-If you turn on the firewall feature, you will need to config firewall rules.
-
-- Open the Instance detail screen
-- Find the **Firewall details** at the bottom right. Open it.
-
-Add the following rules.
-- ssh: port 22/TCP
-- OpenZiti ports, e.g., 1280/tcp
-- Deny rules to deny all other traffic
-
-Make sure the firewall is active, it should display **Processing all rules** if it is active.
-
-
-
-
-
-
-## 1.3 Login and Setup Controller
-
-
-
-- Once the VM is created, we can get the IP address (and the DNS name) of the VM from the Virtual machine screen.
-- Login to the VM by using defined user "username" (default username is azureuser) and the private sshkey:
-```text
-ssh -i @
-or
-ssh -i @
-```
-
-Use a fully qualified domain name (FQDN) to [deploy the controller](/guides/deployments/10-linux/10-controller/10-deploy.mdx).
-
-
-
-
-- Once the VM is created, we can get the IP address (and the DNS name) of the VM from the Instance detail screen.
-- **NOTE:** DNS name is only available if you enabled **DNS Hostnames** under VPC.
-- Login to the VM with username "ubuntu":
-
-```text
-ssh -i ubuntu@
-or
-ssh -i ubuntu@
-```
-
-
-
-- Once the VM is created, we can log in through **SSH** button on the VM instances screen.
-
-
-
-
-
-- Once the VM is created, we can get the IP address of the droplet from the Resources screen.
-- Login to the VM with username "root" and IP address:
-```text
-ssh root@
-```
-
-
-
-
-- Once the VM is created, we can get the IP address of the VM from the instance details screen.
-- Login to the VM with username "ubuntu" and the IP address:
-```text
-ssh -i ubuntu@
-```
-
-
-
-
-- Once the VM is created, we can get the IP address of the VM from the Devices screen.
-- Login to the VM with username "ubuntu" and the IP address:
-```text
-ssh -i ubuntu@
-```
-
-
-
\ No newline at end of file
diff --git a/docusaurus/docs/guides/deployments/40-cloud/20-router.mdx b/docusaurus/docs/guides/deployments/40-cloud/20-router.mdx
deleted file mode 100644
index 1bb30bcae..000000000
--- a/docusaurus/docs/guides/deployments/40-cloud/20-router.mdx
+++ /dev/null
@@ -1,694 +0,0 @@
----
-sidebar_label: Router
-title: Run a Router in a Public Cloud
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-## 2.0 Configure a Router
-
-In this section, we are describing how to setup the edge router (pub-er) for our [test network](/guides/topologies/10-services.mdx#311-network-diagram-1).
-
-## 2.1 Create the Edge Router VM
-Please follow **Create a VM section** of the controller cloud guide to setup a VM to be used as router.
-
-## 2.2 Login and Update the repo and apps on VM
-
-
-
-
-- Once the VM is created, we can get the IP address of the VM from the Virtual machine screen.
-- Login to the VM by using defined user "username" (default username is azureuser) and the private sshkey:
-```text
-ssh -i @
-```
-
-
-
-- Once the VM is created, we can get the IP address of the VM from the Instance(s) screen.
-
-Login to the VM by using user name "ubuntu":
-```text
-ssh -i ubuntu@
-```
-
-
-
-- Once the VM is created, we can login through **SSH** button on the VM instances screen. Make sure **ssh is allow** on the firewall before you do this. Alternatively, you can [configure firewall](#29-firewall) first.
-
-
-
-
-
-- Once the VM is created, get the IP address of the droplet from the Resources screen. Login to the VM by using user "root" and IP address:
-```text
-ssh root@
-```
-
-
-
-- Once the VM is created, we can get the IP address of the VM from the instance details screen.
-- Login to the VM by using user name "ubuntu" and the IP address:
-```text
-ssh -i ubuntu@
-```
-
-
-
-- Once the VM is created, we can get the IP address of the VM from the Devices screen.
-- Login to the VM by using user name "ubuntu" and the IP address:
-```text
-ssh -i ubuntu@
-```
-
-
-
-### 2.2.1 apt update
-```text
-sudo apt update
-sudo apt upgrade
-```
-
-### 2.2.2 Download ziti_router_auto_enroll binary
-**ziti_router_auto_enroll** is an easy way to setup your router automatically.
-```text
-wget https://github.com/netfoundry/ziti_router_auto_enroll/releases/latest/download/ziti_router_auto_enroll.tar.gz
-tar xf ziti_router_auto_enroll.tar.gz
-```
-You should have a file **ziti_router_auto_enroll** under the directory.
-
-For detail info on ziti_router_auto_enroll, please checkout the [ziti_router_auto_enroll github page](https://github.com/netfoundry/ziti_router_auto_enroll)
-
-## 2.3 Create and Set Up Router Directly on Router VM
-
-You can setup the router directly on the router VM with one command if you did not block your controller's edge-management port. At this time, the quickstart for setting up controller does not separate edge-management port from edge-client port, so the edge-management port has to be open. You may continue this section if you know your controller's management password, Fabric Port (default 8440) and Management Port (default 8441).
-
-You can also choose to create router on the controller and then register with the jwt file (created when creating the router) on the router. The procedure for this is detailed in ["Create Router On the Controller"](#24-creating-router-on-the-controller-first) section.
-
-### 2.3.1 Info needed for creating Router
-In order to create the Router, the VM needs to contact controller. We need the following information before we can continue:
-- Controller IP or Controller NDS
-- Controller Fabric Port: On the controller, issue this command **echo $ZITI_CTRL_PORT**
-- Controller Management Port: On the controller, issue this command **echo $ZITI_EDGE_CONTROLLER_PORT**
-- Controller Passwd: On the controller, issue this command **echo $ZITI_PWD**
-- Router Name: Name for this router
-
-### 2.3.2 Info gathered for creating Router
-Here is information I gathered from previous step:
-- Controller IP: 68.183.52.206
-- Controller Fabric Port: 8440 **(default value if following controller setup guide)**
-- Controller Management Port: 8441 **(default value if following controller setup guide)**
-- Controller Passwd: Test@123
-- Router Name: pub-er
-
-We are also going to create the router without healthcheck section, so the following option will be used to create the router:
-- --disableHealthChecks
-
-If you choose to explore these two functionalities, you can remove the options (from command line) when creating router.
-
-### 2.3.3 Create the Router with link listener
-Use this procedure to create a Public Router with link listener (but without tunnel).
-```text
-sudo ./ziti_router_auto_enroll -f -n --controller 68.183.52.206 --controllerFabricPort 8440 --controllerMgmtPort 8441 --adminUser admin --adminPassword Test@123 --assumePublic --disableHealthChecks --routerName pub-er
-```
-**output**
-```
-2023-04-05-04:07:44-INFO-Writing jwt file: pub-er_enrollment.jwt
-2023-04-05-04:07:44-INFO-Version not specified, going to check with controller
-2023-04-05-04:07:45-INFO-Found version 0.27.7
-2023-04-05-04:07:45-INFO-Downloading file: https://github.com/openziti/ziti/releases/download/v0.27.7/ziti-linux-amd64-0.27.7.tar.gz
-Downloading: 100%|████████████████████████████████████████████████████████████████████████████████████████████| 115M/115M [00:01<00:00, 67.3MiB/s]
-2023-04-05-04:07:47-INFO-Successfully downloaded file
-2023-04-05-04:07:47-INFO-Starting binary install
-2023-04-05-04:07:50-INFO-Installing service unit file
-2023-04-05-04:07:50-INFO-Creating config file
-2023-04-05-04:07:50-INFO-Starting Router Enrollment
-2023-04-05-04:07:54-INFO-Successfully enrolled Ziti
-2023-04-05-04:07:54-INFO-Service ziti-router.service start successful.
-Created symlink /etc/systemd/system/multi-user.target.wants/ziti-router.service → /etc/systemd/system/ziti-router.service.
-2023-04-05-04:07:55-INFO-Service ziti-router.service enable successful.
-```
-
-**Alternative way of creating router**
-
-Instead of passing parameters through the command line to create routers, the parameters can be specified via environmental variables. Here is example on how to accomplish that.
-```
-export CONTROLLER="68.183.52.206"
-export CONTROLLERFABRICPORT="8440"
-export CONTROLLERMGMTPORT="8441"
-export ADMINUSER="admin"
-export ADMINPASSWORD="Test@123"
-
-sudo -E ./ziti_router_auto_enroll -f -n --assumePublic --disableHealthChecks --routerName pub-er
-```
-
----
-**NOTE**
-```
-When using the environmental variable for ziti_router_auto_enroll, you must
-use "-E" option to pass the environmental value to sudo.
-```
-
-### 2.3.4 Other Router creation options
-If you need to create router with difference options than the one mentioned above, please choose one of the options from this section.
-
-#### 2.3.4.1 Create the Router with link listener and tunneler
-```
-sudo ./ziti_router_auto_enroll -f -n --controller 68.183.52.206 --controllerFabricPort 8440 --controllerMgmtPort 8441 --adminUser admin --adminPassword Test@123 --assumePublic --disableHealthChecks --autoTunnelListener --routerName pub-er
-```
-
-#### 2.3.4.2 Create the Router with edge listener only (no link listener)
-```
-sudo ./ziti_router_auto_enroll -f -n --controller 68.183.52.206 --controllerFabricPort 8440 --controllerMgmtPort 8441 --adminUser admin --adminPassword Test@123 --disableHealthChecks --routerName pub-er
-```
-#### 2.3.4.3 Create the Router with edge listener and tunneler
-```
-sudo ./ziti_router_auto_enroll -f -n --controller 68.183.52.206 --controllerFabricPort 8440 --controllerMgmtPort 8441 --adminUser admin --adminPassword Test@123 --disableHealthChecks --autoTunnelListener --routerName pub-er
-```
-
-## 2.4 Creating Router on the Controller first
-**If you already setup the router directly on the VM, you can skip to the next [section 2.5](#25-auto-start-the-router)**
-
-You can create the router on the controller first then register the router on the router VM.
-
-### 2.4.1 Creating Router on the controller Using ZAC
-**If you prefer to create router using CLI, you can jump to [cli section](#242-creating-router-on-the-controller-using-cli).**
-
-**In order to complete the procedures in this section, you need to install ZAC first and have access to the controller using the ZAC. If you have trouble using ZAC, you can use the [CLI procedures](#242-creating-router-on-the-controller-using-cli) to create router.**
-
-From the ZAC welcome screen, choose the **ROUTERS**
-
-
-
-Click on **+** to bring up the **CREATE EDGE ROUTER** widget. The **NAME** of Router is required, and it has to be unique. Also choose whether you want the tunneler to be enable or not on the router. Enter other optional fields and hit **SAVE**
-
-
-
-If the router is created successfully, you will be back to the **MANAGE EDGE ROUTERS** screen. From the list of edge routers, you will see the **JWT** icon on the newly created router. You need this JWT for the registration.
-
-
-
-Click on the **JWT ICON**, the JWT will be downloaded to your machine. On Chrome browser, the downloaded file will appear on the bottom left corner of the browser like picture below.
-
-
-
-Open the JWT file, and copy the content. Now you are ready for the registration.
-
-
-
-
-### 2.4.2 Creating Router on the controller Using CLI
-**If you already created router using ZAC, you can skip ahead to [register the router](#243-register-the-router-with-link-listener).**
-
-Otherwise, this section provides CLI commands to create routers on the controller.
-
-**login to controller**
-
-login to CLI first
-```text
-zitiLogin
-```
-
-To create an edge router (no tunneler)
-```text
-ziti edge create edge-router pub-er -o pub-er.jwt
-```
-**output**
-```
-New edge router pub-er2 created with id: BzUtjC7E.
-Enrollment expires at 2023-04-07T03:52:03.997Z
-```
-
-To create an edge router with tunneler
-```text
-ziti edge create edge-router pub-er -t -o pub-er.jwt
-```
-
-Cat out the content of the jwt file. We will need to use the jwt to register router
-```
-# cat pub-er.jwt
-eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbSI6ImVyb3R0IiwiZXhwIjoxNjgwODM5NjA4LCJpc3MiOiJodHRwczovLzE2MS4zNS4xMDguMjE4Ojg0NDEiLCJqdGkiOiJhNDg5N2Q0ZS1lZTY4LTQ1M2UtYjY1NS03MGU0YjgyZTllNDciLCJzdWIiOiJpY2JLakM3RS5QIn0.Y6DohYyWEeJQmRMe29v4cL3Y1APCnBlrv_-S_941au2OESuQdt2CS4C4djvESYzV5vbnbgZgyU5xtNvb4lW5Uv2HP3XUGQNVsWjpwZbazNoTXg1IX6hhWb7T6u1AhS4xnJ3jpoapKsdOkUSqeQNUMSiN3aeLNcGVA_XK1-utCYjVsHDC90M1ZYZqgd8C9IKziDI10XQVlKTqosv8hoJD0OKIu7WZMslweRSMBtQUA2lZ2QSkIhFr2bvtgPll-5aBnG7eo6Ka_WtEW6EikU2fxgpNaVVBEIdZs1tkdGU6dfBDA6j5wA1TBI0FZnuKlNW24bMZCWKy2B_AMqJW1a80I0qNDx-QHEy-pt8FzZ-eqXWyfhc_nYzwT9kr6hO9VJrrD81hboCeTl8G6EXZjwCi2lPbKHROtkQu08-Ns1Kps7R3GILeNMltW9tKApP746ek4DVxm2cKqiB1Axcb0tNjDWTthjyp8m40aSiiqOPIoQbwa43JLqbHcuhZOSBLQNb_bwzkxBSf34D2w5eVETWy9VX-lgHwM-uhT5SfZIWdnWtO7-Cxn-cqgz89twtOim-yc5j0p0ieAbrOArbjKFBXiQjP8yWkorQKlj5PTSk7vyb3X4q6p--RxP2Z5F8alCPQx3XiVcohvIJnrJiEP86myNIYcKhhJ4OB4r9iOr0qTc8
-```
-
-We also need the management port (default 8441) and fabric port (default 8440) of the controller to register the router
-```
-# echo $ZITI_EDGE_CONTROLLER_PORT
-8441
-# echo $ZITI_CTRL_PORT
-8440
-```
-
-### 2.4.3 Register the Router with link listener
-**Perform this on the Router VM**
-
-Use this procedure to create a Public Router with link listener (but without tunnel).
-
-**command**
-```
-sudo ./ziti_router_auto_enroll -f -n --controllerFabricPort 8440 --controllerMgmtPort 8441 --assumePublic --disableHealthChecks
-```
-
-```
-sudo ./ziti_router_auto_enroll -f -n --controllerFabricPort 8440 --controllerMgmtPort 8441 --assumePublic --disableHealthChecks eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbSI6ImVyb3R0IiwiZXhwIjoxNjgwODM5NjA4LCJpc3MiOiJodHRwczovLzE2MS4zNS4xMDguMjE4Ojg0NDEiLCJqdGkiOiJhNDg5N2Q0ZS1lZTY4LTQ1M2UtYjY1NS03MGU0YjgyZTllNDciLCJzdWIiOiJpY2JLakM3RS5QIn0.Y6DohYyWEeJQmRMe29v4cL3Y1APCnBlrv_-S_941au2OESuQdt2CS4C4djvESYzV5vbnbgZgyU5xtNvb4lW5Uv2HP3XUGQNVsWjpwZbazNoTXg1IX6hhWb7T6u1AhS4xnJ3jpoapKsdOkUSqeQNUMSiN3aeLNcGVA_XK1-utCYjVsHDC90M1ZYZqgd8C9IKziDI10XQVlKTqosv8hoJD0OKIu7WZMslweRSMBtQUA2lZ2QSkIhFr2bvtgPll-5aBnG7eo6Ka_WtEW6EikU2fxgpNaVVBEIdZs1tkdGU6dfBDA6j5wA1TBI0FZnuKlNW24bMZCWKy2B_AMqJW1a80I0qNDx-QHEy-pt8FzZ-eqXWyfhc_nYzwT9kr6hO9VJrrD81hboCeTl8G6EXZjwCi2lPbKHROtkQu08-Ns1Kps7R3GILeNMltW9tKApP746ek4DVxm2cKqiB1Axcb0tNjDWTthjyp8m40aSiiqOPIoQbwa43JLqbHcuhZOSBLQNb_bwzkxBSf34D2w5eVETWy9VX-lgHwM-uhT5SfZIWdnWtO7-Cxn-cqgz89twtOim-yc5j0p0ieAbrOArbjKFBXiQjP8yWkorQKlj5PTSk7vyb3X4q6p--RxP2Z5F8alCPQx3XiVcohvIJnrJiEP86myNIYcKhhJ4OB4r9iOr0qTc8
-```
-**output**
-```
-2023-04-07-01:07:49-INFO-Version not specified, going to check with controller
-2023-04-07-01:07:49-INFO-Found version 0.27.7
-2023-04-07-01:07:49-INFO-Downloading file: https://github.com/openziti/ziti/releases/download/v0.27.7/ziti-linux-amd64-0.27.7.tar.gz
-Downloading: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 115M/115M [00:01<00:00, 68.9MiB/s]
-2023-04-07-01:07:51-INFO-Successfully downloaded file
-2023-04-07-01:07:51-INFO-Starting binary install
-2023-04-07-01:07:54-INFO-Installing service unit file
-2023-04-07-01:07:55-INFO-Service ziti-router daemon-reload successful.
-2023-04-07-01:07:55-INFO-Creating config file
-2023-04-07-01:07:55-INFO-Starting Router Enrollment
-2023-04-07-01:07:57-INFO-Successfully enrolled Ziti
-2023-04-07-01:07:57-INFO-Service ziti-router.service start successful.
-2023-04-07-01:07:57-INFO-Service ziti-router.service enable successful.
-```
-### 2.4.4 Other Router creation options
-If you need to create router with difference options than the one mentioned above, please choose one of the options from this section.
-
-#### 2.4.4.1 Register the Router with link listener and tunneler
-```
-sudo ./ziti_router_auto_enroll -f -n --controllerFabricPort 8440 --controllerMgmtPort 8441 --assumePublic --disableHealthChecks --autoTunnelListener
-```
-
-#### 2.4.4.2 Register the Router with edge listener only (no link listener)
-```
-sudo ./ziti_router_auto_enroll -f -n --controllerFabricPort 8440 --controllerMgmtPort 8441 --disableHealthChecks
-```
-#### 2.4.4.3 Register the Router with edge listener and tunneler
-```
-sudo ./ziti_router_auto_enroll -f -n --controllerFabricPort 8440 --controllerMgmtPort 8441 --disableHealthChecks --autoTunnelListener
-```
-
-## 2.5 Auto start the router
-After enroll the router, a systemd service file is automatically created and enabled. To check the status of the service file, issue the following command:
-```text
-systemctl status ziti-router.service
-```
-**Output**
-```
-● ziti-router.service - Ziti-Router
- Loaded: loaded (/etc/systemd/system/ziti-router.service; enabled; vendor preset: enabled)
- Active: active (running) since Wed 2023-04-05 14:45:59 UTC; 4s ago
- Main PID: 18381 (ziti)
- Tasks: 6 (limit: 2323)
- Memory: 16.5M
- CPU: 222ms
- CGroup: /system.slice/ziti-router.service
- └─18381 ziti router run /opt/ziti/config.yaml
-```
-If the status shows **active (running)**, then the setup finished correctly.
-
-On the controller, you can check the status of the routers. Please refer to the controller guide (useful command for the Router) section for more information.
-
-## 2.6 Fix the resolver
-
-
-
-If you run router without tunneler enabled, you can skip this section.
-
-We need to remove the digital ocean resolver for tunnel resolver to work correctly.
-
-Check resolver before any changes:
-```
-# resolvectl
-Global
- Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
- resolv.conf mode: stub
-Current DNS Server: 67.207.67.2
- DNS Servers: 67.207.67.2 67.207.67.3
-...
-...
-```
-Under the Global DNS servers, it should say something like "67.207.67.2 67.207.67.3"
-
-**Now, make changes to the resolver:**
-```text
-cd /etc/systemd/resolved.conf.d/
-rm DigitalOcean.conf
-sudo ln -s /dev/null DigitalOcean.conf
-systemctl restart systemd-resolved.service
-```
-
-Check resolver again
-```
-# resolvectl
-Global
- Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
- resolv.conf mode: stub
-Current DNS Server: 146.190.120.86
- DNS Servers: 146.190.120.86
-...
-...
-```
-Now the Global DNS servers should be the IP address on your local interface.
-
-
-
-
-**Not applicable**
-
-
-
-**Not applicable**
-
-
-
-**Not applicable**
-
-
-
-**Not applicable**
-
-
-
-**Not applicable**
-
-
-
-## 2.7 Route Table
-
-
-
-
-- For any router setup as a local gateway (i.e. local-er in [test network 2](/guides/topologies/10-services.mdx#312-network-diagram-2)), you will need to setup routes in Azure.
-- First you need to create a **Route Table** from Marketplace.
-
-
-- Then go to your subnet of your VM, associate the Route Table just created to the subnet.
-
-
-- Click on the route table, then choose **Routes** from the left side menu.
-- Now you will be presented a screen like below, you can then add your route.
-- Following is an example route for intercepting traffic destine for ip: 11.11.11.11/32.
-- The **Next hop address** is local IP of our local gateway ER.
-
-
-
-The following routes are required:
-- any intercept address cidr
-- 100.64.0.0/10 (for DNS based intercept)
-
-
-
-
-- For any router setup as local gateway (i.e. local-er in [test network 2](/guides/topologies/10-services.mdx#312-network-diagram-2)), you will need to setup routes for your VPC.
-- To get to the route table, click on **Subnet** from your Instances screen
-- From the Subnet screen, click on **Router table**
-- Then you can use **Edit routes** to add routes to the table.
-- Following is an example routes for intercepting traffic destine for IP subnet: 10.10.0.0/24 and 100.64.0.1/32.
-- The Target is **Instance** (our local gateway ER).
-
-
-
-The following routes are required:
-- any intercept address CIDR
-- 100.64.0.0/10 (for DNS based intercept)
-
-
-
-
-For any router setup as local gateway (i.e. local-er in [test network 2](/guides/topologies/10-services.mdx#312-network-diagram-2)), you will need to setup routes in GCP.
-
-- Go to your VM screen, click on the **Network interfaces** name (i.e. nic0)
-- Click on **Routes** menu on the left side to bring up the Routes screen
-- Click **ROUTE MANAGEMENT** and **+ CREATE ROUTE** to bring up a dialog to create a route
-- Specify your **Network** and **Destination IP range**
-- **Next hop** is our **local-er** instance.
-- Click **CREATE** to generate the route.
-
-Following is an example route for intercepting traffic destine for ip: 11.11.11.11/32. The next hop is our local gateway ER.
-
-
-The following routes are required:
-- any intercept address CIDR
-- 100.64.0.0/10 (for DNS based intercept)
-
-
-
-
-DigitalOcean does not have route table. The routes are setup directly on the VM. The example is in the [test section](/guides/topologies/10-services.mdx#367-verify-the-connection)
-
-
-
-- For any router setup as local gateway (i.e. local-er in [test network 2](/guides/topologies/10-services.mdx#312-network-diagram-2)), you will need to setup routes in Oracle Cloud.
-- To setup your route, choose the default route table from your VCN.
-
-
-- **Add Router Rules**
-- Following is an example route for traffic destine for 100.64.0.0/10 subnet.
-- The **Target Type** is **Private IP**
-- The **Destination Type** is **CIDR Block**
-- The **Destination CIDR Block** is the example traffic (100.64.0.0/10)
-- The **Target Selection** is the IP of our local gateway ER.
-
-
-The following routes are required:
-- any intercept address CIDR
-- 100.64.0.0/10 (for DNS based intercept)
-
-
-
-
-IBM Cloud does not have route table. The routes are setup directly on the VM. The example is in the [test section](/guides/topologies/10-services.mdx#367-verify-the-connection)
-
-
-
-## 2.8 Source and Destination Check
-
-Most cloud provider checks the source and destination of the traffic to make sure it is either originated or terminated at the VM. When our ER is used as a local GW, it is neither the source or the destination of the traffic. Therefore, the source and destination check must be disabled.
-
-
-
-
-- In Azure, the "Source and Destination Check" is called **IP forwarding**
-- From your Virtual machine screen, click on the **Network Interface** of that VM.
-- On the left side menu, choose **IP configurations** (like the picture below).
-- **Enable** the **IP forwarding**
-- **Save**
-
-
-
-
-
-- From your Instance screen, Under **Networking** tab, click on the **Network Interface** of that VM.
-- Click on **Actions** on the right side to bring up a dropdown menu.
-- Select **Change source/dest. check**
-- **uncheck** Enable and then press **Save**
-
-
-
-
-
-
-
-- In GCP, the "Source and Destination Check" is named **IP forwarding**
-- During the VM creation, from the VM configuration screen, choose the **ADVANCED OPTIONS** & under the **NETWORKING** section (like the picture below). **Enable** the **IP forwarding**
-
-
-- If the **IP forwarding** was not enabled during VM creation, you can follow [this procedure](https://cloud.google.com/compute/docs/instances/update-instance-properties) to enable it.
-
-
-
-
-DigitalOcean does not have this feature.
-
-
-
-- From the Instance details screen, click on the **Attached VNICs** from the left side menu
-- On the right side menu, choose **3 dots** (like the picture below), Click **Edit VNIC**
-
-
-- Select **Skip Source/Destination Check**
-- Click **Save changes**
-
-
-
-
-IBM Cloud does not have this feature.
-
-
-
-## 2.9 Firewall
-
-
-
-
-Azure's default firewall is blocking all incoming access to the VM. You will need the following ports open for your ERs:
-
-- 443/TCP (default port for edge listener)
-- 80/TCP (default port for link listener)
-- 53/UDP (when using as local gw)
-- any intercept ports. (i.e. if you want to intercept RDP traffic, you will need to open port 3389)
-
-To open ports:
-
-- From your Virtual machine page, click on **Networking** from the left side menu.
-- Under the **Inbound port rules**, you can click on **Add inbound port rule** to allow traffic in. Like example here.
-
-
-
-
-
-AWS default firewall is blocking all incoming access to the VM. You will need the following ports open for your ERs:
-
-- 443/TCP (default port for edge listener)
-- 80/TCP (default port for link listener)
-- 53/UDP (when using as local gw)
-- any intercept ports. (i.e. if you want to intercept RDP traffic, you will need to open port 3389)
-
-Following is the firewall setting for edge router which serves as the GW for non ziti client.
-
-
-
-
-GCP default firewall is blocking all incoming access to the VM. You will need the following ports open for your ERs:
-
-- 443/TCP (default port for edge listener)
-- 80/TCP (default port for link listener)
-- 53/UDP (when using as local gw)
-- any intercept ports. (i.e. if you want to intercept RDP traffic, you will need to open port 3389)
-
-Following is example firewall configuration for public ER and local ER.
-
-
-
-
-
-DigitalOcean by default does not setup firewall for the VM.
-
-
-
-Oracle Cloud default firewall is s blocking all incoming access to the VM. You will need the following ports open for your ERs:
-- 443/TCP (default port for edge listener)
-- 80/TCP (default port for link listener)
-- 53/UDP (when using as local gw)
-- 22/TCP (SSH access, this rule by default allowed in iptable rule)
-- any intercept ports. (i.e. if you want to intercept RDP traffic, you will need to open port 3389)
-
-**To setup the security group**
-- From **Networking** category, select the **Virtual cloud networks**.
-- Select the VCN your VM is in.
-- On the left side menu, select the **Network Security Group**.
-- Select **Create Network Security Group**.
-- Name the security group and select the next.
-- Now create rules for ingress traffic (port listed above).
-- Also create a rule to allow all traffic outbound (**Egress**).
-
-
-
-**Then attach the created security group to the instance**
-- Select **Edit** under the **Network security groups** section.
-- Select the security group from the drop down and press **Save changes**.
-
-
-
----
-**NOTE 1**
-```
-Oracle Cloud also uses Security Lists (on the subnet) to marshal the traffic,
-please make sure the setting under Security Lists is not conflicting
-with your security group rules.
-```
-
----
-**NOTE 2**
-```
-It is possible that after the security group configuration, the ufw does not
-work correctly on the VM.
-```
-
-You should **Turn on ufw** and **restart the VM** after the security group configuration.
-
-- ufw must be turned on for traffic to get to the VM.
-- after ufw is enabled, setup **allow** traffic for ports:
-
-```text
-sudo ufw enable
-sudo ufw allow 80/tcp
-sudo ufw allow 443/tcp
-sudo ufw allow 53/udp
-sudo shutdown -r 0
-```
-
-- you also need to allow the intercept ports on the ufw also.
-
-
-
-
-
-If you turn on the firewall feature, you will need to config firewall rules.
-
-- Open the Instance detail screen
-- Find the **Firewall details** at the bottom right. Open it.
-
-Add the following rules.
-- 443/TCP (default port for edge listener)
-- 80/TCP (default port for link listener)
-- 53/UDP (when using as local gw)
-- 22/TCP (SSH access)
-- any intercept ports. (i.e. if you want to intercept RDP traffic, you will need to open port 3389)
-- Deny rules to deny all other traffic
-
-Make sure the firewall is active, it should display **Processing all rules** if it is active.
-
-
-
-
-
-
diff --git a/docusaurus/docs/guides/deployments/40-cloud/_category_.yml b/docusaurus/docs/guides/deployments/40-cloud/_category_.yml
deleted file mode 100644
index a0af5a3fb..000000000
--- a/docusaurus/docs/guides/deployments/40-cloud/_category_.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-label: Cloud
-link:
- type: generated-index
- title: Working with Public Clouds
- description: Run a Ziti controller or router on a Linux VM in a public cloud.
diff --git a/docusaurus/docs/guides/deployments/_category_.yml b/docusaurus/docs/guides/deployments/_category_.yml
deleted file mode 100644
index 43e9a4a7f..000000000
--- a/docusaurus/docs/guides/deployments/_category_.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-label: Deployments
-position: 15
-link:
- type: generated-index
- title: Deploying to Production
- description: Run a controller or router as a Linux service, with Docker, or deployed to Kubernetes.
diff --git a/docusaurus/docs/guides/index.md b/docusaurus/docs/guides/index.md
deleted file mode 100644
index 56655a13f..000000000
--- a/docusaurus/docs/guides/index.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Overview
-sidebar_position: 10
----
-
-This section contains operational guidance for specific tasks such as deploying a controller with Helm or as a Linux system service, backing up the controller's database, and migrating controller or router configurations.
-
-## What is a Guide?
-
-A guide is like a recipe. It's a type of documentation that is more advanced and solution-focused than other types. A guide is prescriptive and procedural. For example, "How to deploy a controller with Helm."
-
-There's lots of room in here for new guides! Want guidance before you submit? Want someone else to submit? No problem. Follow the link to create a GitHub issue, label it "how-to", and tell us what you are working on.
-
-* [Request a new guide or find guide requests](https://github.com/openziti/ziti-doc/issues?q=is%3Aissue+is%3Aopen+label%3Ahow-to+)
-* [Where in GitHub to add or edit a guide](https://github.com/openziti/ziti-doc/tree/main/docusaurus/docs/guides)
diff --git a/docusaurus/docs/guides/topologies/10-services.mdx b/docusaurus/docs/guides/topologies/10-services.mdx
index e64551949..eb94873aa 100644
--- a/docusaurus/docs/guides/topologies/10-services.mdx
+++ b/docusaurus/docs/guides/topologies/10-services.mdx
@@ -67,8 +67,8 @@ error: error listing https://161.35.108.218:8441/edge/management/v1/config-types
### 3.2.2 Router
We need two routers to complete our example in this guide.
-- Public edge router (**pub-er**) was setup in the [Router setup section](../deployments/40-cloud/20-router.mdx#23-create-and-set-up-router-directly-on-router-vm), this router provides fabric and edge connection. It does not have tunneler functionality. Make sure you also modify the [Firewall](/guides/deployments/40-cloud/20-router.mdx#29-firewall) for this router.
-- Local edge router (**local-er**). Please follow the [Router guide](../deployments/40-cloud/20-router.mdx) to setup a [Router with edge listener and tunneler](../deployments/40-cloud/20-router.mdx#2343-create-the-router-with-edge-listener-and-tunneler). For this router, you will need to setup [Resolver](/guides/deployments/40-cloud/20-router.mdx#26-fix-the-resolver), [Route Table](/guides/deployments/40-cloud/20-router.mdx#27-route-table), [Source and Destination Check](/guides/deployments/40-cloud/20-router.mdx#28-source-and-destination-check) and [Firewall](/guides/deployments/40-cloud/20-router.mdx#29-firewall).
+- Public edge router (**pub-er**) - this router provides fabric and edge connection. It does not have tunneler functionality. Make sure you also modify the firewall for this router.
+- Local edge router (**local-er**). - set up the resolver, route table, source and destination checks, and firewall.
#### 3.2.2.1 ZAC
On the ZAC **ROUTERS** screen, you can check your router and make sure it is created correctly. You can also check the identity associated with the router by clicked on **IDENTITIES**
@@ -126,7 +126,7 @@ results: 1-3 of 3
### 3.2.3 Tunnelers/Identities
-We need two tunnelers for our testing. Please follow **[Create a VM section](/guides/deployments/40-cloud/10-controller.mdx#11-create-a-vm-to-be-used-as-the-controller)** of the Controller Guide to create two VMs running Ubuntu 22.04.
+We need two tunnelers for our testing. Create two VMs running Ubuntu 22.04.
#### 3.2.3.1 Create Identity with ZAC
diff --git a/docusaurus/docs/learn/core-concepts/security/authentication/5-password-management.md b/docusaurus/docs/learn/core-concepts/security/authentication/5-password-management.md
index 24ae19f5b..18104d5c8 100644
--- a/docusaurus/docs/learn/core-concepts/security/authentication/5-password-management.md
+++ b/docusaurus/docs/learn/core-concepts/security/authentication/5-password-management.md
@@ -7,7 +7,7 @@ For identities using username password (UPDB) authenticators the following actio
## Administrative Password Reset
-Passwords may be reset via the [edge management API](docs/reference/developer/api/02-edge-management-reference.mdx) by an administrative client.
+Passwords may be reset via the [edge management API](/reference/developer/api/02-edge-management-reference.mdx) by an administrative client.
### Ziti CLI
diff --git a/docusaurus/docs/learn/core-concepts/security/authentication/auth.md b/docusaurus/docs/learn/core-concepts/security/authentication/auth.md
index 6d8436e14..397ce6728 100644
--- a/docusaurus/docs/learn/core-concepts/security/authentication/auth.md
+++ b/docusaurus/docs/learn/core-concepts/security/authentication/auth.md
@@ -3,17 +3,17 @@ title: Authentication
---
Authentication in Ziti Edge occurs when a client wishes to interact with the Ziti Edge Controller. Authentication
-has begun when the client receives an API Session and is complete when the API Session is fully authenticated.
-API Sessions are a high level security context that represents an authenticated session with either the Ziti [edge client API](docs/reference/developer/api/01-edge-client-reference.mdx)
-or the Ziti [edge management API](docs/reference/developer/api/02-edge-management-reference.mdx).
+has begun when the client receives and API Session and is complete when the API Session is fully authenticated.
+API Sessions are a high level security context that represents an authenticated session with either the Ziti [edge client API](/reference/developer/api/01-edge-client-reference.mdx)
+or the Ziti [edge management API](/reference/developer/api/02-edge-management-reference.mdx).
-- Clients that are powered by a Ziti SDK that access services will authenticate with the [edge client API](docs/reference/developer/api/01-edge-client-reference.mdx)
-- Clients that are managing a network will authenticate with the [edge management API](docs/reference/developer/api/02-edge-management-reference.mdx)
+- Clients that are powered by a Ziti SDK that access services will authenticate with the [edge client API](/reference/developer/api/01-edge-client-reference.mdx)
+- Clients that are managing a network will authenticate with the [edge management API](/reference/developer/api/02-edge-management-reference.mdx)
## Authentication Flow
-Below is diagram showing initial authentication for some client. The same model is used between the [edge client API](docs/reference/developer/api/01-edge-client-reference.mdx)
-and [edge management API](docs/reference/developer/api/02-edge-management-reference.mdx).
+Below is diagram showing initial authentication for some client. The same model is used between the [edge client API](/reference/developer/api/01-edge-client-reference.mdx)
+and [edge management API](/reference/developer/api/02-edge-management-reference.mdx).
```mermaid
graph TD
@@ -73,7 +73,7 @@ Authenticators may be listed via the CLI:
`ziti edge list authenticators`
-or via the [edge management API](docs/reference/developer/api/02-edge-management-reference.mdx):
+or via the [edge management API](/reference/developer/api/02-edge-management-reference.mdx):
```
GET /edge/management/v1/authenticators
@@ -84,7 +84,7 @@ GET /edge/management/v1/authenticators
x509 authentication requires the client to initiate a HTTPs authentication request using a x509 client certificate that
is associated to the target Identity on an Authenticator. The client certificate can be issued by the Ziti Edge
Controller's internal PKI or an external PKI. If an external PKI is being used, it must be registered as a
-[3rd Party CA](10-third-party-cas.md) via the Ziti [edge management API](docs/reference/developer/api/02-edge-management-reference.mdx), verified, and
+[3rd Party CA](10-third-party-cas.md) via the Ziti [edge management API](/reference/developer/api/02-edge-management-reference.mdx), verified, and
have authentication enabled. The client certificate must pass signature and CA chain-of-trust validation. All client,
intermediate CA, and root CA functionality supports RSA and EC keys.
diff --git a/docusaurus/docs/learn/introduction/_components.md b/docusaurus/docs/learn/introduction/_components.md
index 83a9084c0..fd6914abe 100644
--- a/docusaurus/docs/learn/introduction/_components.md
+++ b/docusaurus/docs/learn/introduction/_components.md
@@ -31,7 +31,7 @@ store the information needed to manage the network.
The controller's TLS server employs SNI to select the correct certificate for presentation when there are multiple certificates. Ziti clients use ALPN to negotiate a connection to the control plane (`ziti-ctrl`) or the REST APIs (`h2`, `http/1.1`).
-[Controller Deployment Guide](/guides/deployments/10-linux/10-controller/10-deploy.mdx)
+[Controller Deployment Guide](/deployments/20-controller/index.mdx)
### Router
@@ -49,7 +49,7 @@ The router is the entry point to the network for client connections.
The router in combination with the controller is responsible
for authenticating and authorizing clients.
-[Router Deployment Guide](/guides/deployments/10-linux/20-router/10-deploy.mdx)
+[Router Deployment Guide](/deployments/40-router/index.mdx)
### Edge Clients
diff --git a/docusaurus/docs/learn/quickstarts/network/hosted.mdx b/docusaurus/docs/learn/quickstarts/network/hosted.mdx
index 1abf10a4d..3ad53a7a2 100644
--- a/docusaurus/docs/learn/quickstarts/network/hosted.mdx
+++ b/docusaurus/docs/learn/quickstarts/network/hosted.mdx
@@ -5,7 +5,7 @@ sidebar_position: 60
import Wizardly from '@site/src/components/Wizardly';
:::info
-Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/docs/category/deployments).
+Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/deployments/20-controller/index.mdx).
:::
You can absolutely choose to host your [network](../../../learn/introduction/index.mdx) anywhere you like.
diff --git a/docusaurus/docs/learn/quickstarts/network/local-docker-compose.mdx b/docusaurus/docs/learn/quickstarts/network/local-docker-compose.mdx
index d18f0ff0b..cd2f8151f 100644
--- a/docusaurus/docs/learn/quickstarts/network/local-docker-compose.mdx
+++ b/docusaurus/docs/learn/quickstarts/network/local-docker-compose.mdx
@@ -6,7 +6,7 @@ sidebar_position: 50
import Wizardly from '@site/src/components/Wizardly';
:::info
-Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/docs/category/docker).
+Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/deployments/20-controller/index.mdx).
:::
If you are not familiar with it, [Docker Compose](https://docs.docker.com/compose/) is a tool for defining and running
diff --git a/docusaurus/docs/learn/quickstarts/network/local-kubernetes.mdx b/docusaurus/docs/learn/quickstarts/network/local-kubernetes.mdx
index 6e9beff89..1be1b3dbb 100644
--- a/docusaurus/docs/learn/quickstarts/network/local-kubernetes.mdx
+++ b/docusaurus/docs/learn/quickstarts/network/local-kubernetes.mdx
@@ -10,7 +10,7 @@ import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
:::info
-Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/docs/category/kubernetes).
+Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/deployments/20-controller/60-kubernetes.mdx).
:::
`minikube` quickly sets up a local Kubernetes cluster on macOS, Linux, or Windows (WSL). This quickstart is a great way to explore running your own controller, Router, and Console.
diff --git a/docusaurus/docs/learn/quickstarts/network/local-no-docker.mdx b/docusaurus/docs/learn/quickstarts/network/local-no-docker.mdx
index cbd537753..1b61402ee 100644
--- a/docusaurus/docs/learn/quickstarts/network/local-no-docker.mdx
+++ b/docusaurus/docs/learn/quickstarts/network/local-no-docker.mdx
@@ -6,7 +6,7 @@ sidebar_position: 30
import Wizardly from '@site/src/components/Wizardly';
:::info
-Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/docs/category/deployments).
+Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/deployments/20-controller/index.mdx).
:::
This page will show you how to get your [network](../../../learn/introduction/index.mdx) up and running
diff --git a/docusaurus/docs/learn/quickstarts/network/local-with-docker.mdx b/docusaurus/docs/learn/quickstarts/network/local-with-docker.mdx
index b0b1fca17..d738e4749 100644
--- a/docusaurus/docs/learn/quickstarts/network/local-with-docker.mdx
+++ b/docusaurus/docs/learn/quickstarts/network/local-with-docker.mdx
@@ -5,7 +5,7 @@ sidebar_position: 40
import Wizardly from '@site/src/components/Wizardly';
:::info
-Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/docs/category/docker).
+Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/deployments/20-controller/index.mdx).
:::
[Docker](https://www.docker.com) is a popular container engine, and many developers enjoy using solutions delivered via
@@ -18,7 +18,7 @@ containers for each component in the future but for now it's a single container.
## Starting the Controller
All [networks](../../../learn/introduction/index.mdx) require
-a [controller](../../../guides/deployments/10-linux/10-controller/10-deploy.mdx). Without a controller, edge routers won't be able to authorize new
+[a controller](/deployments/20-controller/index.mdx). Without a controller, edge routers won't be able to authorize new
connections rendering a new network useless. You must have a controller running.
### Required - Docker Named Volume
@@ -99,7 +99,7 @@ docker run \
## Edge Router
-At this point you should have a [controller](../../../guides/deployments/10-linux/10-controller/10-deploy.mdx) running. You should have created your
+At this point you should have [a controller](/deployments/20-controller/index.mdx) running. You should have created your
Docker network as well as creating the volume mount. Now it's time to connect your first edge router. The same Docker
image that runs the controller can run an edge router. To start an edge router, you will run a very similar command as
the one to start the controller with a couple of key differences.
diff --git a/docusaurus/docs/learn/quickstarts/quickstarts.md b/docusaurus/docs/learn/quickstarts/quickstarts.md
index 38312170f..ae6e174c7 100644
--- a/docusaurus/docs/learn/quickstarts/quickstarts.md
+++ b/docusaurus/docs/learn/quickstarts/quickstarts.md
@@ -13,7 +13,7 @@ Zero Trust right into your application you can still get started by using one or
[tunneling apps](/learn/core-concepts/clients/choose.mdx).
:::info
-Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see the [deployment guides](/docs/category/deployments).
+Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see the [deployment guides](/deployments/20-controller/index.mdx).
:::
:::tip
diff --git a/docusaurus/docs/learn/quickstarts/services/kubernetes-service.md b/docusaurus/docs/learn/quickstarts/services/kubernetes-service.md
index fe17aae8f..48976aa9f 100644
--- a/docusaurus/docs/learn/quickstarts/services/kubernetes-service.md
+++ b/docusaurus/docs/learn/quickstarts/services/kubernetes-service.md
@@ -20,7 +20,7 @@ This is a tutorial for tunneling a Kubernetes workload with OpenZiti.
ziti edge list edge-routers 'isTunnelerEnabled=true'
```
- If none of the routers shown are in your cluster, then refer to [the router deployment guide](/guides/deployments/30-kubernetes/kubernetes-router.mdx) for more information on how to deploy a router.
+ If none of the routers shown are in your cluster, then refer to [the router deployment guide](/deployments/40-router/60-kubernetes.mdx) for more information on how to deploy a router.
1. Add a role to the tunneler identity of the router you selected from the list above, e.g. "router1." This step adds a role to the router's identity that we'll use later to grant it permission to bind the service.
diff --git a/docusaurus/docs/learn/quickstarts/zac/index.mdx b/docusaurus/docs/learn/quickstarts/zac/index.mdx
index da5811273..3ba2e4451 100644
--- a/docusaurus/docs/learn/quickstarts/zac/index.mdx
+++ b/docusaurus/docs/learn/quickstarts/zac/index.mdx
@@ -4,7 +4,11 @@ sidebar_label: Console
---
import Wizardly from '@site/src/components/Wizardly';
-import ConsolePublicCertsNote from '/docs/guides/deployments/_console-public-certs-note.mdx';
+import ConsolePublicCertsNote from '/docs/deployments/60-console/_console-public-certs-note.mdx';
+
+:::info
+Quickstarts are short-lived networks that are great for learning how to use OpenZiti. For long-lived production deployments, see [the deployment guides](/deployments/60-console/index.mdx).
+:::
The Ziti Administration Console (ZAC) is a web UI provided by the OpenZiti project which will allow you to configure and
explore a [network](/learn/introduction/index.mdx).
@@ -122,7 +126,7 @@ internet search should show you how to accomplish this.
## Kubernetes
-[Kubernetes deployment guide](/docs/guides/deployments/30-kubernetes//kubernetes-console.mdx).
+[Kubernetes deployment guide](/deployments/60-console/60-kubernetes.mdx).
## Login and use ZAC
diff --git a/docusaurus/docs/reference/developer/api/index.mdx b/docusaurus/docs/reference/developer/api/index.mdx
index 7d1566f58..1de942931 100644
--- a/docusaurus/docs/reference/developer/api/index.mdx
+++ b/docusaurus/docs/reference/developer/api/index.mdx
@@ -48,7 +48,7 @@ The edge management API is used by clients that wish to configure a network and
with service for dialing (connecting) nor binding (hosting). The edge management API provides the ability to create
new identities, identities, policies, and other entities used to manage a network.
-[Explore the latest edge management API Reference](./02-edge-management-reference.mdx)
+[Explore the latest edge management API Reference](/reference/developer/api/02-edge-management-reference.mdx)
## Edge Client API
diff --git a/docusaurus/docs/reference/tunnelers/80-kubernetes/index.mdx b/docusaurus/docs/reference/tunnelers/80-kubernetes/index.mdx
index 659ffa026..dec922032 100644
--- a/docusaurus/docs/reference/tunnelers/80-kubernetes/index.mdx
+++ b/docusaurus/docs/reference/tunnelers/80-kubernetes/index.mdx
@@ -60,17 +60,17 @@ You can deploy a loopback proxy sidecar for pod egress to services. The sidecar
2. The sidecar container does not need the CAP_NET_ADMIN capability.
3. The sidecar container does not need a `dnsPolicy` or explicit nameserver.
-#### [TCP Proxy Cluster Service](/guides/deployments/30-kubernetes//kubernetes-router.mdx)
+#### [TCP Proxy Cluster Service](/deployments/40-router/60-kubernetes.mdx)
-The router can be deployed to provide a cluster-wide proxy for services, optionally exposing the services' proxy ports with an Ingress or LoadBalancer. This is accomplished by first creating the router with tunnel mode enabled, then deploying the router Helm chart with input values specifying each service for which the router's tunnel identity is authorized by a Dial Service Policy. For more information, see the [router](/guides/deployments/30-kubernetes//kubernetes-router.mdx) page.
+The router can be deployed to provide a cluster-wide proxy for services, optionally exposing the services' proxy ports with an Ingress or LoadBalancer. This is accomplished by first creating the router with tunnel mode enabled, then deploying the router Helm chart with input values specifying each service for which the router's tunnel identity is authorized by a Dial Service Policy. For more information, see the [router](/deployments/40-router/60-kubernetes.mdx) page.
### Ingress to Cluster Services
Any tunneler can be used to "host" a service. This hosting begins a few moments after a service becomes authorized for the identity in use by the SDK. This section is about different ways to deploy a tunneler to provide ingress to cluster services.
-#### [Reverse Proxy Router Pod](/guides/deployments/30-kubernetes//kubernetes-router.mdx)
+#### [Reverse Proxy Router Pod](/deployments/40-router/60-kubernetes.mdx)
-The router's built-in tunneler can reverse-proxy cluster services for Ziti clients. This is accomplished by creating the router with tunneler mode enabled, and then installing the router Helm chart with the tunneler mode set to `host` (the default). For more information, see [the router](/guides/deployments/30-kubernetes//kubernetes-router.mdx) page.
+The router's built-in tunneler can reverse-proxy cluster services for Ziti clients. This is accomplished by creating the router with tunneler mode enabled, and then installing the router Helm chart with the tunneler mode set to `host` (the default). For more information, see [the router](/deployments/40-router/60-kubernetes.mdx) page.
#### [NGINX Proxy Module](/reference/tunnelers/90-nginx.mdx)
diff --git a/docusaurus/docs/reference/tunnelers/90-nginx.mdx b/docusaurus/docs/reference/tunnelers/90-nginx.mdx
index b757b50cf..17ad23c55 100644
--- a/docusaurus/docs/reference/tunnelers/90-nginx.mdx
+++ b/docusaurus/docs/reference/tunnelers/90-nginx.mdx
@@ -30,8 +30,7 @@ We'll run the module in Kubernetes as an example, but the module works anywhere
## Create a Network
- [Local quickstart](/docs/category/network)
-- [Linux](/docs/category/linux)
-- [Docker](/docs/category/docker)
+- [Deployments](/deployments/20-controller/index.mdx)
---
diff --git a/docusaurus/docusaurus.config.ts b/docusaurus/docusaurus.config.ts
index 340c5cdb5..a27f444ea 100644
--- a/docusaurus/docusaurus.config.ts
+++ b/docusaurus/docusaurus.config.ts
@@ -60,44 +60,9 @@ const config: Config = {
'@docusaurus/plugin-client-redirects',
{
createRedirects: path => {
- if ( path.startsWith("/docs/guides/topologies/gateway/") ) {
- return [path.replace("/docs/guides/topologies/gateway/","/docs/guides/local-gateway/")];
- }
- if ( path.startsWith("/docs/guides/deployments/kubernetes/") ) {
- return [path.replace("/docs/guides/deployments/kubernetes/","/docs/guides/kubernetes/hosting/")];
- }
- if ( path.startsWith("/docs/reference/tunnelers/kubernetes/") ) {
- return [path.replace("/docs/reference/tunnelers/kubernetes/","/docs/guides/kubernetes/workload-tunneling/")];
- }
- if ( path.startsWith("/docs/guides/deployments/") ) {
- return [
- path.replace("/docs/guides/deployments/","/docs/reference/deployments/"),
- ];
- }
- if ( path.startsWith("/docs/reference/developer/api/") ) { // for each existing page
- return [
- path.replace("/docs/reference/developer/api/","/api/"), // return a "from" redirect for each old path
- path.replace("/docs/reference/developer/api/","/api/rest/"),
- path.replace("/docs/reference/developer/api/","/api/rest/edge-apis/")
- ];
- }
- if ( path.startsWith("/docs/learn/quickstarts/") ) {
- return [path.replace("/docs/learn/quickstarts/","/docs/quickstarts/")];
- }
- if ( path.startsWith("/docs/learn/core-concepts/zero-trust-models/") ) {
- return [
- path.replace("/docs/learn/core-concepts/zero-trust-models/","/docs/deployment-architecture/"),
- path.replace("/docs/learn/core-concepts/zero-trust-models/","/docs/core-concepts/zero-trust-models/")
- ];
- }
- if ( path.startsWith("/docs/learn/core-concepts/") ) {
- return [path.replace("/docs/learn/core-concepts/","/docs/core-concepts/")];
- }
- if ( path.startsWith("/docs/learn/introduction/") ) {
- return [path.replace("/docs/learn/introduction/","/docs/introduction/")];
- }
return undefined;
},
+<<<<<<< HEAD:docusaurus/docusaurus.config.ts
redirects: [
{
to: '/docs/category/deployments',
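Review bot: The added line `<<<<<<< HEAD:docusaurus/docusaurus.config.ts` is an unresolved merge-conflict marker, and the following hunk (`@@ -245,6 +210,10 @@`) adds the matching `=======` and `>>>>>>> 2eaaf480 …` lines plus a second `redirects: [],` / `},` pair, so docusaurus.config.ts will not parse as committed. Resolve the conflict by keeping one side and deleting the three marker lines. The side to keep is presumably the existing `redirects: [ … ] satisfies ClientRedirectsOptions` block, since the other side names the old `docusaurus.config.js`. Separately, this hunk removes every `createRedirects` rule, so old URLs under `/docs/guides/deployments/` and `/docs/learn/` stop redirecting unless the static `redirects` list covers them. The config object starts and ends outside the hunk.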
@@ -245,6 +210,10 @@ const config: Config = {
}
],
} satisfies ClientRedirectsOptions,
+=======
+ redirects: [],
+ },
+>>>>>>> 2eaaf480 (start organizing deployment docs):docusaurus/docusaurus.config.js
],
],
presets: [
diff --git a/docusaurus/sidebar-policies.ts b/docusaurus/sidebar-policies.ts
index 509173dd9..e98a10f5d 100644
--- a/docusaurus/sidebar-policies.ts
+++ b/docusaurus/sidebar-policies.ts
@@ -5,4 +5,4 @@ module.exports = {
dirName: '.',
},
],
-};
\ No newline at end of file
+};
diff --git a/docusaurus/sidebars.js b/docusaurus/sidebars.js
new file mode 100644
index 000000000..9ec66c17f
--- /dev/null
+++ b/docusaurus/sidebars.js
@@ -0,0 +1,56 @@
+/**
+ * Creating a sidebar enables you to:
+ - create an ordered group of docs
+ - render a sidebar for each doc of that group
+ - provide next/previous navigation
+
+ The sidebars can be generated from the filesystem, or explicitly defined here.
+
+ Create as many sidebars as you want.
+ */
+
+// @ts-check
+
+/** @type {import('@docusaurus/plugin-content-docs').SidebarsConfig} */
+const sidebars = {
+ docsSidebar: [
+ {
+ type: 'html',
+ value: '', // The HTML to be rendered
+ className: 'sidebar-title'
+ },
+ {
+ type: 'autogenerated',
+ dirName: 'deployments',
+ },
+ {
+ type: 'html',
+ value: '', // The HTML to be rendered
+ className: 'sidebar-title'
+ },
+ {
+ type: 'autogenerated',
+ dirName: 'learn',
+ },
+ {
+ type: 'html',
+ value: '', // The HTML to be rendered
+ className: 'sidebar-title'
+ },
+ {
+ type: 'autogenerated',
+ dirName: 'guides',
+ },
+ {
+ type: 'html',
+ value: '', // The HTML to be rendered
+ className: 'sidebar-title'
+ },
+ {
+ type: 'autogenerated',
+ dirName: 'reference',
+ },
+ ],
+};
+
+module.exports = sidebars;
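Review bot: All four `type: 'html'` items in `docsSidebar` carry `value: ''`, so as shown they render empty `sidebar-title` elements and no section headings appear. Either supply the heading markup as a static literal or drop the items. Docusaurus inserts an `html` item's `value` into the page as raw markup, so these strings should stay fixed literals and never be built from doc content. The file is added as `sidebars.js` beside a TypeScript config, so it is worth confirming that the config's `sidebarPath` points here; otherwise this is dead configuration.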
diff --git a/gendoc.sh b/gendoc.sh
index 52134e9d8..33b80a4f5 100755
--- a/gendoc.sh
+++ b/gendoc.sh
@@ -85,7 +85,10 @@ if [[ "${SKIP_GIT}" == no ]]; then
if [[ "${SKIP_CLEAN}" == no ]]; then
rm -rf "${ZITI_DOC_GIT_LOC}"/ziti-*
fi
- git config --global --add safe.directory "$PWD"
+ # Only add to safe.directory if not already present
+ if ! git config --global --get-all safe.directory | grep -q "$(pwd)"; then
+ git config --global --add safe.directory "$(pwd)"
+ fi
clone_or_pull "https://github.com/openziti/ziti" "ziti-cmd" >/dev/null
clone_or_pull "https://github.com/openziti/ziti-sdk-csharp" "ziti-sdk-csharp" >/dev/null
clone_or_pull "https://github.com/openziti/ziti-sdk-c" "ziti-sdk-c" >/dev/null
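Review bot: The presence check `grep -q "$(pwd)"` treats the path as an unanchored regular expression, so it can succeed when the current directory is not actually listed. An existing entry that merely contains the path (a subdirectory, or a sibling with a longer name) matches, as does any entry where a `.` in the path stands in for another character, and the `--add` is then skipped. Match the whole line literally instead: `if ! git config --global --get-all safe.directory | grep -qxF -- "$(pwd)"; then`. Since `safe.directory` turns off git's ownership check for that path and `--global` keeps it in the user's config after the script ends, a short comment saying why the build needs it would help. The enclosing `if [[ "${SKIP_GIT}" == no ]]` block continues outside the hunk.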