Merge remote-tracking branch 'origin' into bdd/2024-reorg-andconsolidate

Author: desimone

content/docs/deploy/k8s/reference.md

@@ -107,6 +107,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
             </td>
         </tr>
 
+        <tr>
+            <td>
+                <p>
+                <code>codecType</code>&#160;&#160;
+                
+                    <strong>string</strong>&#160;
+                
+                </p>
+                <p>
+                    
+                    CodecType sets the <a href="https://www.pomerium.com/docs/reference/codec-type">Codec Type</a>.
+                </p>
+                
+            </td>
+        </tr>
+    
         <tr>
             <td>
                 <p>

content/docs/internals/connection.mdx

@@ -10,21 +10,25 @@ import LongLivedConnections from '@site/content/docs/admonitions/_long-lived-con
 
 # Connection Lifecycle
 
-Pomerium enables proxying of HTTP and TCP connections, uniformly applying [access policies](/docs/capabilities/authorization) across these connections.
+Pomerium enables proxying of HTTP, TCP, and UDP traffic, uniformly applying [access policies](/docs/capabilities/authorization) across the routed traffic.
 
 The primary focus of this document is the management of transport layer connections in Pomerium, particularly HTTP requests.
 
-## HTTP and TCP connection lifecyle
+## HTTP connection lifecyle
 
-### 1. **Downstream connection and TLS termination**
+TCP and UDP traffic is tunneled over HTTP, so let's focus on the HTTP connection lifecycle.
 
-A client, usually a web browser, initiates a connection to Pomerium.
+### 1. **Downstream connection and TLS termination**
 
-- This connection can be HTTP/1.1 or HTTP/2.
+- A client, usually a web browser, [Pomerium CLI](/docs/clients/pomerium-cli), or [Pomerium Desktop App](/docs/clients/pomerium-desktop), initiates a connection to Pomerium. This connection can be HTTP/1.1, HTTP/2, or HTTP/3.
 
 :::tip **Note**
 
-Pomerium currently does not support QUIC or HTTP/3 transports. Most modern browsers default to HTTP/2 connections for significant performance benefits. In rare circumstances, you may need to force HTTP/1.1 using the [`codec_type`](/docs/reference/codec-type) parameter.
+HTTP/2 and HTTP/1.1 are allowed by default, with most modern browsers defaulting to HTTP/2.
+
+HTTP/3 can be enabled by setting the [`codec_type`](/docs/reference/codec-type) parameter. This is recommended when proxying UDP traffic.
+
+In rare circumstances, you may need to force HTTP/1.1 using the [`codec_type`](/docs/reference/codec-type) parameter.
 
 :::
 
@@ -34,7 +38,7 @@ Pomerium currently does not support QUIC or HTTP/3 transports. Most modern brows
 
 ### 2. **Request initiation**
 
-After the transport layer connection is established, the downstream client sends an HTTP request. The proxy parses this request, matches it against the configuration, and determines the upstream service to which the request should be forwarded.
+After TLS handshakes are complete, the downstream client sends an HTTP request. The proxy parses this request, matches it against the configured routes, and determines the upstream service to which the request should be forwarded.
 
 ### 3. **Request authorization**
 

content/docs/reference/codec-type.mdx

@@ -45,7 +45,17 @@ CODEC_TYPE=http2
 </TabItem>
 <TabItem value="Kubernetes" label="Kubernetes">
 
-Kubernetes does not support `codec_type`.
+| **[Parameter name](/docs/k8s/reference#spec)** | **Type** | **Usage** | **Default** |
+| :-- | :-- | :-- | :-- |
+| `codecType` | `string` | **optional** | `auto` |
+
+### Examples
+
+```yaml
+codecType: http2
+```
+
+See [Kubernetes - Global Configuration](/docs/k8s/configure) for more information.
 
 </TabItem>
 </Tabs>

content/docs/reference/reference.json

@@ -701,6 +701,13 @@
     "services": [],
     "type": "slice of string"
   },
+  "jwt-groups-filter": {
+    "id": "jwt-groups-filter",
+    "title": "JWT Groups Filter",
+    "description": "If set, filters the set of group memberships in the Pomerium JWT and Impersonate-Group headers to this subset of groups (based on an exact string match).",
+    "services": [],
+    "type": "array of string"
+  },
   "override-certificate-name": {
     "id": "override-certificate-name",
     "title": "Override Certificate Name",

cspell.json

@@ -184,6 +184,7 @@
     "yubico",
     "yubikey",
     "zenefits",
+    "zipkin",
     "webui",
     "OLLAMA",
     "zonefile",