Move cfg entry docs to under connect from agent (#9533)

Since all config entries are currently related to service mesh it's a
much more natural place to look for them under Service Mesh than under
Agent.

website/_redirects

@@ -118,8 +118,16 @@
 /downloads_tools                                     /docs/download-tools                              301!
 /docs/k8s/ambassador                                 /docs/k8s/connect/ambassador                      301!
 /docs/k8s/installation/overview                      /docs/k8s/installation/install                    301!
-/docs/k8s/installation/muti-cluster/overview         /docs/k8s/installation/multi-cluster                    301!
+/docs/k8s/installation/multi-cluster/overview        /docs/k8s/installation/multi-cluster              301!
 /docs/partnerships                                   /docs/integrate/partnerships                      301!
+/docs/agent/config-entries/ingress-gateway           /docs/connect/config-entries/ingress-gateway      301!
+/docs/agent/config-entries/proxy-defaults            /docs/connect/config-entries/proxy-defaults       301!
+/docs/agent/config-entries/service-defaults          /docs/connect/config-entries/service-defaults     301!
+/docs/agent/config-entries/service-intentions        /docs/connect/config-entries/service-intentions   301!
+/docs/agent/config-entries/service-resolver          /docs/connect/config-entries/service-resolver     301!
+/docs/agent/config-entries/service-router            /docs/connect/config-entries/service-router       301!
+/docs/agent/config-entries/service-splitter          /docs/connect/config-entries/service-splitter     301!
+/docs/agent/config-entries/terminating-gateway       /docs/connect/config-entries/terminating-gateway  301!
 
 # CLI redirects
 /docs/commands                                       /commands                                         301!

website/content/api-docs/connect/intentions.mdx

@@ -14,7 +14,7 @@ The `/connect/intentions` endpoint provide tools for managing
 
 -> **1.9.0 and later:** Reading and writing intentions has been
 migrated to the
-[`service-intentions`](/docs/agent/config-entries/service-intentions)
+[`service-intentions`](/docs/connect/config-entries/service-intentions)
 config entry kind.
 
 ## Upsert Intention by Name ((#upsert-intention-by-name))
@@ -87,7 +87,7 @@ The table below shows this endpoint's support for
   the `Permissions` field.
 
 - `Permissions` `(array<IntentionPermission>)` - The list of all [additional L7
-  attributes](/docs/agent/config-entries/service-intentions#intentionpermission)
+  attributes](/docs/connect/config-entries/service-intentions#intentionpermission)
   that extend the intention match criteria.
 
   Permission precedence is applied top to bottom. For any given request the
@@ -131,7 +131,7 @@ true
 
 -> **Deprecated** - This endpoint is deprecated in Consul 1.9.0 in favor of
 [upserting by name](#upsert-intention-by-name) or editing the
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entry for the destination.
 
 This endpoint creates a new intention and returns its ID if it was created
@@ -234,7 +234,7 @@ $ curl \
 
 -> **Deprecated** - This endpoint is deprecated in Consul 1.9.0 in favor of
 [upserting by name](#upsert-intention-by-name) or editing the
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entry for the destination.
 
 This endpoint updates an intention with the given values.
@@ -363,7 +363,7 @@ $ curl \
 
 -> **Deprecated** - This endpoint is deprecated in Consul 1.9.0 in favor of
 [reading by name](#read-specific-intention-by-name) or by viewing the
-[`service-intentions`](/docs/agent/config-entries/service-intentions)
+[`service-intentions`](/docs/connect/config-entries/service-intentions)
 config entry for the destination.
 
 This endpoint reads a specific intention.
@@ -570,7 +570,7 @@ $ curl \
 
 -> **Deprecated** - This endpoint is deprecated in Consul 1.9.0 in favor of
 [deleting by name](#delete-intention-by-name) or editing the
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entry for the destination.
 
 This endpoint deletes a specific intention.

website/content/api-docs/discovery-chain.mdx

@@ -65,7 +65,7 @@ The table below shows this endpoint's support for
 ### POST Body Parameters
 
 - `OverrideConnectTimeout` `(duration: 0s)` - Overrides the final [connect
-  timeout](/docs/agent/config-entries/service-resolver#connecttimeout) for
+  timeout](/docs/connect/config-entries/service-resolver#connecttimeout) for
   any service resolved in the compiled chain.
 
   This value comes from the `connect_timeout_ms` key in an [upstream
@@ -75,7 +75,7 @@ The table below shows this endpoint's support for
   parameter.
 
 - `OverrideProtocol` `(string: "")` - Overrides the final
-  [protocol](/docs/agent/config-entries/service-defaults#protocol) used in
+  [protocol](/docs/connect/config-entries/service-defaults#protocol) used in
   the compiled discovery chain.
 
   If the chain ordinarily would be TCP and an L7 protocol is passed here the

website/content/commands/intention/create.mdx

@@ -9,7 +9,7 @@ sidebar_title: create
 -> **Deprecated** - This command is deprecated in Consul 1.9.0 in favor of
 using the [config entry CLI command](/commands/config/write). To create an
 intention, create or modify a
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entry for the destination.
 
 Command: `consul intention create`

website/content/commands/intention/delete.mdx

@@ -12,7 +12,7 @@ The `intention delete` command deletes a matching intention.
 
 -> **Deprecated** - The one argument form of this command is deprecated in
 Consul 1.9.0. Intentions no longer need IDs when represented as
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entries.
 
 ## Usage

website/content/commands/intention/get.mdx

@@ -12,7 +12,7 @@ The `intention get` command shows a single intention.
 
 -> **Deprecated** - The one argument form of this command is deprecated in
 Consul 1.9.0. Intentions no longer need IDs when represented as
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entries.
 
 ## Usage

website/content/commands/intention/index.mdx

@@ -14,7 +14,7 @@ creating, updating, reading, deleting, checking, and managing intentions.
 This command is available in Consul 1.2 and later.
 
 Intentions are managed primarily via
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entries after Consul 1.9. Intentions may also be managed via the [HTTP
 API](/api/connect/intentions).
 

website/content/docs/agent/config-entries.mdx

@@ -1,6 +1,6 @@
 ---
 layout: docs
-page_title: Configuration Entry Definitions
+page_title: Configuration Entries
 sidebar_title: Configuration Entries
 description: >-
   Consul allows storing configuration entries centrally to be used as defaults
@@ -38,46 +38,10 @@ metadata:
   name: <name of entry>
 ```
 
-The supported `Kind`/`kind` names for configuration entries are:
+## Supported Config Entries
 
-- [`ingress-gateway`](/docs/agent/config-entries/ingress-gateway) - defines the
+See [Service Mesh - Config Entries](/docs/connect/config-entries) for the list
-  configuration for an ingress gateway
+of supported config entries.
-
-  - Kubernetes kind: [`IngressGateway`](/docs/agent/config-entries/ingress-gateway)
-
-- [`proxy-defaults`](/docs/agent/config-entries/proxy-defaults) - controls
-  proxy configuration
-
-  - Kubernetes kind: [`ProxyDefaults`](/docs/agent/config-entries/proxy-defaults)
-
-- [`service-defaults`](/docs/agent/config-entries/service-defaults) - configures
-  defaults for all the instances of a given service
-
-  - Kubernetes kind: [`ServiceDefaults`](/docs/agent/config-entries/service-defaults)
-
-- [`service-intentions`](/docs/agent/config-entries/service-intentions) - defines
-  the [intentions](/docs/connect/intentions) for a destination service
-
-  - Kubernetes kind: [`ServiceIntentions`](/docs/agent/config-entries/service-intentions)
-
-- [`service-resolver`](/docs/agent/config-entries/service-resolver) - matches
-  service instances with a specific Connect upstream discovery requests
-
-  - Kubernetes kind: [`ServiceResolver`](/docs/agent/config-entries/service-resolver)
-
-- [`service-router`](/docs/agent/config-entries/service-router) - defines
-  where to send layer 7 traffic based on the HTTP route
-
-  - Kubernetes kind: [`ServiceRouter`](/docs/agent/config-entries/service-router)
-
-- [`service-splitter`](/docs/agent/config-entries/service-splitter) - defines
-  how to divide requests for a single HTTP route based on percentages
-
-  - Kubernetes kind: [`ServiceSplitter`](/docs/agent/config-entries/service-splitter)
-
-- [`terminating-gateway`](/docs/agent/config-entries/terminating-gateway) - defines the
-  services associated with terminating gateway
-  - Kubernetes kind: [`TerminatingGateway`](/docs/agent/config-entries/terminating-gateway)
 
 ## Managing Configuration Entries In Kubernetes
 
@@ -194,13 +158,3 @@ server gains leadership, it will attempt to initialize the configuration entries
 If a configuration entry does not already exist outside of the servers
 configuration, then it will create it. If a configuration entry does exist, that
 matches both `kind` and `name`, then the server will do nothing.
-
-## Using Configuration Entries For Service Defaults
-
-Outside of Kubernetes, when the agent is
-[configured](/docs/agent/options#enable_central_service_config) to enable
-central service configurations, it will look for service configuration defaults
-that match a registering service instance. If it finds any, the agent will merge
-those defaults with the service instance configuration. This allows for things
-like service protocol or proxy configuration to be defined globally and
-inherited by any affected service registrations.

website/content/docs/connect/config-entries/index.mdx

@@ -0,0 +1,52 @@
+---
+layout: docs
+page_title: Configuration Entry Definitions
+sidebar_title: Configuration Entries
+description: >-
+  Consul allows storing configuration entries centrally to be used as defaults
+  for configuring other aspects of Consul.
+---
+
+# Configuration Entries
+
+Configuration entries can be used to configure the behavior of Consul Connect.
+
+The following configuration entries are supported:
+
+- [Ingress Gateway](/docs/connect/config-entries/ingress-gateway) - defines the
+  configuration for an ingress gateway
+
+- [Proxy Defaults](/docs/connect/config-entries/proxy-defaults) - controls
+  proxy configuration
+
+- [Service Defaults](/docs/connect/config-entries/service-defaults) - configures
+  defaults for all the instances of a given service
+
+- [Service Intentions](/docs/connect/config-entries/service-intentions) - defines
+  the [intentions](/docs/connect/intentions) for a destination service
+
+- [Service Resolver](/docs/connect/config-entries/service-resolver) - matches
+  service instances with a specific Connect upstream discovery requests
+
+- [Service Router](/docs/connect/config-entries/service-router) - defines
+  where to send layer 7 traffic based on the HTTP route
+
+- [Service Splitter](/docs/connect/config-entries/service-splitter) - defines
+  how to divide requests for a single HTTP route based on percentages
+
+- [Terminating Gateway](/docs/connect/config-entries/terminating-gateway) - defines the
+  services associated with terminating gateway
+
+## Managing Configuration Entries
+
+See [Agent - Config Entries](/docs/agent/config-entries).
+
+## Using Configuration Entries For Service Defaults
+
+Outside of Kubernetes, when the agent is
+[configured](/docs/agent/options#enable_central_service_config) to enable
+central service configurations, it will look for service configuration defaults
+that match a registering service instance. If it finds any, the agent will merge
+those defaults with the service instance configuration. This allows for things
+like service protocol or proxy configuration to be defined globally and
+inherited by any affected service registrations.

website/content/docs/connect/config-entries/ingress-gateway.mdx

@@ -35,7 +35,7 @@ A wildcard specifier provides the following properties for an ingress
 gateway:
 
 - All services with the same
-  [protocol](/docs/agent/config-entries/ingress-gateway#protocol) as the
+  [protocol](/docs/connect/config-entries/ingress-gateway#protocol) as the
   listener will be routable.
 - The ingress gateway will route traffic based on the host/authority header,
   expecting a value matching `<service-name>.ingress.*`, or if using namespaces,

website/content/docs/connect/config-entries/service-defaults.mdx

@@ -104,10 +104,10 @@ spec:
       type: `string: "tcp"`,
       description: `Sets the protocol of the service. This is used
                       by Connect proxies for things like observability features and to unlock usage
-                      of the [\`service-splitter\`](/docs/agent/config-entries/service-splitter) and
+                      of the [\`service-splitter\`](/docs/connect/config-entries/service-splitter) and
-                      [\`service-router\`](/docs/agent/config-entries/service-router) config entries
+                      [\`service-router\`](/docs/connect/config-entries/service-router) config entries
                       for a service. It also unlocks the ability to define L7 intentions via
-                      [\`service-intentions\`](/docs/agent/config-entries/service-intentions).
+                      [\`service-intentions\`](/docs/connect/config-entries/service-intentions).
                       Supported values are one of \`tcp\`, \`http\`, \`http2\`, or \`grpc\`.`,
     },
     {

website/content/docs/connect/config-entries/service-intentions.mdx

@@ -30,8 +30,8 @@ global setting) by defining a low precedence intention for that destination.
 
 L7 intentions within a config entry are restricted to only destination services
 that define their protocol as HTTP-based via a corresponding
-[`service-defaults`](/docs/agent/config-entries/service-defaults) config entry
+[`service-defaults`](/docs/connect/config-entries/service-defaults) config entry
-or globally via [`proxy-defaults`](/docs/agent/config-entries/proxy-defaults) .
+or globally via [`proxy-defaults`](/docs/connect/config-entries/proxy-defaults) .
 
 ## Sample Config Entries
 

website/content/docs/connect/config-entries/service-router.mdx

@@ -26,16 +26,16 @@ service of the same name.
 
 - Service router config entries are restricted to only services that define
   their protocol as HTTP-based via a corresponding
-  [`service-defaults`](/docs/agent/config-entries/service-defaults) config
+  [`service-defaults`](/docs/connect/config-entries/service-defaults) config
   entry or globally via
-  [`proxy-defaults`](/docs/agent/config-entries/proxy-defaults) .
+  [`proxy-defaults`](/docs/connect/config-entries/proxy-defaults) .
 
 - Any route destination that omits the `ServiceSubset` field is eligible for
   splitting via a
-  [`service-splitter`](/docs/agent/config-entries/service-splitter) should
+  [`service-splitter`](/docs/connect/config-entries/service-splitter) should
   one be configured for that service, otherwise resolution proceeds according
   to any configured
-  [`service-resolver`](/docs/agent/config-entries/service-resolver).
+  [`service-resolver`](/docs/connect/config-entries/service-resolver).
 
 ## Sample Config Entries
 

website/content/docs/connect/config-entries/service-splitter.mdx

@@ -30,15 +30,15 @@ resolution stage.
 
 - Service splitter config entries are restricted to only services that define
   their protocol as http-based via a corresponding
-  [`service-defaults`](/docs/agent/config-entries/service-defaults) config
+  [`service-defaults`](/docs/connect/config-entries/service-defaults) config
   entry or globally via
-  [`proxy-defaults`](/docs/agent/config-entries/proxy-defaults) .
+  [`proxy-defaults`](/docs/connect/config-entries/proxy-defaults) .
 
 - Any split destination that specifies a different `Service` field and omits
   the `ServiceSubset` field is eligible for further splitting should a splitter
   be configured for that other service, otherwise resolution proceeds according
   to any configured
-  [`service-resolver`](/docs/agent/config-entries/service-resolver).
+  [`service-resolver`](/docs/connect/config-entries/service-resolver).
 
 ## Sample Config Entries
 

website/content/docs/connect/config-entries/terminating-gateway.mdx

@@ -25,10 +25,10 @@ See [Terminating Gateway](/docs/connect/terminating-gateway) for more informatio
 
 ## TLS Origination
 
-By specifying a path to a [CA file](/docs/agent/config-entries/terminating-gateway#cafile) connections
+By specifying a path to a [CA file](/docs/connect/config-entries/terminating-gateway#cafile) connections
 from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a
-[client certificate](/docs/agent/config-entries/terminating-gateway#certfile)
+[client certificate](/docs/connect/config-entries/terminating-gateway#certfile)
-and [private key](/docs/agent/config-entries/terminating-gateway#keyfile) are also specified connections
+and [private key](/docs/connect/config-entries/terminating-gateway#keyfile) are also specified connections
 from the terminating gateway will be encrypted using mutual TLS authentication.
 
 If none of these are provided, Consul will **only** encrypt connections to the gateway and not

website/content/docs/connect/gateways/ingress-gateway.mdx

@@ -18,22 +18,22 @@ a type of proxy and must be registered as a service in Consul, with the
 [kind](/api/agent/service#kind) set to "ingress-gateway". They are an
 entrypoint for outside traffic and allow you to define what services should be
 exposed and on what port. You configure an ingress gateway by defining a set of
-[listeners](/docs/agent/config-entries/ingress-gateway#listeners) that each map
+[listeners](/docs/connect/config-entries/ingress-gateway#listeners) that each map
 to a set of backing
-[services](/docs/agent/config-entries/ingress-gateway#services).
+[services](/docs/connect/config-entries/ingress-gateway#services).
 
 To enable easier service discovery, a new Consul [DNS
 subdomain](/docs/discovery/dns#ingress-service-lookups) is provided, on
 `<service>.ingress.<domain>`.
 
 For listeners with a
-[protocol](/docs/agent/config-entries/ingress-gateway#protocol) other than
+[protocol](/docs/connect/config-entries/ingress-gateway#protocol) other than
 `tcp`, multiple services can be specified for a single listener. In this
 case, the ingress gateway relies on host/authority headers to decide the
 service that should receive the traffic. The host used to match traffic
 defaults to the [Consul DNS ingress
 subdomain](/docs/discovery/dns#ingress-service-lookups), but can be changed using
-the [hosts](/docs/agent/config-entries/ingress-gateway#hosts) field.
+the [hosts](/docs/connect/config-entries/ingress-gateway#hosts) field.
 
 ![Ingress Gateway Architecture](/img/ingress-gateways.png)
 

website/content/docs/connect/gateways/terminating-gateway.mdx

@@ -33,10 +33,10 @@ hold certificates to decrypt Consul Connect traffic directed at them and may be
 to linked services. Connections over the WAN or open internet should flow through [mesh gateways](/docs/connect/mesh-gateway)
 whenever possible since they are not capable of decrypting traffic or connecting directly to services.
 
-By specifying a path to a [CA file](/docs/agent/config-entries/terminating-gateway#cafile) connections
+By specifying a path to a [CA file](/docs/connect/config-entries/terminating-gateway#cafile) connections
 from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a
-[client certificate](/docs/agent/config-entries/terminating-gateway#certfile)
+[client certificate](/docs/connect/config-entries/terminating-gateway#certfile)
-and [private key](/docs/agent/config-entries/terminating-gateway#keyfile) are also specified connections
+and [private key](/docs/connect/config-entries/terminating-gateway#keyfile) are also specified connections
 from the terminating gateway will be encrypted using mutual TLS authentication.
 
 If none of these are provided, Consul will **only** encrypt connections to the gateway and not
@@ -98,7 +98,7 @@ If the Consul client agent on the gateway's node is not configured to use the de
 must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
 
 Linking services to a terminating gateway is done with a `terminating-gateway`
-[configuration entry](/docs/agent/config-entries/terminating-gateway). This config entry can be applied via the
+[configuration entry](/docs/connect/config-entries/terminating-gateway). This config entry can be applied via the
 [CLI](/commands/config/write) or [API](/api/config#apply-configuration).
 
 Gateways with the same name in Consul's service catalog are configured with a single configuration entry.

website/content/docs/connect/intentions.mdx

@@ -35,7 +35,7 @@ intentions to control Connect traffic authorization either at networking layer
 
 - **Application-aware** - Some intentions may additionally enforce access based
   on [L7 request
-  attributes](/docs/agent/config-entries/service-intentions#permissions) in
+  attributes](/docs/connect/config-entries/service-intentions#permissions) in
   addition to connection identity. These may only be defined for services with
   a [protocol] that is HTTP-based. These can also be thought of as **L7
   intentions**.
@@ -59,16 +59,16 @@ denied by default.
 ## Intention Basics
 
 Intentions are managed primarily via
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entries or the UI. Some simpler tasks can also be achieved with the older
 [API](/api-docs/connect/intentions) or [CLI](/commands/intention). Please see
 the respective documentation for each for full details on options, flags, etc.
 
 Below is an example of a basic
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entry representing two simple intentions. The full data model complete with
 more examples can be found in the
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entry documentation.
 
 ```hcl
@@ -160,7 +160,7 @@ top to bottom, with larger numbers being evaluated first.
 | `*`              | `*`         | `*`                   | `*`              | 1          |
 
 The precedence value can be read from a
-[field](/docs/agent/config-entries/service-intentions#precedence) on the
+[field](/docs/connect/config-entries/service-intentions#precedence) on the
 `service-intentions` config entry after it is modified. Precedence cannot be
 manually overridden today.
 
@@ -240,6 +240,6 @@ connection authorization continues to work indefinitely. Changes to intentions
 will not be picked up until the partition heals, but will then automatically
 take effect when connectivity is restored.
 
-[protocol]: /docs/agent/config-entries/service-defaults#protocol
+[protocol]: /docs/connect/config-entries/service-defaults#protocol
 [proxies]: /docs/connect/proxies
 [envoy]: /docs/connect/proxies/envoy

website/content/docs/connect/l7-traffic/discovery-chain.mdx

@@ -32,34 +32,34 @@ The configuration entries used in the discovery chain are designed to be simple
 to read and modify for narrowly tailored changes, but at discovery-time the
 various configuration entries interact in more complex ways. For example:
 
-- If a [`service-resolver`](/docs/agent/config-entries/service-resolver)
+- If a [`service-resolver`](/docs/connect/config-entries/service-resolver)
   is created with a [service
-  redirect](/docs/agent/config-entries/service-resolver#service) defined,
+  redirect](/docs/connect/config-entries/service-resolver#service) defined,
   then all references made to the original service in any other configuration
   entry is replaced with the redirect destination.
 
-- If a [`service-resolver`](/docs/agent/config-entries/service-resolver)
+- If a [`service-resolver`](/docs/connect/config-entries/service-resolver)
   is created with a [default
-  subset](/docs/agent/config-entries/service-resolver#defaultsubset)
+  subset](/docs/connect/config-entries/service-resolver#defaultsubset)
   defined then all references made to the original service in any other
   configuration entry that did not specify a subset will be replaced with the
   default.
 
-- If a [`service-splitter`](/docs/agent/config-entries/service-splitter)
+- If a [`service-splitter`](/docs/connect/config-entries/service-splitter)
   is created with a [service
-  split](/docs/agent/config-entries/service-splitter#splits), and the target service has its
+  split](/docs/connect/config-entries/service-splitter#splits), and the target service has its
   own `service-splitter` then the overall effect is flattened and only a single
   aggregate traffic split is ultimately configured in the proxy.
 
-- [`service-resolver`](/docs/agent/config-entries/service-resolver)
+- [`service-resolver`](/docs/connect/config-entries/service-resolver)
   redirect loops must be rejected as invalid.
 
-- [`service-router`](/docs/agent/config-entries/service-router) and
+- [`service-router`](/docs/connect/config-entries/service-router) and
-  [`service-splitter`](/docs/agent/config-entries/service-splitter)
+  [`service-splitter`](/docs/connect/config-entries/service-splitter)
   configuration entries require an L7 compatible protocol be set for the
   service via either a
-  [`service-defaults`](/docs/agent/config-entries/service-defaults) or
+  [`service-defaults`](/docs/connect/config-entries/service-defaults) or
-  [`proxy-defaults`](/docs/agent/config-entries/proxy-defaults) config
+  [`proxy-defaults`](/docs/connect/config-entries/proxy-defaults) config
   entry. Violations must be rejected as invalid.
 
 - If an [upstream
@@ -153,7 +153,7 @@ A single node in the compiled discovery chain.
 
   - `Definition` `(ServiceRoute)` - Relevant portion of underlying
     `service-router`
-    [route](/docs/agent/config-entries/service-router#routes).
+    [route](/docs/connect/config-entries/service-router#routes).
 
   - `NextNode` `(string)` - The name of the next node in the chain in [`Nodes`](#nodes).
 
@@ -161,7 +161,7 @@ A single node in the compiled discovery chain.
   splits.
 
   - `Weight` `(float32)` - Copy of underlying `service-splitter`
-    [`weight`](/docs/agent/config-entries/service-splitter#weight) field.
+    [`weight`](/docs/connect/config-entries/service-splitter#weight) field.
 
   - `NextNode` `(string)` - The name of the next node in the chain in [`Nodes`](#nodes).
 
@@ -172,21 +172,21 @@ A single node in the compiled discovery chain.
     defined for this node and the default was synthesized.
 
   - `ConnectTimeout` `(duration)` - Copy of the underlying `service-resolver`
-    [`ConnectTimeout`](/docs/agent/config-entries/service-resolver#connecttimeout)
+    [`ConnectTimeout`](/docs/connect/config-entries/service-resolver#connecttimeout)
     field. If one is not defined the default of `5s` is returned.
 
   - `Target` `(string)` - The name of the target to use found in [`Targets`](#targets).
 
   - `Failover` `(DiscoveryFailover: <optional>)` - Compiled form of the
     underlying `service-resolver`
-    [`Failover`](/docs/agent/config-entries/service-resolver#failover)
+    [`Failover`](/docs/connect/config-entries/service-resolver#failover)
     definition to use for this request.
 
     - `Targets` `(array<string>)` - List of targets found in
       [`Targets`](#targets) to failover to in order of preference.
 
   - `LoadBalancer` `(LoadBalancer: <optional>`) - Copy of the underlying `service-resolver`
-    [`LoadBalancer`](/docs/agent/config-entries/service-resolver#loadbalancer) field.
+    [`LoadBalancer`](/docs/connect/config-entries/service-resolver#loadbalancer) field.
 
     If a `service-splitter` splits between services with differing `LoadBalancer` configuration
     the first hash-based load balancing policy is copied.
@@ -198,7 +198,7 @@ A single node in the compiled discovery chain.
 - `Service` `(string)` - The service to query when resolving a list of service instances.
 
 - `ServiceSubset` `(string: <optional>)` - The
-  [subset](/docs/agent/config-entries/service-resolver#service-subsets) of
+  [subset](/docs/connect/config-entries/service-resolver#service-subsets) of
   the service to resolve.
 
 - `Namespace` `(string)` - The namespace to use when resolving a list of service instances.
@@ -207,7 +207,7 @@ A single node in the compiled discovery chain.
 
 - `Subset` `(ServiceResolverSubset)` - Copy of the underlying
   `service-resolver`
-  [`Subsets`](/docs/agent/config-entries/service-resolver#subsets)
+  [`Subsets`](/docs/connect/config-entries/service-resolver#subsets)
   definition for this target.
 
   - `Filter` `(string: "")` - The
@@ -236,4 +236,4 @@ A single node in the compiled discovery chain.
 - `Name` `(string)` - The unique name for this target for use when generating
   load balancer objects. This has a structure similar to [SNI](#sni), but will
   not be affected by SNI customizations such as
-  [`ExternalSNI`](/docs/agent/config-entries/service-defaults#externalsni).
+  [`ExternalSNI`](/docs/connect/config-entries/service-defaults#externalsni).

website/content/docs/connect/l7-traffic/index.mdx

@@ -13,7 +13,7 @@ description: >-
 
 Layer 7 traffic management allows operators to divide L7 traffic between
 different
-[subsets](/docs/agent/config-entries/service-resolver#service-subsets) of
+[subsets](/docs/connect/config-entries/service-resolver#service-subsets) of
 service instances when using Connect.
 
 There are many ways you may wish to carve up a single datacenter's pool of
@@ -42,7 +42,7 @@ entry is missing, that stage will fall back on reasonable default behavior.
 
 ### Routing
 
-A [`service-router`](/docs/agent/config-entries/service-router) config
+A [`service-router`](/docs/connect/config-entries/service-router) config
 entry kind is the first configurable stage.
 
 A router config entry allows for a user to intercept traffic using L7 criteria
@@ -52,12 +52,12 @@ traffic to a different service or service subset.
 These config entries may only reference `service-splitter` or
 `service-resolver` entries.
 
-[Examples](/docs/agent/config-entries/service-router#sample-config-entries)
+[Examples](/docs/connect/config-entries/service-router#sample-config-entries)
 can be found in the `service-router` documentation.
 
 ### Splitting
 
-A [`service-splitter`](/docs/agent/config-entries/service-splitter) config
+A [`service-splitter`](/docs/connect/config-entries/service-splitter) config
 entry kind is the next stage after routing.
 
 A splitter config entry allows for a user to choose to split incoming requests
@@ -77,12 +77,12 @@ union. For instance:
     ---------------------
     splitter[effective_B]: A_v1=25%, A_v2=25%, B=50%
 
-[Examples](/docs/agent/config-entries/service-splitter#sample-config-entries)
+[Examples](/docs/connect/config-entries/service-splitter#sample-config-entries)
 can be found in the `service-splitter` documentation.
 
 ### Resolution
 
-A [`service-resolver`](/docs/agent/config-entries/service-resolver) config
+A [`service-resolver`](/docs/connect/config-entries/service-resolver) config
 entry kind is the last stage.
 
 A resolver config entry allows for a user to define which instances of a
@@ -114,7 +114,7 @@ not intended to be a drop-in replacement currently.
 
 These config entries may only reference other `service-resolver` entries.
 
-[Examples](/docs/agent/config-entries/service-resolver#sample-config-entries)
+[Examples](/docs/connect/config-entries/service-resolver#sample-config-entries)
 can be found in the `service-resolver` documentation.
 
 -> **Note:** `service-resolver` config entries kinds function at L4 (unlike

website/content/docs/connect/observability/index.mdx

@@ -46,7 +46,7 @@ Find other possible metrics syncs in the [Connect Envoy documentation](/docs/con
 
 ### Service Protocol
 
-You can specify the [service protocol](/docs/agent/config-entries/service-defaults#protocol)
+You can specify the [service protocol](/docs/connect/config-entries/service-defaults#protocol)
 in the `service-defaults` configuration entry. You can override it in the
 [service registration](/docs/agent/services). By default, proxies only give
 you L4 metrics. This protocol allows proxies to handle requests at the right L7

website/content/docs/connect/proxies/envoy.mdx

@@ -115,7 +115,7 @@ the ability to control some parts of the bootstrap config via proxy
 configuration options.
 
 Users can add the following configuration items to the [global `proxy-defaults`
-configuration entry](/docs/agent/config-entries/proxy-defaults) or override them directly in the `proxy.config` field
+configuration entry](/docs/connect/config-entries/proxy-defaults) or override them directly in the `proxy.config` field
 of a [proxy service
 definition](/docs/connect/registration/service-registration) or
 [`sidecar_service`](/docs/connect/registration/sidecar-service) block.
@@ -124,7 +124,7 @@ definition](/docs/connect/registration/service-registration) or
   StatsD listener that Envoy should deliver metrics to. For example, this may be
   `udp://127.0.0.1:8125` if every host has a local StatsD listener. In this case
   users can configure this property once in the [global `proxy-defaults`
-  configuration entry](/docs/agent/config-entries/proxy-defaults) for convenience. Currently, TCP is not supported.
+  configuration entry](/docs/connect/config-entries/proxy-defaults) for convenience. Currently, TCP is not supported.
 
   ~> **Note:** currently the url **must use an ip address** not a dns name due
   to the way Envoy is setup for StatsD.
@@ -135,7 +135,7 @@ definition](/docs/connect/registration/service-registration) or
   pod in a Kubernetes cluster to learn of a pod-specific IP address for StatsD
   when the Envoy instance is bootstrapped while still allowing global
   configuration of all proxies to use StatsD in the [global `proxy-defaults`
-  configuration entry](/docs/agent/config-entries/proxy-defaults). The env variable must contain a full valid URL
+  configuration entry](/docs/connect/config-entries/proxy-defaults). The env variable must contain a full valid URL
   value as specified above and nothing else. It is not currently possible to use
   environment variables as only part of the URL.
 
@@ -179,7 +179,7 @@ to configure appropriate proxy settings for that service's proxies and also for
 the upstream listeners of any downstream service.
 
 One example is how users can define a service's protocol in a [`service-defaults` configuration
-entry](/docs/agent/config-entries/service-defaults). Agents with
+entry](/docs/connect/config-entries/service-defaults). Agents with
 [`enable_central_service_config`](/docs/agent/options#enable_central_service_config)
 set to true will automatically discover the protocol when configuring a proxy
 for a service. The proxy will discover the main protocol of the service it
@@ -200,7 +200,7 @@ To learn about other options that can be configured centrally see the
 These fields may also be overridden explicitly in the [proxy service
 definition](/docs/connect/registration/service-registration), or defined in
 the [global `proxy-defaults` configuration
-entry](/docs/agent/config-entries/proxy-defaults) to act as
+entry](/docs/connect/config-entries/proxy-defaults) to act as
 defaults that are inherited by all services.
 
 - `protocol` - The protocol the service speaks. Connect's Envoy integration
@@ -227,9 +227,9 @@ defaults that are inherited by all services.
     metrics with `gRPC-status` trailer codes.
 
     ~> **Note:** The protocol of a service should ideally be configured via the
-    [`protocol`](/docs/agent/config-entries/service-defaults#protocol)
+    [`protocol`](/docs/connect/config-entries/service-defaults#protocol)
     field of a
-    [`service-defaults`](/docs/agent/config-entries/service-defaults)
+    [`service-defaults`](/docs/connect/config-entries/service-defaults)
     config entry for the service. Configuring it in a
     proxy config will not fully enable some [L7
     features](/docs/connect/l7-traffic-management).
@@ -256,9 +256,9 @@ definition](/docs/connect/registration/service-registration) or
   the upstream.
 
   ~> **Note:** The protocol of a service should ideally be configured via the
-  [`protocol`](/docs/agent/config-entries/service-defaults#protocol)
+  [`protocol`](/docs/connect/config-entries/service-defaults#protocol)
   field of a
-  [`service-defaults`](/docs/agent/config-entries/service-defaults)
+  [`service-defaults`](/docs/connect/config-entries/service-defaults)
   config entry for the upstream destination service. Configuring it in a
   proxy upstream config will not fully enable some [L7
   features](/docs/connect/l7-traffic-management).
@@ -270,9 +270,9 @@ definition](/docs/connect/registration/service-registration) or
 
   ~> **Note:** The connection timeout for a service should ideally be
   configured via the
-  [`connect_timeout`](/docs/agent/config-entries/service-resolver#connecttimeout)
+  [`connect_timeout`](/docs/connect/config-entries/service-resolver#connecttimeout)
   field of a
-  [`service-resolver`](/docs/agent/config-entries/service-resolver)
+  [`service-resolver`](/docs/connect/config-entries/service-resolver)
   config entry for the upstream destination service. Configuring it in a
   proxy upstream config will override any values defined in config entries.
   It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
@@ -307,7 +307,7 @@ definition](/docs/connect/registration/service-registration) or
 These fields may also be overridden explicitly in the [proxy service
 definition](/docs/connect/registration/service-registration), or defined in
 the [global `proxy-defaults` configuration
-entry](/docs/agent/config-entries/proxy-defaults) to act as
+entry](/docs/connect/config-entries/proxy-defaults) to act as
 defaults that are inherited by all services.
 
 Prior to 1.8.0 these settings were specific to Mesh Gateways. The deprecated
@@ -317,7 +317,7 @@ will continue to be supported.
 - `connect_timeout_ms` - The number of milliseconds to allow when making upstream
   connections before timing out. Defaults to 5000 (5 seconds). If the upstream
   service has the configuration option
-  [`connect_timeout_ms`](/docs/agent/config-entries/service-resolver#connecttimeout)
+  [`connect_timeout_ms`](/docs/connect/config-entries/service-resolver#connecttimeout)
   set for the `service-resolver`, that timeout value will take precedence over
   this gateway option.
 
@@ -430,7 +430,7 @@ EOF
 
 Users may add the following configuration items to the [global `proxy-defaults`
 configuration
-entry](/docs/agent/config-entries/proxy-defaults) or
+entry](/docs/connect/config-entries/proxy-defaults) or
 override them directly in the `proxy.config` field of a [proxy service
 definition](/docs/connect/registration/service-registration) or
 [`sidecar_service`](/docs/connect/registration/sidecar-service) block.
@@ -466,7 +466,7 @@ definition](/docs/connect/registration/service-registration) or
 
 Users may add the following configuration items to the [global `proxy-defaults`
 configuration
-entry](/docs/agent/config-entries/proxy-defaults) or
+entry](/docs/connect/config-entries/proxy-defaults) or
 override them directly in the `proxy.config` field of a [proxy service
 definition](/docs/connect/registration/service-registration) or
 [`sidecar_service`](/docs/connect/registration/sidecar-service) block.
@@ -504,9 +504,9 @@ definition](/docs/connect/registration/service-registration) or
 [`sidecar_service`](/docs/connect/registration/sidecar-service) block.
 
 ~> **Note:** - When a
-[`service-router`](/docs/agent/config-entries/service-router),
+[`service-router`](/docs/connect/config-entries/service-router),
-[`service-splitter`](/docs/agent/config-entries/service-splitter), or
+[`service-splitter`](/docs/connect/config-entries/service-splitter), or
-[`service-resolver`](/docs/agent/config-entries/service-resolver) config
+[`service-resolver`](/docs/connect/config-entries/service-resolver) config
 entry exists for a service the below escape hatches are ignored and will log a
 warning.
 
@@ -525,6 +525,6 @@ warning.
   customization of timeouts, circuit breaking, rate limits, load balancing
   strategy etc.
 
-[protocol]: /docs/agent/config-entries/service-defaults#protocol
+[protocol]: /docs/connect/config-entries/service-defaults#protocol
 [intentions]: /docs/connect/intentions
 [intentions]: /docs/connect/intentions

website/content/docs/connect/proxies/integrate.mdx

@@ -203,7 +203,7 @@ populate endpoints in memory will need to poll the endpoint at a suitable and
 ideally configurable frequency.
 
 -> **Note:** Long-term the [`service-resolver` config
-entries](/docs/agent/config-entries/service-resolver) are intended to replace
+entries](/docs/connect/config-entries/service-resolver) are intended to replace
 Prepared Queries in Consul entirely, but for now these are still used in some
 configurations.
 
@@ -240,4 +240,4 @@ ID for the name specified in `-sidecar-for`.
 [`consul/connect/tls.go`]: https://github.com/hashicorp/consul/blob/v1.8.3/connect/tls.go#L232-L237
 [discovery chain]: /docs/connect/l7-traffic/discovery-chain
 [`usecache`]: https://github.com/hashicorp/consul/blob/v1.8.3/api/api.go#L99-L102
-[protocol]: /docs/agent/config-entries/service-defaults#protocol
+[protocol]: /docs/connect/config-entries/service-defaults#protocol

website/content/docs/guides/connect-gateways.mdx

@@ -234,7 +234,7 @@ $ consul connect envoy -mesh-gateway -register \
 ### Configure Sidecar Proxies to use Gateways
 
 Next, create a [centralized
-configuration](/docs/agent/config-entries/proxy-defaults)
+configuration](/docs/connect/config-entries/proxy-defaults)
 file for all the sidecar proxies in both datacenters called
 `proxy-defaults.json`. This file will instruct the sidecar proxies to send all
 their inter-datacenter traffic through the gateways. It should contain the

website/content/docs/guides/consul-splitting.mdx

@@ -183,7 +183,7 @@ $ consul config write l7_config/api_service_defaults.json
 ```
 
 Find more information on `service-defaults` configuration entries in the
-[documentation](/docs/agent/config-entries/service-defaults).
+[documentation](/docs/connect/config-entries/service-defaults).
 
 -> **Automation Tip:** To automate interactions with configuration entries, use
 the HTTP API endpoint [`http://localhost:8500/v1/config`](/api/config).
@@ -232,7 +232,7 @@ $ consul config write l7_config/api_service_resolver.json
 ```
 
 Find more information about service resolvers in the
-[documentation](/docs/agent/config-entries/service-resolver).
+[documentation](/docs/connect/config-entries/service-resolver).
 
 ### Configure Service Splitting - 100% of traffic to Version 1
 

website/content/docs/k8s/connect/terminating-gateways.mdx

@@ -170,7 +170,7 @@ Policies:
 
 ### Create the configuration entry for the terminating gateway
 
-Once the tokens have been updated, create the [TerminatingGateway](/docs/agent/config-entries/terminating-gateway)
+Once the tokens have been updated, create the [TerminatingGateway](/docs/connect/config-entries/terminating-gateway)
 resource to configure the terminating gateway:
 
 ```hcl

website/content/docs/k8s/crds/index.mdx

@@ -18,14 +18,14 @@ cluster-wide defaults for the service mesh.
 
 We currently support the follow configuration entry kinds:
 
-- [`ProxyDefaults`](/docs/agent/config-entries/proxy-defaults)
+- [`ProxyDefaults`](/docs/connect/config-entries/proxy-defaults)
-- [`ServiceDefaults`](/docs/agent/config-entries/service-defaults)
+- [`ServiceDefaults`](/docs/connect/config-entries/service-defaults)
-- [`ServiceSplitter`](/docs/agent/config-entries/service-splitter)
+- [`ServiceSplitter`](/docs/connect/config-entries/service-splitter)
-- [`ServiceRouter`](/docs/agent/config-entries/service-router)
+- [`ServiceRouter`](/docs/connect/config-entries/service-router)
-- [`ServiceResolver`](/docs/agent/config-entries/service-resolver)
+- [`ServiceResolver`](/docs/connect/config-entries/service-resolver)
-- [`ServiceIntentions`](/docs/agent/config-entries/service-intentions) (requires Consul >= 1.9.0)
+- [`ServiceIntentions`](/docs/connect/config-entries/service-intentions) (requires Consul >= 1.9.0)
-- [`IngressGateway`](/docs/agent/config-entries/ingress-gateway)
+- [`IngressGateway`](/docs/connect/config-entries/ingress-gateway)
-- [`TerminatingGateway`](/docs/agent/config-entries/terminating-gateway)
+- [`TerminatingGateway`](/docs/connect/config-entries/terminating-gateway)
 
 ## Installation
 

website/content/docs/upgrading/upgrade-specific.mdx

@@ -45,7 +45,7 @@ namespace with a query parameter of `?ns=*`.
 
 Upgrading to Consul 1.9.0 will trigger a one-time background migration of
 [intentions](/docs/connect/intentions) into an equivalent set of
-[`service-intentions`](/docs/agent/config-entries/service-intentions) config
+[`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entries. This process will wait until all of the Consul servers in the primary
 datacenter are running Consul 1.9.0+.
 
@@ -73,22 +73,22 @@ re-created via the old endpoints. Fields that are being removed or changing
 behavior:
 
 - `Intention.ID` after migration is stored in the
-  [`LegacyID`](/docs/agent/config-entries/service-intentions#legacyid) field.
+  [`LegacyID`](/docs/connect/config-entries/service-intentions#legacyid) field.
   After transitioning this field is cleared.
 
 - `Intention.CreatedAt` after migration is stored in the
-  [`LegacyCreateTime`](/docs/agent/config-entries/service-intentions#legacycreatetime)
+  [`LegacyCreateTime`](/docs/connect/config-entries/service-intentions#legacycreatetime)
   field. After transitioning this field is cleared.
 
 - `Intention.UpdatedAt` after migration is stored in the
-  [`LegacyUpdateTime`](/docs/agent/config-entries/service-intentions#legacyupdatetime)
+  [`LegacyUpdateTime`](/docs/connect/config-entries/service-intentions#legacyupdatetime)
   field. After transitioning this field is cleared.
 
 - `Intention.Meta` after migration is stored in the
-  [`LegacyMeta`](/docs/agent/config-entries/service-intentions#legacymeta)
+  [`LegacyMeta`](/docs/connect/config-entries/service-intentions#legacymeta)
   field. To complete the transition, this field **must be cleared manually**
   and the metadata moved up to the enclosing config entry's
-  [`Meta`](/docs/agent/config-entries/service-intentions#meta) field. This is
+  [`Meta`](/docs/connect/config-entries/service-intentions#meta) field. This is
   not done automatically since it is potentially a lossy operation.
 
 ## Consul 1.8.0

website/data/docs-navigation.js

@@ -56,6 +56,19 @@ export default [
     content: [
       'connect-internals',
       'configuration',
+      {
+        category: 'config-entries',
+        content: [
+          'ingress-gateway',
+          'proxy-defaults',
+          'service-defaults',
+          'service-intentions',
+          'service-resolver',
+          'service-router',
+          'service-splitter',
+          'terminating-gateway',
+        ],
+      },
       {
         category: 'proxies',
         content: ['envoy', 'built-in', 'integrate'],
@@ -207,23 +220,7 @@ export default [
   },
   {
     category: 'agent',
-    content: [
+    content: ['options', 'config-entries', 'telemetry'],
-      'options',
-      {
-        category: 'config-entries',
-        content: [
-          'ingress-gateway',
-          'proxy-defaults',
-          'service-defaults',
-          'service-intentions',
-          'service-resolver',
-          'service-router',
-          'service-splitter',
-          'terminating-gateway',
-        ],
-      },
-      'telemetry',
-    ],
   },
   {
     category: 'security',
@@ -241,10 +238,7 @@ export default [
       'encryption',
       {
         category: 'security-models',
-        content: [
+        content: ['core', 'nia'],
-          'core',
-          'nia',
-        ],
       },
     ],
   },