gravitational · ptgott · Apr 19, 2023 · Feb 17, 2023 · Apr 5, 2023 · Apr 6, 2023
diff --git a/docs/config.json b/docs/config.json
@@ -461,13 +461,38 @@
       	  "slug": "/management/introduction/"
 	},
         {
-          "title": "Admin Guides",
-          "slug": "/management/admin/",
+          "title": "Joining Teleport Services",
+          "slug": "/management/join-services-to-your-cluster/",
           "entries": [
             {
-              "title": "Adding Nodes",
-              "slug": "/management/admin/adding-nodes/"
+              "title": "Via AWS EC2",
+              "slug": "/management/join-services-to-your-cluster/aws-ec2/",
+              "forScopes": ["oss", "enterprise"]
+            },
+            {
+              "title": "Via AWS IAM",
+              "slug": "/management/join-services-to-your-cluster/aws-iam/"
+            },
+            {
+              "title": "Via Azure",
+              "slug": "/management/join-services-to-your-cluster/azure/"
+            },            
+            {
+              "title": "Joining Services via Kubernetes ServiceAccount",
+              "slug": "/management/join-services-to-your-cluster/kubernetes/",
+              "forScopes": ["oss", "enterprise"]
             },
+
+            {
+              "title": "Via a Join Token",
+              "slug": "/management/join-services-to-your-cluster/join-token/"
+            }
+          ]
+        },
+        {
+          "title": "Admin Guides",
+          "slug": "/management/admin/",
+          "entries": [
             {
               "title": "Trusted Clusters",
               "slug": "/management/admin/trustedclusters/"
@@ -567,24 +592,6 @@
               "title": "EC2 Tags",
               "slug": "/management/guides/ec2-tags/"
             },
-            {
-              "title": "Joining Nodes via AWS IAM",
-              "slug": "/management/guides/joining-nodes-aws-iam/"
-            },
-            {
-              "title": "Joining Nodes via AWS EC2",
-              "slug": "/management/guides/joining-nodes-aws-ec2/",
-              "forScopes": ["oss", "enterprise"]
-            },
-            {
-              "title": "Joining Nodes via Azure",
-              "slug": "/management/guides/joining-nodes-azure/"
-            },
-            {
-              "title": "Joining Services via Kubernetes ServiceAccount",
-              "slug": "/management/guides/joining-services-kubernetes-serviceaccount/",
-              "forScopes": ["oss", "enterprise"]
-            },
             {
               "title": "Using Teleport's CA with GitHub",
               "slug": "/management/guides/ssh-key-extensions/"
@@ -1695,7 +1702,7 @@
     },
     {
       "source": "/setup/guides/joining-nodes-aws/",
-      "destination": "/management/guides/joining-nodes-aws-iam/",
+      "destination": "/management/join-services-to-your-cluster/aws-iam/",
       "permanent": true
     },
     {
@@ -2045,7 +2052,7 @@
     },
     {
       "source": "/setup/admin/adding-nodes/",
-      "destination": "/management/admin/adding-nodes/",
+      "destination": "/management/join-services-to-your-cluster/join-token/",
       "permanent": true
     },
     {
@@ -2100,12 +2107,12 @@
     },
     {
       "source": "/setup/guides/joining-nodes-aws-ec2/",
-      "destination": "/management/guides/joining-nodes-aws-ec2/",
+      "destination": "/management/join-services-to-your-cluster/aws-ec2/",
       "permanent": true
     },
     {
       "source": "/setup/guides/joining-nodes-aws-iam/",
-      "destination": "/management/guides/joining-nodes-aws-iam/",
+      "destination": "/management/join-services-to-your-cluster/aws-iam/",
       "permanent": true
     },
     {
@@ -2442,6 +2449,31 @@
       "source": "/contributing/",
       "destination": "/contributing/documentation/",
       "permanent": true
+    },
+    {
+      "source": "/management/guides/joining-nodes-aws-ec2/",
+      "destination": "/management/join-services-to-your-cluster/aws-ec2/",
+      "permanent": true
+    },
+    {
+      "source": "/management/guides/joining-nodes-aws-iam/",
+      "destination": "/management/join-services-to-your-cluster/aws-iam/",
+      "permanent": true
+    },
+    {
+      "source": "/management/admin/adding-nodes/",
+      "destination": "/management/join-services-to-your-cluster/join-token/",
+      "permanent": true
+    },
+    {
+      "source": "/management/guides/joining-nodes-azure/",
+      "destination": "/management/join-services-to-your-cluster/azure/",
+      "permanent": true
+    },
+    {
+      "source": "/management/guides/joining-services-kubernetes-serviceaccount/",
+      "destination": "/management/join-services-to-your-cluster/kubernetes/",
+      "permanent": true
     }
   ]
 }
diff --git a/docs/pages/access-controls/compliance-frameworks/soc2.mdx b/docs/pages/access-controls/compliance-frameworks/soc2.mdx
@@ -56,7 +56,7 @@ Each principle has many “Points of Focus” which will apply differently to di
 | CC6.1 - Manages Points of Access | Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. | [Label Nodes to inventory and create rules](../../management/admin/labels.mdx) <br/><br/> [Create Labels from AWS Tags](../../management/guides/ec2-tags.mdx) <br/><br/>Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. |
 | CC6.1 - Restricts Access to Information Assets | Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. | [Teleport uses Certificates to grant access and create access control rules](../../core-concepts.mdx) | 
 | CC6.1 - Manages Identification and Authentication | Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. | Teleport makes setting policies for SSH requirements easy since it works in the cloud and on premise with the same authentication security standards. | 
-| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | [Invite nodes to your cluster with short lived tokens](../../management/admin/adding-nodes.mdx) | 
+| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | [Invite nodes to your cluster with short lived tokens](../../management/join-services-to-your-cluster/join-token.mdx) | 
 | CC6.1 - Uses Encryption to Protect Data | The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. | Teleport Audit logs can use DynamoDB encryption at rest. | 
 | CC6.1 - Protects Encryption Keys | Processes are in place to protect encryption keys during generation, storage, use, and destruction. | Teleport acts as a Certificate Authority to issue SSH and x509 user certificates that are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically  | 
 | CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system&#39;s asset owner or authorized custodian. | [Request Approval from the command line](../../reference/cli.mdx#tctl-request-approve) <br/><br/> [Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx) <br/><br/> [Use Plugins to send approvals to tools like Slack or Jira](../../access-controls/access-requests.mdx) |

diff --git a/docs/pages/architecture/authentication.mdx b/docs/pages/architecture/authentication.mdx
@@ -143,7 +143,7 @@ services and rotates SSH and X.509 certificates.
 
 Teleport internal services - Auth, Proxy and Nodes use certificates to identify themselves
 within a cluster. To join proxies and nodes to the cluster and receive certificates, admins should use
-[short-lived tokens or cloud identity services](../management/admin/adding-nodes.mdx).
+[short-lived tokens or cloud identity services](../management/join-services-to-your-cluster/join-token.mdx).
 
 Unlike users and services, internal services receive long-lived certificates.
 

diff --git a/docs/pages/choose-an-edition/teleport-cloud/faq.mdx b/docs/pages/choose-an-edition/teleport-cloud/faq.mdx
@@ -48,8 +48,8 @@ See our documentation on [data retention](./architecture.mdx#data-retention).
 
 ## How do I add Nodes to Teleport Enterprise Cloud?
 
-You can connect servers, Kubernetes clusters, databases and applications
-using [reverse tunnels](../../management/admin/adding-nodes.mdx).
+You can connect servers, Kubernetes clusters, databases and applications using
+[reverse tunnels](../../management/join-services-to-your-cluster.mdx).
 
 There is no need to open any ports on your infrastructure for inbound traffic.
 
@@ -122,7 +122,7 @@ $ tctl tokens add --type=node
 ## Are dynamic node tokens available?
 
 After [connecting](#how-can-i-access-the-tctl-admin-tool) `tctl` to Teleport Enterprise Cloud, users can generate
-[dynamic tokens](../../management/admin/adding-nodes.mdx):
+[dynamic tokens](../../management/join-services-to-your-cluster/join-token.mdx):
 
 ```code
 $ tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid)

diff --git a/docs/pages/database-access/guides/aws-dynamodb.mdx b/docs/pages/database-access/guides/aws-dynamodb.mdx
@@ -159,8 +159,9 @@ many instances, consider alternative methods for joining new EC2 instances runni
 Teleport:
 
 - [Configure Teleport to Automatically Enroll EC2 instances (Preview)](../../server-access/guides/ec2-discovery.mdx)
-- [Joining Nodes via AWS IAM Role](../../management/guides/joining-nodes-aws-iam.mdx)
-- [Joining Nodes via AWS EC2 Identity Document](../../management/guides/joining-nodes-aws-ec2.mdx)
+- [Joining Nodes via AWS IAM
+  Role](../../management/join-services-to-your-cluster/aws-iam.mdx)
+- [Joining Nodes via AWS EC2 Identity Document](../../management/join-services-to-your-cluster/aws-ec2.mdx)
 
 </Details>
 

diff --git a/docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx b/docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx
@@ -730,7 +730,8 @@ To add new nodes/EC2 servers that you can "SSH into" you'll need to:
 - [Install the Teleport binary on the Server](../../installation.mdx)
 - [Run Teleport - we recommend using systemd](../../management/admin/daemon.mdx)
 - [Set the correct settings in /etc/teleport.yaml](../../reference/config.mdx)
-- [Add Nodes to the Teleport cluster](../../management/admin/adding-nodes.mdx)
+- [Add Nodes to the Teleport
+  cluster](../../management/join-services-to-your-cluster.mdx)
 
 ### Getting the CA pin hash
 
@@ -752,7 +753,7 @@ $ aws ssm get-parameter --region ${TF_VAR_region} --name "/teleport/${TF_VAR_clu
 # 992a9725-0a64-428d-8e5e-308e6877743d
 ```
 
-You can also generate a Node join token using `tctl tokens add --type=node` [as detailed here in our admin guide](../../management/admin/adding-nodes.mdx).
+You can also generate a Node join token using `tctl tokens add --type=node` [as detailed here in our admin guide](../../management/join-services-to-your-cluster/join-token.mdx).
 
 ### Joining Nodes via the Teleport Auth Service
 
@@ -773,7 +774,7 @@ auth_server: example-cluster-auth-c5b0fc2764ee015b.elb.us-east-1.amazonaws.com:3
 ### Joining Nodes via Teleport IoT/Node tunneling
 
 To join Teleport Nodes from outside the same VPC, you will either need to investigate VPC peering/gateways (out of scope
-for this document) or join your nodes using [Teleport's node tunneling](../../management/admin/adding-nodes.mdx) functionality.
+for this document) or join your nodes using [Teleport's node tunneling](../../management/join-services-to-your-cluster/join-token.mdx) functionality.
 
 With this method, you can join the nodes using the public facing proxy address - `teleport.example.com:443` for our
 example.

diff --git a/docs/pages/faq.mdx b/docs/pages/faq.mdx
@@ -53,7 +53,8 @@ behind-firewall clusters refer to our
 Yes. When running a Teleport agent, use the `--auth-server` flag to point to the
 Proxy Service address (this would be `public_addr` and `web_listen_addr` in your
 file configuration). For more information, see
-[Adding Nodes to the Cluster](./management/admin/adding-nodes.mdx).
+[Adding Nodes to the
+Cluster](./management/join-services-to-your-cluster/join-token.mdx).
 
 ## Can Nodes use a single port for reverse tunnels?
 

diff --git a/docs/pages/management/admin.mdx b/docs/pages/management/admin.mdx
@@ -21,8 +21,6 @@ environment without configuring TLS certificates.
 
 ## Manage users and resources
 
-- [GitHub SSO](../access-controls/sso/github-sso.mdx): Set up single sign-on with GitHub.
-- [Adding Nodes](./admin/adding-nodes.mdx): Add Nodes to your Teleport cluster.
 - [Trusted Clusters](./admin/trustedclusters.mdx): Connect multiple Teleport clusters using Trusted Clusters.
 - [Labels](./admin/labels.mdx): Manage resource metadata with labels.
 - [Local Users](./admin/users.mdx): Manage local user accounts.