Upgrade notes for 1.6 (#7275)

* Upgrade notes for 1.6

* Updates

* Update content/en/news/releases/1.6.x/index.md

Co-authored-by: John Howard <howardjohn@google.com>

* Updated to fix linter issues

* Addressed comments

* Move upgrade notes to proper location

* fix links

* Updates to make linter happy

* Remove spaces

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Thanks.

Co-authored-by: Lin Sun <linsun@us.ibm.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Brian Avery <bavery@redhat.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

* Added 23718

* Removed space

* Make linter happy

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: jacob-delgado <38300436+jacob-delgado@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: jacob-delgado <38300436+jacob-delgado@users.noreply.github.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Apply suggestions from code review

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Apply suggestions from code review

Co-authored-by: Rigs Caballero <grca@google.com>

* Apply suggestions from code review

Co-authored-by: Rigs Caballero <grca@google.com>

* Cleaned up wording

* Make linter happy

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

* Make linter happy

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Address comments

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Update content/en/news/releases/1.6.x/announcing-1.6.x/upgrade-notes/index.md

Co-authored-by: Rigs Caballero <grca@google.com>

* Code review comments

* Squashing of release note changes

Highly unedited version of the release notes for 1.6

Update content/en/news/releases/1.6.x/announcing-1.6/index.md

Co-authored-by: John Howard <howardjohn@google.com>

Update content/en/news/releases/1.6.x/announcing-1.6/index.md

Co-authored-by: John Howard <howardjohn@google.com>

Update content/en/news/releases/1.6.x/announcing-1.6/index.md

Co-authored-by: John Howard <howardjohn@google.com>

Move to appropriate directory; add hyperlinks from google doc

Lint issue

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Douglas Reid <douglas-reid@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Douglas Reid <douglas-reid@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Douglas Reid <douglas-reid@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Douglas Reid <douglas-reid@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Douglas Reid <douglas-reid@users.noreply.github.com>

Add recommended bulleted items from Doug

Reorder based on Louis' suggestion

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Douglas Reid <douglas-reid@users.noreply.github.com>

Update formatting

Review comments

Linting issues

Put upgrades as a separate item; mention in-place upgrades

Add periods to all lines

Add links to issues resolved

Review comments

Change back to 1.5 release note structure

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Martin Ostrowski <mostrowski@google.com>

Fix linting issue

Remove TODO statement for networking apis

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Lin Sun <linsun@us.ibm.com>

Fix wording; fix lint

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Lin Sun <linsun@us.ibm.com>

WASM is uppercased

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Neeraj Poddar <nrjpoddar@gmail.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Preview profile clarity

clarify gw port change

Clarify gateway ports

Review comments

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Oliver Liu <yonggangl@google.com>

Fix misspelling

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Oliver Liu <yonggangl@google.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Oliver Liu <yonggangl@google.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>

Update content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

* First draft of an announcement post for Istio 1.6

* fixing lint errors

* Taking Shriram's advice...

* addressing sdake & frankbu's comments

* Addressing howardjohn's comment

* Addressing smawson and brian-avery's comments

* Addressing craigbox. I have a lint error related to a change notes file that doesn't exist yet...

* Addressing craigbox, sven and Frank's comments

* Better link for Kubernetes APIs

* Move upgrade notes

* Fix linter errors

* Updated weight

* Clarified that changes were require

* Updated as per conversation

Co-authored-by: John Howard <howardjohn@google.com>
Co-authored-by: Lin Sun <linsun@us.ibm.com>
Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>
Co-authored-by: jacob-delgado <38300436+jacob-delgado@users.noreply.github.com>
Co-authored-by: Rigs Caballero <grca@google.com>
Co-authored-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
Co-authored-by: oaktowner <ciruli@gmail.com>

content/en/news/releases/1.6.x/_index.md

@@ -0,0 +1,8 @@
+---
+title: 1.6.x Releases
+description: Announcements for the 1.6 release and its associated patch releases.
+weight: 23
+list_by_publishdate: true
+layout: release-grid
+decoration: dot
+---

content/en/news/releases/1.6.x/announcing-1.6/_index.md

@@ -0,0 +1,114 @@
+---
+title: Announcing Istio 1.6
+linktitle: 1.6
+subtitle: Major Update
+description: Istio 1.6 release announcement.
+publishdate: 2020-05-21
+release: 1.6.0
+skip_list: true
+aliases:
+    - /news/announcing-1.6.0
+    - /news/announcing-1.6
+---
+
+We are pleased to announce the release of Istio 1.6!
+
+{{< relnote >}}
+
+With this release, we continue the path we charted earlier this year in
+our [roadmap post](/blog/2020/tradewinds-2020/), sailing toward more
+simplicity, a better installation experience, and we have added other goodies as
+well.
+
+Here’s some of what’s coming to you in today's release:
+
+## Simplify, simplify, simplify
+
+Last release, we introduced **Istiod**, a new module that reduced the number of
+components in an Istio installation by combining the functionality of several
+services. In Istio 1.6, we have completed this transition and have fully
+moved functionality into Istiod. This has allowed us to remove the separate
+deployments for Citadel, the sidecar injector, and Galley.
+
+Great news! We've got a simplified experience for developers who are taking
+advantage of a new alpha feature in Kubernetes. If you
+use the new `appProtocol` field  (which is Alpha in 1.18) in the Kubernetes
+[`EndpointPort`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#endpointport-v1beta1-discovery-k8s-io)
+or
+[`ServicePort`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#serviceport-v1-core)
+API, you will no longer need to append the name field
+in your `Service` to denote the protocol.
+
+## Better lifecycle
+
+We continue to make installing and upgrading Istio a better experience. Our
+command line tool `istioctl` gives better diagnostic information, has a simpler
+install command, and even gives status in color!
+
+Upgrading Istio has been improved as well, in several powerful ways. First, we
+now support canarying of the Istio control plane itself. That means you can
+install a new version of the control plane alongside the existing version and
+selectively have proxies use the new one. Check out this
+[blog post](/blog/2020/multiple-control-planes/) for more details on that.
+
+We also have an `istioctl upgrade` command that will perform an in-place
+upgrade in your clusters (still giving you the control over updating the proxies
+themselves).
+
+Check out the [documentation](/docs/setup/upgrade/) for all of the details on
+the new upgrade experience.
+
+## Observe this
+
+Many companies adopt Istio solely to get better observability of distributed
+applications, so we continue to invest there. There are too many changes to list
+them all here, so please see the [release notes](/news/releases/1.6.x/announcing-1.6/change-notes/)
+for the full details. Some
+highlights: you'll see more configurability, better
+ability to control your trace sampling rates, and updated Grafana dashboards
+(and we're even publishing them on [Grafana](https://grafana.com) on the
+[Istio org page](https://grafana.com/orgs/istio)).
+
+## Better Virtual Machine support
+
+Expanding our support for workloads not running in Kubernetes was one of the
+our major areas of investment for 2020, and we're excited to announce some
+great progress here.
+
+For those of you who are adding non-Kubernetes workloads to meshes (for
+example, workloads deployed on VMs), the new
+[`WorkloadEntry`](/docs/reference/config/networking/workload-entry/) resource
+makes that easier than ever. We created this API to give non-Kubernetes
+workloads first-class representation in Istio. It elevates a VM or bare metal
+workload to the same level as a Kubernetes `Pod`, instead of just an endpoint
+with an IP address. You now even have the ability to define a Service that is
+backed by both Pods and VMs. Why is that useful? Well, you now have the
+ability to have a heterogeneous mix of deployments (VMs and Pods) for the same
+service, providing a great way to migrate VM workloads to a Kubernetes
+cluster without disrupting traffic to and from it.
+
+VM-based workloads remain a high priority for us, and you can expect to see more
+in this area over the coming releases.
+
+## Networking improvements
+
+Networking is at the heart of a service mesh, so we have put in some great
+traffic management features as well. Istio has improved
+handling of secrets, which provides better support for Kubernetes Ingress.
+We are also have enabled Gateway SDS by default for a more secure experience.
+And we have added experimental support for the (also experimental)
+Kubernetes Service APIs.
+
+## Join the Istio community
+
+As always, there is a lot happening in the
+[Community Meeting](https://github.com/istio/community#community-meeting);
+join us every other Thursday at 11 AM Pacific. We'd love to have you join the
+conversation at [Istio Discuss](https://discuss.istio.io), and you can also join
+our [Slack channel](https://istio.slack.com).
+
+We were very proud to be called out as one of the top five
+[fastest growing](https://octoverse.github.com/#top-and-trending-projects)
+open source projects in all of GitHub. Want to get involved? Join one of our
+[Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md)
+and help us make Istio even better.

content/en/news/releases/1.6.x/announcing-1.6/change-notes/index.md

@@ -0,0 +1,59 @@
+---
+title: Change Notes
+description: Istio 1.6 release notes.
+weight: 10
+---
+
+## Traffic Management
+
+- ***Added*** the new [Workload Entry](/docs/reference/config/networking/workload-entry/) resource. This allows easier configuration for non-Kubernetes workloads to join the mesh.
+- ***Added*** configuration for gateway topology. This addresses providing correct [X-Forwarded-For headers](https://github.com/istio/istio/issues/7679) and X-Forwarded-Client-Cert headers based on gateway deployment topology .
+- ***Added*** experimental support for the [Kubernetes Service APIs](https://github.com/kubernetes-sigs/service-apis/).
+- ***Added*** support for using `appProtocol` to select the [protocol for a port](/docs/ops/configuration/traffic-management/protocol-selection/) introduced in Kubernetes 1.18.
+- ***Changed*** Gateway SDS to be enabled by default. File mounted gateway continues to be available to help users to transition to secure gateway SDS.
+- ***Added*** support for reading certificates from Secrets, `pathType`, and `IngressClass`, which provides better support for [Kubernetes ingress](/docs/tasks/traffic-management/ingress/kubernetes-ingress/).
+- ***Added*** a new `proxy.istio.io/config` annotation to override proxy configuration per pod.
+- ***Removed*** most configuration flags and environment variables for the proxy. These now read directly from the mesh configuration.
+- ***Changed*** the proxy readiness probe to port 15021.
+- ***Fixed*** a [bug](https://github.com/istio/istio/issues/16458), which blocked external HTTPS/TCP traffic in some cases.
+
+## Security
+
+- ***Added*** [JSON Web Token (JWT) caching](https://github.com/istio/istio/pull/22789) to the Istio-agent, which provides better Istio Agent SDS performance.
+- ***Fixed*** the Istio Agent certificate provisioning [grace period calculation](https://github.com/istio/istio/pull/22617).
+- ***Removed*** Security alpha API. Security beta API, which was introduced in Istio 1.5, is the only supported security API in Istio 1.6.
+
+## Telemetry
+
+- ***Added*** experimental support for [request classification](/docs/tasks/observability/metrics/classify-metrics/) filters. This enables operators to configure new attributes for use in telemetry, based on request information. A primary use case for this feature is labeling of traffic by API method.
+- ***Added*** an experimental [mesh-wide tracing configuration API](/docs/tasks/observability/distributed-tracing/configurability/). This API provides control of trace sampling rates, the [maximum tag lengths](https://github.com/istio/istio/issues/14563) for URL tags, and [custom tags extraction](https://github.com/istio/istio/issues/13018) for all traces within the mesh.
+- ***Added*** standard Prometheus scrape annotations to proxies and the control plane workloads, which improves the Prometheus integration experience. This removes the need for specialized configuration to discover and consume Istio metrics. More details are available in the [operations guide for Prometheus](/docs/ops/integrations/prometheus#option-2-metrics-merging/).
+- ***Added*** the ability for mesh operators to add and remove labels used in Istio metrics, based on expressions over the set of available request and response attributes. This improves Istio's support for [customizing v2 metrics generation](/docs/tasks/observability/metrics/customize-metrics/).
+- ***Updated*** default telemetry v2 configuration to avoid using host header to extract destination service name at the gateway. This prevents unbound cardinality due to an untrusted host header, and implies that destination service labels are going to be omitted for requests that hit `blackhole` and `passthrough` at the gateway.
+- ***Added*** automated publishing of Grafana dashboards to `grafana.com` as part of the Istio release process. Please see the [Istio org page](https://grafana.com/orgs/istio) for more information.
+- ***Updated*** Grafana dashboards to adapt to the new Istiod deployment model.
+
+## Installation
+
+- ***Added*** support for Istio in-place upgrades. See the [Upgrade guide](/docs/setup/upgrade/) for more information.
+- ***Removed*** the legacy Helm charts. For migration from them please see the [Upgrade guide](/docs/setup/upgrade/).
+- ***Added*** the ability for users to add a custom hostname for istiod.
+- ***Changed*** gateway readiness port used from 15020 to 15021. If you check health on your Istio `ingressgateway` from your Kubernetes network load balancer you will need to update the port.
+- ***Added*** functionality to save installation state in a `CustomResource` in the cluster.
+- ***Changed*** the Istio installation to no longer manage the installation namespace, allowing more flexibility.
+- ***Removed*** the separate Citadel, Sidecar Injector, and Galley deployments. These were disabled by default in 1.5, and all functionality has moved into Istiod.
+- ***Removed*** the legacy `istio-pilot` configurations, such as Service.
+- ***Removed*** ports 15029-15032 from the default `ingressgateway`. It is recommended to expose telemetry addons by [host routing](/docs/tasks/observability/gateways/) instead.
+- ***Removed*** built in Istio configurations from the installation, including the Gateway, `VirtualServices`, and mTLS settings.
+- ***Added*** a new profile, called `preview`, allowing users to try out new experimental features that include WASM enabled telemetry v2.
+- ***Added*** `istioctl install` command as a replacement for `istioctl manifest apply`.
+
+## istioctl
+
+- ***Added*** better display characteristics for the istioctl command.
+- ***Added*** support for key:value list selection when using --set flag paths.
+- ***Added*** support for deletes and setting non-scalar values when using the Kubernetes overlays patching mechanism.
+
+## Documentation changes
+
+- ***Added*** new and improved Istio documentation. For more information, see [Website content changes](/about/log/).

content/en/news/releases/1.6.x/announcing-1.6/upgrade-notes/index.md

@@ -0,0 +1,132 @@
+---
+title: Upgrade Notes
+description: Important changes to consider when upgrading to Istio 1.6.
+weight: 20
+---
+
+When you upgrade from Istio 1.5.x to Istio 1.6.x, you need to consider the changes on this page.
+These notes detail the changes which purposefully break backwards compatibility with Istio 1.5.x.
+The notes also mention changes which preserve backwards compatibility while introducing new behavior.
+Changes are only included if the new behavior would be unexpected to a user of Istio 1.5.x.
+
+Currently, Istio doesn't support skip-level upgrades. If you are using Istio 1.4, you must upgrade to Istio 1.5 first, and then upgrade to Istio 1.6. If you upgrade from versions earlier than Istio 1.4, you should first disable Galley's configuration validation.
+
+Update the Galley deployment using the following steps:
+
+1. To edit the Galley deployment configuration, run the following command:
+
+    {{< text bash >}}
+    $ kubectl edit deployment -n istio-system istio-galley
+    {{< /text >}}
+
+1. Add the `--enable-validation=false` option to the `command:` section as shown below:
+
+    {{< text yaml >}}
+    apiVersion: extensions/v1beta1
+    kind: Deployment
+    ...
+    spec:
+    ...
+      template:
+        ...
+        spec:
+          ...
+          containers:
+          - command:
+            ...
+            - --log_output_level=default:info
+            - --enable-validation=false
+    {{< /text >}}
+
+1. Save and quit the editor to update the deployment configuration in the cluster.
+
+Remove the `ValidatingWebhookConfiguration` Custom Resource (CR) with the following command:
+
+{{< text bash >}}
+$ kubectl delete ValidatingWebhookConfiguration istio-galley -n istio-system
+{{< /text >}}
+
+## Change the readiness port of gateways
+
+If you are using the `15020` port to check the health of your Istio ingress gateway with your Kubernetes network load balancer, change the port from `15020` to `15021`.
+
+## Removal of legacy Helm charts
+
+Istio 1.4 introduced a [new way to install Istio](/blog/2019/introducing-istio-operator/) using the in-cluster Operator or `istioctl install` command. Part of this change meant deprecating the old Helm charts in 1.5. Many new Istio features rely on the new installation method. As a result, Istio 1.6 doesn't include the old Helm installation charts.
+
+Go to the [Istio 1.5 Upgrade Notes](/news/releases/1.5.x/announcing-1.5/upgrade-notes/#control-plane-restructuring) before you continue because Istio 1.5 introduced several changes not present in the legacy installation method, such as Istiod and telemetry v2.
+
+To safely upgrade from the legacy installation method that uses Helm charts, perform a [control plane revision](/blog/2020/multiple-control-planes/). Upgrading in-place is not supported. Upgrading could result in downtime unless you perform a [canary upgrade](/docs/setup/upgrade/#canary-upgrades).
+
+## Support ended for `v1alpha1` security policy
+
+Istio 1.6 no longer supports the following security policy APIs:
+
+- [`v1alpha1` authentication policy](https://archive.istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/)
+- [`v1alpha1` RBAC policy](https://archive.istio.io/v1.4/docs/reference/config/security/istio.rbac.v1alpha1/)
+
+Starting in Istio 1.6, Istio ignores these `v1alpha1` security policy APIs.
+
+Istio 1.6 replaced the `v1alpha1` authentication policy with the following APIs:
+
+- The [`v1beta1` request authentication policy](/docs/reference/config/security/request_authentication)
+- The [`v1beta1` peer authentication policy](/docs/reference/config/security/peer_authentication)
+
+Istio 1.6 replaces the `v1alpha1` RBAC policy APIs  with the [`v1beta1` authorization policy APIs](/docs/reference/config/security/authorization-policy/).
+
+Verify that there are no `v1alpha1` security policies in your clusters the following commands:
+
+{{< text bash >}}
+$ kubectl get policies.authentication.istio.io --all-namespaces
+$ kubectl get meshpolicies.authentication.istio.io --all-namespaces
+$ kubectl get rbacconfigs.rbac.istio.io --all-namespaces
+$ kubectl get clusterrbacconfigs.rbac.istio.io --all-namespaces
+$ kubectl get serviceroles.rbac.istio.io --all-namespaces
+$ kubectl get servicerolebindings.rbac.istio.io --all-namespaces
+{{< /text >}}
+
+If there are any `v1alpha1` security policies in your clusters, migrate to the new APIs before upgrading.
+
+To ensure that `v1alpha1` security policies aren't applied in the future, delete the Custom Resource Definitions (CRDs) using the `v1alpha1` security policy APIs with the following commands:
+
+{{< text bash >}}
+$ kubectl delete crd policies.authentication.istio.io
+$ kubectl delete crd meshpolicies.authentication.istio.io
+$ kubectl delete crd rbacconfigs.rbac.istio.io
+$ kubectl delete crd clusterrbacconfigs.rbac.istio.io
+$ kubectl delete crd serviceroles.rbac.istio.io
+$ kubectl delete crd servicerolebindings.rbac.istio.io
+{{< /text >}}
+
+## Istio configuration during installation
+
+Past Istio releases deployed configuration objects during installation. The presence of those objects caused the following issues:
+
+- Problems with upgrades
+- A confusing user experience
+- A less flexible installation
+
+To address these issues, Istio 1.6 minimized the configuration objects deployed during installation.
+
+The following configurations are impacted:
+
+- `global.mtls.enabled`: Configuration removed to avoid confusion. Configure a peer authentication policy to enable [strict mTLS](/docs/tasks/security/authentication/authn-policy/#globally-enabling-istio-mutual-tls-in-strict-mode) instead.
+- No default `Gateway` and associated `Certificate` custom resources are deployed during installation. Go to the [Ingress task](/docs/tasks/traffic-management/ingress/) to configure a gateway for your mesh.
+- Istio no longer creates `Ingress` custom resources  for telemetry addons. Visit [remotely accessing telemetry addons](/docs/tasks/observability/gateways/) to learn how to reach the addons externally.
+- The default sidecar configuration is no longer defined through the automatically generated `Sidecar` custom resource. The default configuration is implemented internally and the change should have no impact on deployments.
+
+## Reach Istiod through external workloads
+
+In Istio 1.6, Istiod is configured to be `cluster-local` by default.  With `cluster-local` enabled, only workloads running on the same cluster can reach Istiod. Workloads on another cluster can only access the Istiod instance through the Istio gateway. This configuration prevents the ingress gateway of the master cluster from incorrectly forwarding service discovery requests to Istiod instances in remote clusters. The Istio team is actively investigating alternatives to no longer require `cluster-local`.
+
+To override the default `cluster-local` behavior, modify the configuration in the `MeshConfig` section as shown below:
+
+{{< text yaml >}}
+values:
+  meshConfig:
+    serviceSettings:
+      - settings:
+          clusterLocal: false
+        hosts:
+          - "istiod.istio-system.svc.cluster.local"
+{{< /text >}}