Site improvements. (#4015)

- Substantially simplify logic that deals with releases & release notes.

- Make it easier to add a new release to the site. THere are fewer things to
change as the site infra can figure more stuff out on its own.

- Make it so release notes can be added in one language without require them
to be added in the other language.

- Replace the ugly "a new version is available" callout on older release note
pages with a popup that only shows up when you click on the download button.

(cherry picked from commit d458423cf4)

content/about/contribute/creating-and-editing-pages/index.md

@@ -131,7 +131,7 @@ The available front matter fields are:
 |`skip_seealso`     | Set this to true to prevent the page from having a "See also" section generated for it
 |`force_inline_toc` | Set this to true to force the generated table of contents to be inserted inline in the text instead of in a sidebar
 |`simple_list`      | Set this to true to force a generated section page to use a simple list layout rather that a gallery layout
-|`content_above`    | Set this to true to force the content portion of a section index to be rendered above the auto-generated content
+|`content_above`    | Set this to true to force the content portion of a section index to be rendered above the auto-generated part
 
 There are a few more front matter fields available specifically for blog posts:
 

content/about/notes/1.0.1/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.0.1
 publishdate: 2018-08-29
 icon: notes
-layout: release-note
+release: 1.0.1
 ---
 
 This release addresses some critical issues found by the community when using Istio 1.0. This release note describes what's different between Istio 1.0 and Istio 1.0.1.
+
+{{< relnote >}}

content/about/notes/1.0.2/index.md

@@ -2,8 +2,10 @@
 title: Istio 1.0.2
 publishdate: 2018-09-06
 icon: notes
-layout: release-note
+release: 1.0.2
 ---
 
 This release addresses some critical issues found by the community when using Istio 1.0.1. This release note describes what's different between Istio 1.0.1 and
 Istio 1.0.2.
+
+{{< relnote >}}

content/about/notes/1.0.3/index.md

@@ -2,8 +2,10 @@
 title: Istio 1.0.3
 publishdate: 2018-10-30
 icon: notes
-layout: release-note
+release: 1.0.3
 ---
 
 This release addresses some critical issues found by the community when using Istio 1.0.2.
 This release note describes what's different between Istio 1.0.2 and Istio 1.0.3.
+
+{{< relnote >}}

content/about/notes/1.0.4/index.md

@@ -2,8 +2,10 @@
 title: Istio 1.0.4
 publishdate: 2018-11-21
 icon: notes
-layout: release-note
+release: 1.0.4
 ---
 
 This release addresses some critical issues found by the community when using Istio 1.0.3.
 This release note describes what's different between Istio 1.0.3 and Istio 1.0.4.
+
+{{< relnote >}}

content/about/notes/1.0.5/index.md

@@ -2,8 +2,10 @@
 title: Istio 1.0.5
 publishdate: 2018-12-20
 icon: notes
-layout: release-note
+release: 1.0.5
 ---
 
 This release addresses some critical issues found by the community in prior releases.
 This release note describes what's different between Istio 1.0.4 and Istio 1.0.5.
+
+{{< relnote >}}

content/about/notes/1.0.6/index.md

@@ -2,8 +2,10 @@
 title: Istio 1.0.6
 publishdate: 2019-02-12
 icon: notes
-layout: release-note
+release: 1.0.6
 ---
 
 This release includes security vulnerability fixes and improvements to robustness.
 This release note describes what's different between Istio 1.0.5 and Istio 1.0.6.
+
+{{< relnote >}}

content/about/notes/1.0.7/index.md

@@ -2,8 +2,9 @@
 title: Istio 1.0.7
 publishdate: 2019-04-05
 icon: notes
-layout: release-note
+release: 1.0.7
 ---
 
 This release includes an important security update. All customers using prior versions of Istio are advised to upgrade immediately.
-Please refer to the [announcement blog post](/blog/2019/announcing-1.1.2) for a description of the security issue.
+
+{{< relnote >}}

content/about/notes/1.0/index.md

@@ -2,7 +2,7 @@
 title: Istio 1.0
 publishdate: 2018-07-31
 icon: notes
-layout: release-note
+release: 1.0.0
 ---
 
 We're proud to release Istio 1.0! Istio has been in development for nearly two years, and the 1.0 release represents a substantial
@@ -10,3 +10,5 @@ milestone for us. All of our [core features](/about/feature-stages/) are now rea
 
 These release notes describe what's different between Istio 0.8 and Istio 1.0. Istio 1.0 only has a few new features
 relative to 0.8 as most of the effort for this release went into fixing bugs and improving performance.
+
+{{< relnote >}}

content/about/notes/1.1.1/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.1.1
 publishdate: 2019-03-25
 icon: notes
-layout: release-note
+release: 1.1.1
 ---
 
 This release includes security vulnerability fixes and improvements to robustness.  This release note describes what's different between Istio 1.1 and Istio 1.1.1.
+
+{{< relnote >}}

content/about/notes/1.1.2/index.md

@@ -2,8 +2,9 @@
 title: Istio 1.1.2
 publishdate: 2019-04-05
 icon: notes
-layout: release-note
+release: 1.1.2
 ---
 
 This release includes an important security update. All customers using prior versions of Istio are advised to upgrade immediately.
-Please refer to the [announcement blog post](/blog/2019/announcing-1.1.2) for a description of the security issue.
+
+{{< relnote >}}

content/about/notes/1.1.3/index.md

@@ -2,8 +2,9 @@
 title: Istio 1.1.3
 publishdate: 2019-04-15
 icon: notes
-layout: release-note
+release: 1.1.3
 ---
 
 This release includes several bug fixes and improvements to robustness.  This release note describes what's different between Istio 1.1.2 and Istio 1.1.3.
 
+{{< relnote >}}

content/about/notes/1.1/index.md

@@ -2,7 +2,7 @@
 title: Istio 1.1
 publishdate: 2019-03-19
 icon: notes
-layout: release-note
+release: 1.1.0
 ---
 
 We're proud to release Istio 1.1!
@@ -14,3 +14,5 @@ few. Special thanks to all of our end-users for providing feedback, feature
 requests, and testing the release candidates at various scales.
 
 These release notes describe what's different between Istio 1.0.6 and Istio 1.1.
+
+{{< relnote >}}

content/about/notes/_index.md

@@ -12,6 +12,3 @@ simple_list: true
 ---
 
 Check out our [release page](https://github.com/istio/istio/releases) to download Istio binaries.
-
-If you're on the lookout for info on ancient Istio releases, head straight for
-our [archive of the earlier releases' documentation](https://archive.istio.io/).

content/about/notes/older/0.1/index.md

@@ -5,7 +5,9 @@ aliases:
     - /docs/welcome/notes/0.1.html
     - /about/notes/0.1/index.html
 icon: notes
-layout: release-note
+release: 0.1.0
 ---
 
 Istio 0.1 is the initial [release](https://github.com/istio/istio/releases) of Istio. It works in a single Kubernetes cluster and supports the following features:
+
+{{< relnote >}}

content/about/notes/older/0.2/index.md

@@ -5,5 +5,7 @@ aliases:
     - /docs/welcome/notes/0.2.html
     - /about/notes/0.2/index.html
 icon: notes
-layout: release-note
+release: 0.2.0
 ---
+
+{{< relnote >}}

content/about/notes/older/0.3/index.md

@@ -5,5 +5,7 @@ aliases:
     - /docs/welcome/notes/0.3.html
     - /about/notes/0.3/index.html
 icon: notes
-layout: release-note
+release: 0.3.0
 ---
+
+{{< relnote >}}

content/about/notes/older/0.4/index.md

@@ -5,9 +5,11 @@ aliases:
     - /docs/welcome/notes/0.4.html
     - /about/notes/0.4/index.html
 icon: notes
-layout: release-note
+release: 0.4.0
 ---
 
 This release has only got a few weeks' worth of changes, as we stabilize our monthly release process.
 In addition to the usual pile of bug fixes and performance improvements, this release includes the items
 below.
+
+{{< relnote >}}

content/about/notes/older/0.5/index.md

@@ -4,8 +4,10 @@ publishdate: 2018-02-02
 icon: notes
 aliases:
     - /about/notes/0.5/index.html
-layout: release-note
+release: 0.5.0
 ---
 
 In addition to the usual pile of bug fixes and performance improvements, this release includes the new or
 updated features detailed below.
+
+{{< relnote >}}

content/about/notes/older/0.6/index.md

@@ -4,8 +4,10 @@ publishdate: 2018-03-08
 icon: notes
 aliases:
     - /about/notes/0.6/index.html
-layout: release-note
+release: 0.6.0
 ---
 
 In addition to the usual pile of bug fixes and performance improvements, this release includes the new or
 updated features detailed below.
+
+{{< relnote >}}

content/about/notes/older/0.7/index.md

@@ -4,8 +4,10 @@ publishdate: 2018-03-28
 icon: notes
 aliases:
     - /about/notes/0.7/index.html
-layout: release-note
+release: 0.7.0
 ---
 
 For this release, we focused on improving our build and test infrastructures and increasing the
 quality of our tests. As a result, there are no new features for this month.
+
+{{< relnote >}}

content/about/notes/older/0.8/index.md

@@ -4,7 +4,9 @@ publishdate: 2018-06-01
 icon: notes
 aliases:
     - /about/notes/0.8/index.html
-layout: release-note
+release: 0.8.0
 ---
 
 This is a major release for Istio on the road to 1.0. There are a great many new features and architectural improvements in addition to the usual pile of bug fixes and performance improvements.
+
+{{< relnote >}}

content/blog/2018/announcing-1.0.1/index.md

@@ -3,10 +3,9 @@ title: Announcing Istio 1.0.1
 description: Istio 1.0.1 patch release.
 publishdate: 2018-08-29
 attribution: The Istio Team
+release: 1.0.1
 ---
 
 We're pleased to announce the availability of Istio 1.0.1. Please see below for what's changed.
 
-{{< announcement_links "1.0.1" >}}
-
-{{< boilerplate "notes/1.0.1" >}}
+{{< relnote >}}

content/blog/2018/announcing-1.0.2/index.md

@@ -3,10 +3,9 @@ title: Announcing Istio 1.0.2
 description: Istio 1.0.2 patch release.
 publishdate: 2018-09-06
 attribution: The Istio Team
+release: 1.0.2
 ---
 
 We're pleased to announce the availability of Istio 1.0.2. Please see below for what's changed.
 
-{{< announcement_links "1.0.2" >}}
-
-{{< boilerplate "notes/1.0.2" >}}
+{{< relnote >}}

content/blog/2018/announcing-1.0.3/index.md

@@ -3,10 +3,9 @@ title: Announcing Istio 1.0.3
 description: Istio 1.0.3 patch release.
 publishdate: 2018-10-30
 attribution: The Istio Team
+release: 1.0.3
 ---
 
 We're pleased to announce the availability of Istio 1.0.3. Please see below for what's changed.
 
-{{< announcement_links "1.0.3" >}}
-
-{{< boilerplate "notes/1.0.3" >}}
+{{< relnote >}}

content/blog/2018/announcing-1.0.4/index.md

@@ -3,10 +3,9 @@ title: Announcing Istio 1.0.4
 description: Istio 1.0.4 patch release.
 publishdate: 2018-11-21
 attribution: The Istio Team
+release: 1.0.4
 ---
 
 We're pleased to announce the availability of Istio 1.0.4. Please see below for what's changed.
 
-{{< announcement_links "1.0.4" >}}
-
-{{< boilerplate "notes/1.0.4" >}}
+{{< relnote >}}

content/blog/2018/announcing-1.0.5/index.md

@@ -3,10 +3,9 @@ title: Announcing Istio 1.0.5
 description: Istio 1.0.5 patch release.
 publishdate: 2018-12-20
 attribution: The Istio Team
+release: 1.0.5
 ---
 
 We're pleased to announce the availability of Istio 1.0.5. Please see below for what's changed.
 
-{{< announcement_links "1.0.5" >}}
-
-{{< boilerplate "notes/1.0.5" >}}
+{{< relnote >}}

content/blog/2018/announcing-1.0/index.md

@@ -4,11 +4,12 @@ subtitle: The production ready service mesh
 description: Istio is ready for production use with its 1.0 release.
 publishdate: 2018-07-31
 attribution: The Istio Team
+release: 1.0.0
 ---
 
 Today, we’re excited to announce [Istio 1.0](/about/notes/1.0). It’s been a little over a year since our initial 0.1 release. Since then, Istio has evolved significantly with the help of a thriving and growing community of contributors and users. We’ve now reached the point where many companies have successfully adopted Istio in production and have gotten real value from the insight and control it provides over their deployments. We’ve helped large enterprises and fast-moving startups like [eBay](https://www.ebay.com/), [Auto Trader UK](https://www.autotrader.co.uk/), [Descartes Labs](http://www.descarteslabs.com/), [HP FitStation](https://www.fitstation.com/), [JUSPAY](https://juspay.in), [Namely](https://www.namely.com/), [PubNub](https://www.pubnub.com/) and [Trulia](https://www.trulia.com/) use Istio to connect, manage and secure their services from the ground up. Shipping this release as 1.0 is recognition that we’ve built a core set of functionality that our users can rely on for production use.
 
-{{< announcement_links "1.0.0" true >}}
+{{< relnote linktonote="true" >}}
 
 ## Ecosystem
 

content/blog/2019/announcing-1.0.6/index.md

@@ -3,10 +3,9 @@ title: Announcing Istio 1.0.6
 description: Istio 1.0.6 patch release.
 publishdate: 2019-02-12
 attribution: The Istio Team
+release: 1.0.6
 ---
 
 We're pleased to announce the availability of Istio 1.0.6. Please see below for what's changed.
 
-{{< announcement_links "1.0.6" >}}
-
-{{< boilerplate "notes/1.0.6" >}}
+{{< relnote >}}

content/blog/2019/announcing-1.0.7/index.md

@@ -0,0 +1,12 @@
+---
+title: Announcing Istio 1.0.7 with Important Security Update
+subtitle: Important Security Update
+description: Istio 1.0.7 patch releases.
+publishdate: 2019-04-05
+attribution: The Istio Team
+release: 1.0.7
+---
+
+We're announcing immediate availability of Istio 1.0.7 which contains some important security updates. Please see below for details.
+
+{{< relnote >}}

content/blog/2019/announcing-1.1.1/index.md

@@ -3,10 +3,9 @@ title: Announcing Istio 1.1.1
 description: Istio 1.1.1 patch release.
 publishdate: 2019-03-25
 attribution: The Istio Team
+release: 1.1.1
 ---
 
 We're pleased to announce the availability of Istio 1.1.1. Please see below for what's changed.
 
-{{< announcement_links "1.1.1" >}}
-
-{{< boilerplate "notes/1.1.1" >}}
+{{< relnote >}}

content/blog/2019/announcing-1.1.2/index.md

@@ -1,80 +1,12 @@
 ---
-title: Announcing Istio 1.1.2 and 1.0.7 with Important Security Update
+title: Announcing Istio 1.1.2 with Important Security Update
 subtitle: Important Security Update
-description: Istio 1.1.2 and 1.0.7 patch releases.
+description: Istio 1.1.2 patch release.
 publishdate: 2019-04-05
 attribution: The Istio Team
+release: 1.1.2
 ---
 
-We're announcing immediate availability of Istio 1.1.2 and Istio 1.0.7 which contain some important security updates. Please see below for details.
+We're announcing immediate availability of Istio 1.1.2 which contains some important security updates. Please see below for details.
 
-{{< announcement_links "1.1.2" >}}
-
-{{< announcement_links "1.0.7" >}}
-
-## Security update
-
-Two security vulnerabilities have recently been identified in the Envoy proxy
-([CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) and [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)). The
-vulnerabilities have now been patched in Envoy version 1.9.1, and correspondingly in the Envoy builds
-embedded in Istio 1.1.2 and Istio 1.0.7. Since Envoy is an integral part of Istio, users are advised to update Istio
-immediately to mitigate security risks arising from these vulnerabilities.
-
-The vulnerabilities are centered on the fact that Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. These
-vulnerabilities impact Istio features that rely on Envoy to enforce any of authorization, routing, or rate limiting.
-
-## Affected Istio releases
-
-The following Istio releases are vulnerable:
-
-- 1.1, 1.1.1
-    - These releases can be patched to Istio 1.1.2.
-    - 1.1.2 is built from the same source as 1.1.1 with the addition of Envoy patches minimally sufficient to address the CVEs.
-
-- 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6
-    - These releases can be patched to Istio 1.0.7
-    - 1.0.7 is built from the same source as 1.0.6 with the addition of Envoy patches minimally sufficient to address the CVEs.
-
-- 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8
-    - These releases are no longer supported and will not be patched. Please upgrade to a supported release with the necessary fixes.
-
-## Vulnerability impact
-
-[CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) and [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)
-allow remote attackers access to unauthorized resources by using specially crafted request URI paths (9901) and NUL bytes in
-HTTP/1.1 headers (9900), potentially circumventing DoS prevention systems such as rate limiting, or routing to a unexposed upstream system. Refer to
-[issue 6434](https://github.com/envoyproxy/envoy/issues/6434)
-and [issue 6435](https://github.com/envoyproxy/envoy/issues/6435) for more information.
-
-As Istio is based on Envoy, Istio customers can be affected by these vulnerabilities based on whether paths and request headers are used within Istio
-policies or routing rules and how the backend HTTP implementation resolves them. If prefix path matching rules are used by Mixer or by Istio authorization
-policies or the routing rules, an attacker could exploit these vulnerabilities to gain access to unauthorized paths on certain HTTP backends.
-
-## Mitigation
-
-Eliminating the vulnerabilities requires updating to a corrected version of Envoy. We’ve incorporated the necessary updates in the latest Istio patch releases.
-
-For Istio 1.1.x deployments: update to a minimum of [Istio 1.1.2](/about/notes/1.1.2)
-
-For Istio 1.0.x deployments: update to a minimum of [Istio 1.0.7](/about/notes/1.0.7)
-
-While Envoy 1.9.1 requires opting in to path normalization to address CVE 2019-9901, the version of Envoy embedded in Istio 1.1.2 and 1.0.7 enables path
-normalization by default.
-
-## Detection of NUL header exploit
-
-Based on current information, this only affects HTTP/1.1 traffic. If this is not structurally possible in your network or configuration, then it is unlikely
-that this vulnerability applies.
-
-File-based access logging uses the `c_str()` representation for header values, as does gRPC access logging, so there will be no trivial detection via
-Envoy’s access logs by scanning for NUL. Instead, operators might look for inconsistencies in logs between the routing that Envoy performs and the logic
-intended in the `RouteConfiguration`.
-
-External authorization and rate limit services can check for NULs in headers. Backend servers might have sufficient logging to detect NULs or unintended
-access; it’s likely that many will simply reject NULs in this scenario via 400 Bad Request, as per RFC 7230.
-
-## Detection of path traversal exploit
-
-Envoy’s access logs (whether file-based or gRPC) will contain the unnormalized path, so it is possible to examine these logs to detect suspicious patterns and
-requests that are incongruous with the intended operator configuration intent. In addition, unnormalized paths are available at `ext_authz`, rate limiting
-and backend servers for log inspection.
+{{< relnote >}}

content/blog/2019/announcing-1.1.3/index.md

@@ -3,10 +3,9 @@ title: Announcing Istio 1.1.3
 description: Istio 1.1.3 patch release.
 publishdate: 2019-04-15
 attribution: The Istio Team
+release: 1.1.3
 ---
 
 We're pleased to announce the availability of Istio 1.1.3. Please see below for what's changed.
 
-{{< announcement_links "1.1.3" >}}
-
-{{< boilerplate "notes/1.1.3" >}}
+{{< relnote >}}

content/blog/2019/announcing-1.1/index.md

@@ -4,11 +4,12 @@ subtitle: Major Update
 description: Istio 1.1 release announcement.
 publishdate: 2019-03-19
 attribution: The Istio Team
+release: 1.1.0
 ---
 
 We are pleased to announce the release of Istio 1.1!
 
-{{< announcement_links "1.1.0" true >}}
+{{< relnote linktonote="true" >}}
 
 Since we released 1.0 back in July, we’ve done a lot of work to help people get
 into production. Not surprisingly, we had to do some [patch releases](/about/notes)

content/boilerplates/notes/1.0.7.md

@@ -0,0 +1,66 @@
+## Security update
+
+Two security vulnerabilities have recently been identified in the Envoy proxy
+([CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) and [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)). The
+vulnerabilities have now been patched in Envoy version 1.9.1, and correspondingly in the Envoy builds
+embedded in Istio 1.1.2 and Istio 1.0.7. Since Envoy is an integral part of Istio, users are advised to update Istio
+immediately to mitigate security risks arising from these vulnerabilities.
+
+The vulnerabilities are centered on the fact that Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. These
+vulnerabilities impact Istio features that rely on Envoy to enforce any of authorization, routing, or rate limiting.
+
+## Affected Istio releases
+
+The following Istio releases are vulnerable:
+
+- 1.1, 1.1.1
+    - These releases can be patched to Istio 1.1.2.
+    - 1.1.2 is built from the same source as 1.1.1 with the addition of Envoy patches minimally sufficient to address the CVEs.
+
+- 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6
+    - These releases can be patched to Istio 1.0.7
+    - 1.0.7 is built from the same source as 1.0.6 with the addition of Envoy patches minimally sufficient to address the CVEs.
+
+- 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8
+    - These releases are no longer supported and will not be patched. Please upgrade to a supported release with the necessary fixes.
+
+## Vulnerability impact
+
+[CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) and [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)
+allow remote attackers access to unauthorized resources by using specially crafted request URI paths (9901) and NUL bytes in
+HTTP/1.1 headers (9900), potentially circumventing DoS prevention systems such as rate limiting, or routing to a unexposed upstream system. Refer to
+[issue 6434](https://github.com/envoyproxy/envoy/issues/6434)
+and [issue 6435](https://github.com/envoyproxy/envoy/issues/6435) for more information.
+
+As Istio is based on Envoy, Istio customers can be affected by these vulnerabilities based on whether paths and request headers are used within Istio
+policies or routing rules and how the backend HTTP implementation resolves them. If prefix path matching rules are used by Mixer or by Istio authorization
+policies or the routing rules, an attacker could exploit these vulnerabilities to gain access to unauthorized paths on certain HTTP backends.
+
+## Mitigation
+
+Eliminating the vulnerabilities requires updating to a corrected version of Envoy. We’ve incorporated the necessary updates in the latest Istio patch releases.
+
+For Istio 1.1.x deployments: update to a minimum of [Istio 1.1.2](/about/notes/1.1.2)
+
+For Istio 1.0.x deployments: update to a minimum of [Istio 1.0.7](/about/notes/1.0.7)
+
+While Envoy 1.9.1 requires opting in to path normalization to address CVE 2019-9901, the version of Envoy embedded in Istio 1.1.2 and 1.0.7 enables path
+normalization by default.
+
+## Detection of NUL header exploit
+
+Based on current information, this only affects HTTP/1.1 traffic. If this is not structurally possible in your network or configuration, then it is unlikely
+that this vulnerability applies.
+
+File-based access logging uses the `c_str()` representation for header values, as does gRPC access logging, so there will be no trivial detection via
+Envoy’s access logs by scanning for NUL. Instead, operators might look for inconsistencies in logs between the routing that Envoy performs and the logic
+intended in the `RouteConfiguration`.
+
+External authorization and rate limit services can check for NULs in headers. Backend servers might have sufficient logging to detect NULs or unintended
+access; it’s likely that many will simply reject NULs in this scenario via 400 Bad Request, as per RFC 7230.
+
+## Detection of path traversal exploit
+
+Envoy’s access logs (whether file-based or gRPC) will contain the unnormalized path, so it is possible to examine these logs to detect suspicious patterns and
+requests that are incongruous with the intended operator configuration intent. In addition, unnormalized paths are available at `ext_authz`, rate limiting
+and backend servers for log inspection.

content/boilerplates/notes/1.1.2.md

@@ -0,0 +1,66 @@
+## Security update
+
+Two security vulnerabilities have recently been identified in the Envoy proxy
+([CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) and [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)). The
+vulnerabilities have now been patched in Envoy version 1.9.1, and correspondingly in the Envoy builds
+embedded in Istio 1.1.2 and Istio 1.0.7. Since Envoy is an integral part of Istio, users are advised to update Istio
+immediately to mitigate security risks arising from these vulnerabilities.
+
+The vulnerabilities are centered on the fact that Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. These
+vulnerabilities impact Istio features that rely on Envoy to enforce any of authorization, routing, or rate limiting.
+
+## Affected Istio releases
+
+The following Istio releases are vulnerable:
+
+- 1.1, 1.1.1
+    - These releases can be patched to Istio 1.1.2.
+    - 1.1.2 is built from the same source as 1.1.1 with the addition of Envoy patches minimally sufficient to address the CVEs.
+
+- 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6
+    - These releases can be patched to Istio 1.0.7
+    - 1.0.7 is built from the same source as 1.0.6 with the addition of Envoy patches minimally sufficient to address the CVEs.
+
+- 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8
+    - These releases are no longer supported and will not be patched. Please upgrade to a supported release with the necessary fixes.
+
+## Vulnerability impact
+
+[CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) and [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)
+allow remote attackers access to unauthorized resources by using specially crafted request URI paths (9901) and NUL bytes in
+HTTP/1.1 headers (9900), potentially circumventing DoS prevention systems such as rate limiting, or routing to a unexposed upstream system. Refer to
+[issue 6434](https://github.com/envoyproxy/envoy/issues/6434)
+and [issue 6435](https://github.com/envoyproxy/envoy/issues/6435) for more information.
+
+As Istio is based on Envoy, Istio customers can be affected by these vulnerabilities based on whether paths and request headers are used within Istio
+policies or routing rules and how the backend HTTP implementation resolves them. If prefix path matching rules are used by Mixer or by Istio authorization
+policies or the routing rules, an attacker could exploit these vulnerabilities to gain access to unauthorized paths on certain HTTP backends.
+
+## Mitigation
+
+Eliminating the vulnerabilities requires updating to a corrected version of Envoy. We’ve incorporated the necessary updates in the latest Istio patch releases.
+
+For Istio 1.1.x deployments: update to a minimum of [Istio 1.1.2](/about/notes/1.1.2)
+
+For Istio 1.0.x deployments: update to a minimum of [Istio 1.0.7](/about/notes/1.0.7)
+
+While Envoy 1.9.1 requires opting in to path normalization to address CVE 2019-9901, the version of Envoy embedded in Istio 1.1.2 and 1.0.7 enables path
+normalization by default.
+
+## Detection of NUL header exploit
+
+Based on current information, this only affects HTTP/1.1 traffic. If this is not structurally possible in your network or configuration, then it is unlikely
+that this vulnerability applies.
+
+File-based access logging uses the `c_str()` representation for header values, as does gRPC access logging, so there will be no trivial detection via
+Envoy’s access logs by scanning for NUL. Instead, operators might look for inconsistencies in logs between the routing that Envoy performs and the logic
+intended in the `RouteConfiguration`.
+
+External authorization and rate limit services can check for NULs in headers. Backend servers might have sufficient logging to detect NULs or unintended
+access; it’s likely that many will simply reject NULs in this scenario via 400 Bad Request, as per RFC 7230.
+
+## Detection of path traversal exploit
+
+Envoy’s access logs (whether file-based or gRPC) will contain the unnormalized path, so it is possible to examine these logs to detect suspicious patterns and
+requests that are incongruous with the intended operator configuration intent. In addition, unnormalized paths are available at `ext_authz`, rate limiting
+and backend servers for log inspection.

content_zh/about/notes/1.0.1/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.0.1
 publishdate: 2018-08-29
 icon: notes
-layout: release-note
+release: 1.0.1
 ---
 
 本次发布解决了一些社区在使用 Istio 1.0 过程中发现的关键问题。本发布声明描述了 Istio 1.0 和 Istio 1.0.1 之间的区别。
+
+{{< relnote >}}

content_zh/about/notes/1.0.2/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.0.2
 publishdate: 2018-09-06
 icon: notes
-layout: release-note
+release: 1.0.2
 ---
 
 此版本解决了社区在使用 Istio 1.0.1 过程中发现的一些关键问题。本文描述了 Istio 1.0.1 和 Istio 1.0.2 之间的差异。
+
+{{< relnote >}}

content_zh/about/notes/1.0.3/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.0.3
 publishdate: 2018-10-30
 icon: notes
-layout: release-note
+release: 1.0.3
 ---
 
 本次发布中针对社区在使用 Istio 1.0.2 的过程中发现的严重问题进行了修补。下文将陈述 Istio 1.0.2 和 Istio 1.0.3 之间的差异。
+
+{{< relnote >}}

content_zh/about/notes/1.0.4/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.0.4
 publishdate: 2018-11-21
 icon: notes
-layout: release-note
+release: 1.0.4
 ---
 
 社区在 Istio 1.0.3 的使用过程中发现了一些严重问题，本次发布对这些问题进行了处理。本文对 Istio 1.0.3 和 1.0.4 两个版本之间的差异进行了描述。
+
+{{< relnote >}}

content_zh/about/notes/1.0.5/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.0.5
 publishdate: 2018-12-20
 icon: notes
-layout: release-note
+release: 1.0.5
 ---
 
 社区在 Istio 1.0.4 的使用过程中发现了一些严重问题，本次发布对这些问题进行了处理。本文对 Istio 1.0.4 和 1.0.5 两个版本之间的差异进行了描述。
+
+{{< relnote >}}

content_zh/about/notes/1.0.6/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.0.6
 publishdate: 2019-02-12
 icon: notes
-layout: release-note
+release: 1.0.6
 ---
 
 本次发布中包含了安全缺陷的修复，并增强了系统的健壮性。发行声明中包含了 Istio 1.0.5 和 1.0.6 之间的差别。
+
+{{< relnote >}}

content_zh/about/notes/1.0.7/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.0.7
 publishdate: 2019-04-05
 icon: notes
-layout: release-note
+release: 1.0.7
 ---
 
 这一版本包含了重要的安全更新。建议所有使用 Istio 较旧版本的用户立即更新。请参考[更新通知](/blog/2019/announcing-1.1.2)获取更多关于这一安全问题的相关信息。
+
+{{< relnote >}}

content_zh/about/notes/1.0/index.md

@@ -2,9 +2,11 @@
 title: Istio 1.0
 publishdate: 2018-07-31
 icon: notes
-layout: release-note
+release: 1.0.0
 ---
 
 我们很自豪地发布了 Istio 1.0！Istio 至今已经开发了近两年，1.0 版本对我们来说是一个重要的里程碑。我们所有的[核心功能](/zh/about/feature-stages/)现在都已经可以用于生产环境。
 
 本文描述了 Istio 1.0 与 Istio 0.8 之间的不同之处。 此版本的大部分工作都用于修复错误和提高性能，因此相对于 0.8 来说，Istio 1.0 只提供了很少的新功能。
+
+{{< relnote >}}

content_zh/about/notes/1.1.1/index.md

@@ -2,6 +2,9 @@
 title: Istio 1.1.1
 publishdate: 2018-03-25
 icon: notes
+release: 1.1.1
 ---
 
 TBD
+
+{{< relnote >}}

content_zh/about/notes/1.1.2/index.md

@@ -2,8 +2,10 @@
 title: Istio 1.1.2
 publishdate: 2019-04-05
 icon: notes
-layout: release-note
+release: 1.1.2
 ---
 
 本次发布中包含了一个重要的安全更新。建议所有使用以前版本 Istio 的用户立即升级。
 请参考[发布声明](/blog/2019/announcing-1.1.2)获取关于这一安全问题的描述。
+
+{{< relnote >}}

content_zh/about/notes/1.1.3/index.md

@@ -2,7 +2,9 @@
 title: Istio 1.1.3
 publishdate: 2019-04-15
 icon: notes
-layout: release-note
+release: 1.1.3
 ---
 
 这个版本中修复了大量问题，并提高了健壮性。下面列出了 Istio 1.1.2 和 Istio 1.1.3 之间的差别。
+
+{{< relnote >}}

content_zh/about/notes/1.1/index.md

@@ -2,7 +2,7 @@
 title: Istio 1.1
 publishdate: 2018-03-01
 icon: notes
-layout: release-note
+release: 1.1.0
 ---
 
 自豪地宣布，Istio 1.1 发布了！
@@ -10,3 +10,5 @@ layout: release-note
 我们用了 8 个月的时间，对整个产品做出众多改进，其中包括了来自 Google、IBM、VMware、Huawei、RedHat、Cisco、SAP、Salesforce、Pivotal、SUSE、Datadog 以及 LightStep 等众多厂商和个人的贡献。特别感谢所有的终端用户提供的反馈、功能需求以及在各种规模环境中做出的各种测试。
 
 本文描述了 Istio 1.0.6 以及 Istio 1.1 之间的差异。
+
+{{< relnote >}}

content_zh/about/notes/older/0.1/index.md

@@ -2,8 +2,7 @@
 title: Istio 0.1
 publishdate: 2017-05-24
 icon: notes
+release: 0.1.0
 ---
 
-{{< relnote_links >}}
-
-{{< boilerplate "notes/0.1" >}}
+{{< relnote >}}

content_zh/about/notes/older/0.2/index.md

@@ -2,8 +2,7 @@
 title: Istio 0.2
 publishdate: 2017-10-10
 icon: notes
+release: 0.2.0
 ---
 
-{{< relnote_links >}}
-
-{{< boilerplate "notes/0.2" >}}
+{{< relnote >}}

content_zh/about/notes/older/0.3/index.md

@@ -2,8 +2,7 @@
 title: Istio 0.3
 publishdate: 2017-11-29
 icon: notes
+release: 0.3.0
 ---
 
-{{< relnote_links >}}
-
-{{< boilerplate "notes/0.3" >}}
+{{< relnote >}}

content_zh/about/notes/older/0.4/index.md

@@ -2,10 +2,9 @@
 title: Istio 0.4
 publishdate: 2017-12-18
 icon: notes
+release: 0.4.0
 ---
 
 我们稳定了月度发布流程，因此这一版本只有几个星期的工作量。在平淡无奇的问题修复和性能增强之外，这个版本中包括如下内容。
 
-{{< relnote_links >}}
-
-{{< boilerplate "notes/0.4" >}}
+{{< relnote >}}

content_zh/about/notes/older/0.5/index.md

@@ -2,10 +2,9 @@
 title: Istio 0.5
 publishdate: 2018-02-02
 icon: notes
+release: 0.5.0
 ---
 
 在平淡无奇的问题修复和性能增强之外，这一版本包含了部分全新的功能，以及对现有功能的改进，具体包括以下内容。
 
-{{< relnote_links >}}
-
-{{< boilerplate "notes/0.5" >}}
+{{< relnote >}}

content_zh/about/notes/older/0.6/index.md

@@ -2,10 +2,9 @@
 title: Istio 0.6
 publishdate: 2018-03-08
 icon: notes
+release: 0.6.0
 ---
 
 在平淡无奇的问题修复和性能增强之外，这一版本包含了部分全新的功能，以及对现有功能的改进，具体包括以下内容。
 
-{{< relnote_links >}}
-
-{{< boilerplate "notes/0.6" >}}
+{{< relnote >}}

content_zh/about/notes/older/0.7/index.md

@@ -2,10 +2,9 @@
 title: Istio 0.7
 publishdate: 2018-03-28
 icon: notes
+release: 0.7.0
 ---
 
 本次发布，我们专注于提升我们的构建和测试基础设施并且提高了测试的质量。因此，这个月没有新的特性发布。
 
-{{< relnote_links >}}
-
-{{< boilerplate "notes/0.7" >}}
+{{< relnote >}}

content_zh/about/notes/older/0.8/index.md

@@ -2,10 +2,9 @@
 title: Istio 0.8
 publishdate: 2018-06-01
 icon: notes
+release: 0.8.0
 ---
 
 这是 Istio 1.0 路上的一次重要发布，除了通常的问题修复和性能增强之外，其中包含了很多新功能，架构方面也做出了很多改进。
 
-{{< relnote_links >}}
-
-{{< boilerplate "notes/0.8" >}}
+{{< relnote >}}

content_zh/blog/2018/announcing-1.0.1/index.md

@@ -3,6 +3,9 @@ title: Istio 1.0.1 发布
 description: Istio 1.0.1 补丁版本。
 publishdate: 2018-08-29
 attribution: The Istio Team
+release: 1.0.1
 ---
 
 我们高兴地发布了 Istio 1.0.1。请查看[发行说明](/zh/about/notes/1.0.1/) 来了解和下载更新。
+
+{{< relnote >}}

content_zh/blog/2018/announcing-1.0.2/index.md

@@ -3,6 +3,9 @@ title: Istio 1.0.2 发布
 description: Istio 1.0.2 补丁版本.
 publishdate: 2018-09-06
 attribution: The Istio Team
+release: 1.0.2
 ---
 
 我们很高兴地发布了 Istio 1.0.2。请查看[发行说明](/zh/about/notes/1.0.2/)以了解更多信息并下载此更新。
+
+{{< relnote >}}

content_zh/blog/2018/announcing-1.0.3/index.md

@@ -3,6 +3,9 @@ title: 宣布 Istio 1.0.3
 description: Istio 1.0.3 修补版本。
 publishdate: 2018-10-30
 attribution: Istio 团队
+release: 1.0.3
 ---
 
 Istio 1.0.3 已经发布。[发行说明](/zh/about/notes/1.0.3/)中列举了这一版本的更新内容并提供了下载。
+
+{{< relnote >}}

content_zh/blog/2018/announcing-1.0.4/index.md

@@ -3,6 +3,9 @@ title: Istio 1.0.4 发布
 description: Istio 1.0.4 补丁版本发布。
 publishdate: 2018-11-21
 attribution: Istio 团队
+release: 1.0.4
 ---
 
 很高兴宣布 Istio 1.0.4 已经可用。请参阅 [Istio 1.0.4 发布通知](/zh/about/notes/1.0.4/)，更多的了解和下载这次更新。
+
+{{< relnote >}}

content_zh/blog/2018/announcing-1.0.5/index.md

@@ -3,6 +3,9 @@ title: Istio 1.0.5 发布
 description: Istio 1.0.5 补丁版本发布。
 publishdate: 2018-12-20
 attribution: Istio 团队
+release: 1.0.5
 ---
 
 很高兴宣布 Istio 1.0.5 已经可用。请参阅 [Istio 1.0.5 发布通知](/zh/about/notes/1.0.5/)，详细了解和下载这次更新。
+
+{{< relnote >}}

content_zh/blog/2018/announcing-1.0/index.md

@@ -4,6 +4,7 @@ subtitle: 生产就绪的服务网格
 description: Istio 1.0 已生产就绪。
 publishdate: 2018-07-31
 attribution: The Istio Team
+release: 1.0.0
 ---
 
 今天，我们很高兴地宣布 [Istio 1.0](/zh/about/notes/1.0)。这距离最初的 0.1 版本发布以来已经过了一年多时间了。从 0.1 起，Istio 就在蓬勃发展的社区、贡献者和用户的帮助下迅速发展。现在已经有许多公司成功将 Istio 应用于生产，并通过 Istio 提供的洞察力和控制力获得了真正的价值。我们帮助大型企业和快速发展的创业公司，如 [eBay](https://www.ebay.com/)、[Auto Trader UK](https://www.autotrader.co.uk/)、[Descartes Labs](http://www.descarteslabs.com/)、[HP FitStation](https://www.fitstation.com/)、[Namely](https://www.namely.com/)、[JUSPAY](https://juspay.in)、[PubNub](https://www.pubnub.com/) 和 [Trulia](https://www.trulia.com/) 使用 Istio 从头开始连接、管理和保护他们的服务。将此版本作为 1.0 发布是对我们构建了一组核心功能的认可，用户们可以依赖这些功能进行生产。

content_zh/blog/2019/announcing-1.0.6/index.md

@@ -3,7 +3,9 @@ title: Istio 1.0.6 发布
 description: Istio 1.0.6 补丁版本。
 publishdate: 2019-02-12
 attribution: The Istio Team
-weight: 77
+release: 1.0.6
 ---
 
 很高兴地宣布，Istio 1.0.6 已经发布。请参阅[发行声明](/zh/about/notes/1.0.6/)，获知更多相关内容并下载这一更新。
+
+{{< relnote >}}

content_zh/blog/2019/announcing-1.0.7/index.md

@@ -0,0 +1,12 @@
+---
+title: 安全更新：发布 Istio 1.0.7
+subtitle: 重要安全更新
+description: Istio 1.0.7 的补丁版本。
+publishdate: 2019-04-05
+attribution: The Istio Team
+release: 1.0.7
+---
+
+第一时间发布 1.0.7，其中包含了重要的安全更新。请参看下方详情链接。
+
+{{< relnote >}}

content_zh/blog/2019/announcing-1.1.2/index.md

@@ -1,62 +1,12 @@
 ---
-title: 安全更新：发布 Istio 1.1.2 以及 1.0.7
+title: 安全更新：发布 Istio 1.1.2
 subtitle: 重要安全更新
-description: Istio 1.1.2 和 1.0.7 的补丁版本。
+description: Istio 1.1.2 的补丁版本。
 publishdate: 2019-04-05
 attribution: The Istio Team
+release: 1.1.2
 ---
 
-第一时间发布 Istio 1.1.2 以及 1.0.7，其中包含了重要的安全更新。请参看下方详情链接。
+第一时间发布 Istio 1.1.2，其中包含了重要的安全更新。请参看下方详情链接。
 
-{{< announcement_links "1.1.2" >}}
-
-{{< announcement_links "1.0.7" >}}
-
-## 安全更新
-
-最近发现了两个 Envoy 的安全威胁，分别是 [CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) 和 [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)。Envoy 1.9.1 中已经包含了应对这两个问题的安全补丁，对应的 Istio 中的集成版本分别是 Istio 1.1.2 和 Istio 1.0.7。Envoy 是 Istio 的重要组件，我们建议立刻更新 Istio 加以防范。
-
-这一安全问题的根本原因是 Envoy 没有对 HTTP URI 路径进行常规化，没有完整的对 HTTP/1.1 Header 进行校验。会影响到 Istio 依赖 Envoy 的一些功能，例如认证、路由以及速率限制。
-
-## 受影响的 Istio 版本
-
-下列 Istio 版本受到影响：
-
-- 1.1, 1.1.1
-    - 这些版本可以升级为 Istio 1.1.2。
-    - 1.1.2 和 1.1.1 的源码一致，加入了 Envoy 补丁用于应对 CVE。
-
-- 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6
-    - 这些版本可以升级到 Istio 1.0.7
-    - 1.0.7 和 1.0.6 的源码一致，加入了 Envoy 补丁用于应对 CVE。
-
-- 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8
-    - 这些版本已经不再支持，不会加入补丁。请升级到一个有支持的版本。
-
-## 影响范围
-
-[CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) 以及[CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901) 允许远程攻击者能够使用特定构造的请求 URI 路径来访问未经授权的资源（9901），HTTP/1.1 中的 NUL 字节能够部分的回避 DoS 防御系统（例如速率限制），或者路由到一个未开放的上游系统（9900）。可以参考 [issue 6434](https://github.com/envoyproxy/envoy/issues/6434) 和 [issue 6435](https://github.com/envoyproxy/envoy/issues/6435) 中的具体信息。
-
-Istio 构建在 Envoy 的基础之上，如果用户在使用 Istio 的过程中，在路由或者策略中遇到了上文提到的路径或者 Header 方面的问题，就会受到影响，需要更新来解决。如果路径前缀符合规则的匹配条件，并且用于 Mixer 或者 Istio 授权策略或者路由规则，攻击者可以藉由这些隐患来访问特定 HTTP 后端的未授权服务的路径。
-
-## 防范
-
-要防范这些问题需要更新到 Envoy 的特定版本。我们已经在 Istio 的补丁版本中加入了必要的更新内容。
-
-Istio 1.1.x 版本，至少应更新到 [Istio 1.1.2](/zh/about/notes/1.1.2)
-
-Istio 1.0.x 版本，至少应更新到 [Istio 1.0.7](/zh/about/notes/1.0.7)
-
-Envoy 1.0.1 需要打开路径常规化的选项来应对 CVE 2019-9901，Istio 1.1.2 和 1.0.7 中内置的 Envoy 缺省启用了这一功能。
-
-## 检测 NUL Header 入侵
-
-根据目前的已知信息，这一问题仅对 HTTP/1.1 有影响。如果你的网络或者配置中不允许这种行为，应该不会受到这一威胁。
-
-基于文件的访问日志使用 `c_str()` 来处理 Header，gRPC 访问日志也是这样的，所以这种情况不会检查 Envoy 访问日志中的 NUL。运维人员可以查看 Envoy 路由和 `RouteConfiguration` 之间的差异。
-
-外部授权和速率限制服务会检查 Header 中的 NUL。后端服务器会检查 NUL 或者被禁止的访问；很多情况下会根据 RFC 7230，简单的使用 400 错误码来拒绝 NULS。
-
-## 检测路径遍历入侵
-
-Envoy 的访问日志（不论是文件的还是 gRPC 的）会包含未经常规化的路径，所以可以根据这些日志来检查可以的访问请求，从中发掘不符合配置规定的访问行为。另外未经常规化的路径在 `ext_auzhz`、速率限制以及日志后端服务器都是可能发现的。
+{{< relnote >}}

content_zh/blog/2019/announcing-1.1.3/index.md

@@ -4,8 +4,7 @@ subtitle: 重要安全更新
 description: Istio 1.1.3。
 publishdate: 2019-04-15
 attribution: The Istio Team
+release: 1.1.3
 ---
 
-{{< announcement_links "1.1.3" >}}
-
-{{< boilerplate "notes/1.1.3" >}}
+{{< relnote >}}

content_zh/blog/2019/announcing-1.1/index.md

@@ -3,11 +3,12 @@ title: 宣布 Istio 1.1 发布
 description: Istio 1.1 发布声明。
 publishdate: 2019-03-19
 attribution: The Istio Team
+release: 1.1.0
 ---
 
 我们很高兴地宣布，Istio 1.1 发布！
 
-{{< announcement_links "1.1.0" >}}
+{{< relnote linktonote="true" >}}
 
 自从去年 7 月份 1.0 发布以来，为了帮助人们将 Istio 投入生产我们做了很多工作。意料之中，我们发布了很多补丁（到目前为止已经发布了 6 个补丁！），但我们也在努力为产品添加新功能。
 

content_zh/boilerplates/notes/1.0.7.md

@@ -0,0 +1,48 @@
+## 安全更新
+
+最近发现了两个 Envoy 的安全威胁，分别是 [CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) 和 [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)。Envoy 1.9.1 中已经包含了应对这两个问题的安全补丁，对应的 Istio 中的集成版本分别是 Istio 1.1.2 和 Istio 1.0.7。Envoy 是 Istio 的重要组件，我们建议立刻更新 Istio 加以防范。
+
+这一安全问题的根本原因是 Envoy 没有对 HTTP URI 路径进行常规化，没有完整的对 HTTP/1.1 Header 进行校验。会影响到 Istio 依赖 Envoy 的一些功能，例如认证、路由以及速率限制。
+
+## 受影响的 Istio 版本
+
+下列 Istio 版本受到影响：
+
+- 1.1, 1.1.1
+    - 这些版本可以升级为 Istio 1.1.2。
+    - 1.1.2 和 1.1.1 的源码一致，加入了 Envoy 补丁用于应对 CVE。
+
+- 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6
+    - 这些版本可以升级到 Istio 1.0.7
+    - 1.0.7 和 1.0.6 的源码一致，加入了 Envoy 补丁用于应对 CVE。
+
+- 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8
+    - 这些版本已经不再支持，不会加入补丁。请升级到一个有支持的版本。
+
+## 影响范围
+
+[CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) 以及[CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901) 允许远程攻击者能够使用特定构造的请求 URI 路径来访问未经授权的资源（9901），HTTP/1.1 中的 NUL 字节能够部分的回避 DoS 防御系统（例如速率限制），或者路由到一个未开放的上游系统（9900）。可以参考 [issue 6434](https://github.com/envoyproxy/envoy/issues/6434) 和 [issue 6435](https://github.com/envoyproxy/envoy/issues/6435) 中的具体信息。
+
+Istio 构建在 Envoy 的基础之上，如果用户在使用 Istio 的过程中，在路由或者策略中遇到了上文提到的路径或者 Header 方面的问题，就会受到影响，需要更新来解决。如果路径前缀符合规则的匹配条件，并且用于 Mixer 或者 Istio 授权策略或者路由规则，攻击者可以藉由这些隐患来访问特定 HTTP 后端的未授权服务的路径。
+
+## 防范
+
+要防范这些问题需要更新到 Envoy 的特定版本。我们已经在 Istio 的补丁版本中加入了必要的更新内容。
+
+Istio 1.1.x 版本，至少应更新到 [Istio 1.1.2](/zh/about/notes/1.1.2)
+
+Istio 1.0.x 版本，至少应更新到 [Istio 1.0.7](/zh/about/notes/1.0.7)
+
+Envoy 1.0.1 需要打开路径常规化的选项来应对 CVE 2019-9901，Istio 1.1.2 和 1.0.7 中内置的 Envoy 缺省启用了这一功能。
+
+## 检测 NUL Header 入侵
+
+根据目前的已知信息，这一问题仅对 HTTP/1.1 有影响。如果你的网络或者配置中不允许这种行为，应该不会受到这一威胁。
+
+基于文件的访问日志使用 `c_str()` 来处理 Header，gRPC 访问日志也是这样的，所以这种情况不会检查 Envoy 访问日志中的 NUL。运维人员可以查看 Envoy 路由和 `RouteConfiguration` 之间的差异。
+
+外部授权和速率限制服务会检查 Header 中的 NUL。后端服务器会检查 NUL 或者被禁止的访问；很多情况下会根据 RFC 7230，简单的使用 400 错误码来拒绝 NULS。
+
+## 检测路径遍历入侵
+
+Envoy 的访问日志（不论是文件的还是 gRPC 的）会包含未经常规化的路径，所以可以根据这些日志来检查可以的访问请求，从中发掘不符合配置规定的访问行为。另外未经常规化的路径在 `ext_auzhz`、速率限制以及日志后端服务器都是可能发现的。

content_zh/boilerplates/notes/1.1.2.md

@@ -0,0 +1,48 @@
+## 安全更新
+
+最近发现了两个 Envoy 的安全威胁，分别是 [CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) 和 [CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901)。Envoy 1.9.1 中已经包含了应对这两个问题的安全补丁，对应的 Istio 中的集成版本分别是 Istio 1.1.2 和 Istio 1.0.7。Envoy 是 Istio 的重要组件，我们建议立刻更新 Istio 加以防范。
+
+这一安全问题的根本原因是 Envoy 没有对 HTTP URI 路径进行常规化，没有完整的对 HTTP/1.1 Header 进行校验。会影响到 Istio 依赖 Envoy 的一些功能，例如认证、路由以及速率限制。
+
+## 受影响的 Istio 版本
+
+下列 Istio 版本受到影响：
+
+- 1.1, 1.1.1
+    - 这些版本可以升级为 Istio 1.1.2。
+    - 1.1.2 和 1.1.1 的源码一致，加入了 Envoy 补丁用于应对 CVE。
+
+- 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6
+    - 这些版本可以升级到 Istio 1.0.7
+    - 1.0.7 和 1.0.6 的源码一致，加入了 Envoy 补丁用于应对 CVE。
+
+- 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8
+    - 这些版本已经不再支持，不会加入补丁。请升级到一个有支持的版本。
+
+## 影响范围
+
+[CVE 2019-9900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900) 以及[CVE 2019-9901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901) 允许远程攻击者能够使用特定构造的请求 URI 路径来访问未经授权的资源（9901），HTTP/1.1 中的 NUL 字节能够部分的回避 DoS 防御系统（例如速率限制），或者路由到一个未开放的上游系统（9900）。可以参考 [issue 6434](https://github.com/envoyproxy/envoy/issues/6434) 和 [issue 6435](https://github.com/envoyproxy/envoy/issues/6435) 中的具体信息。
+
+Istio 构建在 Envoy 的基础之上，如果用户在使用 Istio 的过程中，在路由或者策略中遇到了上文提到的路径或者 Header 方面的问题，就会受到影响，需要更新来解决。如果路径前缀符合规则的匹配条件，并且用于 Mixer 或者 Istio 授权策略或者路由规则，攻击者可以藉由这些隐患来访问特定 HTTP 后端的未授权服务的路径。
+
+## 防范
+
+要防范这些问题需要更新到 Envoy 的特定版本。我们已经在 Istio 的补丁版本中加入了必要的更新内容。
+
+Istio 1.1.x 版本，至少应更新到 [Istio 1.1.2](/zh/about/notes/1.1.2)
+
+Istio 1.0.x 版本，至少应更新到 [Istio 1.0.7](/zh/about/notes/1.0.7)
+
+Envoy 1.0.1 需要打开路径常规化的选项来应对 CVE 2019-9901，Istio 1.1.2 和 1.0.7 中内置的 Envoy 缺省启用了这一功能。
+
+## 检测 NUL Header 入侵
+
+根据目前的已知信息，这一问题仅对 HTTP/1.1 有影响。如果你的网络或者配置中不允许这种行为，应该不会受到这一威胁。
+
+基于文件的访问日志使用 `c_str()` 来处理 Header，gRPC 访问日志也是这样的，所以这种情况不会检查 Envoy 访问日志中的 NUL。运维人员可以查看 Envoy 路由和 `RouteConfiguration` 之间的差异。
+
+外部授权和速率限制服务会检查 Header 中的 NUL。后端服务器会检查 NUL 或者被禁止的访问；很多情况下会根据 RFC 7230，简单的使用 400 错误码来拒绝 NULS。
+
+## 检测路径遍历入侵
+
+Envoy 的访问日志（不论是文件的还是 gRPC 的）会包含未经常规化的路径，所以可以根据这些日志来检查可以的访问请求，从中发掘不符合配置规定的访问行为。另外未经常规化的路径在 `ext_auzhz`、速率限制以及日志后端服务器都是可能发现的。

content_zh/help/faq/general/what-deployment-environment.md

@@ -3,4 +3,4 @@ title: 支持哪些部署环境？
 weight: 60
 ---
 
-Istio 的设计和构建与平台无关。对于我们 {{<istio_version>}} 发布，Istio 支持运行容器编排平台环境，如 Kubernetes（v1.9 或更高版本）和 Nomad（使用 Consul）。
+Istio 的设计和构建与平台无关。对于我们 {{< istio_version >}} 发布，Istio 支持运行容器编排平台环境，如 Kubernetes（v1.9 或更高版本）和 Nomad（使用 Consul）。

data/args.yml

@@ -26,6 +26,9 @@ doc_branch_name: release-1.1
 # The list of supported versions described by the docs
 supported_kubernetes_versions: ["1.11", "1.12", "1.13"]
 
+# The version of Istio currently in istio.io
+main_version: "1.1"
+
 ####### Static values
 
 # we use different search engines for each incarnation of the site

data/releases.yml

@@ -2,10 +2,8 @@
   url: https://preliminary.istio.io
 - name: "1.1"
   url: https://istio.io
-  latest_patch: 1.1.3
 - name: "1.0"
   url: https://archive.istio.io/v1.0
-  latest_patch: 1.0.7
 - name: "0.8"
   url: https://archive.istio.io/v0.8
 - name: "0.7"

i18n/en.toml

@@ -112,6 +112,9 @@ other = "Before you download %s, you should know that there's a newer patch rele
 [relnote_update_button]
 other = "LEARN ABOUT ISTIO %s"
 
+[relnote_update_notice]
+other = "Update Notice"
+
 [page_attribution]
 other = "By "
 
@@ -190,8 +193,5 @@ other = "-"
 [syntax_coloring]
 other = "Color Examples"
 
-[announcement_download]
-other = "DOWNLOAD %s"
-
 [announcement_relnotes]
 other = "%s RELEASE NOTES"

i18n/zh.toml

@@ -110,7 +110,10 @@ other = "%s 文档"
 other = "Before you download %s, you should know that there's a newer patch release with the latest bug fixes and perf improvements."
 
 [relnote_update_button]
-other = "LEARN ABOUT ISITO %s"
+other = "LEARN ABOUT ISTIO %s"
+
+[relnote_update_notice]
+other = "Update Notice"
 
 [page_attribution]
 other = "作者 "
@@ -190,8 +193,5 @@ other = "中文内容由 ServiceMesher 社区维护，部分文档可能稍微
 [syntax_coloring]
 other = "代码高亮"
 
-[announcement_download]
-other = "下载 %s"
-
 [announcement_relnotes]
 other = "%s 发布说明"

layouts/_default/release-note.html

@@ -1,130 +0,0 @@
-{{ define "main" }}
-{{ partial "primary_top.html" . }}
-{{ .Content }}
-
-{{- $home := .Site.GetPage "home" -}}
-{{- $lang := $home.Lang -}}
-{{- if eq $lang "en" -}}
-    {{- $lang = "" -}}
-{{- else -}}
-    {{- $lang = "/zh" -}}
-{{- end -}}
-
-{{ $release_name := path.Base .Dir }}
-{{ $parts := split $release_name "." }}
-
-{{ $version := $release_name }}
-{{ $full_version := printf "%s.0" $release_name }}
-{{ $old_full_version := $full_version }}
-{{ $patch := false }}
-
-{{ if ne (len $parts) 2 }}
-    {{ $version = printf "%s.%s" (index $parts 0) (index $parts 1) }}
-    {{ $full_version = printf "%s.%s.%s" (index $parts 0) (index $parts 1) (index $parts 2) }}
-    {{ $old_full_version = printf "%s.%s.%d" (index $parts 0) (index $parts 1) (sub (int (index $parts 2)) 1) }}
-    {{ $patch = true }}
-{{ end }}
-
-{{ $first := index .Site.Data.releases 0 }}
-{{ $second := index .Site.Data.releases 1 }}
-
-{{ $type_of_note := "current" }}
-{{ if eq $version $first.name }}
-    {{ $type_of_note = "prelim" }}
-{{ else if eq $version $second.name }}
-    {{ $type_of_note = "current" }}
-{{ else }}
-    {{ $type_of_note = "archive" }}
-{{ end }}
-
-<script>
-    document.addEventListener("DOMContentLoaded", () => {
-        window.setTimeout(() => {
-            document.querySelectorAll(".call-to-action").forEach(el => {
-                el.style.opacity = "1";
-            });
-        }, 250);
-    });
-</script>
-
-{{/* latest patch for the given short version */}}
-
-{{ $latest_patch := $full_version }}
-{{ range $rel_info := .Site.Data.releases }}
-    {{ if eq $rel_info.name $version }}
-        {{ if $rel_info.latest_patch }}
-            {{ $latest_patch = $rel_info.latest_patch }}
-        {{ end }}
-    {{ end }}
-{{ end }}
-
-{{ if ne $latest_patch $full_version }}
-    <aside class="callout warning">
-        <div class="type">
-            {{ partial "large_icon.html" "callout-warning" }}
-        </div>
-        <div class="content">
-            {{ printf (i18n "relnote_update_advice") $release_name }}
-            <br/><br>
-            <a class="btn" href="{{ $lang }}/about/notes/{{ $latest_patch }}">{{ printf (i18n "relnote_update_button") $latest_patch }}</a>
-        </div>
-    </aside>
-{{ end }}
-
-<div class="call-to-action">
-    {{ if .Site.Data.args.preliminary }}
-        {{ if eq $type_of_note "prelim" }}
-            <span class="btn">{{ printf (i18n "relnote_download") $release_name }}</span>
-
-            {{ if eq $type_of_note "archive" }}
-                <span class="btn">{{ printf (i18n "relnote_docs") $release_name }}</span>
-            {{ else }}
-                <span class="btn">{{ printf (i18n "relnote_docs") $release_name }}</span>
-            {{ end }}
-
-            {{ if $patch }}
-                <span class="btn">{{ printf (i18n "relnote_changes") $release_name }}</span>
-            {{ end }}
-        {{ else }}
-            <a class="btn" href="https://github.com/istio/istio/releases/tag/{{ $full_version }}">{{ printf (i18n "relnote_download") $release_name }}</a>
-
-            {{ if eq $type_of_note "archive" }}
-                <a class="btn" href="https://archive.istio.io/v{{ $version }}">{{ printf (i18n "relnote_docs") $release_name }}</a>
-            {{ else }}
-                <a class="btn" href="https://istio.io{{ $lang }}/docs">{{ printf (i18n "relnote_docs") $release_name }}</a>
-            {{ end }}
-
-            {{ if $patch }}
-                <a class="btn" href="https://github.com/istio/istio/compare/{{ $old_full_version }}...{{ $full_version }}">{{ printf (i18n "relnote_changes") $release_name }}</a>
-            {{ end }}
-        {{ end }}
-    {{ else }}
-        <a class="btn" href="https://github.com/istio/istio/releases/tag/{{ $full_version }}">{{ printf (i18n "relnote_download") $release_name }}</a>
-
-        {{ if (ne .Site.Data.args.version $version) }}
-            <a class="btn" href="https://archive.istio.io/v{{ $version }}{{ $lang }}/docs">{{ printf (i18n "relnote_docs") $release_name }}</a>
-        {{ else }}
-            <a class="btn" href="https://istio.io{{ $lang }}/docs">{{ printf (i18n "relnote_docs") $release_name }}</a>
-        {{ end }}
-
-        {{ if $patch }}
-            <a class="btn" href="https://github.com/istio/istio/compare/{{ $old_full_version }}...{{ $full_version }}">{{ printf (i18n "relnote_changes") $release_name }}</a>
-        {{ end }}
-    {{ end }}
-</div>
-
-{{- $bundle := .Page.GetPage "/boilerplates" -}}
-{{- with $bundle -}}
-    {{- $name := printf "notes/%v.md*" $release_name -}}
-    {{- $resource := $bundle.Resources.GetMatch $name -}}
-    {{- with $resource -}}
-        {{- .Content | markdownify -}}
-    {{- else -}}
-        {{- errorf "Could not find release note boilerplate for %v" $version -}}
-    {{- end -}}
-{{- else -}}
-    {{- errorf "Could not find release note boilerplate for %v" $version -}}
-{{- end -}}
-
-{{ partial "primary_bottom.html" . }}
-{{ end }}

layouts/shortcodes/announcement_links.html

@@ -1,61 +0,0 @@
-{{ $full_version := .Get 0 }}
-{{ $include_relnote_button := .Get 1 }}
-
-{{ $parts := split $full_version "." }}
-{{ $version := printf "%s.%s" (index $parts 0) (index $parts 1) }}
-{{ $release_name := $version }}
-{{ if ne (index $parts 2) "0" }}
-    {{ $release_name = $full_version }}
-{{ end }}
-
-{{- $home := .Site.GetPage "home" -}}
-{{- $lang := $home.Lang -}}
-{{- if eq $lang "en" -}}
-    {{- $lang = "" -}}
-{{- else -}}
-    {{- $lang = "/zh" -}}
-{{- end -}}
-
-{{/* latest patch for the given short version */}}
-
-{{ $latest_patch := "" }}
-{{ range $rel_info := .Site.Data.releases }}
-    {{ if eq $rel_info.name $version }}
-        {{ $latest_patch = $rel_info.latest_patch -}}
-    {{ end }}
-{{ end }}
-
-<script>
-    document.addEventListener("DOMContentLoaded", () => {
-        window.setTimeout(() => {
-            document.querySelectorAll(".call-to-action").forEach(el => {
-                el.style.opacity = "1";
-            });
-        }, 250);
-    });
-</script>
-
-{{ if ne $latest_patch $full_version }}
-    <aside class="callout warning">
-        <div class="type">
-            {{ partial "large_icon.html" "callout-warning" }}
-        </div>
-        <div class="content">
-            {{ printf (i18n "relnote_update_advice") $release_name }}
-            <br/><br>
-            <a class="btn" href="{{ $lang }}/about/notes/{{ $latest_patch }}">{{ printf (i18n "relnote_update_button") $latest_patch }}</a>
-        </div>
-    </aside>
-{{ end }}
-
-<div class="call-to-action">
-    {{ if .Site.Data.args.preliminary }}
-        <span class="btn">{{ printf (i18n "announcement_download") $release_name }}</span>
-    {{ else }}
-        <a class="btn" href="https://github.com/istio/istio/releases/tag/{{ $full_version }}">{{ printf (i18n "announcement_download") $release_name }}</a>
-    {{ end }}
-
-    {{ if $include_relnote_button }}
-       <a class="btn" href="{{ $lang }}/about/notes/{{ $release_name }}/">{{ printf (i18n "announcement_relnotes") $release_name }}</a>
-    {{ end }}
-</div>

layouts/shortcodes/relnote.html

@@ -0,0 +1,94 @@
+{{ $link_to_note := .Get "linktonote" }}
+{{ $full_version := .Page.Params.release }}
+
+{{ $parts := split $full_version "." }}
+{{ $version := printf "%s.%s" (index $parts 0) (index $parts 1) }}
+{{ $patch := int (index $parts 2) }}
+{{ $release_name := strings.TrimSuffix ".0" $full_version }}
+
+{{ $home := .Site.GetPage "home" }}
+{{ $lang := $home.Lang }}
+{{ if eq $lang "en" }}
+    {{ $lang = "" }}
+{{ else }}
+    {{ $lang = "/zh" }}
+{{ end }}
+
+{{/* establish latest corresponding patch release */}}
+{{ $latest_patch := 0 }}
+{{ range $page := .Site.RegularPages }}
+    {{ if hasPrefix $page.Dir "about/notes" }}
+        {{ $release := $page.Params.release }}
+        {{ if $release }}
+            {{ $parts := split $release "." }}
+            {{ $v := printf "%s.%s" (index $parts 0) (index $parts 1) }}
+            {{ $p := int (index $parts 2) }}
+            {{ if eq $version $v }}
+                {{ if gt $p $latest_patch }}
+                    {{ $latest_patch = $p }}
+                {{ end }}
+            {{ end }}
+        {{ end }}
+    {{ end }}
+{{ end }}
+
+{{ $latest_full_version := printf "%s.%d" $version $latest_patch }}
+
+{{ $release_location := "archive" }}
+{{ if and .Site.Data.args.preliminary (eq $version .Site.Data.args.version) }}
+    {{ $release_location = "preliminary" }}
+{{ else if eq $version .Site.Data.args.main_version }}
+    {{ $release_location = "main" }}
+{{ end }}
+
+<div class="call-to-action">
+    {{ if eq $release_location "prelim" }}
+        <span class="btn">{{ printf (i18n "relnote_download") $release_name }}</span>
+        <span class="btn">{{ printf (i18n "relnote_docs") $release_name }}</span>
+
+        {{ if $patch }}
+            <span class="btn">{{ printf (i18n "relnote_changes") $release_name }}</span>
+        {{ end }}
+    {{ else }}
+        {{ if ne $latest_full_version $full_version }}
+            {{ .Page.Scratch.Set "needPopper" true }}
+            <button class="btn update-notice"
+                    data-title='{{ i18n "relnote_update_notice" }}'
+                    data-downloadhref="https://github.com/istio/istio/releases/tag/{{ $full_version }}"
+                    data-updateadvice='{{ printf (i18n "relnote_update_advice") $release_name }}'
+                    data-updatebutton='{{ printf (i18n "relnote_update_button") $latest_full_version }}'
+                    data-updatehref="{{ $lang }}/about/notes/{{ $latest_full_version }}">
+                {{ printf (i18n "relnote_download") $release_name }}
+            </button>
+        {{ else }}
+            <a class="btn" href="https://github.com/istio/istio/releases/tag/{{ $full_version }}">{{ printf (i18n "relnote_download") $release_name }}</a>
+        {{ end }}
+
+        {{ if eq $release_location "archive" }}
+            <a class="btn" href="https://archive.istio.io/v{{ $version }}">{{ printf (i18n "relnote_docs") $release_name }}</a>
+        {{ else }}
+            <a class="btn" href="https://istio.io{{ $lang }}/docs">{{ printf (i18n "relnote_docs") $release_name }}</a>
+        {{ end }}
+
+        {{ if $patch }}
+            {{ $old_full_version := printf "%v.%d" $version (sub $patch 1) }}
+            <a class="btn" href="https://github.com/istio/istio/compare/{{ $old_full_version }}...{{ $full_version }}">{{ printf (i18n "relnote_changes") $release_name }}</a>
+        {{ end }}
+    {{ end }}
+
+    {{ if $link_to_note }}
+        <a class="btn" href="{{ $lang }}/about/notes/{{ $release_name }}/">{{ printf (i18n "announcement_relnotes") $release_name }}</a>
+    {{ end }}
+</div>
+
+{{ if not $link_to_note }}
+    {{ $bundle := .Page.GetPage "/boilerplates" }}
+    {{ with $bundle }}
+        {{ $name := printf "notes/%s.md" $release_name }}
+        {{ $pattern := printf "%s*" $name }}
+        {{ $resource := $bundle.Resources.GetMatch $pattern }}
+        {{ with $resource }}
+            {{ .Content | markdownify }}
+        {{ end }}
+    {{ end }}
+{{ end }}

layouts/shortcodes/relnote_links.html

@@ -1,76 +0,0 @@
-{{ $dir_name := path.Base .Page.Dir }}
-{{ $parts := split $dir_name "." }}
-
-{{ $short_version := $dir_name }}
-{{ $full_version := printf "%s.0" $dir_name }}
-{{ $old_full_version := $full_version }}
-{{ $patch := false }}
-
-{{ if ne (len $parts) 2 }}
-    {{ $short_version = printf "%s.%s" (index $parts 0) (index $parts 1) }}
-    {{ $full_version = printf "%s.%s.%s" (index $parts 0) (index $parts 1) (index $parts 2) }}
-    {{ $old_full_version = printf "%s.%s.%d" (index $parts 0) (index $parts 1) (sub (int (index $parts 2)) 1) }}
-    {{ $patch = true }}
-{{ end }}
-
-{{ $first := index .Site.Data.releases 0 }}
-{{ $second := index .Site.Data.releases 1 }}
-
-{{ $type_of_note := "current" }}
-{{ if eq $short_version $first.name }}
-    {{ $type_of_note = "prelim" }}
-{{ else if eq $short_version $second.name }}
-    {{ $type_of_note = "current" }}
-{{ else }}
-    {{ $type_of_note = "archive" }}
-{{ end }}
-
-<script>
-    document.addEventListener("DOMContentLoaded", () => {
-        window.setTimeout(() => {
-            document.querySelectorAll(".call-to-action").forEach(el => {
-                el.style.opacity = "1";
-            });
-        }, 250);
-    });
-</script>
-
-<div class="call-to-action">
-    {{ if .Site.Data.args.preliminary }}
-        {{ if eq $type_of_note "prelim" }}
-            <span class="btn">{{ printf (i18n "relnote_download") $dir_name }}</span>
-
-            {{ if eq $type_of_note "archive" }}
-                <span class="btn">{{ printf (i18n "relnote_docs") $dir_name }}</span>
-            {{ else }}
-                <span class="btn">{{ printf (i18n "relnote_docs") $dir_name }}</span>
-            {{ end }}
-
-            {{ if $patch }}
-                <span class="btn">{{ printf (i18n "relnote_changes") $dir_name }}</span>
-            {{ end }}
-        {{ else }}
-            <a class="btn" href="https://github.com/istio/istio/releases/tag/{{ $full_version }}">{{ printf (i18n "relnote_download") $dir_name }}</a>
-
-            {{ if eq $type_of_note "archive" }}
-                <a class="btn" href="https://archive.istio.io/v{{ $short_version }}">{{ printf (i18n "relnote_docs") $dir_name }}</a>
-            {{ else }}
-                <a class="btn" href="https://istio.io">{{ printf (i18n "relnote_docs") $dir_name }}</a>
-            {{ end }}
-
-            {{ if $patch }}
-                <a class="btn" href="https://github.com/istio/istio/compare/{{ $old_full_version }}...{{ $full_version }}">{{ printf (i18n "relnote_changes") $dir_name }}</a>
-            {{ end }}
-        {{ end }}
-    {{ else }}
-        <a class="btn" href="https://github.com/istio/istio/releases/tag/{{ $full_version }}">{{ printf (i18n "relnote_download") $dir_name }}</a>
-
-        {{ if (ne .Site.Data.args.version $short_version) }}
-            <a class="btn" href="https://archive.istio.io/v{{ $short_version }}">{{ printf (i18n "relnote_docs") $dir_name }}</a>
-        {{ end }}
-
-        {{ if $patch }}
-            <a class="btn" href="https://github.com/istio/istio/compare/{{ $old_full_version }}...{{ $full_version }}">{{ printf (i18n "relnote_changes") $dir_name }}</a>
-        {{ end }}
-    {{ end }}
-</div>

scripts/build_site.sh

@@ -6,6 +6,6 @@ mkdir -p generated/css generated/js generated/img tmp/js
 npx sass src/sass/_all.scss all.css -s compressed
 mv all.css* generated/css
 npx tsc
-npx babel tmp/js/constants.js tmp/js/utils.js tmp/js/kbdnav.js tmp/js/themes.js tmp/js/menu.js tmp/js/header.js tmp/js/sidebar.js tmp/js/tabset.js tmp/js/prism.js tmp/js/codeBlocks.js tmp/js/links.js tmp/js/scroll.js tmp/js/overlays.js tmp/js/lang.js --out-file generated/js/all.min.js --source-maps --minified --no-comments --presets minify
+npx babel tmp/js/constants.js tmp/js/utils.js tmp/js/kbdnav.js tmp/js/themes.js tmp/js/menu.js tmp/js/header.js tmp/js/sidebar.js tmp/js/tabset.js tmp/js/prism.js tmp/js/codeBlocks.js tmp/js/links.js tmp/js/scroll.js tmp/js/overlays.js tmp/js/lang.js tmp/js/callToAction.js --out-file generated/js/all.min.js --source-maps --minified --no-comments --presets minify
 npx babel tmp/js/themes_init.js --out-file generated/js/themes_init.min.js --source-maps --minified --no-comments --presets minify
 npx svgstore -o generated/img/icons.svg src/icons/**/*.svg

src/sass/misc/_call-to-action.scss

@@ -16,6 +16,18 @@
         }
     }
 
+    .wide {
+        width: 20rem;
+    }
+
+    button.btn {
+        outline: 0;
+
+        &:focus {
+            text-decoration: underline;
+        }
+    }
+
     span.btn {
         cursor: not-allowed;
 

src/ts/callToAction.ts

@@ -0,0 +1,25 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+const callToActionDelayMs = 250;
+
+function handleCallToAction(): void {
+    window.setTimeout(() => {
+        document.querySelectorAll<HTMLElement>(".call-to-action").forEach(el => {
+            el.style.opacity = "1";
+        });
+    }, callToActionDelayMs);
+}
+
+handleCallToAction();

src/ts/overlays.ts

@@ -126,6 +126,58 @@ function handleOverlays(): void {
         });
     });
 
+    // Expand download buttons that need an update notice into appropriate popup markup
+    document.querySelectorAll<HTMLAnchorElement>(".update-notice").forEach(downloadButton => {
+        const i = document.createElement("i");
+        i.innerHTML = "<svg class='icon'><use xlink:href='" + iconFile + "#callout-tip'/></svg>";
+
+        const span = document.createElement("span");
+        span.innerText = " " + downloadButton.dataset.title;
+
+        const title = document.createElement("div");
+        title.className = "title";
+        title.appendChild(i);
+        title.appendChild(span);
+
+        const body = document.createElement("div");
+        body.className = "body";
+        body.innerHTML =
+            "<p>" + downloadButton.dataset.updateadvice + "</p>" +
+            "<a class='btn wide' href='" + downloadButton.dataset.updatehref + "'>" + downloadButton.dataset.updatebutton + "</a>" +
+            "<a class='btn wide' target='_blank' rel='noopener' href='" + downloadButton.dataset.downloadhref + "'>" + downloadButton.innerText + "</a>";
+
+        const arrow = document.createElement("div");
+        arrow.className = "arrow";
+        arrow.setAttribute("x-arrow", "");
+
+        const div = document.createElement("div");
+        div.className = "popover";
+        div.appendChild(title);
+        div.appendChild(body);
+        div.appendChild(arrow);
+        div.setAttribute("aria-hidden", "true");
+        listen(div, click, e => {
+            e.cancelBubble = true;
+        });
+
+        const parent = downloadButton.parentElement;
+        if (parent) {
+            parent.insertBefore(div, downloadButton.nextElementSibling);
+        }
+
+        downloadButton.removeAttribute("data-title");
+        downloadButton.removeAttribute("data-downloadhref");
+        downloadButton.removeAttribute("data-updatehref");
+        downloadButton.removeAttribute("data-updateadvice");
+        downloadButton.removeAttribute("data-updatebutton");
+
+        listen(downloadButton, click, e => {
+            e.cancelBubble = true;
+            toggleOverlay(div);
+            attachPopper(downloadButton, div);
+        });
+    });
+
     listen(window, click, closeActiveOverlay);
     listen(window, "resize", closeActiveOverlay);
 }