Consolidate release-specific material into the news section. (#5138)

2019-10-15 09:27:11 -07:00 · 2019-10-15 09:27:11 -07:00 · f7dd8c6613
parent 2b9ecdf461
commit f7dd8c6613
49 changed files with 1341 additions and 356 deletions
--- a/content/en/about/contribute/creating-and-editing-pages/index.md
+++ b/content/en/about/contribute/creating-and-editing-pages/index.md
@ -136,8 +136,15 @@ The available front matter fields are:
 |`skip_byline`      | Set this to true to prevent the page from having a byline under the main title
 |`skip_seealso`     | Set this to true to prevent the page from having a "See also" section generated for it
 |`force_inline_toc` | Set this to true to force the generated table of contents to be inserted inline in the text instead of in a sidebar
-|`simple_list`      | Set this to true to force a generated section page to use a simple list layout rather that a gallery layout
-|`content_above`    | Set this to true to force the content portion of a section index to be rendered above the auto-generated part
+
+A few front-matter fields are specific to section pages (i.e. for files names `_index.md`):
+
+|Field                 | Description
+|----------------------|------------
+|`skip_list`           | Set this to true to prevent the auto-generated content on a section page
+|`simple_list`         | Set this to true to use a simple list layout rather than gallery layout for the auto-generated content of a section page
+|`list_below`          | Set this to true to insert the auto-generated content on a section page below the manually-written content
+|`list_by_publishdate` | Set this to true to sort the generated content on the page in order in publication date, rather than by page weight

 There are a few more front matter fields available specifically for blog posts:

@ -519,7 +526,7 @@ which renders as:

 ## Glossary terms

-When first introducing a specialized Istio term in a page, it is desirable to annotate the terms as being in the glossary. This
+When first introducing a specialized Istio term in a page, it is desirable to annotate the term as being in the glossary. This
 will produce special rendering inviting the user to click on the term in order to get a pop-up with the definition.

 {{< text markdown >}}
--- a/content/en/blog/2017/_index.md
+++ b/content/en/blog/2017/_index.md
@ -3,4 +3,5 @@ title: 2017 Posts
 description: Blog posts for 2017.
 weight: 20
 icon: blog
+list_by_publishdate: true
 ---
--- a/content/en/blog/2018/_index.md
+++ b/content/en/blog/2018/_index.md
@ -3,4 +3,5 @@ title: 2018 Posts
 description: Blog posts for 2018.
 weight: 10
 icon: blog
+list_by_publishdate: true
 ---
--- a/content/en/blog/2019/_index.md
+++ b/content/en/blog/2019/_index.md
@ -3,4 +3,5 @@ title: 2019 Posts
 description: Blog posts for 2019.
 weight: 9
 icon: blog
+list_by_publishdate: true
 ---
--- a/content/en/docs/_index.md
+++ b/content/en/docs/_index.md
@ -7,10 +7,8 @@ sidebar_multicard: true
 icon: docs
 ---

-In addition to the documentation, we provide the following resources:
+In addition to the above documentation links, please consider the following resources:

- [FAQ](/faq) section
- [Glossary](/docs/reference/glossary).
-
-Are you looking for past versions of the documentation? We keep an
-[archive of the documentation for prior releases](https://archive.istio.io/).
+- [Frequently Asked Questions](/faq)
+- [Glossary](/docs/reference/glossary)
+- [Documentation Archive](https://archive.istio.io/), which contains snapshots of the documentation for prior releases.
--- a/content/en/docs/ops/security/root-transition/index.md
+++ b/content/en/docs/ops/security/root-transition/index.md
@ -68,7 +68,7 @@ please follow the procedure and check whether you will be affected.
    Because the Pilot has issue using the old root certificate to verify the new workload certificates.
    This may cause disconnection between Pilot and Envoy.
    Please see the [here](#how-to-check-if-pilot-has-an-envoy-sidecar) for how to check.
-    The [Istio upgrade guide](/docs/setup/upgrade/steps/)
+    The [Istio upgrade guide](/docs/setup/upgrade/)
    by default installs Pilot with Envoy sidecar.
    {{< /warning >}}

@ -122,7 +122,7 @@ please follow the procedure and check whether you will be affected.
    {{< /warning >}}

    Upgrade your control plane and `istio-proxy` sidecars to 1.0.8, 1.1.8 or later.
-    Please follow the Istio [upgrade procedure](/docs/setup/upgrade/steps/).
+    Please follow the Istio [upgrade procedure](/docs/setup/upgrade/).

 1. Verify the new workload certificates are loaded by Envoy:

--- a/content/en/docs/reference/config/installation-options/index.md
+++ b/content/en/docs/reference/config/installation-options/index.md
@ -7,7 +7,7 @@ force_inline_toc: true
 ---

 {{< tip >}}
-Refer to [Installation Options Changes](/docs/reference/config/installation-options-changes/)
+Refer to [Installation Options Changes](/news/2019/announcing-1.3/helm-changes/)
 for a detailed summary of the option changes between release 1.2 and release 1.3.
 {{< /tip >}}

--- a/content/en/docs/setup/_index.md
+++ b/content/en/docs/setup/_index.md
@ -11,7 +11,7 @@ aliases:
    - /docs/setup/kubernetes/download/
    - /docs/setup/kubernetes/
 keywords: [kubernetes,install,quick-start,setup,installation]
-content_above: true
+list_below: true
 ---

 {{< tip >}}
@ -35,7 +35,7 @@ At a high level, the basic flow is the same regardless of platform:
 Download the Istio release which includes installation files, samples and a command line utility.

 1.  Go to the [Istio release]({{< istio_release_url >}}) page to
-    download the installation file corresponding to your OS. On a macOS or
+    download the installation file corresponding to your OS. Alternatively, on a macOS or
    Linux system, you can run the following command to download and
    extract the latest release automatically:

--- a/content/en/docs/setup/upgrade/_index.md
+++ b/content/en/docs/setup/upgrade/_index.md
@ -1,9 +0,0 @@
---
-title: Upgrade
-description: Information on upgrading Istio.
-weight: 25
-aliases:
-    - /docs/setup/kubernetes/upgrading-istio/
-    - /docs/setup/kubernetes/upgrade/
-keywords: [kubernetes,upgrading]
---
--- a/content/en/docs/setup/upgrade/steps/index.md
+++ b/content/en/docs/setup/upgrade/steps/index.md
@ -1,9 +1,10 @@
 ---
-title: Upgrade Steps
+title: Upgrade
 description: Upgrade the Istio control plane and data plane independently.
 weight: 25
 aliases:
    - /docs/setup/kubernetes/upgrade/steps/
+    - /docs/setup/upgrade/steps
 keywords: [kubernetes,upgrading]
 ---

@ -15,12 +16,12 @@ please ensure your Istio control plane components and your applications are
 highly available with multiple replicas.

 {{< warning >}}
-Be sure to check out the [upgrade notice](/docs/setup/upgrade/notice)
+Be sure to check out the [upgrade notes](/news/{{< istio_full_version_release_year >}}/announcing-{{< istio_version >}}/upgrade-notes)
 for a concise list of things you should know before upgrading your deployment to Istio {{< istio_version >}}.
 {{< /warning >}}

 {{< tip >}}
-Istio does **NOT** support skip level upgrades.  Only upgrades from {{< istio_previous_version >}} to {{< istio_version >}}
+Istio does **NOT** support skip level upgrades. Only upgrades from {{< istio_previous_version >}} to {{< istio_version >}}
 are supported. If you are on an older version, please upgrade to {{< istio_previous_version >}} first.
 {{< /tip >}}

--- a/content/en/news/2017/_index.md
+++ b/content/en/news/2017/_index.md
@ -3,4 +3,5 @@ title: 2017 News
 description: News items for 2017.
 weight: 20
 icon: newspaper
+list_by_publishdate: true
 ---
--- a/content/en/news/2017/announcing-0.3/index.md
+++ b/content/en/news/2017/announcing-0.3/index.md
@ -3,7 +3,7 @@ title: Announcing Istio 0.3
 description: Istio 0.3 announcement.
 publishdate: 2017-11-29
 attribution: The Istio Team
-release: 0.3
+release: 0.3.0
 aliases:
    - /about/notes/older/0.3
    - /docs/welcome/notes/0.3.html
--- a/content/en/news/2017/announcing-0.4/index.md
+++ b/content/en/news/2017/announcing-0.4/index.md
@ -3,7 +3,7 @@ title: Announcing Istio 0.4
 description: Istio 0.4 announcement.
 publishdate: 2017-12-18
 attribution: The Istio Team
-release: 0.3
+release: 0.4.0
 aliases:
    - /about/notes/older/0.4
    - /docs/welcome/notes/0.4.html
--- a/content/en/news/2018/_index.md
+++ b/content/en/news/2018/_index.md
@ -3,4 +3,5 @@ title: 2018 News
 description: News items for 2018.
 weight: 10
 icon: newspaper
+list_by_publishdate: true
 ---
--- a/content/en/news/2018/announcing-0.5/index.md
+++ b/content/en/news/2018/announcing-0.5/index.md
@ -3,7 +3,7 @@ title: Announcing Istio 0.5
 description: Istio 0.5 announcement.
 publishdate: 2018-02-02
 attribution: The Istio Team
-release: 0.5
+release: 0.5.0
 aliases:
    - /about/notes/older/0.5
    - /about/notes/0.5/index.html
--- a/content/en/news/2018/announcing-0.6/index.md
+++ b/content/en/news/2018/announcing-0.6/index.md
@ -3,7 +3,7 @@ title: Announcing Istio 0.6
 description: Istio 0.6 announcement.
 publishdate: 2018-03-08
 attribution: The Istio Team
-release: 0.6
+release: 0.6.0
 aliases:
    - /about/notes/older/0.6
    - /about/notes/0.6/index.html
--- a/content/en/news/2018/announcing-0.7/index.md
+++ b/content/en/news/2018/announcing-0.7/index.md
@ -3,7 +3,7 @@ title: Announcing Istio 0.7
 description: Istio 0.7 announcement.
 publishdate: 2018-03-28
 attribution: The Istio Team
-release: 0.7
+release: 0.7.0
 aliases:
    - /about/notes/0.7
    - /about/notes/0.7/index.html
--- a/content/en/news/2018/announcing-0.8/index.md
+++ b/content/en/news/2018/announcing-0.8/index.md
@ -3,7 +3,7 @@ title: Announcing Istio 0.8
 description: Istio 0.8 announcement.
 publishdate: 2018-06-01
 attribution: The Istio Team
-release: 0.8
+release: 0.8.0
 aliases:
    - /about/notes/0.8
    - /about/notes/0.8/index.html
--- a/content/en/news/2019/_index.md
+++ b/content/en/news/2019/_index.md
@ -3,4 +3,5 @@ title: 2019 News
 description: News items for 2019.
 weight: 9
 icon: newspaper
+list_by_publishdate: true
 ---
--- a/content/en/news/2019/announcing-1.1/_index.md
+++ b/content/en/news/2019/announcing-1.1/_index.md
@ -0,0 +1,74 @@
+---
+title: Announcing Istio 1.1
+subtitle: Major Update
+description: Istio 1.1 release announcement.
+publishdate: 2019-03-19
+attribution: The Istio Team
+release: 1.1.0
+aliases:
+    - /blog/2019/announcing-1.1
+skip_list: true
+---
+
+We are pleased to announce the release of Istio 1.1!
+
+{{< relnote >}}
+
+Since we released 1.0 back in July, we’ve done a lot of work to help people get
+into production. Not surprisingly, we had to do some [patch releases](/news)
+(6 so far!), but we’ve also been hard at work adding new features to the
+product.
+
+The theme for 1.1 is Enterprise Ready. We’ve been very pleased to see more and
+more companies using Istio in production, but as some larger companies tried to
+adopt Istio they hit some limits.
+
+One of our prime areas of focus has been [performance and scalability](/docs/concepts/performance-and-scalability/).
+As people moved into production with larger clusters running more services at
+higher volume, they hit some scaling and performance issues. The
+[sidecars](/docs/concepts/traffic-management/#sidecars) took too many resources
+and added too much latency. The control plane (especially
+[Pilot](/docs/concepts/architecture/#pilot)) was overly
+resource hungry.
+
+We’ve done a lot of work to make both the data plane and the control plane more
+efficient. You can find the details of our 1.1 performance testing and the
+results in our updated [performance ans scalability concept](/docs/concepts/performance-and-scalability/).
+
+We’ve done work around namespace isolation as well. This lets you use
+Kubernetes namespaces to enforce boundaries of control, and ensures that your
+teams cannot interfere with each other.
+
+We have also improved the [multicluster capabilities and usability](/docs/concepts/deployment-models/).
+We listened to the community and improved defaults for traffic control and
+policy. We introduced a new component called
+[Galley](/docs/concepts/architecture/#galley). Galley validates that sweet,
+sweet YAML, reducing the chance of configuration errors. Galley will also be
+instrumental in [multicluster setups](/docs/setup/install/multicluster/),
+gathering service discovery information from each Kubernetes cluster. We are
+also supporting additional multicluster topologies including different
+[control plane models](/docs/concepts/deployment-models/#control-plane-models)
+topologies without requiring a flat network.
+
+There is lots more -- see the [change notes](./change-notes) for complete
+details.
+
+There is more going on in the project as well. We know that Istio has a lot of
+moving parts and can be a lot to take on. To help address that, we recently
+formed a [Usability Working Group](https://github.com/istio/community/blob/master/WORKING-GROUPS.md#working-group-meetings)
+(feel free to join). There is also a lot happening in the [Community
+Meeting](https://github.com/istio/community#community-meeting) (Thursdays at
+`11 a.m.`) and in the [Working
+Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md). And
+if you haven’t yet joined the conversation at
+[discuss.istio.io](https://discuss.istio.io), head over, log in with your
+GitHub credentials and join us!
+
+We are grateful to everyone who has worked hard on Istio over the last few
+months -- patching 1.0, adding features to 1.1, and, lately, doing tons of
+testing on 1.1. Thanks especially to those companies and users who worked with
+us installing and upgrading to the early builds and helping us catch problems
+before the release.
+
+So: now’s the time! Grab 1.1, check out [the updated documentation](/docs/),
+[install it](/docs/setup/) and...happy meshing!
--- a/content/en/news/2019/announcing-1.1/change-notes/index.md
+++ b/content/en/news/2019/announcing-1.1/change-notes/index.md
@ -1,97 +1,28 @@
 ---
-title: Announcing Istio 1.1
-subtitle: Major Update
-description: Istio 1.1 release announcement.
-publishdate: 2019-03-19
-attribution: The Istio Team
-release: 1.1.0
+title: Change Notes
+description: Istio 1.1 release notes.
+weight: 10
 aliases:
    - /about/notes/1.1
-    - /blog/2019/announcing-1.1
 ---

-We are pleased to announce the release of Istio 1.1!
-
-{{< relnote >}}
-
-Since we released 1.0 back in July, we’ve done a lot of work to help people get
-into production. Not surprisingly, we had to do some [patch releases](/news)
-(6 so far!), but we’ve also been hard at work adding new features to the
-product.
-
-The theme for 1.1 is Enterprise Ready. We’ve been very pleased to see more and
-more companies using Istio in production, but as some larger companies tried to
-adopt Istio they hit some limits.
-
-One of our prime areas of focus has been [performance and scalability](/docs/concepts/performance-and-scalability/).
-As people moved into production with larger clusters running more services at
-higher volume, they hit some scaling and performance issues. The
-[sidecars](/docs/concepts/traffic-management/#sidecars) took too many resources
-and added too much latency. The control plane (especially
-[Pilot](/docs/concepts/architecture/#pilot)) was overly
-resource hungry.
-
-We’ve done a lot of work to make both the data plane and the control plane more
-efficient. You can find the details of our 1.1 performance testing and the
-results in our updated [performance ans scalability concept](/docs/concepts/performance-and-scalability/).
-
-We’ve done work around namespace isolation as well. This lets you use
-Kubernetes namespaces to enforce boundaries of control, and ensures that your
-teams cannot interfere with each other.
-
-We have also improved the [multicluster capabilities and usability](/docs/concepts/deployment-models/).
-We listened to the community and improved defaults for traffic control and
-policy. We introduced a new component called
-[Galley](/docs/concepts/architecture/#galley). Galley validates that sweet,
-sweet YAML, reducing the chance of configuration errors. Galley will also be
-instrumental in [multicluster setups](/docs/setup/install/multicluster/),
-gathering service discovery information from each Kubernetes cluster. We are
-also supporting additional multicluster topologies including different
-[control plane models](/docs/concepts/deployment-models/#control-plane-models)
-topologies without requiring a flat network.
-
-There is lots more -- see the [release notes](#release-notes) for complete
-details.
-
-There is more going on in the project as well. We know that Istio has a lot of
-moving parts and can be a lot to take on. To help address that, we recently
-formed a [Usability Working Group](https://github.com/istio/community/blob/master/WORKING-GROUPS.md#working-group-meetings)
-(feel free to join). There is also a lot happening in the [Community
-Meeting](https://github.com/istio/community#community-meeting) (Thursdays at
-`11 a.m.`) and in the [Working
-Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md). And
-if you haven’t yet joined the conversation at
-[discuss.istio.io](https://discuss.istio.io), head over, log in with your
-GitHub credentials and join us!
-
-We are grateful to everyone who has worked hard on Istio over the last few
-months -- patching 1.0, adding features to 1.1, and, lately, doing tons of
-testing on 1.1. Thanks especially to those companies and users who worked with
-us installing and upgrading to the early builds and helping us catch problems
-before the release.
-
-So: now’s the time! Grab 1.1, check out [the updated documentation](/docs/),
-[install it](/docs/setup/) and...happy meshing!
-
-## Release notes
-
-### Incompatible changes from 1.0
+## Incompatible changes from 1.0

 In addition to the new features and improvements listed below, Istio 1.1 has introduced
 a number of significant changes from 1.0 that can alter the behavior of applications.
-A concise list of these changes can be found in the [upgrade notice](/docs/setup/upgrade/notice).
+A concise list of these changes can be found in the [upgrade notice](/news/2019/announcing-1.1/upgrade-notes).

-### Upgrades
+## Upgrades

 We recommend a manual upgrade of the control plane and data plane to 1.1. See
 the [upgrades documents](/docs/setup/upgrade/) for more information.

 {{< warning >}}
-Be sure to check out the [upgrade notice](/docs/setup/upgrade/notice) for a
+Be sure to check out the [upgrade notice](/news/2019/announcing-1.1/upgrade-notes) for a
 concise list of things you should know before upgrading your deployment to Istio 1.1.
 {{< /warning >}}

-### Installation
+## Installation

 - **CRD Install Separated from Istio Install**.  Placed Istio’s Custom Resource
  Definitions (CRDs) into the `istio-init` Helm chart. Placing the CRDs in
@ -110,7 +41,7 @@ concise list of things you should know before upgrading your deployment to Istio
  [multicluster split horizon](/docs/setup/install/multicluster/shared-gateways/) remote cluster installation
  into the Istio Helm chart simplifying the operational experience.

-### Traffic management
+## Traffic management

 - **New `Sidecar` Resource**. The new [sidecar](/docs/concepts/traffic-management/#sidecars) resource
  enables more fine-grained control over the behavior of the sidecar proxies attached to workloads within a namespace.
@ -193,7 +124,7 @@ concise list of things you should know before upgrading your deployment to Istio
 - **Customized (non `cluster.local`) Trust Domains**. Added support for
  organization- or cluster-specific trust domains in the identities.

-### Policies and telemetry
+## Policies and telemetry

 - **Policy Checks Off By Default**. Changed policy checks to be turned off by
  default to improve performance for most customer scenarios. [Enabling Policy Enforcement](/docs/tasks/policy-enforcement/enabling-policy/)
@ -262,7 +193,7 @@ concise list of things you should know before upgrading your deployment to Istio
 - **Monitoring Port**. Changed Galley's default monitoring port from 9093 to
  15014.

-### `istioctl` and `kubectl`
+## `istioctl` and `kubectl`

 - **Validate Command**. Added the [`istioctl validate`](/docs/reference/commands/istioctl/#istioctl-validate)
  command for offline validation of Istio Kubernetes resources.
--- a/content/en/news/2019/announcing-1.1/helm-changes/index.md
+++ b/content/en/news/2019/announcing-1.1/helm-changes/index.md
@ -0,0 +1,459 @@
+---
+title: Helm Changes
+description: Details the Helm chart installation options differences between Istio 1.0 and Istio 1.1.
+weight: 30
+keywords: [kubernetes, helm, install, options]
+---
+
+The tables below show changes made to the installation options used to customize Istio install using Helm between Istio 1.0 and Istio 1.1. The tables are grouped in to three different categories:
+
+- The installation options already in the previous release but whose values or descriptions have been modified in the new release.
+- The new installation options added in the new release.
+- The installation options removed from the new release.
+
+<!-- Run python scripts/tablegen.py to generate this table -->
+
+<!-- AUTO-GENERATED-START -->
+
+## Modified configuration options
+
+### Modified `servicegraph` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `servicegraph.ingress.hosts` | `servicegraph.local` | `servicegraph.local` |  | `Used to create an Ingress record.` |
+
+### Modified `tracing` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `tracing.jaeger.tag` | `1.5` | `1.9` |  |  |
+
+### Modified `global` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `global.hub` | `gcr.io/istio-release` | `gcr.io/istio-release` |  | `Default hub for Istio images.Releases are published to docker hub under 'istio' project.Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly` |
+| `global.tag` | `release-1.0-latest-daily` | `release-1.1-latest-daily` |  | `Default tag for Istio images.` |
+| `global.proxy.resources.requests.cpu` | `10m` | `100m` |  |  |
+| `global.proxy.accessLogFile` | `"/dev/stdout"` | `""` |  |  |
+| `global.proxy.enableCoreDump` | `false` | `false` |  | `If set, newly injected sidecars will have core dumps enabled.` |
+| `global.proxy.autoInject` | `enabled` | `enabled` |  | `This controls the 'policy' in the sidecar injector.` |
+| `global.proxy.envoyStatsd.enabled` | `true` | `false` |  | `If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.` |
+| `global.proxy.envoyStatsd.host` | `istio-statsd-prom-bridge` | `` |  | `example: statsd-svc.istio-system` |
+| `global.proxy.envoyStatsd.port` | `9125` | `` |  | `example: 9125` |
+| `global.proxy_init.image` | `proxy_init` | `proxy_init` |  | `Base name for the proxy_init container, used to configure iptables.` |
+| `global.controlPlaneSecurityEnabled` | `false` | `false` |  | `controlPlaneMtls enabled. Will result in delays starting the pods while secrets arepropagated, not recommended for tests.` |
+| `global.disablePolicyChecks` | `false` | `true` |  | `disablePolicyChecks disables mixer policy checks.if mixer.policy.enabled==true then disablePolicyChecks has affect.Will set the value with same name in istio config map - pilot needs to be restarted to take effect.` |
+| `global.enableTracing` | `true` | `true` |  | `EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.` |
+| `global.mtls.enabled` | `false` | `false` |  | `Default setting for service-to-service mtls. Can be set explicitly usingdestination rules or service annotations.` |
+| `global.oneNamespace` | `false` | `false` |  | `Whether to restrict the applications namespace the controller manages;If not set, controller watches all namespaces` |
+| `global.configValidation` | `true` | `true` |  | `Whether to perform server-side validation of configuration.` |
+
+### Modified `gateways` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `gateways.istio-ingressgateway.type` | `LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be` | `LoadBalancer` |  | `change to NodePort, ClusterIP or LoadBalancer if need be` |
+| `gateways.istio-egressgateway.enabled` | `true` | `false` |  |  |
+| `gateways.istio-egressgateway.type` | `ClusterIP #change to NodePort or LoadBalancer if need be` | `ClusterIP` |  | `change to NodePort or LoadBalancer if need be` |
+
+### Modified `certmanager` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `certmanager.tag` | `v0.3.1` | `v0.6.2` |  |  |
+
+### Modified `kiali` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `kiali.tag` | `istio-release-1.0` | `v0.14` |  |  |
+
+### Modified `security` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `security.selfSigned` | `true # indicate if self-signed CA is used.` | `true` |  | `indicate if self-signed CA is used.` |
+
+### Modified `pilot` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `pilot.autoscaleMax` | `1` | `5` |  |  |
+| `pilot.traceSampling` | `100.0` | `1.0` |  |  |
+
+## New configuration options
+
+### New `istio_cni` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `istio_cni.enabled` | `false` |  |
+
+### New `servicegraph` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `servicegraph.nodeSelector` | `{}` |  |
+
+### New `tracing` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `tracing.nodeSelector` | `{}` |  |
+| `tracing.zipkin.hub` | `docker.io/openzipkin` |  |
+| `tracing.zipkin.tag` | `2` |  |
+| `tracing.zipkin.probeStartupDelay` | `200` |  |
+| `tracing.zipkin.queryPort` | `9411` |  |
+| `tracing.zipkin.resources.limits.cpu` | `300m` |  |
+| `tracing.zipkin.resources.limits.memory` | `900Mi` |  |
+| `tracing.zipkin.resources.requests.cpu` | `150m` |  |
+| `tracing.zipkin.resources.requests.memory` | `900Mi` |  |
+| `tracing.zipkin.javaOptsHeap` | `700` |  |
+| `tracing.zipkin.maxSpans` | `500000` |  |
+| `tracing.zipkin.node.cpus` | `2` |  |
+
+### New `sidecarInjectorWebhook` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `sidecarInjectorWebhook.nodeSelector` | `{}` |  |
+| `sidecarInjectorWebhook.rewriteAppHTTPProbe` | `false` | `If true, webhook or istioctl injector will rewrite PodSpec for livenesshealth check to redirect request to sidecar. This makes liveness check workeven when mTLS is enabled.` |
+
+### New `global` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `global.monitoringPort` | `15014` | `monitoring port used by mixer, pilot, galley` |
+| `global.k8sIngress.enabled` | `false` |  |
+| `global.k8sIngress.gatewayName` | `ingressgateway` | `Gateway used for k8s Ingress resources. By default it isusing 'istio:ingressgateway' that will be installed by setting'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'flags to true.` |
+| `global.k8sIngress.enableHttps` | `false` | `enableHttps will add port 443 on the ingress.It REQUIRES that the certificates are installed  in theexpected secrets - enabling this option without certificateswill result in LDS rejection and the ingress will not work.` |
+| `global.proxy.clusterDomain` | `"cluster.local"` | `cluster domain. Default value is "cluster.local".` |
+| `global.proxy.resources.requests.memory` | `128Mi` |  |
+| `global.proxy.resources.limits.cpu` | `2000m` |  |
+| `global.proxy.resources.limits.memory` | `128Mi` |  |
+| `global.proxy.concurrency` | `2` | `Controls number of Proxy worker threads.If set to 0 (default), then start worker thread for each CPU thread/core.` |
+| `global.proxy.accessLogFormat` | `""` | `Configure how and what fields are displayed in sidecar access log. Setting toempty string will result in default log format` |
+| `global.proxy.accessLogEncoding` | `TEXT` | `Configure the access log for sidecar to JSON or TEXT.` |
+| `global.proxy.dnsRefreshRate` | `5s` | `Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS5 seconds is the default refresh rate used by Envoy` |
+| `global.proxy.privileged` | `false` | `If set to true, istio-proxy container will have privileged securityContext` |
+| `global.proxy.statusPort` | `15020` | `Default port for Pilot agent health checks. A value of 0 will disable health checking.` |
+| `global.proxy.readinessInitialDelaySeconds` | `1` | `The initial delay for readiness probes in seconds.` |
+| `global.proxy.readinessPeriodSeconds` | `2` | `The period between readiness probes.` |
+| `global.proxy.readinessFailureThreshold` | `30` | `The number of successive failed probes before indicating readiness failure.` |
+| `global.proxy.kubevirtInterfaces` | `""` | `pod internal interfaces` |
+| `global.proxy.envoyMetricsService.enabled` | `false` |  |
+| `global.proxy.envoyMetricsService.host` | `` | `example: metrics-service.istio-system` |
+| `global.proxy.envoyMetricsService.port` | `` | `example: 15000` |
+| `global.proxy.tracer` | `"zipkin"` | `Specify which tracer to use. One of: lightstep, zipkin` |
+| `global.policyCheckFailOpen` | `false` | `policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.Default is false which means the traffic is denied when the client is unable to connect to Mixer.` |
+| `global.tracer.lightstep.address` | `""` | `example: lightstep-satellite:443` |
+| `global.tracer.lightstep.accessToken` | `""` | `example: abcdefg1234567` |
+| `global.tracer.lightstep.secure` | `true` | `example: true\|false` |
+| `global.tracer.lightstep.cacertPath` | `""` | `example: /etc/lightstep/cacert.pem` |
+| `global.tracer.zipkin.address` | `""` |  |
+| `global.defaultNodeSelector` | `{}` | `Default node selector to be applied to all deployments so that all pods can beconstrained to run a particular nodes. Each component can overwrite these defaultvalues by adding its node selector block in the relevant section below and settingthe desired values.` |
+| `global.meshExpansion.enabled` | `false` |  |
+| `global.meshExpansion.useILB` | `false` | `If set to true, the pilot and citadel mtls and the plain text pilot portswill be exposed on an internal gateway` |
+| `global.multiCluster.enabled` | `false` | `Set to true to connect two kubernetes clusters via their respectiveingressgateway services when pods in each cluster cannot directlytalk to one another. All clusters should be using Istio mTLS and musthave a shared root CA for this model to work.` |
+| `global.defaultPodDisruptionBudget.enabled` | `true` |  |
+| `global.useMCP` | `true` | `Use the Mesh Control Protocol (MCP) for configuring Mixer andPilot. Requires galley (--set galley.enabled=true).` |
+| `global.trustDomain` | `""` |  |
+| `global.outboundTrafficPolicy.mode` | `ALLOW_ANY` |  |
+| `global.sds.enabled` | `false` | `SDS enabled. IF set to true, mTLS certificates for the sidecars will bedistributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.` |
+| `global.sds.udsPath` | `""` |  |
+| `global.sds.useTrustworthyJwt` | `false` |  |
+| `global.sds.useNormalJwt` | `false` |  |
+| `global.meshNetworks` | `{}` |  |
+| `global.enableHelmTest` | `false` | `Specifies whether helm test is enabled or not.This field is set to false by default, so 'helm template ...'will ignore the helm test yaml files when generating the template` |
+
+### New `mixer` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `mixer.env.GODEBUG` | `gctrace=1` |  |
+| `mixer.env.GOMAXPROCS` | `"6"` | `max procs should be ceil(cpu limit + 1)` |
+| `mixer.policy.enabled` | `false` | `if policy is enabled, global.disablePolicyChecks has affect.` |
+| `mixer.policy.replicaCount` | `1` |  |
+| `mixer.policy.autoscaleEnabled` | `true` |  |
+| `mixer.policy.autoscaleMin` | `1` |  |
+| `mixer.policy.autoscaleMax` | `5` |  |
+| `mixer.policy.cpu.targetAverageUtilization` | `80` |  |
+| `mixer.telemetry.enabled` | `true` |  |
+| `mixer.telemetry.replicaCount` | `1` |  |
+| `mixer.telemetry.autoscaleEnabled` | `true` |  |
+| `mixer.telemetry.autoscaleMin` | `1` |  |
+| `mixer.telemetry.autoscaleMax` | `5` |  |
+| `mixer.telemetry.cpu.targetAverageUtilization` | `80` |  |
+| `mixer.telemetry.sessionAffinityEnabled` | `false` |  |
+| `mixer.telemetry.loadshedding.mode` | `enforce` | `disabled, logonly or enforce` |
+| `mixer.telemetry.loadshedding.latencyThreshold` | `100ms` | `based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async.` |
+| `mixer.telemetry.resources.requests.cpu` | `1000m` |  |
+| `mixer.telemetry.resources.requests.memory` | `1G` |  |
+| `mixer.telemetry.resources.limits.cpu` | `4800m` | `It is best to do horizontal scaling of mixer using moderate cpu allocation.We have experimentally found that these values work well.` |
+| `mixer.telemetry.resources.limits.memory` | `4G` |  |
+| `mixer.podAnnotations` | `{}` |  |
+| `mixer.nodeSelector` | `{}` |  |
+| `mixer.adapters.kubernetesenv.enabled` | `true` |  |
+| `mixer.adapters.stdio.enabled` | `false` |  |
+| `mixer.adapters.stdio.outputAsJson` | `true` |  |
+| `mixer.adapters.prometheus.enabled` | `true` |  |
+| `mixer.adapters.prometheus.metricsExpiryDuration` | `10m` |  |
+| `mixer.adapters.useAdapterCRDs` | `true` | `Setting this to false sets the useAdapterCRDs mixer startup argument to false` |
+
+### New `grafana` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `grafana.image.repository` | `grafana/grafana` |  |
+| `grafana.image.tag` | `5.4.0` |  |
+| `grafana.ingress.enabled` | `false` |  |
+| `grafana.ingress.hosts` | `grafana.local` | `Used to create an Ingress record.` |
+| `grafana.persist` | `false` |  |
+| `grafana.storageClassName` | `""` |  |
+| `grafana.accessMode` | `ReadWriteMany` |  |
+| `grafana.security.secretName` | `grafana` |  |
+| `grafana.security.usernameKey` | `username` |  |
+| `grafana.security.passphraseKey` | `passphrase` |  |
+| `grafana.nodeSelector` | `{}` |  |
+| `grafana.contextPath` | `/grafana` |  |
+| `grafana.datasources.datasources.apiVersion` | `1` |  |
+| `grafana.datasources.datasources.datasources.type` | `prometheus` |  |
+| `grafana.datasources.datasources.datasources.orgId` | `1` |  |
+| `grafana.datasources.datasources.datasources.url` | `http://prometheus:9090` |  |
+| `grafana.datasources.datasources.datasources.access` | `proxy` |  |
+| `grafana.datasources.datasources.datasources.isDefault` | `true` |  |
+| `grafana.datasources.datasources.datasources.jsonData.timeInterval` | `5s` |  |
+| `grafana.datasources.datasources.datasources.editable` | `true` |  |
+| `grafana.dashboardProviders.dashboardproviders.apiVersion` | `1` |  |
+| `grafana.dashboardProviders.dashboardproviders.providers.orgId` | `1` |  |
+| `grafana.dashboardProviders.dashboardproviders.providers.folder` | `'istio'` |  |
+| `grafana.dashboardProviders.dashboardproviders.providers.type` | `file` |  |
+| `grafana.dashboardProviders.dashboardproviders.providers.disableDeletion` | `false` |  |
+| `grafana.dashboardProviders.dashboardproviders.providers.options.path` | `/var/lib/grafana/dashboards/istio` |  |
+
+### New `prometheus` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `prometheus.retention` | `6h` |  |
+| `prometheus.nodeSelector` | `{}` |  |
+| `prometheus.scrapeInterval` | `15s` | `Controls the frequency of prometheus scraping` |
+| `prometheus.contextPath` | `/prometheus` |  |
+| `prometheus.ingress.enabled` | `false` |  |
+| `prometheus.ingress.hosts` | `prometheus.local` | `Used to create an Ingress record.` |
+| `prometheus.security.enabled` | `true` |  |
+
+### New `gateways` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `gateways.istio-ingressgateway.sds.enabled` | `false` | `If true, ingress gateway fetches credentials from SDS server to handle TLS connections.` |
+| `gateways.istio-ingressgateway.sds.image` | `node-agent-k8s` | `SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.This server runs in the same pod as ingress gateway.` |
+| `gateways.istio-ingressgateway.autoscaleEnabled` | `true` |  |
+| `gateways.istio-ingressgateway.cpu.targetAverageUtilization` | `80` |  |
+| `gateways.istio-ingressgateway.loadBalancerSourceRanges` | `[]` |  |
+| `gateways.istio-ingressgateway.externalIPs` | `[]` |  |
+| `gateways.istio-ingressgateway.podAnnotations` | `{}` |  |
+| `gateways.istio-ingressgateway.ports.targetPort` | `15029` |  |
+| `gateways.istio-ingressgateway.ports.name` | `https-kiali` |  |
+| `gateways.istio-ingressgateway.ports.name` | `https-prometheus` |  |
+| `gateways.istio-ingressgateway.ports.name` | `https-grafana` |  |
+| `gateways.istio-ingressgateway.ports.targetPort` | `15032` |  |
+| `gateways.istio-ingressgateway.ports.name` | `https-tracing` |  |
+| `gateways.istio-ingressgateway.ports.targetPort` | `15443` |  |
+| `gateways.istio-ingressgateway.ports.name` | `tls` |  |
+| `gateways.istio-ingressgateway.ports.targetPort` | `15020` |  |
+| `gateways.istio-ingressgateway.ports.name` | `status-port` |  |
+| `gateways.istio-ingressgateway.meshExpansionPorts.targetPort` | `15011` |  |
+| `gateways.istio-ingressgateway.meshExpansionPorts.name` | `tcp-pilot-grpc-tls` |  |
+| `gateways.istio-ingressgateway.meshExpansionPorts.targetPort` | `15004` |  |
+| `gateways.istio-ingressgateway.meshExpansionPorts.name` | `tcp-mixer-grpc-tls` |  |
+| `gateways.istio-ingressgateway.meshExpansionPorts.targetPort` | `8060` |  |
+| `gateways.istio-ingressgateway.meshExpansionPorts.name` | `tcp-citadel-grpc-tls` |  |
+| `gateways.istio-ingressgateway.meshExpansionPorts.targetPort` | `853` |  |
+| `gateways.istio-ingressgateway.meshExpansionPorts.name` | `tcp-dns-tls` |  |
+| `gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE` | `"sni-dnat"` | `A gateway with this mode ensures that pilot generates an additionalset of clusters for internal services but without Istio mTLS, toenable cross cluster routing.` |
+| `gateways.istio-ingressgateway.nodeSelector` | `{}` |  |
+| `gateways.istio-egressgateway.autoscaleEnabled` | `true` |  |
+| `gateways.istio-egressgateway.cpu.targetAverageUtilization` | `80` |  |
+| `gateways.istio-egressgateway.podAnnotations` | `{}` |  |
+| `gateways.istio-egressgateway.ports.targetPort` | `15443` |  |
+| `gateways.istio-egressgateway.ports.name` | `tls` |  |
+| `gateways.istio-egressgateway.env.ISTIO_META_ROUTER_MODE` | `"sni-dnat"` |  |
+| `gateways.istio-egressgateway.nodeSelector` | `{}` |  |
+| `gateways.istio-ilbgateway.autoscaleEnabled` | `true` |  |
+| `gateways.istio-ilbgateway.cpu.targetAverageUtilization` | `80` |  |
+| `gateways.istio-ilbgateway.podAnnotations` | `{}` |  |
+| `gateways.istio-ilbgateway.nodeSelector` | `{}` |  |
+
+### New `kiali` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `kiali.contextPath` | `/kiali` |  |
+| `kiali.nodeSelector` | `{}` |  |
+| `kiali.ingress.hosts` | `kiali.local` | `Used to create an Ingress record.` |
+| `kiali.dashboard.secretName` | `kiali` |  |
+| `kiali.dashboard.usernameKey` | `username` |  |
+| `kiali.dashboard.passphraseKey` | `passphrase` |  |
+| `kiali.prometheusAddr` | `http://prometheus:9090` |  |
+| `kiali.createDemoSecret` | `false` | `When true, a secret will be created with a default username and password. Useful for demos.` |
+
+### New `istiocoredns` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `istiocoredns.enabled` | `false` |  |
+| `istiocoredns.replicaCount` | `1` |  |
+| `istiocoredns.coreDNSImage` | `coredns/coredns:1.1.2` |  |
+| `istiocoredns.coreDNSPluginImage` | `istio/coredns-plugin:0.2-istio-1.1` |  |
+| `istiocoredns.nodeSelector` | `{}` |  |
+
+### New `security` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `security.enabled` | `true` |  |
+| `security.createMeshPolicy` | `true` |  |
+| `security.nodeSelector` | `{}` |  |
+
+### New `nodeagent` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `nodeagent.enabled` | `false` |  |
+| `nodeagent.image` | `node-agent-k8s` |  |
+| `nodeagent.env.CA_PROVIDER` | `""` | `name of authentication provider.` |
+| `nodeagent.env.CA_ADDR` | `""` | `CA endpoint.` |
+| `nodeagent.env.Plugins` | `""` | `names of authentication provider's plugins.` |
+| `nodeagent.nodeSelector` | `{}` |  |
+
+### New `pilot` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `pilot.autoscaleEnabled` | `true` |  |
+| `pilot.env.PILOT_PUSH_THROTTLE` | `100` |  |
+| `pilot.env.GODEBUG` | `gctrace=1` |  |
+| `pilot.cpu.targetAverageUtilization` | `80` |  |
+| `pilot.nodeSelector` | `{}` |  |
+| `pilot.keepaliveMaxServerConnectionAge` | `30m` | `The following is used to limit how long a sidecar can be connectedto a pilot. It balances out load across pilot instances at the cost ofincreasing system churn.` |
+
+## Removed configuration options
+
+### Removed `ingress` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `ingress.service.ports.nodePort` | `32000` |  |
+| `ingress.service.selector.istio` | `ingress` |  |
+| `ingress.autoscaleMin` | `1` |  |
+| `ingress.service.loadBalancerIP` | `""` |  |
+| `ingress.enabled` | `false` |  |
+| `ingress.service.annotations` | `{}` |  |
+| `ingress.service.ports.name` | `http` |  |
+| `ingress.service.ports.name` | `https` |  |
+| `ingress.autoscaleMax` | `5` |  |
+| `ingress.replicaCount` | `1` |  |
+| `ingress.service.type` | `LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be` |  |
+
+### Removed `servicegraph` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `servicegraph` | `servicegraph.local` |  |
+| `servicegraph.ingress` | `servicegraph.local` |  |
+| `servicegraph.service.internalPort` | `8088` |  |
+
+### Removed `telemetry-gateway` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `telemetry-gateway.prometheusEnabled` | `false` |  |
+| `telemetry-gateway.gatewayName` | `ingressgateway` |  |
+| `telemetry-gateway.grafanaEnabled` | `false` |  |
+
+### Removed `global` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `global.hyperkube.tag` | `v1.7.6_coreos.0` |  |
+| `global.k8sIngressHttps` | `false` |  |
+| `global.crds` | `true` |  |
+| `global.hyperkube.hub` | `quay.io/coreos` |  |
+| `global.meshExpansion` | `false` |  |
+| `global.k8sIngressSelector` | `ingress` |  |
+| `global.meshExpansionILB` | `false` |  |
+
+### Removed `mixer` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `mixer.autoscaleMin` | `1` |  |
+| `mixer.istio-policy.cpu.targetAverageUtilization` | `80` |  |
+| `mixer.autoscaleMax` | `5` |  |
+| `mixer.istio-telemetry.autoscaleMin` | `1` |  |
+| `mixer.prometheusStatsdExporter.tag` | `v0.6.0` |  |
+| `mixer.istio-telemetry.autoscaleMax` | `5` |  |
+| `mixer.istio-telemetry.cpu.targetAverageUtilization` | `80` |  |
+| `mixer.istio-policy.autoscaleEnabled` | `true` |  |
+| `mixer.istio-telemetry.autoscaleEnabled` | `true` |  |
+| `mixer.replicaCount` | `1` |  |
+| `mixer.prometheusStatsdExporter.hub` | `docker.io/prom` |  |
+| `mixer.istio-policy.autoscaleMin` | `1` |  |
+| `mixer.istio-policy.autoscaleMax` | `5` |  |
+
+### Removed `grafana` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `grafana.image` | `grafana` |  |
+| `grafana.service.internalPort` | `3000` |  |
+| `grafana.security.adminPassword` | `admin` |  |
+| `grafana.security.adminUser` | `admin` |  |
+
+### Removed `gateways` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `gateways.istio-ilbgateway.replicaCount` | `1` |  |
+| `gateways.istio-egressgateway.replicaCount` | `1` |  |
+| `gateways.istio-ingressgateway.replicaCount` | `1` |  |
+| `gateways.istio-ingressgateway.ports.name` | `tcp-pilot-grpc-tls` |  |
+| `gateways.istio-ingressgateway.ports.name` | `tcp-citadel-grpc-tls` |  |
+| `gateways.istio-ingressgateway.ports.name` | `http2-prometheus` |  |
+| `gateways.istio-ingressgateway.ports.name` | `http2-grafana` |  |
+| `gateways.istio-ingressgateway.ports.targetPort` | `15011` |  |
+| `gateways.istio-ingressgateway.ports.targetPort` | `8060` |  |
+
+### Removed `tracing` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `tracing.service.internalPort` | `9411` |  |
+| `tracing.replicaCount` | `1` |  |
+| `tracing.jaeger.ingress` | `jaeger.local` |  |
+| `tracing.ingress` | `tracing.local` |  |
+| `tracing.jaeger` | `jaeger.local` |  |
+| `tracing` | `jaeger.local tracing.local` |  |
+| `tracing.jaeger.ingress.hosts` | `jaeger.local` |  |
+| `tracing.jaeger.ingress.enabled` | `false` |  |
+| `tracing.ingress.hosts` | `tracing.local` |  |
+| `tracing.jaeger.ui.port` | `16686` |  |
+
+### Removed `kiali` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `kiali.dashboard.username` | `admin` |  |
+| `kiali.dashboard.passphrase` | `admin` |  |
+
+### Removed `pilot` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `pilot.replicaCount` | `1` |  |
+
+<!-- AUTO-GENERATED-END -->
--- a/content/en/news/2019/announcing-1.1/upgrade-notes/index.md
+++ b/content/en/news/2019/announcing-1.1/upgrade-notes/index.md
@ -0,0 +1,64 @@
+---
+title: Upgrade Notes
+description: Important changes operators must understand before upgrading to Istio 1.1.
+weight: 20
+---
+
+This page describes changes you need to be aware of when upgrading from Istio 1.0 to 1.1.  Here we detail cases where we intentionally broke backwards compatibility.  We also mention cases where backwards compatibility was preserved but new behavior was introduced that would be surprising to someone familiar with the use and operation of Istio 1.0.
+
+For an overview of new features introduced with Istio 1.1, please refer to the [1.1 change notes](/news/2019/announcing-1.1/change-notes/).
+
+## Installation
+
+- We have increased the control plane and envoy sidecar’s required CPU and memory.  It is critical to ensure your cluster have enough resource before proceeding
+the update.
+
+- Istio’s CRDs have been placed into their own Helm chart `istio-init`.  This prevents loss of custom resource data, facilitates the upgrade process, and enables
+Istio to evolve beyond a Helm-based installation.  The [upgrade documentation](/docs/setup/upgrade/) provides the proper procedures for upgrading
+from Istio 1.0.6 to Istio 1.1.  Please follow these instructions carefully when upgrading.  If `certmanager` is desired, use the `--set certmanager=true` flag
+when installing both `istio-init` and Istio charts with either `template` or `tiller` installation modes.
+
+- Many installation options have been added, removed, or changed. Refer to [Installation Options Changes](/news/2019/announcing-1.1/helm-changes/) for a detailed
+summary of the changes.
+
+- The 1.0 `istio-remote` chart used for [multicluster VPN](/docs/setup/install/multicluster/shared-vpn/) and
+[multicluster shared gateways](/docs/setup/install/multicluster/shared-gateways/) remote cluster installation has been consolidated into the Istio chart.  To generate
+an equivalent `istio-remote` chart, use the `--set global.istioRemote=true` flag.
+
+- Addons are no longer exposed via separate load balancers.  Instead addons can now be optionally exposed via the Ingress Gateway.  To expose an addon via the
+Ingress Gateway, please follow the [Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways/) guide.
+
+- The built-in Istio Statsd collector has been removed. Istio retains the capability of integrating with your own Statsd collector, using the
+`--set global.envoyStatsd.enabled=true` flag.
+
+- The `ingress` series of options for configuring a Kubernetes Ingress have been removed.  Kubernetes Ingress is still functional and can be enabled using the
+`--set global.k8sIngress.enabled=true` flag.  Check out [Securing Kubernetes Ingress with Cert-Manager](/docs/tasks/traffic-management/ingress/ingress-certmgr/)
+to learn how to secure your Kubernetes ingress resources.
+
+## Traffic Management
+
+- Outbound traffic policy now defaults to `ALLOW_ANY`.  Traffic to unknown ports will be forwarded as-is. Traffic to known ports (e.g., port 80) will be matched
+with one of the services in the system and forwarded accordingly.
+
+- During sidecar routing to a service, destination rules for the target service in the same namespace as the sidecar will take precedence, followed by destination
+rules in the service’s namespace, and finally followed by destination rules in other namespaces if applicable.
+
+- We recommend storing gateway resources in the same namespace as the gateway workload (e.g., `istio-system` in case of `istio-ingressgateway`).  When referring
+to gateway resources in virtual services, use the namespace/name format instead of using `name.namespace.svc.cluster.local`.
+
+- The optional egress gateway is now disabled by default.  It is enabled in the demo profile for users to explore but disabled in all other profiles by default.
+If you need to control and secure your outbound traffic through the egress gateway, you will need to enable `gateways.istio-egressgateway.enabled=true` manually
+in any of the non-demo profiles.
+
+## Policy & Telemetry
+
+- `istio-policy` check is now disabled by default.  It is enabled in the demo profile for users to explore but disabled in all other profiles.  This change is
+only for `istio-policy` and not for `istio-telemetry`.  In order to re-enable policy checking, run `helm template` with `--set global.disablePolicyChecks=false`
+and re-apply the configuration.
+
+- The Service Graph component has now been deprecated in favor of [Kiali](https://www.kiali.io/).
+
+## Security
+
+- RBAC configuration has been modified to implement cluster scoping.  The `RbacConfig` resource has been replaced with the `ClusterRbacConfig` resource. Refer
+to [Migrating `RbacConfig` to `ClusterRbacConfig`](https://archive.istio.io/v1.1/docs/setup/kubernetes/upgrade/steps/#migrating-from-rbacconfig-to-clusterrbacconfig) for migration instructions.
--- a/content/en/news/2019/announcing-1.2/_index.md
+++ b/content/en/news/2019/announcing-1.2/_index.md
@ -0,0 +1,71 @@
+---
+title: Announcing Istio 1.2
+subtitle: Major Update
+description: Istio 1.2 release announcement.
+publishdate: 2019-06-18
+attribution: The Istio Team
+release: 1.2.0
+aliases:
+    - /blog/2019/announcing-1.2
+skip_list: true
+---
+
+We are pleased to announce the release of Istio 1.2!
+
+{{< relnote >}}
+
+The theme of 1.2 is Predictable Releases - predictable in quality (we want
+every release to be a good release) as well as in time (we want to be able
+to ship on well known schedules).
+
+As nearly anyone using Istio 1.0 noticed, it took us a long time to get 1.1
+out. Far too long. One of the reasons was that we needed to do some work on
+our testing and infrastructure -- it was simply far too manual a process to
+build, test and release. Because of that, 1.2 focuses on improving the
+stability of these new features, and improving general product health.
+
+In order to make release quality and timing predictable, we declared a
+"Code Mauve",  meaning that we would spend the next iteration focusing on
+project infrastructure. As a result, we’ve been investing a ton of effort
+in our build, test and release machinery.
+
+We formed 3 new teams (GitHub Workflow, Source Organization, Testing
+Methodology, and Build & Release Automation). Each had a set of issues to
+take on and a set of exit criteria. Code Mauve isn’t over yet, in fact we
+expect it to go
+on for some time.   We’re putting in place the infrastructure to measure the
+metrics each team decided on (paraphrasing Peter Drucker: if you can’t
+measure it, you can’t manage it).
+
+You might have noticed that the [patch releases](/news/) for 1.1 have
+been coming fast and furious.
+
+In order to get features in the hands of our customers and users as soon as
+possible, most of the new features from the last three months have been
+delivered in 1.1.x releases. With 1.2, those features are now officially
+part of the release.
+
+We're seeing early results from the usability group. In the release notes,
+you'll find that you can now set log levels for the control plane and the
+data plane globally.  You can use [`istioctl`](/docs/reference/commands/istioctl) to validate that your Kubernetes
+installation meets Istio's requirements. And the new
+`traffic.sidecar.istio.io/includeInboundPorts` annotation to eliminate the
+need for service owner to declare `containerPort` in the deployment yaml.
+
+Some of the features have matured as well. The following features have
+progressed from Beta status
+to Stable:  SNI at ingress, distributed tracing, and service tracing. The
+following features have reached beta status: cert management on ingress,
+configuration resource validation, and configuration processing with Galley.
+We know there are lots of feature requests outstanding, and we have an
+exciting roadmap (watch for a forthcoming post from the TOC on that). The
+work we have done in this release has taken care of some technical debt which
+will help us get those features out reliably in future.
+
+As always, there is also a lot happening in the [Community
+Meeting](https://github.com/istio/community#community-meeting) (Thursdays at
+`11 a.m. Pactific`) and in the [Working
+Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md). And
+if you haven’t yet joined the conversation at
+[discuss.istio.io](https://discuss.istio.io), head over, log in with your
+GitHub credentials and join us!
--- a/content/en/news/2019/announcing-1.2/change-notes/index.md
+++ b/content/en/news/2019/announcing-1.2/change-notes/index.md
@ -1,83 +1,17 @@
 ---
-title: Announcing Istio 1.2
-subtitle: Major Update
-description: Istio 1.2 release announcement.
-publishdate: 2019-06-18
-attribution: The Istio Team
-release: 1.2.0
+title: Change Notes
+description: Istio 1.2 release notes.
+weight: 10
 aliases:
    - /about/notes/1.2
-    - /blog/2019/announcing-1.2
 ---

-We are pleased to announce the release of Istio 1.2!
-
-{{< relnote >}}
-
-The theme of 1.2 is Predictable Releases - predictable in quality (we want
-every release to be a good release) as well as in time (we want to be able
-to ship on well known schedules).
-
-As nearly anyone using Istio 1.0 noticed, it took us a long time to get 1.1
-out. Far too long. One of the reasons was that we needed to do some work on
-our testing and infrastructure -- it was simply far too manual a process to
-build, test and release. Because of that, 1.2 focuses on improving the
-stability of these new features, and improving general product health.
-
-In order to make release quality and timing predictable, we declared a
-"Code Mauve",  meaning that we would spend the next iteration focusing on
-project infrastructure. As a result, we’ve been investing a ton of effort
-in our build, test and release machinery.
-
-We formed 3 new teams (GitHub Workflow, Source Organization, Testing
-Methodology, and Build & Release Automation). Each had a set of issues to
-take on and a set of exit criteria. Code Mauve isn’t over yet, in fact we
-expect it to go
-on for some time.   We’re putting in place the infrastructure to measure the
-metrics each team decided on (paraphrasing Peter Drucker: if you can’t
-measure it, you can’t manage it).
-
-You might have noticed that the [patch releases](/news/) for 1.1 have
-been coming fast and furious.
-
-In order to get features in the hands of our customers and users as soon as
-possible, most of the new features from the last three months have been
-delivered in 1.1.x releases. With 1.2, those features are now officially
-part of the release.
-
-We're seeing early results from the usability group. In the release notes,
-you'll find that you can now set log levels for the control plane and the
-data plane globally.  You can use [`istioctl`](/docs/reference/commands/istioctl) to validate that your Kubernetes
-installation meets Istio's requirements. And the new
-`traffic.sidecar.istio.io/includeInboundPorts` annotation to eliminate the
-need for service owner to declare `containerPort` in the deployment yaml.
-
-Some of the features have matured as well. The following features have
-progressed from Beta status
-to Stable:  SNI at ingress, distributed tracing, and service tracing. The
-following features have reached beta status: cert management on ingress,
-configuration resource validation, and configuration processing with Galley.
-We know there are lots of feature requests outstanding, and we have an
-exciting roadmap (watch for a forthcoming post from the TOC on that). The
-work we have done in this release has taken care of some technical debt which
-will help us get those features out reliably in future.
-
-As always, there is also a lot happening in the [Community
-Meeting](https://github.com/istio/community#community-meeting) (Thursdays at
-`11 a.m. Pactific`) and in the [Working
-Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md). And
-if you haven’t yet joined the conversation at
-[discuss.istio.io](https://discuss.istio.io), head over, log in with your
-GitHub credentials and join us!
-
-## Release notes
-
-### General
+## General

 - **Added** `traffic.sidecar.istio.io/includeInboundPorts` annotation to eliminate the need for service owner to declare `containerPort` in the deployment yaml file.  This will become the default in a future release.
 - **Added** IPv6 experimental support for Kubernetes clusters.

-### Traffic management
+## Traffic management

 - **Improved** [locality based routing](/docs/ops/traffic-management/locality-load-balancing/) in multicluster environments.
 - **Improved** outbound traffic policy in [`ALLOW_ANY` mode](/docs/reference/config/installation-options/#global-options). Traffic for unknown HTTP/HTTPS hosts on an existing port will be [forwarded as is](/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services). Unknown traffic will be logged in Envoy access logs.
@ -86,7 +20,7 @@ GitHub credentials and join us!
 - **Added** ability to configure the [DNS refresh rate](/docs/reference/config/installation-options/#global-options) for sidecar Envoys, to reduce the load on the DNS servers.
 - **Graduated** [Sidecar API](/docs/reference/config/networking/v1alpha3/sidecar/) from Alpha to Alpha API and Beta runtime.

-### Security
+## Security

 - **Improved** extend the default lifetime of self-signed Citadel root certificates to 10 years.
 - **Added** Kubernetes health check prober rewrite per deployment via `sidecar.istio.io/rewriteAppHTTPProbers: "true"` in the `PodSpec` [annotation](/docs/ops/app-health-check/#use-annotations-on-pod).
@ -98,24 +32,24 @@ GitHub credentials and join us!
 - **Graduated** [SNI with multiple certificates support at ingress gateway](/docs/reference/config/networking/v1alpha3/gateway/) from Alpha to Stable.
 - **Graduated** [certification management on Ingress Gateway](/docs/tasks/traffic-management/ingress/secure-ingress-sds/) from Alpha to Beta.

-### Telemetry
+## Telemetry

 - **Added** Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.
 - **Changed** Prometheus generated traffic is excluded from metrics.
 - **Added** support for sending traces to Datadog.
 - **Graduated** [distributed tracing](/docs/tasks/observability/distributed-tracing/) from Beta to Stable.

-### Policy
+## Policy

 - **Fixed** [Mixer based](https://github.com/istio/istio/issues/13868)TCP Policy enforcement.
 - **Graduated** [Authorization (RBAC)](/docs/reference/config/authorization/istio.rbac.v1alpha1/) from Alpha to Alpha API and Beta runtime.

-### Configuration management
+## Configuration management

 - **Improved** validation of Policy & Telemetry CRDs.
 - **Graduated** basic configuration resource validation from Alpha to Beta.

-### Installation and upgrade
+## Installation and upgrade

 - **Updated** default proxy memory limit size(`global.proxy.resources.limits.memory`) from `128Mi` to `1024Mi` to ensure proxy has sufficient memory.
 - **Added** pod [anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) and [toleration](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) support to all of our control plane components.
@ -124,9 +58,9 @@ GitHub credentials and join us!
 - **Added** support to configure the Datadog location via [`global.tracer.datadog.address`](/docs/reference/config/installation-options/#global-options).
 - **Removed** Previously [deprecated]( https://discuss.istio.io/t/deprecation-notice-custom-mixer-adapter-crds/2055) Adapter and Template CRDs are disabled by default. Use  `mixer.templates.useTemplateCRDs=true` and `mixer.adapters.useAdapterCRDs=true` install options to re-enable them.

-Refer to the [installation option change page](/docs/reference/config/installation-options-changes/) to view the complete list of changes.
+Refer to the [installation option change page](/news/2019/announcing-1.2/helm-changes/) to view the complete list of changes.

-### `istioctl` and `kubectl`
+## `istioctl` and `kubectl`

 - **Graduated** `istioctl verify-install` out of experimental.
 - **Improved** `istioctl verify-install` to validate if a given Kubernetes environment meets Istio's prerequisites.
@ -136,7 +70,7 @@ Refer to the [installation option change page](/docs/reference/config/installati
 - **Improved** `istioctl version` to report both Istio control plane and `istioctl` version info by default.
 - **Improved** `istioctl validate` to validate Mixer configuration and supports deep validation with referential integrity.

-### Others
+## Miscellaneous

 - **Added** [Istio CNI support](/docs/setup/additional-setup/cni/) to setup sidecar network redirection and remove the use of `istio-init` containers requiring `NET_ADMIN` capability.
 - **Added** a new experimental ['a-la-carte' Istio installer](https://github.com/istio/installer/wiki) to enable users to install and upgrade Istio with desired isolation and security.
--- a/content/en/news/2019/announcing-1.2/helm-changes/index.md
+++ b/content/en/news/2019/announcing-1.2/helm-changes/index.md
@ -0,0 +1,236 @@
+---
+title: Helm Changes
+description: Details the Helm chart installation options differences between Istio 1.1 and Istio 1.2.
+weight: 30
+keywords: [kubernetes, helm, install, options]
+---
+
+The tables below show changes made to the installation options used to customize Istio install using Helm between Istio 1.1 and Istio 1.2. The tables are grouped in to three different categories:
+
+- The installation options already in the previous release but whose values have been modified in the new release.
+- The new installation options added in the new release.
+- The installation options removed from the new release.
+
+<!-- Run python scripts/tablegen.py to generate this table -->
+
+<!-- AUTO-GENERATED-START -->
+
+## Modified configuration options
+
+### Modified `kiali` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `kiali.hub` | `docker.io/kiali` | `quay.io/kiali` |  |  |
+| `kiali.tag` | `v0.14` | `v0.20` |  |  |
+
+### Modified `prometheus` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `prometheus.tag` | `v2.3.1` | `v2.8.0` |  |  |
+
+### Modified `global` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `global.tag` | `release-1.1-latest-daily` | `1.2.0-rc.3` | `Default tag for Istio images.`  | `Default tag for Istio images.` |
+| `global.proxy.resources.limits.memory` | `128Mi` | `1024Mi` |  |  |
+| `global.proxy.dnsRefreshRate` | `5s` | `300s` | `Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS 5 seconds is the default refresh rate used by Envoy`  | `Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS This must be given it terms of seconds. For example, 300s is valid but 5m is invalid.` |
+
+### Modified `mixer` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `mixer.adapters.useAdapterCRDs` | `true` | `false` | `Setting this to false sets the useAdapterCRDs mixer startup argument to false`  | `Setting this to false sets the useAdapterCRDs mixer startup argument to false` |
+
+### Modified `grafana` key/value pairs
+
+| Key | Old Default Value | New Default Value | Old Description | New Description |
+| --- | --- | --- | --- | --- |
+| `grafana.image.tag` | `5.4.0` | `6.1.6` |  |  |
+
+## New configuration options
+
+### New `tracing` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `tracing.podAntiAffinityLabelSelector` | `[]` |  |
+| `tracing.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+### New `sidecarInjectorWebhook` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `sidecarInjectorWebhook.podAntiAffinityLabelSelector` | `[]` |  |
+| `sidecarInjectorWebhook.podAntiAffinityTermLabelSelector` | `[]` |  |
+| `sidecarInjectorWebhook.neverInjectSelector` | `[]` | `You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or always skip the injection on pods that match that label selector, regardless of the global policy. See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/more-control-adding-exceptions` |
+| `sidecarInjectorWebhook.alwaysInjectSelector` | `[]` |  |
+
+### New `global` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `global.logging.level` | `"default:info"` |  |
+| `global.proxy.logLevel` | `""` | `Log level for proxy, applies to gateways and sidecars.  If left empty, "warning" is used. Expected values are: trace\|debug\|info\|warning\|error\|critical\|off` |
+| `global.proxy.componentLogLevel` | `""` | `Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.` |
+| `global.proxy.excludeOutboundPorts` | `""` |  |
+| `global.tracer.datadog.address` | `"$(HOST_IP):8126"` |  |
+| `global.imagePullSecrets` | `[]` | `Lists the secrets you need to use to pull Istio images from a secure registry.` |
+| `global.localityLbSetting` | `{}` |  |
+
+### New `galley` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `galley.nodeSelector` | `{}` |  |
+| `galley.tolerations` | `[]` |  |
+| `galley.podAntiAffinityLabelSelector` | `[]` |  |
+| `galley.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+### New `mixer` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `mixer.tolerations` | `[]` |  |
+| `mixer.podAntiAffinityLabelSelector` | `[]` |  |
+| `mixer.podAntiAffinityTermLabelSelector` | `[]` |  |
+| `mixer.templates.useTemplateCRDs` | `false` |  |
+
+### New `grafana` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `grafana.tolerations` | `[]` |  |
+| `grafana.podAntiAffinityLabelSelector` | `[]` |  |
+| `grafana.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+### New `prometheus` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `prometheus.tolerations` | `[]` |  |
+| `prometheus.podAntiAffinityLabelSelector` | `[]` |  |
+| `prometheus.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+### New `gateways` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `gateways.istio-ingressgateway.sds.resources.requests.cpu` | `100m` |  |
+| `gateways.istio-ingressgateway.sds.resources.requests.memory` | `128Mi` |  |
+| `gateways.istio-ingressgateway.sds.resources.limits.cpu` | `2000m` |  |
+| `gateways.istio-ingressgateway.sds.resources.limits.memory` | `1024Mi` |  |
+| `gateways.istio-ingressgateway.resources.requests.cpu` | `100m` |  |
+| `gateways.istio-ingressgateway.resources.requests.memory` | `128Mi` |  |
+| `gateways.istio-ingressgateway.resources.limits.cpu` | `2000m` |  |
+| `gateways.istio-ingressgateway.resources.limits.memory` | `1024Mi` |  |
+| `gateways.istio-ingressgateway.applicationPorts` | `""` |  |
+| `gateways.istio-ingressgateway.tolerations` | `[]` |  |
+| `gateways.istio-ingressgateway.podAntiAffinityLabelSelector` | `[]` |  |
+| `gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector` | `[]` |  |
+| `gateways.istio-egressgateway.resources.requests.cpu` | `100m` |  |
+| `gateways.istio-egressgateway.resources.requests.memory` | `128Mi` |  |
+| `gateways.istio-egressgateway.resources.limits.cpu` | `2000m` |  |
+| `gateways.istio-egressgateway.resources.limits.memory` | `256Mi` |  |
+| `gateways.istio-egressgateway.tolerations` | `[]` |  |
+| `gateways.istio-egressgateway.podAntiAffinityLabelSelector` | `[]` |  |
+| `gateways.istio-egressgateway.podAntiAffinityTermLabelSelector` | `[]` |  |
+| `gateways.istio-ilbgateway.tolerations` | `[]` |  |
+
+### New `certmanager` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `certmanager.replicaCount` | `1` |  |
+| `certmanager.nodeSelector` | `{}` |  |
+| `certmanager.tolerations` | `[]` |  |
+| `certmanager.podAntiAffinityLabelSelector` | `[]` |  |
+| `certmanager.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+### New `kiali` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `kiali.podAntiAffinityLabelSelector` | `[]` |  |
+| `kiali.podAntiAffinityTermLabelSelector` | `[]` |  |
+| `kiali.dashboard.viewOnlyMode` | `false` | `Bind the service account to a role with only read access` |
+
+### New `istiocoredns` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `istiocoredns.tolerations` | `[]` |  |
+| `istiocoredns.podAntiAffinityLabelSelector` | `[]` |  |
+| `istiocoredns.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+### New `security` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `security.tolerations` | `[]` |  |
+| `security.citadelHealthCheck` | `false` |  |
+| `security.podAntiAffinityLabelSelector` | `[]` |  |
+| `security.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+### New `nodeagent` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `nodeagent.tolerations` | `[]` |  |
+| `nodeagent.podAntiAffinityLabelSelector` | `[]` |  |
+| `nodeagent.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+### New `pilot` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `pilot.tolerations` | `[]` |  |
+| `pilot.podAntiAffinityLabelSelector` | `[]` |  |
+| `pilot.podAntiAffinityTermLabelSelector` | `[]` |  |
+
+## Removed configuration options
+
+### Removed `kiali` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `kiali.dashboard.usernameKey` | `username` | `This is the key name within the secret whose value is the actual username.`  |
+| `kiali.dashboard.passphraseKey` | `passphrase` | `This is the key name within the secret whose value is the actual passphrase.`  |
+
+### Removed `security` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `security.replicaCount` | `1` |  |
+
+### Removed `gateways` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `gateways.istio-ingressgateway.resources` | `{}` |  |
+
+### Removed `mixer` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `mixer.enabled` | `true` |  |
+
+### Removed `servicegraph` key/value pairs
+
+| Key | Default Value | Description |
+| --- | --- | --- |
+| `servicegraph.ingress.enabled` | `false` |  |
+| `servicegraph.service.name` | `http` |  |
+| `servicegraph.replicaCount` | `1` |  |
+| `servicegraph.service.type` | `ClusterIP` |  |
+| `servicegraph.service.annotations` | `{}` |  |
+| `servicegraph.enabled` | `false` |  |
+| `servicegraph.image` | `servicegraph` |  |
+| `servicegraph.service.externalPort` | `8088` |  |
+| `servicegraph.ingress.hosts` | `servicegraph.local` | `Used to create an Ingress record.`  |
+| `servicegraph.nodeSelector` | `{}` |  |
+| `servicegraph.prometheusAddr` | `http://prometheus:9090` |  |
+
+<!-- AUTO-GENERATED-END -->
--- a/content/en/news/2019/announcing-1.2/upgrade-notes/index.md
+++ b/content/en/news/2019/announcing-1.2/upgrade-notes/index.md
@ -0,0 +1,42 @@
+---
+title: Upgrade Notes
+description: Important changes operators must understand before upgrading to Istio 1.2.
+weight: 20
+---
+
+This page describes changes you need to be aware of when upgrading from
+Istio 1.1 to 1.2.  Here, we detail cases where we intentionally broke backwards
+compatibility.  We also mention cases where backwards compatibility was
+preserved but new behavior was introduced that would be surprising to someone
+familiar with the use and operation of Istio 1.1.
+
+For an overview of new features introduced with Istio 1.2, please refer
+to the [1.2 release notes](/news/2019/announcing-1.2/change-notes).
+
+## Installation and Upgrade
+
+{{< tip >}}
+The configuration model for Mixer has been simplified. Support for
+adapter-specific and template-specific Custom Resources has been
+removed by default in 1.2 and will be removed entirely in 1.3.
+Please move to the new configuration model.
+{{< /tip >}}
+
+Most Mixer CRDs were removed from the system to simplify the configuration
+model, improve performance of Mixer when used with Kubernetes, and improve
+reliability in a variety of Kubernetes environments.
+
+The following CRDs remain:
+
+| Custom Resource Definition name | Purpose |
+| --- | --- |
+| `adapter`| Specification of Istio extension declarations |
+| `attributemanifest` | Specification of Istio extension declarations |
+| `template` | Specification of Istio extension declarations |
+| `handler` | Specification of extension invocations |
+| `rule` | Specification of extension invocations |
+| `instance` | Specification of extension invocations |
+
+In the event you are using the removed mixer configuration schemas, set
+the following Helm flags during upgrade of the main Helm chart:
+`--set mixer.templates.useTemplateCRDs=true --set mixer.adapters.useAdapterCRDs=true`
--- a/content/en/news/2019/announcing-1.3/_index.md
+++ b/content/en/news/2019/announcing-1.3/_index.md
@ -0,0 +1,72 @@
+---
+title: Announcing Istio 1.3
+subtitle: Major Update
+description: Istio 1.3 release announcement.
+publishdate: 2019-09-12
+attribution: The Istio Team
+release: 1.3.0
+aliases:
+    - /blog/2019/announcing-1.3
+skip_list: true
+---
+
+We are pleased to announce the release of Istio 1.3!
+
+{{< relnote >}}
+
+The theme of Istio 1.3 is User Experience:
+
+- Improve the experience of new users adopting Istio
+- Improve the experience of users debugging problems
+- Support more applications without any additional configuration
+
+Every few releases, the Istio team delivers dramatic improvements to usability, APIs, and the overall system performance. Istio 1.3 is one such release, and the team is very excited to roll out some key updates.
+
+## Intelligent protocol detection (experimental)
+
+To take advantage of Istio's routing features, service ports must use a special port naming format to explicitly declare the protocol. This requirement can cause problems for users that do not name their ports when they add their applications to the mesh. Starting with 1.3, the protocol for outbound traffic is automatically detected as HTTP or TCP when the ports are not named according to Istio's conventions. We will be polishing this feature in the upcoming releases with support for protocol sniffing on inbound traffic as well as identifying protocols other than HTTP.
+
+## Mixer-less telemetry (experimental)
+
+Yes, you read that right! We implemented most of the common security policies, such as RBAC, directly into Envoy. We previously turned off the `istio-policy` service by default and are now on track to migrate most of Mixer's telemetry functionality into Envoy as well. In this release, we have enhanced the Istio proxy to emit HTTP metrics directly to Prometheus, without requiring the `istio-telemetry` service to enrich the information. This enhancement is great if all you care about is telemetry for HTTP services. Follow the [Mixer-less HTTP telemetry instructions](https://github.com/istio/istio/wiki/Mixerless-HTTP-Telemetry) to experiment with this feature. We are polishing this feature in the coming months to add telemetry support for TCP services when you enable Istio mutual TLS.
+
+## Container ports are no longer required
+
+Previous releases required that pods explicitly declare the Kubernetes `containerPort` for each container as a security measure against trampolining traffic. Istio 1.3 has a secure and simpler way of handling all inbound traffic on any port into a {{< gloss >}}workload instance{{< /gloss >}} without requiring the `containerPort` declarations. We have also completely eliminated the infinite loops caused in the IP tables rules when workload instances send traffic to themselves.
+
+## Fully customize generated Envoy configuration
+
+While Istio 1.3 focuses on usability, expert users can use advanced features in Envoy that are not part of the Istio Networking APIs. We enhanced the `EnvoyFilter` API to allow users to fully customize:
+
+- The HTTP/TCP listeners and their filter chains returned by LDS
+- The Envoy HTTP route configuration returned by the RDS
+- The set of clusters returned by CDS
+
+You get the best of both worlds:
+
+Leverage Istio to integrate with Kubernetes and handle large fleets of Envoys in an efficient manner, while you still can customize the generated Envoy configuration to meet specific requirements within your infrastructure.
+
+## Other enhancements
+
+- `istioctl` gained many debugging features to help you highlight various issues in your mesh installation. Checkout the `istioctl` [reference page](/docs/reference/commands/istioctl/) for the set of all supported features.
+
+- Locality aware load balancing graduated from experimental to default in this release too. Istio now takes advantage of existing locality information to prioritize load balancing pools and favor sending requests to the closest backends.
+
+- Better support for headless services with Istio mutual TLS
+
+- We enhanced control plane monitoring in the following ways:
+
+    - Added new metrics to monitor configuration state
+    - Added metrics for sidecar injector
+    - Added a new Grafana dashboard for Citadel
+    - Improved the Pilot dashboard to expose additional key metrics
+
+- Added the new [Istio Deployment Models concept](/docs/concepts/deployment-models/) to help you decide what deployment model suits your needs.
+
+- Organized the content in of our [Operations Guide](/docs/ops/) and created a [section with all troubleshooting tasks](/docs/ops/troubleshooting) to help you find the information you seek faster.
+
+As always, there is a lot happening in the [Community Meeting](https://github.com/istio/community#community-meeting); join us every other Thursday at 11 AM Pacific.
+
+The growth and success of Istio is due to its 400+ contributors from over 300 companies. Join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help us make Istio even better.
+
+To join the conversation, go to [discuss.istio.io](https://discuss.istio.io), log in with your GitHub credentials and join us!
--- a/content/en/news/2019/announcing-1.3/change-notes/index.md
+++ b/content/en/news/2019/announcing-1.3/change-notes/index.md
@ -1,83 +1,16 @@
 ---
-title: Announcing Istio 1.3
-subtitle: Major Update
-description: Istio 1.3 release announcement.
-publishdate: 2019-09-12
-attribution: The Istio Team
-release: 1.3.0
+title: Change Notes
+description: Istio 1.3 release notes.
+weight: 10
 aliases:
    - /about/notes/1.3
-    - /blog/2019/announcing-1.3
 ---

-We are pleased to announce the release of Istio 1.3!
-
-{{< relnote >}}
-
-The theme of Istio 1.3 is User Experience:
-
- Improve the experience of new users adopting Istio
- Improve the experience of users debugging problems
- Support more applications without any additional configuration
-
-Every few releases, the Istio team delivers dramatic improvements to usability, APIs, and the overall system performance. Istio 1.3 is one such release, and the team is very excited to roll out some key updates.
-
-## Intelligent protocol detection (experimental)
-
-To take advantage of Istio's routing features, service ports must use a special port naming format to explicitly declare the protocol. This requirement can cause problems for users that do not name their ports when they add their applications to the mesh. Starting with 1.3, the protocol for outbound traffic is automatically detected as HTTP or TCP when the ports are not named according to Istio's conventions. We will be polishing this feature in the upcoming releases with support for protocol sniffing on inbound traffic as well as identifying protocols other than HTTP.
-
-## Mixer-less telemetry (experimental)
-
-Yes, you read that right! We implemented most of the common security policies, such as RBAC, directly into Envoy. We previously turned off the `istio-policy` service by default and are now on track to migrate most of Mixer's telemetry functionality into Envoy as well. In this release, we have enhanced the Istio proxy to emit HTTP metrics directly to Prometheus, without requiring the `istio-telemetry` service to enrich the information. This enhancement is great if all you care about is telemetry for HTTP services. Follow the [Mixer-less HTTP telemetry instructions](https://github.com/istio/istio/wiki/Mixerless-HTTP-Telemetry) to experiment with this feature. We are polishing this feature in the coming months to add telemetry support for TCP services when you enable Istio mutual TLS.
-
-## Container ports are no longer required
-
-Previous releases required that pods explicitly declare the Kubernetes `containerPort` for each container as a security measure against trampolining traffic. Istio 1.3 has a secure and simpler way of handling all inbound traffic on any port into a {{< gloss >}}workload instance{{< /gloss >}} without requiring the `containerPort` declarations. We have also completely eliminated the infinite loops caused in the IP tables rules when workload instances send traffic to themselves.
-
-## Fully customize generated Envoy configuration
-
-While Istio 1.3 focuses on usability, expert users can use advanced features in Envoy that are not part of the Istio Networking APIs. We enhanced the `EnvoyFilter` API to allow users to fully customize:
-
- The HTTP/TCP listeners and their filter chains returned by LDS
- The Envoy HTTP route configuration returned by the RDS
- The set of clusters returned by CDS
-
-You get the best of both worlds:
-
-Leverage Istio to integrate with Kubernetes and handle large fleets of Envoys in an efficient manner, while you still can customize the generated Envoy configuration to meet specific requirements within your infrastructure.
-
-## Other enhancements
-
- `istioctl` gained many debugging features to help you highlight various issues in your mesh installation. Checkout the `istioctl` [reference page](/docs/reference/commands/istioctl/) for the set of all supported features.
-
- Locality aware load balancing graduated from experimental to default in this release too. Istio now takes advantage of existing locality information to prioritize load balancing pools and favor sending requests to the closest backends.
-
- Better support for headless services with Istio mutual TLS
-
- We enhanced control plane monitoring in the following ways:
-
-    - Added new metrics to monitor configuration state
-    - Added metrics for sidecar injector
-    - Added a new Grafana dashboard for Citadel
-    - Improved the Pilot dashboard to expose additional key metrics
-
- Added the new [Istio Deployment Models concept](/docs/concepts/deployment-models/) to help you decide what deployment model suits your needs.
-
- Organized the content in of our [Operations Guide](/docs/ops/) and created a [section with all troubleshooting tasks](/docs/ops/troubleshooting) to help you find the information you seek faster.
-
-As always, there is a lot happening in the [Community Meeting](https://github.com/istio/community#community-meeting); join us every other Thursday at 11 AM Pacific.
-
-The growth and success of Istio is due to its 400+ contributors from over 300 companies. Join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help us make Istio even better.
-
-To join the conversation, go to [discuss.istio.io](https://discuss.istio.io), log in with your GitHub credentials and join us!
-
-## Release notes
-
-### Installation
+## Installation

 - **Added** experimental [manifest and profile commands](/docs/setup/install/operator/) to install and manage the Istio control plane for evaluation.

-### Traffic management
+## Traffic management

 - **Added** [automatic protocol determination](/docs/ops/traffic-management/protocol-selection/) of HTTP or TCP for outbound traffic when ports are not named according to Istio’s [conventions](/docs/setup/additional-setup/requirements/).
 - **Added** a mode to the Gateway API for mutual TLS operation.
@ -91,7 +24,7 @@ To join the conversation, go to [discuss.istio.io](https://discuss.istio.io), lo
 - **Improved** the `ServiceEntry` API to allow for the same hostname in different namespaces.
 - **Improved** the [Sidecar API](/docs/reference/config/networking/v1alpha3/sidecar/#OutboundTrafficPolicy) to customize the `OutboundTrafficPolicy` policy.

-### Security
+## Security

 - **Added** trust domain validation for services using mutual TLS. By default, the server only authenticates the requests from the same trust domain.
 - **Added** [labels](/docs/concepts/security/#how-citadel-determines-whether-to-create-service-account-secrets) to control service account secret generation by namespace.
@ -106,7 +39,7 @@ To join the conversation, go to [discuss.istio.io](https://discuss.istio.io), lo
 - **Removed** integration with Vault CA temporarily. SDS requirements caused the temporary removal but we will reintroduce Vault CA integration in a future release.
 - **Enabled** the Envoy JWT filter by default to improve security and reliability.

-### Telemetry
+## Telemetry

 - **Added** Access Log Service [ALS](https://www.envoyproxy.io/docs/envoy/latest/api-v2/service/accesslog/v2/als.proto#grpc-access-log-service-als) support for Envoy gRPC.
 - **Added** a Grafana dashboard for Citadel monitoring.
@ -123,16 +56,16 @@ To join the conversation, go to [discuss.istio.io](https://discuss.istio.io), lo
 - **Removed** deprecated `Adapter` and `Template` custom resource definitions (CRDs).
 - **Deprecated** the HTTP API spec used to produce API attributes. We will remove support for producing API attributes in Istio 1.4.

-### Policy
+## Policy

 - **Improved** rate limit enforcement to allow communication when the quota backend is unavailable.

-### Configuration management
+## Configuration management

 - **Fixed** Galley to stop too many gRPC pings from closing connections.
 - **Improved** Galley to avoid control plane upgrade failures.

-### `istioctl`
+## `istioctl`

 - **Added** [`istioctl experimental manifest`](/docs/reference/commands/istioctl/#istioctl-experimental-manifest) to manage the new experimental install manifests.
 - **Added** [`istioctl experimental profile`](/docs/reference/commands/istioctl/#istioctl-experimental-profile) to manage the new experimental install profiles.
@ -143,7 +76,7 @@ To join the conversation, go to [discuss.istio.io](https://discuss.istio.io), lo
 - **Promoted** the [`istioctl experimental convert-ingress`](/docs/reference/commands/istioctl/#istioctl-convert-ingress) command to `istioctl convert-ingress`.
 - **Promoted** the [`istioctl experimental dashboard`](/docs/reference/commands/istioctl/#istioctl-dashboard) command to `istioctl dashboard`.

-### Other
+## Miscellaneous

 - **Added** new images based on [distroless](/docs/ops/security/harden-docker-images/) base images.
 - **Improved** the Istio CNI Helm chart to have consistent versions with Istio.
--- a/content/en/docs/reference/config/installation-options-changes/index.md
+++ b/content/en/docs/reference/config/installation-options-changes/index.md
@ -1,11 +1,13 @@
 ---
-title: Installation Options Changes
-description: Details the Helm chart installation options differences between release-1.2 and release-1.3.
+title: Helm Changes
+description: Details the Helm chart installation options differences between Istio 1.2 and Istio 1.3.
 weight: 30
 keywords: [kubernetes, helm, install, options]
+aliases:
+    - /docs/reference/config/installation-options-changes
 ---

-The tables below show changes made to the installation options used to customize Istio install using Helm between release 1.2 and release 1.3. The tables are grouped in to three different categories:
+The tables below show changes made to the installation options used to customize Istio install using Helm between Istio 1.2 and Istio 1.3. The tables are grouped in to three different categories:

 - The installation options already in the previous release but whose values have been modified in the new release.
 - The new installation options added in the new release.
--- a/content/en/news/2019/announcing-1.3/upgrade-notes/index.md
+++ b/content/en/news/2019/announcing-1.3/upgrade-notes/index.md
@ -1,9 +1,10 @@
 ---
-title: 1.3 Upgrade Notice
+title: Upgrade Notes
 description: Important changes to consider when upgrading to Istio 1.3.
-weight: 5
+weight: 20
 aliases:
    - /docs/setup/kubernetes/upgrade/notice/
+    - /docs/setup/upgrade/notice
 ---

 This page describes changes you need to be aware of when upgrading from
@ -12,9 +13,6 @@ compatibility.  We also mention cases where backwards compatibility was
 preserved but new behavior was introduced that would be surprising to someone
 familiar with the use and operation of Istio 1.2.

-For an overview of new features introduced with Istio 1.3, please refer
-to the [1.3 release notes](/news/2019/announcing-1.3/).
-
 ## Installation and upgrade

 We simplified the configuration model for Mixer and removed support for
--- a/content/en/news/2019/announcing-1.4/_index.md
+++ b/content/en/news/2019/announcing-1.4/_index.md
@ -0,0 +1,13 @@
+---
+title: Announcing Istio 1.4
+subtitle: Major Update
+description: Istio 1.4 release announcement.
+publishdate: 2019-11-12
+attribution: The Istio Team
+release: 1.4.0
+skip_list: true
+---
+
+We are pleased to announce the release of Istio 1.4!
+
+{{< relnote >}}
--- a/content/en/news/2019/announcing-1.4/change-notes/index.md
+++ b/content/en/news/2019/announcing-1.4/change-notes/index.md
@ -0,0 +1,7 @@
+---
+title: Change Notes
+description: Istio 1.4 release notes.
+weight: 10
+---
+
+TBD
--- a/content/en/news/2019/announcing-1.4/helm-changes/index.md
+++ b/content/en/news/2019/announcing-1.4/helm-changes/index.md
@ -0,0 +1,8 @@
+---
+title: Helm Changes
+description: Details the Helm chart installation options differences between Istio 1.3 and Istio 1.4.
+weight: 30
+keywords: [kubernetes, helm, install, options]
+---
+
+TBD
--- a/content/en/news/2019/announcing-1.4/upgrade-notes/index.md
+++ b/content/en/news/2019/announcing-1.4/upgrade-notes/index.md
@ -0,0 +1,11 @@
+---
+title: Upgrade Notes
+description: Important changes to consider when upgrading to Istio 1.4.
+weight: 20
+---
+
+This page describes changes you need to be aware of when upgrading from
+Istio 1.3 to 1.4.  Here, we detail cases where we intentionally broke backwards
+compatibility.  We also mention cases where backwards compatibility was
+preserved but new behavior was introduced that would be surprising to someone
+familiar with the use and operation of Istio 1.3.
--- a/content/en/news/2019/istio-security-2019-005/index.md
+++ b/content/en/news/2019/istio-security-2019-005/index.md
@ -28,9 +28,9 @@ Both Istio gateways and sidecars are vulnerable to this issue. If you are runnin

 ## Mitigation

-* For Istio 1.1.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/steps/#sidecar-upgrade) to a minimum version of [Istio 1.1.16](/news/2019/announcing-1.1.16).
-* For Istio 1.2.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/steps/#sidecar-upgrade) to a minimum version of [Istio 1.2.7](/news/2019/announcing-1.2.7).
-* For Istio 1.3.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/steps/#sidecar-upgrade) to a minimum version of [Istio 1.3.2](/news/2019/announcing-1.3.2).
+* For Istio 1.1.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/#sidecar-upgrade) to a minimum version of [Istio 1.1.16](/news/2019/announcing-1.1.16).
+* For Istio 1.2.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/#sidecar-upgrade) to a minimum version of [Istio 1.2.7](/news/2019/announcing-1.2.7).
+* For Istio 1.3.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/#sidecar-upgrade) to a minimum version of [Istio 1.3.2](/news/2019/announcing-1.3.2).

 We'd like to remind our community to follow the [vulnerability reporting process](/about/security-vulnerabilities/) to report any bug that can result in a security vulnerability.

--- a/content/zh/docs/setup/kubernetes/_index.md
+++ b/content/zh/docs/setup/kubernetes/_index.md
@ -4,7 +4,7 @@ description: 关于如何在 Kubernetes 集群中安装 Istio 控制平面和添
 weight: 10
 icon: kubernetes
 keywords: [kubernetes,install,quick-start,setup,installation]
-content_above: true
+list_below: true
 ---

 {{< tip >}}
--- a/data/args.yml
+++ b/data/args.yml
@ -3,6 +3,7 @@ version: "1.4"

 # The full Istio version identifier the docs describe
 full_version: "1.4.0"
+full_version_release_year: 2019

 # The previous Istio version identifier the docs describe, used for upgrade documentation
 previous_version: "1.3"
--- a/i18n/en.toml
+++ b/i18n/en.toml
@ -98,13 +98,13 @@ other = "%d words"
 other = "%v minute read"

 [relnote_download]
-other = "DOWNLOAD %s"
+other = "Download Istio %s"

 [relnote_changes]
-other = "CHANGES IN %s"
+other = "See what's changed in the source code for Istio %s"

 [relnote_docs]
-other = "%s DOCS"
+other = "Visit the %s documentation"

 [relnote_update_advice]
 other = "Before you download %s, you should know that there's a newer patch release with the latest bug fixes and perf improvements."
--- a/layouts/_default/list.html
+++ b/layouts/_default/list.html
@ -4,41 +4,51 @@

 {{ partial "primary_top.html" . }}

-<p>{{ .Description }}</p>
-
-{{ if .Params.content_above }}
-{{ .Content }}
+{{ if not .Params.skip_list }}
+    <p>{{ .Description }}</p>
 {{ end }}

-<div class="section-index">
-    {{ $pages := (where .Site.Pages "Section" .Section).ByWeight }}
-    {{ $parent := .Page }}
+{{ if .Params.list_below }}
+    {{ .Content }}
+{{ end }}

-    {{ if $parent.Params.simple_list }}
-        <ul>
+{{ if not .Params.skip_list }}
+    <div class="section-index">
+        {{ $pages := (where .Site.Pages "Section" .Section) }}
+
+        {{ if .Params.list_by_publishdate }}
+            {{ $pages = sort $pages ".Params.publishdate" "desc" }}
+        {{ end }}
+
+        {{ $parent := .Page }}
+
+        {{ if $parent.Params.simple_list }}
+            <ul>
+                {{ range $pages }}
+                    {{ if eq .Parent $parent }}
+                        <li><a href="{{ .Permalink }}">{{- .Title -}}</a></li>
+                    {{ end }}
+                {{ end }}
+            </ul>
+        {{ else }}
            {{ range $pages }}
                {{ if eq .Parent $parent }}
-                    <li><a href="{{ .Permalink }}">{{- .Title -}}</a></li>
+                    <div class="entry">
+                        <h5>
+                            <a href="{{ .Permalink }}">
+                                {{- if .Params.icon -}}<i class="page-icon">{{- partial "icon.html" .Params.icon -}}</i>{{- end -}}{{- .Title -}}
+                            </a>
+                        </h5>
+                        <p>{{ .Description }}</p>
+                    </div>
                {{ end }}
            {{ end }}
-        </ul>
-    {{ else }}
-        {{ range $pages }}
-            {{ if eq .Parent $parent }}
-                <div class="entry">
-                    <h5>
-                        <a href="{{ .Permalink }}">{{- if .Params.icon -}}<i class="page-icon">
-                                {{- partial "icon.html" .Params.icon -}}</i>{{- end -}}{{- .Title -}}</a>
-                    </h5>
-                    <p>{{ .Description }}</p>
-                </div>
-            {{ end }}
        {{ end }}
-    {{ end }}
-</div>
+    </div>
+{{ end }}

-{{ if not .Params.content_above }}
-{{ .Content }}
+{{ if not .Params.list_below }}
+    {{ .Content }}
 {{ end }}

 {{ partial "primary_bottom.html" . }}
--- a/layouts/partials/sidebar_level.html
+++ b/layouts/partials/sidebar_level.html
@ -5,6 +5,12 @@
 {{ $top := .top }}
 {{ $labelledby := .labelledby }}

+{{ if $parent.Params.list_by_publishdate }}
+    {{ $pages = sort $pages ".Params.publishdate" "desc" }}
+{{ else }}
+    {{ $pages = sort $pages ".Params.weight" "asc" }}
+{{ end }}
+
 {{ $leafSection := true }}
 {{ range $pages }}
    {{ if eq .Parent $parent }}
--- a/layouts/shortcodes/istio_full_version_release_year.html
+++ b/layouts/shortcodes/istio_full_version_release_year.html
@ -0,0 +1 @@
+{{ .Site.Data.args.full_version_release_year }}
--- a/layouts/shortcodes/relnote.html
+++ b/layouts/shortcodes/relnote.html
@ -57,38 +57,87 @@
    {{ $release_location = "main" }}
 {{ end }}

-<div class="call-to-action">
-    {{ if eq $release_location "preliminary" }}
-        <span class="btn">{{ printf (i18n "relnote_download") $release_name }}</span>
-        <span class="btn">{{ printf (i18n "relnote_docs") $release_name }}</span>
+<div class="relnote-actions call-to-action">
+    {{ $change_notes := .Page.GetPage "./change-notes" }}
+    {{ if $change_notes }}
+        <a class="entry" href="./change-notes">
+            <h5>CHANGE NOTES</h5>
+            <p>Get a detailed list of what's changed.</p>
+        </a>
+    {{ end }}

-        {{ if $patch }}
-            <span class="btn">{{ printf (i18n "relnote_changes") $release_name }}</span>
+    {{ $upgrade_notes := .Page.GetPage "./upgrade-notes" }}
+    {{ if not $upgrade_notes }}
+        {{ $base_version := printf "%v.%v.0" $page_version $page_revision }}
+        {{ range $page := .Site.Pages }}
+            {{ $release := $page.Params.release }}
+            {{ if eq $release $base_version }}
+                {{ $path := printf "/%supgrade-notes" $page.Dir }}
+                {{ $upgrade_notes = .Page.GetPage $path }}
+            {{ end }}
        {{ end }}
+    {{ end }}
+
+    {{ if $upgrade_notes }}
+        <a class="entry" href="{{ $upgrade_notes.Permalink }}">
+            <h5>BEFORE YOU UPGRADE</h5>
+            <p>Things to know and prepare before upgrading.</p>
+        </a>
+    {{ end }}
+
+    {{ if eq $release_location "preliminary" }}
+        <div class="entry">
+            <h5>DOWNLOAD</h5>
+            <p>Download and install this release.</p>
+        </div>
    {{ else }}
        {{ if ne $latest_full_version $full_version }}
            {{ .Page.Scratch.Set "needPopper" true }}
-            <button class="btn update-notice"
-                    data-title='{{ i18n "relnote_update_notice" }}'
-                    data-downloadhref="https://github.com/istio/istio/releases/tag/{{ $full_version }}"
-                    data-updateadvice='{{ printf (i18n "relnote_update_advice") $release_name }}'
-                    data-updatebutton='{{ printf (i18n "relnote_update_button") $latest_full_version }}'
-                    data-updatehref="{{ $latest_patch_url }}">
-                {{ printf (i18n "relnote_download") $release_name }}
-            </button>
+            <a class="update-notice entry"
+                data-title='{{ i18n "relnote_update_notice" }}'
+                data-downloadhref="https://github.com/istio/istio/releases/tag/{{ $full_version }}"
+                data-downloadbuttontext="DOWNLOAD {{ $full_version }}"
+                data-updateadvice='{{ printf (i18n "relnote_update_advice") $release_name }}'
+                data-updatebutton='{{ printf (i18n "relnote_update_button") $latest_full_version }}'
+                data-updatehref="{{ $latest_patch_url }}">
+                <h5>DOWNLOAD</h5>
+                <p>Download and install this release.</p>
+            </a>
        {{ else }}
-            <a class="btn" href="https://github.com/istio/istio/releases/tag/{{ $full_version }}">{{ printf (i18n "relnote_download") $release_name }}</a>
-        {{ end }}
-
-        {{ if eq $release_location "archive" }}
-            <a class="btn" href="https://archive.istio.io/v{{ $version }}">{{ printf (i18n "relnote_docs") $release_name }}</a>
-        {{ else }}
-            <a class="btn" href="https://istio.io{{ $lang }}/docs">{{ printf (i18n "relnote_docs") $release_name }}</a>
-        {{ end }}
-
-        {{ if $patch }}
-            {{ $old_full_version := printf "%v.%d" $version (sub $patch 1) }}
-            <a class="btn" href="https://github.com/istio/istio/compare/{{ $old_full_version }}...{{ $full_version }}">{{ printf (i18n "relnote_changes") $release_name }}</a>
+            <a class="entry" href="https://github.com/istio/istio/releases/tag/{{ $full_version }}">
+                <h5>DOWNLOAD</h5>
+                <p>Download and install this release.</p>
+            </a>
        {{ end }}
    {{ end }}
+
+    {{ $doc_link := printf "https://istio.io%s/docs" $lang }}
+    {{ if eq $release_location "archive" }}
+        {{ $doc_link = printf "https://archive.istio.io/v%s" $version }}
+    {{ else if eq $release_location "preliminary" }}
+        {{ $doc_link := printf "https://preliminry.istio.io%s/docs" $lang }}
+    {{ end }}
+
+    <a class="entry" href="{{ $doc_link }}">
+        <h5>DOCS</h5>
+        <p>Visit the documentation for this release.</p>
+    </a>
+
+    {{ $helm_changes := .Page.GetPage "./helm-changes" }}
+    {{ if $helm_changes }}
+        <a class="entry" href="./helm-changes">
+            <h5>HELM CHANGES</h5>
+            <p>Learn about changes in our Helm installation options.</p>
+        </a>
+    {{ end }}
+
+    {{ if $patch }}
+        {{ $old_full_version := printf "%v.%d" $version (sub $patch 1) }}
+        {{ $delta_link := printf "https://github.com/istio/istio/compare/%s...%s" $old_full_version $full_version }}
+
+        <a class="entry" href="{{ $delta_link }}">
+            <h5>SOURCE CHANGES</h5>
+            <p>Inspect the full set of source code changes.</p>
+        </a>
+    {{ end }}
 </div>
--- a/src/sass/_all.scss
+++ b/src/sass/_all.scss
@ -35,6 +35,7 @@
@import "misc/popover";
@import "misc/primary";
@import "misc/promotion";
+@import "misc/relnote-actions";
@import "misc/search-results";
@import "misc/section-index";
@import "misc/see-also";
--- a/src/sass/misc/_call-to-action.scss
+++ b/src/sass/misc/_call-to-action.scss
@ -27,23 +27,4 @@
            text-decoration: underline;
        }
    }
-
-    span.btn {
-        cursor: not-allowed;
-
-        &:hover {
-            background-color: $secondBrandColor;
-            color: $textBrandColor;
-        }
-
-        &:active {
-            background-color: $secondBrandColor;
-            color: $textBrandColor;
-        }
-
-        &:focus {
-            background-color: $secondBrandColor;
-            color: $textBrandColor;
-        }
-    }
 }
--- a/src/sass/misc/_relnote-actions.scss
+++ b/src/sass/misc/_relnote-actions.scss
@ -0,0 +1,75 @@
+.relnote-actions {
+    display: grid;
+    grid-template-columns: [entry] 1fr;
+
+    @media (min-width: $bp-sm) {
+        grid-template-columns: [entry] 1fr [entry] 1fr;
+        padding-left: 1rem;
+        padding-right: 1rem;
+    }
+
+    @media (min-width: $bp-xl) {
+        grid-template-columns: [entry] 1fr [entry] 1fr [entry] 1fr;
+        padding-left: 2rem;
+        padding-right: 2rem;
+    }
+
+    a {
+        color: $textColor;
+        text-decoration: none;
+
+        &:hover {
+            color: $textColor;
+            text-decoration: none;
+        }
+    }
+
+    .entry {
+        padding: 1rem;
+        border: $tabsetBorderColor 1px dashed;
+        display: block;
+
+        @media (min-width: $bp-md) {
+            padding: 1rem 4rem;
+        }
+
+        &:hover {
+            background-color: $mainBrandColor;
+            cursor: pointer;
+        }
+
+        &:active {
+            background-color: $buttonActiveColor;
+        }
+
+        &:focus {
+            background-color: $textBrandColor;
+        }
+    }
+
+    div.entry {
+        cursor: not-allowed;
+
+        &:hover {
+            background-color: $backgroundColor;
+            cursor: not-allowed;
+        }
+
+        &:active {
+            background-color: $backgroundColor;
+        }
+
+        &:focus {
+            background-color: $backgroundColor;
+        }
+    }
+
+    h5 {
+        margin-bottom: 0;
+    }
+
+    p {
+        margin-top: 0;
+        margin-bottom: 0;
+    }
+}
--- a/src/sass/misc/_section-index.scss
+++ b/src/sass/misc/_section-index.scss
@ -28,5 +28,6 @@

    p {
        margin-top: 0;
+        margin-bottom: 0;
    }
 }
--- a/src/sass/misc/_see-also.scss
+++ b/src/sass/misc/_see-also.scss
@ -22,6 +22,7 @@

        .desc {
            margin-top: 0;
+            margin-bottom: 0;
        }
    }
 }
--- a/src/ts/overlays.ts
+++ b/src/ts/overlays.ts
@ -144,7 +144,8 @@ function handleOverlays(): void {
        body.innerHTML =
            "<p>" + downloadButton.dataset.updateadvice + "</p>" +
            "<a class='btn wide' href='" + downloadButton.dataset.updatehref + "'>" + downloadButton.dataset.updatebutton + "</a>" +
-            "<a class='btn wide' target='_blank' rel='noopener' href='" + downloadButton.dataset.downloadhref + "'>" + downloadButton.innerText + "</a>";
+            "<a class='btn wide' target='_blank' rel='noopener' href='" + downloadButton.dataset.downloadhref + "'>" +
+            downloadButton.dataset.downloadbuttontext + "</a>";

        const arrow = document.createElement("div");
        arrow.className = "arrow";
				`@ -0,0 +1 @@`
				`{{ .Site.Data.args.full_version_release_year }}`