diff --git a/autogen/main/README.md b/autogen/main/README.md index d8559f66a1..f59184d88a 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -92,7 +92,6 @@ module "gke" { enable_private_nodes = true {% endif %} {% if beta_cluster and autopilot_cluster != true %} - istio = true cloudrun = true {% endif %} dns_cache = false diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index aa9a960938..20a8dfd2d2 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -501,11 +501,6 @@ resource "google_container_cluster" "primary" { {% endif %} {% if beta_cluster and autopilot_cluster != true %} - istio_config { - disabled = !var.istio - auth = var.istio_auth - } - dynamic "cloudrun_config" { for_each = local.cluster_cloudrun_config @@ -513,10 +508,6 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } - - kalm_config { - enabled = var.kalm_config - } {% endif %} } {% if autopilot_cluster %} diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index ce3268200c..0034bdd5fe 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -176,7 +176,6 @@ locals { {% if beta_cluster %} # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false # /BETA features 
@@ -239,7 +238,6 @@ locals { {% if beta_cluster %} # BETA features - cluster_istio_enabled = !local.cluster_output_istio_disabled {% if autopilot_cluster != true %} cluster_telemetry_type_is_set = var.cluster_telemetry_type != null {% endif %} diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 767edfdfb1..fa9e33c5bf 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -230,11 +230,6 @@ output "cloudrun_enabled" { {% endif %} } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index d431e1be02..d58e58cc3a 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -1122,24 +1122,6 @@ variable "enable_multi_networking" { {% if beta_cluster %} {% if autopilot_cluster != true %} -variable "istio" { - description = "(Beta) Enable Istio addon" - type = bool - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." - default = false -} - variable "cloudrun" { description = "(Beta) Enable CloudRun addon" type = bool diff --git a/autogen/safer-cluster/README.md b/autogen/safer-cluster/README.md index 772dff12d4..b20203a0f5 100644 --- a/autogen/safer-cluster/README.md +++ b/autogen/safer-cluster/README.md 
@@ -31,8 +31,8 @@ are available for configuration, recommendations on their settings are documente - Placing them in the same cluster will provide fast network communication, and the different namespaces will be configured to - provide some administrative isolation. Istio will be used to encrypt and - control communication between applications. + provide some administrative isolation. Cloud Service Mesh can be used to + encrypt and control communication between applications. - We suggest to store user or business data persistently in managed storage services that are inventoried and controlled by centralized teams. diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 8415104812..2f38b49b64 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -150,10 +150,6 @@ module "gke" { master_ipv4_cidr_block = var.master_ipv4_cidr_block - // Istio is recommended for pod-to-pod communications. - istio = var.istio - istio_auth = var.istio_auth - cloudrun = var.cloudrun dns_cache = var.dns_cache diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 4627cb489f..7b4c9def0a 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -323,18 +323,6 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } -variable "istio" { - description = "(Beta) Enable Istio addon" - type = bool - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - variable "dns_cache" { type = bool description = "(Beta) The status of the NodeLocal DNSCache addon." diff --git a/docs/upgrading_to_v43.0.md b/docs/upgrading_to_v43.0.md new file mode 100644 index 0000000000..e20c07620f --- /dev/null +++ b/docs/upgrading_to_v43.0.md 
@@ -0,0 +1,16 @@
+# Upgrading to v43.0
+The v43.0 release of *kubernetes-engine* is a backwards incompatible release.
+
+## Migration Guide
+
+### `kalm_config` Removal
+
+The `kalm_config` variable has been removed.
+
+Users currently including `kalm_config` should remove this variable from their module definition.
+
+### `istio_config` Removal
+
+The `istio` and `istio_auth` variables have been removed. The `istio_enabled` output has also been removed from these modules and the autopilot beta modules.
+
+Users currently using the GKE Istio addon should migrate to Anthos Service Mesh (ASM) or another service mesh solution.
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index e13f196d5d..6d3cb7287a 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -194,7 +194,6 @@ Then perform the following commands on the root folder:
 | identity\_namespace | Workload Identity pool |
 | identity\_service\_enabled | Whether Identity Service is enabled |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
-| istio\_enabled | Whether Istio is enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf
index 04b06a22e3..bdd7167857 100644
--- a/modules/beta-autopilot-private-cluster/main.tf
+++ b/modules/beta-autopilot-private-cluster/main.tf
@@ -99,7 +99,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false # /BETA features @@ -133,7 +132,6 @@ locals { cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # BETA features - cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled # /BETA features diff --git a/modules/beta-autopilot-private-cluster/metadata.yaml b/modules/beta-autopilot-private-cluster/metadata.yaml index c82238ff51..65a388d442 100644 --- a/modules/beta-autopilot-private-cluster/metadata.yaml +++ b/modules/beta-autopilot-private-cluster/metadata.yaml @@ -564,8 +564,6 @@ spec: description: Whether Identity Service is enabled - name: intranode_visibility_enabled description: Whether intra-node visibility is enabled - - name: istio_enabled - description: Whether Istio is enabled - name: location description: Cluster location (region if regional cluster, zone if zonal cluster) - name: logging_service diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index 365d3f158c..0a55d5f5c9 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf 
+++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -182,11 +182,6 @@ output "cloudrun_enabled" { value = false } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 1592b837ab..9feade0e07 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -29,7 +29,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index bbe82f9407..7447632cb4 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -182,7 +182,6 @@ Then perform the following commands on the root folder: | identity\_namespace | Workload Identity pool | | identity\_service\_enabled | Whether Identity Service is enabled | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index a665591fd6..7ae5bf9f72 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
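Review bot: The `kubernetes` provider constraint in modules/beta-autopilot-private-cluster/versions.tf changes from `~> 2.10` to `~> 3.0`, which no longer admits any 2.x release, but the migration guide this commit adds (docs/upgrading_to_v43.0.md) covers only the `kalm_config` and Istio removals. A root module that still pins hashicorp/kubernetes 2.x would presumably fail provider resolution after upgrading, with nothing in the guide to explain why. I would add a section to the guide such as `### Kubernetes provider upgrade` with the line `The minimum hashicorp/kubernetes provider version is now 3.0.`, and have consumers re-check their own constraints and lock files. The same constraint change is made in the versions.tf hunks for beta-autopilot-public-cluster, beta-private-cluster-update-variant and beta-private-cluster; the enclosing `terraform` block starts and ends outside each hunk.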
@@ -92,7 +92,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false # /BETA features @@ -126,7 +125,6 @@ locals { cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # BETA features - cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled # /BETA features diff --git a/modules/beta-autopilot-public-cluster/metadata.yaml b/modules/beta-autopilot-public-cluster/metadata.yaml index a78badd469..9850e671c1 100644 --- a/modules/beta-autopilot-public-cluster/metadata.yaml +++ b/modules/beta-autopilot-public-cluster/metadata.yaml @@ -542,8 +542,6 @@ spec: description: Whether Identity Service is enabled - name: intranode_visibility_enabled description: Whether intra-node visibility is enabled - - name: istio_enabled - description: Whether Istio is enabled - name: location description: Cluster location (region if regional cluster, zone if zonal cluster) - name: logging_service diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index 9a4b7b9501..e86a83e914 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf 
+++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -172,11 +172,6 @@ output "cloudrun_enabled" { value = false } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index fd89068ac7..559023526c 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -29,7 +29,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 5ca2e3b2b2..642ebc5fa9 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -80,7 +80,6 @@ module "gke" { filestore_csi_driver = false enable_private_endpoint = true enable_private_nodes = true - istio = true cloudrun = true dns_cache = false 
@@ -253,9 +252,6 @@ Then perform the following commands on the root folder:
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
-| istio | (Beta) Enable Istio addon | `bool` | `false` | no |
-| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no |
-| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
 | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
@@ -350,7 +346,6 @@ Then perform the following commands on the root folder: | identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 400b6ff8dd..3a2f7dd656 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -414,11 +414,6 @@ resource "google_container_cluster" "primary" { } } - istio_config { - disabled = !var.istio - auth = var.istio_auth - } - dynamic "cloudrun_config" { for_each = local.cluster_cloudrun_config @@ -426,10 +421,6 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } - - kalm_config { - enabled = var.kalm_config - } } datapath_provider = var.datapath_provider diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 7e82e41d1e..b56e68cfb8 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
@@ -146,7 +146,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false # /BETA features @@ -196,7 +195,6 @@ locals { }] : [] # BETA features - cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml index 8720e9bb39..55733633e9 100644 --- a/modules/beta-private-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-private-cluster-update-variant/metadata.display.yaml @@ -280,15 +280,6 @@ spec: issue_client_certificate: name: issue_client_certificate title: Issue Client Certificate - istio: - name: istio - title: Istio - istio_auth: - name: istio_auth - title: Istio Auth - kalm_config: - name: kalm_config - title: Kalm Config kubernetes_version: name: kubernetes_version title: Kubernetes Version diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml index ebff7640d6..0613f83826 100644 
--- a/modules/beta-private-cluster-update-variant/metadata.yaml +++ b/modules/beta-private-cluster-update-variant/metadata.yaml @@ -766,18 +766,6 @@ spec: - name: enable_multi_networking description: Whether multi-networking is enabled for this cluster varType: bool - - name: istio - description: (Beta) Enable Istio addon - varType: bool - defaultValue: false - - name: istio_auth - description: (Beta) The authentication type between services in Istio. - varType: string - defaultValue: AUTH_MUTUAL_TLS - - name: kalm_config - description: (Beta) Whether KALM is enabled for this cluster. - varType: bool - defaultValue: false - name: cloudrun description: (Beta) Enable CloudRun addon varType: bool @@ -863,8 +851,6 @@ spec: description: List of GKE generated instance groups - name: intranode_visibility_enabled description: Whether intra-node visibility is enabled - - name: istio_enabled - description: Whether Istio is enabled - name: location description: Cluster location (region if regional cluster, zone if zonal cluster) - name: logging_service diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index 282eea5f12..21ec9b1799 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -209,11 +209,6 @@ output "cloudrun_enabled" { value = local.cluster_cloudrun_enabled } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index cdcaee31c9..00fa37522e 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -1055,24 +1055,6 @@ variable "enable_multi_networking" { default = null } -variable "istio" { - description = "(Beta) Enable Istio addon" - type = bool - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." - default = false -} - variable "cloudrun" { description = "(Beta) Enable CloudRun addon" type = bool diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 623a5ef3e1..e144c7b9a3 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -29,7 +29,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 6a296f8616..cb03cff38e 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -58,7 +58,6 @@ module "gke" { filestore_csi_driver = false enable_private_endpoint = true enable_private_nodes = true - istio = true cloudrun = true dns_cache = false 
@@ -231,9 +230,6 @@ Then perform the following commands on the root folder:
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
-| istio | (Beta) Enable Istio addon | `bool` | `false` | no |
-| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no |
-| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
 | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
@@ -328,7 +324,6 @@ Then perform the following commands on the root folder: | identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index ce227c4f27..d15cefa932 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -414,11 +414,6 @@ resource "google_container_cluster" "primary" { } } - istio_config { - disabled = !var.istio - auth = var.istio_auth - } - dynamic "cloudrun_config" { for_each = local.cluster_cloudrun_config @@ -426,10 +421,6 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } - - kalm_config { - enabled = var.kalm_config - } } datapath_provider = var.datapath_provider diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 7e82e41d1e..b56e68cfb8 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -146,7 +146,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false # /BETA features @@ -196,7 +195,6 @@ locals { }] : [] # BETA features - cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml index 5d6f26b541..a37e4fd071 100644 --- a/modules/beta-private-cluster/metadata.display.yaml +++ b/modules/beta-private-cluster/metadata.display.yaml @@ -280,15 +280,6 @@ spec: issue_client_certificate: name: issue_client_certificate title: Issue Client Certificate - istio: - name: istio - title: Istio - istio_auth: - name: istio_auth - title: Istio Auth - kalm_config: - name: kalm_config - title: Kalm Config kubernetes_version: name: kubernetes_version title: Kubernetes Version diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml index 39aa71aadf..1d6f049722 100644 --- a/modules/beta-private-cluster/metadata.yaml +++ b/modules/beta-private-cluster/metadata.yaml 
@@ -766,18 +766,6 @@ spec: - name: enable_multi_networking description: Whether multi-networking is enabled for this cluster varType: bool - - name: istio - description: (Beta) Enable Istio addon - varType: bool - defaultValue: false - - name: istio_auth - description: (Beta) The authentication type between services in Istio. - varType: string - defaultValue: AUTH_MUTUAL_TLS - - name: kalm_config - description: (Beta) Whether KALM is enabled for this cluster. - varType: bool - defaultValue: false - name: cloudrun description: (Beta) Enable CloudRun addon varType: bool @@ -863,8 +851,6 @@ spec: description: List of GKE generated instance groups - name: intranode_visibility_enabled description: Whether intra-node visibility is enabled - - name: istio_enabled - description: Whether Istio is enabled - name: location description: Cluster location (region if regional cluster, zone if zonal cluster) - name: logging_service diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index 282eea5f12..21ec9b1799 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -209,11 +209,6 @@ output "cloudrun_enabled" { value = local.cluster_cloudrun_enabled } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index cdcaee31c9..00fa37522e 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -1055,24 +1055,6 @@ variable "enable_multi_networking" { default = null } -variable "istio" { - description = "(Beta) Enable Istio addon" - type = bool - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." - default = false -} - variable "cloudrun" { description = "(Beta) Enable CloudRun addon" type = bool diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 1fb9ee5305..9dec6ae6e6 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -29,7 +29,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 0cf610924e..1f8e41ccc7 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -74,7 +74,6 @@ module "gke" { network_policy = false horizontal_pod_autoscaling = true filestore_csi_driver = false - istio = true cloudrun = true dns_cache = false 
@@ -244,9 +243,6 @@ Then perform the following commands on the root folder:
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
-| istio | (Beta) Enable Istio addon | `bool` | `false` | no |
-| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no |
-| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
 | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
@@ -338,7 +334,6 @@ Then perform the following commands on the root folder: | identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 38761ba5e0..9047cf7674 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -414,11 +414,6 @@ resource "google_container_cluster" "primary" { } } - istio_config { - disabled = !var.istio - auth = var.istio_auth - } - dynamic "cloudrun_config" { for_each = local.cluster_cloudrun_config @@ -426,10 +421,6 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } - - kalm_config { - enabled = var.kalm_config - } } datapath_provider = var.datapath_provider diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 015c44702c..2571592579 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -139,7 +139,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false # /BETA features @@ -189,7 +188,6 @@ locals { }] : [] # BETA features - cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml index b718c6277d..0c9c625db4 100644 --- a/modules/beta-public-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-public-cluster-update-variant/metadata.display.yaml @@ -271,15 +271,6 @@ spec: issue_client_certificate: name: issue_client_certificate title: Issue Client Certificate - istio: - name: istio - title: Istio - istio_auth: - name: istio_auth - title: Istio Auth - kalm_config: - name: kalm_config - title: Kalm Config kubernetes_version: name: kubernetes_version title: Kubernetes Version diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml index c1cec245b1..8c48997063 100644 
--- a/modules/beta-public-cluster-update-variant/metadata.yaml +++ b/modules/beta-public-cluster-update-variant/metadata.yaml @@ -744,18 +744,6 @@ spec: - name: enable_multi_networking description: Whether multi-networking is enabled for this cluster varType: bool - - name: istio - description: (Beta) Enable Istio addon - varType: bool - defaultValue: false - - name: istio_auth - description: (Beta) The authentication type between services in Istio. - varType: string - defaultValue: AUTH_MUTUAL_TLS - - name: kalm_config - description: (Beta) Whether KALM is enabled for this cluster. - varType: bool - defaultValue: false - name: cloudrun description: (Beta) Enable CloudRun addon varType: bool @@ -841,8 +829,6 @@ spec: description: List of GKE generated instance groups - name: intranode_visibility_enabled description: Whether intra-node visibility is enabled - - name: istio_enabled - description: Whether Istio is enabled - name: location description: Cluster location (region if regional cluster, zone if zonal cluster) - name: logging_service diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index 68b54129ca..729f94e2d9 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -199,11 +199,6 @@ output "cloudrun_enabled" { value = local.cluster_cloudrun_enabled } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index dcd9ee9d9d..bf24152041 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -1019,24 +1019,6 @@ variable "enable_multi_networking" { default = null } -variable "istio" { - description = "(Beta) Enable Istio addon" - type = bool - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." - default = false -} - variable "cloudrun" { description = "(Beta) Enable CloudRun addon" type = bool diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 2a6ed5a6ae..54de8f5f17 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -29,7 +29,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 6d188d339d..98006222a5 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -52,7 +52,6 @@ module "gke" { network_policy = false horizontal_pod_autoscaling = true filestore_csi_driver = false - istio = true cloudrun = true dns_cache = false 
@@ -222,9 +221,6 @@ Then perform the following commands on the root folder: | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| istio | (Beta) Enable Istio addon | `bool` | `false` | no | -| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | -| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | 
@@ -316,7 +312,6 @@ Then perform the following commands on the root folder: | identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 4fceef97cf..c81bd197d5 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -414,11 +414,6 @@ resource "google_container_cluster" "primary" { } } - istio_config { - disabled = !var.istio - auth = var.istio_auth - } - dynamic "cloudrun_config" { for_each = local.cluster_cloudrun_config @@ -426,10 +421,6 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } - - kalm_config { - enabled = var.kalm_config - } } datapath_provider = var.datapath_provider diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 015c44702c..2571592579 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -139,7 +139,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false # /BETA features @@ -189,7 +188,6 @@ locals { }] : [] # BETA features - cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml index 0e8004f537..119348512b 100644 --- a/modules/beta-public-cluster/metadata.display.yaml +++ b/modules/beta-public-cluster/metadata.display.yaml @@ -271,15 +271,6 @@ spec: issue_client_certificate: name: issue_client_certificate title: Issue Client Certificate - istio: - name: istio - title: Istio - istio_auth: - name: istio_auth - title: Istio Auth - kalm_config: - name: kalm_config - title: Kalm Config kubernetes_version: name: kubernetes_version title: Kubernetes Version diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml index 293b34675c..7ca10ecf6f 100644 --- a/modules/beta-public-cluster/metadata.yaml +++ b/modules/beta-public-cluster/metadata.yaml 
@@ -744,18 +744,6 @@ spec: - name: enable_multi_networking description: Whether multi-networking is enabled for this cluster varType: bool - - name: istio - description: (Beta) Enable Istio addon - varType: bool - defaultValue: false - - name: istio_auth - description: (Beta) The authentication type between services in Istio. - varType: string - defaultValue: AUTH_MUTUAL_TLS - - name: kalm_config - description: (Beta) Whether KALM is enabled for this cluster. - varType: bool - defaultValue: false - name: cloudrun description: (Beta) Enable CloudRun addon varType: bool @@ -841,8 +829,6 @@ spec: description: List of GKE generated instance groups - name: intranode_visibility_enabled description: Whether intra-node visibility is enabled - - name: istio_enabled - description: Whether Istio is enabled - name: location description: Cluster location (region if regional cluster, zone if zonal cluster) - name: logging_service diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 68b54129ca..729f94e2d9 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -199,11 +199,6 @@ output "cloudrun_enabled" { value = local.cluster_cloudrun_enabled } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index dcd9ee9d9d..bf24152041 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -1019,24 +1019,6 @@ variable "enable_multi_networking" { default = null } -variable "istio" { - description = "(Beta) Enable Istio addon" - type = bool - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." - default = false -} - variable "cloudrun" { description = "(Beta) Enable CloudRun addon" type = bool diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 5cfa8e40a5..1f2d1c9384 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -29,7 +29,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random" diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 3cc7f5fc8d..8a362c4912 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random" diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index b79aab17e9..ec74ae5644 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random" diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index e38cac18ac..7e11a4c0b2 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
@@ -31,8 +31,8 @@ are available for configuration, recommendations on their settings are documente - Placing them in the same cluster will provide fast network communication, and the different namespaces will be configured to - provide some administrative isolation. Istio will be used to encrypt and - control communication between applications. + provide some administrative isolation. Cloud Service Mesh can be used to + encrypt and control communication between applications. - We suggest to store user or business data persistently in managed storage services that are inventoried and controlled by centralized teams. @@ -242,8 +242,6 @@ For simplicity, we suggest using `roles/container.admin` and | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no | -| istio | (Beta) Enable Istio addon | `bool` | `false` | no | -| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | `string` | `null` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | 
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index cdd03b9f53..37dc82808e 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -146,10 +146,6 @@ module "gke" { master_ipv4_cidr_block = var.master_ipv4_cidr_block - // Istio is recommended for pod-to-pod communications. - istio = var.istio - istio_auth = var.istio_auth - cloudrun = var.cloudrun dns_cache = var.dns_cache diff --git a/modules/safer-cluster-update-variant/metadata.display.yaml b/modules/safer-cluster-update-variant/metadata.display.yaml index 19faf805d4..e4ab738c17 100644 --- a/modules/safer-cluster-update-variant/metadata.display.yaml +++ b/modules/safer-cluster-update-variant/metadata.display.yaml @@ -151,12 +151,6 @@ spec: ip_range_services: name: ip_range_services title: Ip Range Services - istio: - name: istio - title: Istio - istio_auth: - name: istio_auth - title: Istio Auth kubernetes_version: name: kubernetes_version title: Kubernetes Version diff --git a/modules/safer-cluster-update-variant/metadata.yaml b/modules/safer-cluster-update-variant/metadata.yaml index b1d530745e..57399cb72b 100644 --- a/modules/safer-cluster-update-variant/metadata.yaml +++ b/modules/safer-cluster-update-variant/metadata.yaml @@ -335,14 +335,6 @@ spec: description: The IP range in CIDR notation to use for the hosted master network varType: string defaultValue: 10.0.0.0/28 - - name: istio - description: (Beta) Enable Istio addon - varType: bool - defaultValue: false - - name: istio_auth - description: (Beta) The authentication type between services in Istio. - varType: string - defaultValue: AUTH_MUTUAL_TLS - name: dns_cache description: (Beta) The status of the NodeLocal DNSCache addon. varType: bool diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 93717ebcaf..f9e77588a4 100644 
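Review bot: The module "gke" call loses its only comment about pod-to-pod traffic (`// Istio is recommended for pod-to-pod communications.`) together with the `istio` and `istio_auth` arguments, and nothing on the new side says where that control now lives. The README hunk for this module now says Cloud Service Mesh "can be used" to encrypt traffic between applications, so a short replacement comment would keep the hardened module's intent visible, for example `// Service-to-service encryption is not configured by this module; see the README (Cloud Service Mesh).`. Callers that still set `istio` or `istio_auth` will be rejected once the variables are removed, so this looks like it needs an upgrade note as well. The module block begins and ends outside the hunk; modules/safer-cluster/main.tf has the identical hunk.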
--- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -323,18 +323,6 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } -variable "istio" { - description = "(Beta) Enable Istio addon" - type = bool - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - variable "dns_cache" { type = bool description = "(Beta) The status of the NodeLocal DNSCache addon." diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index e38cac18ac..7e11a4c0b2 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md @@ -31,8 +31,8 @@ are available for configuration, recommendations on their settings are documente - Placing them in the same cluster will provide fast network communication, and the different namespaces will be configured to - provide some administrative isolation. Istio will be used to encrypt and - control communication between applications. + provide some administrative isolation. Cloud Service Mesh can be used to + encrypt and control communication between applications. - We suggest to store user or business data persistently in managed storage services that are inventoried and controlled by centralized teams. 
@@ -242,8 +242,6 @@ For simplicity, we suggest using `roles/container.admin` and | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no | -| istio | (Beta) Enable Istio addon | `bool` | `false` | no | -| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | `string` | `null` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 9f372c607c..6cd8822f94 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -146,10 +146,6 @@ module "gke" { master_ipv4_cidr_block = var.master_ipv4_cidr_block - // Istio is recommended for pod-to-pod communications. - istio = var.istio - istio_auth = var.istio_auth - cloudrun = var.cloudrun dns_cache = var.dns_cache diff --git a/modules/safer-cluster/metadata.display.yaml b/modules/safer-cluster/metadata.display.yaml index 0111bf9135..01fd87fa22 100644 --- a/modules/safer-cluster/metadata.display.yaml +++ b/modules/safer-cluster/metadata.display.yaml 
@@ -151,12 +151,6 @@ spec: ip_range_services: name: ip_range_services title: Ip Range Services - istio: - name: istio - title: Istio - istio_auth: - name: istio_auth - title: Istio Auth kubernetes_version: name: kubernetes_version title: Kubernetes Version diff --git a/modules/safer-cluster/metadata.yaml b/modules/safer-cluster/metadata.yaml index ccfc6bc5f5..58510cc522 100644 --- a/modules/safer-cluster/metadata.yaml +++ b/modules/safer-cluster/metadata.yaml @@ -335,14 +335,6 @@ spec: description: The IP range in CIDR notation to use for the hosted master network varType: string defaultValue: 10.0.0.0/28 - - name: istio - description: (Beta) Enable Istio addon - varType: bool - defaultValue: false - - name: istio_auth - description: (Beta) The authentication type between services in Istio. - varType: string - defaultValue: AUTH_MUTUAL_TLS - name: dns_cache description: (Beta) The status of the NodeLocal DNSCache addon. varType: bool diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 93717ebcaf..f9e77588a4 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -323,18 +323,6 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } -variable "istio" { - description = "(Beta) Enable Istio addon" - type = bool - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - variable "dns_cache" { type = bool description = "(Beta) The status of the NodeLocal DNSCache addon." diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index c2c462e555..a757fd9b99 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.13" + version = "~> 3.0" } } 
diff --git a/test/integration/beta_cluster/testdata/TestBetaCluster.json b/test/integration/beta_cluster/testdata/TestBetaCluster.json index 1f1277dc5d..afa39af022 100755 --- a/test/integration/beta_cluster/testdata/TestBetaCluster.json +++ b/test/integration/beta_cluster/testdata/TestBetaCluster.json @@ -11,11 +11,9 @@ "gkeBackupAgentConfig": {}, "horizontalPodAutoscaling": {}, "httpLoadBalancing": {}, - "istioConfig": { "auth": "AUTH_MUTUAL_TLS", "disabled": true }, - "kalmConfig": {}, "kubernetesDashboard": { "disabled": true }, diff --git a/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json b/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json index b1cb9ae910..a11e8c2060 100644 --- a/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json +++ b/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json @@ -9,11 +9,9 @@ "gkeBackupAgentConfig": {}, "horizontalPodAutoscaling": {}, "httpLoadBalancing": {}, - "istioConfig": { "auth": "AUTH_MUTUAL_TLS", "disabled": true }, - "kalmConfig": {}, "kubernetesDashboard": { "disabled": true }, diff --git a/versions.tf b/versions.tf index 1660d7bbb6..5ef7ccee57 100644 --- a/versions.tf +++ b/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 3.0" } random = { source = "hashicorp/random"
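Review bot: In TestBetaCluster.json only the `"istioConfig": {` opener and `"kalmConfig": {},` carry a removal marker, so the object's body `"auth": "AUTH_MUTUAL_TLS",`, `"disabled": true` and its closing `},` stay on the new side as context directly after `"httpLoadBalancing": {},`. The hunk header (11 old lines, 9 new) agrees with exactly two removals, which would leave the golden file with two stray keys in the enclosing object and an unmatched closing brace. Those three lines should be removed as well, or the fixture regenerated if that is how it is maintained. TestSimpleWindowsNodePool.json shows the same pattern in its `-9,11 +9,9` hunk.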