terraform-google-modules · renovate · Dec 17, 2025 · Dec 17, 2025
@@ -92,7 +92,6 @@ module "gke" {
   enable_private_nodes       = true
   {% endif %}
   {% if beta_cluster and autopilot_cluster != true  %}
-  istio                      = true
   cloudrun                   = true
   {% endif %}
   dns_cache                  = false

@@ -501,22 +501,13 @@ resource "google_container_cluster" "primary" {
     {% endif %}
 
     {% if beta_cluster and autopilot_cluster != true %}
-    istio_config {
-      disabled = !var.istio
-      auth     = var.istio_auth
-    }
-
     dynamic "cloudrun_config" {
       for_each = local.cluster_cloudrun_config
 
       content {
         disabled = cloudrun_config.value.disabled
       }
     }
-
-    kalm_config {
-      enabled = var.kalm_config
-    }
     {% endif %}
   }
   {% if autopilot_cluster %}

@@ -176,7 +176,6 @@ locals {
 
 {% if beta_cluster %}
   # BETA features
-  cluster_output_istio_disabled              = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 
   # /BETA features
@@ -239,7 +238,6 @@ locals {
 
 {% if beta_cluster %}
   # BETA features
-  cluster_istio_enabled               = !local.cluster_output_istio_disabled
   {% if autopilot_cluster != true %}
   cluster_telemetry_type_is_set       = var.cluster_telemetry_type != null
   {% endif %}

@@ -230,11 +230,6 @@ output "cloudrun_enabled" {
   {% endif %}
 }
 
-output "istio_enabled" {
-  description = "Whether Istio is enabled"
-  value       = local.cluster_istio_enabled
-}
-
 output "pod_security_policy_enabled" {
   description = "Whether pod security policy is enabled"
   value       = local.cluster_pod_security_policy_enabled

@@ -1122,24 +1122,6 @@ variable "enable_multi_networking" {
 {% if beta_cluster %}
   {% if autopilot_cluster != true %}
 
-variable "istio" {
-  description = "(Beta) Enable Istio addon"
-  type        = bool
-  default     = false
-}
-
-variable "istio_auth" {
-  type        = string
-  description = "(Beta) The authentication type between services in Istio."
-  default     = "AUTH_MUTUAL_TLS"
-}
-
-variable "kalm_config" {
-  type        = bool
-  description = "(Beta) Whether KALM is enabled for this cluster."
-  default     = false
-}
-
 variable "cloudrun" {
   description = "(Beta) Enable CloudRun addon"
   type        = bool

@@ -31,8 +31,8 @@ are available for configuration, recommendations on their settings are documente
 
     -   Placing them in the same cluster will provide fast network
         communication, and the different namespaces will be configured to
-        provide some administrative isolation. Istio will be used to encrypt and
-        control communication between applications.
+        provide some administrative isolation. Cloud Service Mesh can be used to
+        encrypt and control communication between applications.
 
 -   We suggest to store user or business data persistently in managed storage
     services that are inventoried and controlled by centralized teams.

@@ -150,10 +150,6 @@ module "gke" {
 
   master_ipv4_cidr_block = var.master_ipv4_cidr_block
 
-  // Istio is recommended for pod-to-pod communications.
-  istio      = var.istio
-  istio_auth = var.istio_auth
-
   cloudrun = var.cloudrun
 
   dns_cache = var.dns_cache

@@ -323,18 +323,6 @@ variable "master_ipv4_cidr_block" {
   default     = "10.0.0.0/28"
 }
 
-variable "istio" {
-  description = "(Beta) Enable Istio addon"
-  type        = bool
-  default     = false
-}
-
-variable "istio_auth" {
-  type        = string
-  description = "(Beta) The authentication type between services in Istio."
-  default     = "AUTH_MUTUAL_TLS"
-}
-
 variable "dns_cache" {
   type        = bool
   description = "(Beta) The status of the NodeLocal DNSCache addon."

@@ -0,0 +1,16 @@
+# Upgrading to v43.0
+The v43.0 release of *kubernetes-engine* is a backwards incompatible release.
+
+## Migration Guide
+
+### `kalm_config` Removal
+
+The `kalm_config` variable has been removed.
+
+Users currently including `kalm_config` should remove this variable from their module definition.
+
+### `istio_config` Removal
+
+The `istio` and `istio_auth` variables have been removed.  The `istio_enabled` output has also been removed from these modules and the autopilot beta modules.
+
+Users currently using the GKE Istio addon should migrate to Anthos Service Mesh (ASM) or another service mesh solution.
@@ -194,7 +194,6 @@ Then perform the following commands on the root folder:
 | identity\_namespace | Workload Identity pool |
 | identity\_service\_enabled | Whether Identity Service is enabled |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
-| istio\_enabled | Whether Istio is enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |

@@ -99,7 +99,6 @@ locals {
   cluster_output_secret_manager_addon_enabled       = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # BETA features
-  cluster_output_istio_disabled              = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 
   # /BETA features
@@ -133,7 +132,6 @@ locals {
   cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
 
   # BETA features
-  cluster_istio_enabled               = !local.cluster_output_istio_disabled
   cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 
   # /BETA features

@@ -564,8 +564,6 @@ spec:
         description: Whether Identity Service is enabled
       - name: intranode_visibility_enabled
         description: Whether intra-node visibility is enabled
-      - name: istio_enabled
-        description: Whether Istio is enabled
       - name: location
         description: Cluster location (region if regional cluster, zone if zonal cluster)
       - name: logging_service

@@ -182,11 +182,6 @@ output "cloudrun_enabled" {
   value       = false
 }
 
-output "istio_enabled" {
-  description = "Whether Istio is enabled"
-  value       = local.cluster_istio_enabled
-}
-
 output "pod_security_policy_enabled" {
   description = "Whether pod security policy is enabled"
   value       = local.cluster_pod_security_policy_enabled

@@ -29,7 +29,7 @@ terraform {
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "~> 2.10"
+      version = "~> 3.0"
     }
     random = {
       source  = "hashicorp/random"

@@ -182,7 +182,6 @@ Then perform the following commands on the root folder:
 | identity\_namespace | Workload Identity pool |
 | identity\_service\_enabled | Whether Identity Service is enabled |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
-| istio\_enabled | Whether Istio is enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |

@@ -92,7 +92,6 @@ locals {
   cluster_output_secret_manager_addon_enabled       = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # BETA features
-  cluster_output_istio_disabled              = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 
   # /BETA features
@@ -126,7 +125,6 @@ locals {
   cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
 
   # BETA features
-  cluster_istio_enabled               = !local.cluster_output_istio_disabled
   cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 
   # /BETA features

@@ -542,8 +542,6 @@ spec:
         description: Whether Identity Service is enabled
       - name: intranode_visibility_enabled
         description: Whether intra-node visibility is enabled
-      - name: istio_enabled
-        description: Whether Istio is enabled
       - name: location
         description: Cluster location (region if regional cluster, zone if zonal cluster)
       - name: logging_service

@@ -172,11 +172,6 @@ output "cloudrun_enabled" {
   value       = false
 }
 
-output "istio_enabled" {
-  description = "Whether Istio is enabled"
-  value       = local.cluster_istio_enabled
-}
-
 output "pod_security_policy_enabled" {
   description = "Whether pod security policy is enabled"
   value       = local.cluster_pod_security_policy_enabled

@@ -29,7 +29,7 @@ terraform {
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "~> 2.10"
+      version = "~> 3.0"
     }
     random = {
       source  = "hashicorp/random"

@@ -80,7 +80,6 @@ module "gke" {
   filestore_csi_driver       = false
   enable_private_endpoint    = true
   enable_private_nodes       = true
-  istio                      = true
   cloudrun                   = true
   dns_cache                  = false
 
@@ -253,9 +252,6 @@ Then perform the following commands on the root folder:
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
-| istio | (Beta) Enable Istio addon | `bool` | `false` | no |
-| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no |
-| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
 | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
@@ -350,7 +346,6 @@ Then perform the following commands on the root folder:
 | identity\_service\_enabled | Whether Identity Service is enabled |
 | instance\_group\_urls | List of GKE generated instance groups |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
-| istio\_enabled | Whether Istio is enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |

@@ -414,22 +414,13 @@ resource "google_container_cluster" "primary" {
       }
     }
 
-    istio_config {
-      disabled = !var.istio
-      auth     = var.istio_auth
-    }
-
     dynamic "cloudrun_config" {
       for_each = local.cluster_cloudrun_config
 
       content {
         disabled = cloudrun_config.value.disabled
       }
     }
-
-    kalm_config {
-      enabled = var.kalm_config
-    }
   }
 
   datapath_provider = var.datapath_provider

@@ -146,7 +146,6 @@ locals {
   cluster_output_secret_manager_addon_enabled       = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # BETA features
-  cluster_output_istio_disabled              = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 
   # /BETA features
@@ -196,7 +195,6 @@ locals {
   }] : []
 
   # BETA features
-  cluster_istio_enabled               = !local.cluster_output_istio_disabled
   cluster_telemetry_type_is_set       = var.cluster_telemetry_type != null
   cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 

@@ -280,15 +280,6 @@ spec:
         issue_client_certificate:
           name: issue_client_certificate
           title: Issue Client Certificate
-        istio:
-          name: istio
-          title: Istio
-        istio_auth:
-          name: istio_auth
-          title: Istio Auth
-        kalm_config:
-          name: kalm_config
-          title: Kalm Config
         kubernetes_version:
           name: kubernetes_version
           title: Kubernetes Version

@@ -766,18 +766,6 @@ spec:
       - name: enable_multi_networking
         description: Whether multi-networking is enabled for this cluster
         varType: bool
-      - name: istio
-        description: (Beta) Enable Istio addon
-        varType: bool
-        defaultValue: false
-      - name: istio_auth
-        description: (Beta) The authentication type between services in Istio.
-        varType: string
-        defaultValue: AUTH_MUTUAL_TLS
-      - name: kalm_config
-        description: (Beta) Whether KALM is enabled for this cluster.
-        varType: bool
-        defaultValue: false
       - name: cloudrun
         description: (Beta) Enable CloudRun addon
         varType: bool
@@ -863,8 +851,6 @@ spec:
         description: List of GKE generated instance groups
       - name: intranode_visibility_enabled
         description: Whether intra-node visibility is enabled
-      - name: istio_enabled
-        description: Whether Istio is enabled
       - name: location
         description: Cluster location (region if regional cluster, zone if zonal cluster)
       - name: logging_service

@@ -209,11 +209,6 @@ output "cloudrun_enabled" {
   value       = local.cluster_cloudrun_enabled
 }
 
-output "istio_enabled" {
-  description = "Whether Istio is enabled"
-  value       = local.cluster_istio_enabled
-}
-
 output "pod_security_policy_enabled" {
   description = "Whether pod security policy is enabled"
   value       = local.cluster_pod_security_policy_enabled

@@ -1055,24 +1055,6 @@ variable "enable_multi_networking" {
   default     = null
 }
 
-variable "istio" {
-  description = "(Beta) Enable Istio addon"
-  type        = bool
-  default     = false
-}
-
-variable "istio_auth" {
-  type        = string
-  description = "(Beta) The authentication type between services in Istio."
-  default     = "AUTH_MUTUAL_TLS"
-}
-
-variable "kalm_config" {
-  type        = bool
-  description = "(Beta) Whether KALM is enabled for this cluster."
-  default     = false
-}
-
 variable "cloudrun" {
   description = "(Beta) Enable CloudRun addon"
   type        = bool