cloud-mu 2.1.0beta → 3.0.0beta

data/modules/mu/clouds/aws/collection.rb

@@ -20,21 +20,11 @@ module MU
       # An Amazon CloudFormation stack as configured in {MU::Config::BasketofKittens::collections}
       class Collection < MU::Cloud::Collection
 
-        @deploy = nil
-        @config = nil
-        attr_reader :mu_name
-        attr_reader :cloud_id
-
-        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
-        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::vpcs}
-        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
-          @deploy = mommacat
-          @config = MU::Config.manxify(kitten_cfg)
-          if !mu_name.nil?
-            @mu_name = mu_name
-          else
-            @mu_name = @deploy.getResourceName(@config['name'], need_unique_string: true)
-          end
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
+          @mu_name ||= @deploy.getResourceName(@config['name'], need_unique_string: true)
           MU.setVar("curRegion", @config['region']) if !@config['region'].nil?
         end
 
@@ -104,7 +94,7 @@ module MU
               else
                 # json file and template path is same
                 file_dir =File.dirname(ARGV[0])
-                if File.exists? file_dir+"/"+@config["template_file"] then
+                if File.exist? file_dir+"/"+@config["template_file"] then
                   template_body=File.read(file_dir+"/"+@config["template_file"]);
                 end
               end
@@ -158,7 +148,7 @@ module MU
 
               case resource.resource_type
                 when "AWS::EC2::Instance"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   instance_name = MU.deploy_id+"-"+@config['name']+"-"+resource.logical_resource_id
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", instance_name, credentials: @config['credentials'])
 
@@ -186,14 +176,14 @@ module MU
                   end
 
                 when "AWS::EC2::SecurityGroup"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   MU::Cloud::AWS::FirewallRule.notifyDeploy(
                       @config['name']+"-"+resource.logical_resource_id,
                       resource.physical_resource_id
                   )
                 when "AWS::EC2::Subnet"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   data = {
                       "collection" => @config["name"],
@@ -201,7 +191,7 @@ module MU
                   }
                   @deploy.notify("subnets", @config['name']+"-"+resource.logical_resource_id, data)
                 when "AWS::EC2::VPC"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                   data = {
                       "collection" => @config["name"],
@@ -209,10 +199,10 @@ module MU
                   }
                   @deploy.notify("vpcs", @config['name']+"-"+resource.logical_resource_id, data)
                 when "AWS::EC2::InternetGateway"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
                 when "AWS::EC2::RouteTable"
-                  MU::MommaCat.createStandardTags(resource.physical_resource_id)
+                  MU::Cloud::AWS.createStandardTags(resource.physical_resource_id)
                   MU::MommaCat.createTag(resource.physical_resource_id, "Name", MU.deploy_id+"-"+@config['name']+'-'+resource.logical_resource_id, credentials: @config['credentials'])
 
                 # The rest of these aren't anything we act on

data/modules/mu/clouds/aws/container_cluster.rb

@@ -17,26 +17,12 @@ module MU
     class AWS
       # A ContainerCluster as configured in {MU::Config::BasketofKittens::container_clusters}
       class ContainerCluster < MU::Cloud::ContainerCluster
-        @deploy = nil
-        @config = nil
-        attr_reader :mu_name
-        attr_reader :config
-        attr_reader :cloud_id
-
-        @cloudformation_data = {}
-        attr_reader :cloudformation_data
-        # Return the list of regions where we know EKS is supported.
-        def self.EKSRegions
-          # XXX would prefer to query service API for this
-          ["us-east-1", "us-west-2", "eu-west-1"]
-        end
 
-        # @param mommacat [MU::MommaCat]: A {MU::Mommacat} object containing the deploy of which this resource is/will be a member.
-        # @param kitten_cfg [Hash]: The fully parsed and resolved {MU::Config} resource descriptor as defined in {MU::Config::BasketofKittens::container_clusters}
-        def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
-          @deploy = mommacat
-          @config = MU::Config.manxify(kitten_cfg)
-          @cloud_id ||= cloud_id
+
+        # Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like +@vpc+, for us.
+        # @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
+        def initialize(**args)
+          super
           @mu_name ||= @deploy.getResourceName(@config["name"])
         end
 
@@ -101,14 +87,13 @@ module MU
                 retry
               end
             rescue Aws::EKS::Errors::InvalidParameterException => e
-              if e.message.match(/role with arn: #{Regexp.quote(role_arn)}.*?(could not be assumed|does not exist)/)
+              if e.message.match(/role with arn: #{Regexp.quote(role_arn)}.*?(could not be assumed|does not exist)/i)
                 sleep 5
                 retry
               else
                 MU.log e.message, MU::WARN, details: role_arn
                 sleep 5
                 retry
-                puts e.message
               end
             end
 
@@ -119,6 +104,9 @@ module MU
                 name: @mu_name
               )
               status = resp.cluster.status
+              if status == "FAILED"
+                raise MuError, "EKS cluster #{@mu_name} had FAILED status"
+              end
               if retries > 0 and (retries % 3) == 0 and status != "ACTIVE"
                 MU.log "Waiting for EKS cluster #{@mu_name} to become active (currently #{status})", MU::NOTICE
               end
@@ -153,8 +141,18 @@ module MU
           serverpool = @deploy.findLitterMate(type: "server_pools", name: @config["name"]+"workers")
           resource_lookup = MU::Cloud::AWS.listInstanceTypes(@config['region'])[@config['region']]
 
-          if @config['kubernetes']
-            kube = ERB.new(File.read(MU.myRoot+"/cookbooks/mu-tools/templates/default/kubeconfig.erb"))
+          if @config['flavor'] == "EKS"
+            # This will be needed if a loadbalancer has never been created in
+            # this account; EKS applications might want one, but will fail in
+            # confusing ways if this hasn't been done.
+            begin
+              MU::Cloud::AWS.iam(credentials: @config['credentials']).create_service_linked_role(
+                aws_service_name: "elasticloadbalancing.amazonaws.com"
+              )
+            rescue ::Aws::IAM::Errors::InvalidInput
+            end
+
+            kube = ERB.new(File.read(MU.myRoot+"/cookbooks/mu-tools/templates/default/kubeconfig-eks.erb"))
             configmap = ERB.new(File.read(MU.myRoot+"/extras/aws-auth-cm.yaml.erb"))
             tagme = [@vpc.cloud_id]
             tagme_elb = []
@@ -167,7 +165,7 @@ module MU
             ).route_tables
             tagme.concat(rtbs.map { |r| r.route_table_id } )
             main_sg = @deploy.findLitterMate(type: "firewall_rules", name: "server_pool#{@config['name']}workers")
-            tagme << main_sg.cloud_id
+            tagme << main_sg.cloud_id if main_sg
             MU.log "Applying kubernetes.io tags to VPC resources", details: tagme
             MU::Cloud::AWS.createTag("kubernetes.io/cluster/#{@mu_name}", "shared", tagme, credentials: @config['credentials'])
             MU::Cloud::AWS.createTag("kubernetes.io/cluster/elb", @mu_name, tagme_elb, credentials: @config['credentials'])
@@ -192,38 +190,27 @@ module MU
             File.open(gitlab_helper, "w"){ |k|
               k.puts gitlab.result(binding)
             }
+            authmap_cmd = %Q{#{MU::Master.kubectl} --kubeconfig "#{kube_conf}" apply -f "#{eks_auth}"}
 
-            authmap_cmd = %Q{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" apply -f "#{eks_auth}"}
+            authmap_cmd = %Q{#{MU::Master.kubectl} --kubeconfig "#{kube_conf}" apply -f "#{eks_auth}"}
             MU.log "Configuring Kubernetes <=> IAM mapping for worker nodes", MU::NOTICE, details: authmap_cmd
 # maybe guard this mess
             %x{#{authmap_cmd}}
 
 # and this one
-            admin_user_cmd = %Q{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" apply -f "#{MU.myRoot}/extras/admin-user.yaml"}
-            admin_role_cmd = %Q{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" apply -f "#{MU.myRoot}/extras/admin-role-binding.yaml"}
+            admin_user_cmd = %Q{#{MU::Master.kubectl} --kubeconfig "#{kube_conf}" apply -f "#{MU.myRoot}/extras/admin-user.yaml"}
+            admin_role_cmd = %Q{#{MU::Master.kubectl} --kubeconfig "#{kube_conf}" apply -f "#{MU.myRoot}/extras/admin-role-binding.yaml"}
             MU.log "Configuring Kubernetes admin-user and role", MU::NOTICE, details: admin_user_cmd+"\n"+admin_role_cmd
             %x{#{admin_user_cmd}}
             %x{#{admin_role_cmd}}
 
             if @config['kubernetes_resources']
-              count = 0
-              @config['kubernetes_resources'].each { |blob|
-                blobfile = @deploy.deploy_dir+"/k8s-resource-#{count.to_s}-#{@config['name']}"
-                File.open(blobfile, "w") { |f|
-                  f.puts blob.to_yaml
-                }
-                %x{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" get -f #{blobfile} > /dev/null 2>&1}
-                arg = $?.exitstatus == 0 ? "replace" : "create"
-                cmd = %Q{/opt/mu/bin/kubectl --kubeconfig "#{kube_conf}" #{arg} -f #{blobfile}}
-                MU.log "Applying Kubernetes resource #{count.to_s} with kubectl #{arg}", details: cmd
-                output = %x{#{cmd} 2>&1}
-                if $?.exitstatus == 0
-                  MU.log "Kuberentes resource #{count.to_s} #{arg} was successful: #{output}", details: blob.to_yaml
-                else
-                  MU.log "Kuberentes resource #{count.to_s} #{arg} failed: #{output}", MU::WARN, details: blob.to_yaml
-                end
-                count += 1
-              }
+              MU::Master.applyKubernetesResources(
+                @config['name'], 
+                @config['kubernetes_resources'],
+                kubeconfig: kube_conf,
+                outputdir: @deploy.deploy_dir
+              )
             end
 
             MU.log %Q{How to interact with your Kubernetes cluster\nkubectl --kubeconfig "#{kube_conf}" get all\nkubectl --kubeconfig "#{kube_conf}" create -f some_k8s_deploy.yml\nkubectl --kubeconfig "#{kube_conf}" get nodes}, MU::SUMMARY
@@ -329,7 +316,7 @@ module MU
             created_generic_loggroup = false
 
             @config['containers'].each { |c|
-              service_name = c['service'] ? @mu_name+"-"+c['service'].upcase : @mu_name+"-"+c['name'].upcase
+              service_name = c['service'] ? @mu_name+"-"+c['service'].upcase : @mu_name
               tasks[service_name] ||= []
               tasks[service_name] << c
             }
@@ -339,8 +326,10 @@ module MU
               cpu_total = 0
               mem_total = 0
               role_arn = nil
+              lbs = []
 
               container_definitions = containers.map { |c|
+                container_name = @mu_name+"-"+c['name'].upcase
                 cpu_total += c['cpu']
                 mem_total += c['memory']
 
@@ -362,6 +351,50 @@ module MU
                     raise MuError, "Unable to find execution role from #{c["role"]}"
                   end
                 end
+                
+                if c['loadbalancers'] != []
+                  c['loadbalancers'].each {|lb|
+                    found = @deploy.findLitterMate(name: lb['name'], type: "loadbalancer")
+                    if found
+                      MU.log "Mapping LB #{found.mu_name} to service #{c['name']}", MU::INFO
+                      if found.cloud_desc.type != "classic"
+                        elb_groups = MU::Cloud::AWS.elb2(region: @config['region'], credentials: @config['credentials']).describe_target_groups({
+                            load_balancer_arn: found.cloud_desc.load_balancer_arn
+                          })
+                          matching_target_groups = []
+                          elb_groups.target_groups.each { |tg|
+                            if tg.port.to_i == lb['container_port'].to_i
+                              matching_target_groups << {
+                                arn: tg['target_group_arn'],
+                                name: tg['target_group_name']
+                              }
+                            end 
+                          }
+                          if matching_target_groups.length >= 1
+                            MU.log "#{matching_target_groups.length} matching target groups found. Mapping #{container_name} to target group #{matching_target_groups.first['name']}", MU::INFO
+                            lbs << {
+                              container_name: container_name,
+                              container_port: lb['container_port'],
+                              target_group_arn: matching_target_groups.first[:arn]
+                            }
+                          else
+                            raise MuError, "No matching target groups found"
+                          end
+                      elsif @config['flavor'] == "Fargate" && found.cloud_desc.type == "classic"
+                        raise MuError, "Classic Load Balancers are not supported with Fargate."
+                      else
+                        MU.log "Mapping Classic LB #{found.mu_name} to service #{container_name}", MU::INFO
+                        lbs << {
+                          container_name: container_name,
+                          container_port: lb['container_port'],
+                          load_balancer_name: found.mu_name
+                        }
+                      end
+                    else
+                      raise MuError, "Unable to find loadbalancers from #{c["loadbalancers"].first['name']}"
+                    end
+                  }
+                end
 
                 params = {
                   name: @mu_name+"-"+c['name'].upcase,
@@ -451,13 +484,13 @@ module MU
               resp = MU::Cloud::AWS.ecs(region: @config['region'], credentials: @config['credentials']).register_task_definition(task_params)
 
               task_def = resp.task_definition.task_definition_arn
-
               service_params = {
                 :cluster => @mu_name,
                 :desired_count => @config['instance_count'], # XXX this makes no sense
                 :service_name => service_name,
                 :launch_type => launch_type,
-                :task_definition => task_def
+                :task_definition => task_def,
+                :load_balancers => lbs
               }
               if @config['vpc']
                 subnet_ids = []
@@ -651,52 +684,68 @@ MU.log c.name, MU::NOTICE, details: t
           return deploy_struct
         end
 
+        @@eks_versions = {}
+        @@eks_version_semaphore = Mutex.new
         # Use the AWS SSM API to fetch the current version of the Amazon Linux
         # ECS-optimized AMI, so we can use it as a default AMI for ECS deploys.
         # @param flavor [String]: ECS or EKS
-        def self.getECSImageId(flavor = "ECS", region = MU.myRegion)
-          if flavor == "ECS"
-            resp = MU::Cloud::AWS.ssm(region: region).get_parameters(
+        # @param region [String]: Target AWS region
+        # @param version [String]: Version of Kubernetes, if +flavor+ is set to +EKS+
+        # @param gpu [Boolean]: Whether to request an image with GPU support
+        def self.getStandardImage(flavor = "ECS", region = MU.myRegion, version: nil, gpu: false)
+          resp = if flavor == "ECS"
+            MU::Cloud::AWS.ssm(region: region).get_parameters(
               names: ["/aws/service/#{flavor.downcase}/optimized-ami/amazon-linux/recommended"]
             )
-            if resp and resp.parameters and resp.parameters.size > 0
-              image_details = JSON.parse(resp.parameters.first.value)
-              return image_details['image_id']
-            end
-          elsif flavor == "EKS"
-            # XXX this is absurd, but these don't appear to be available from an API anywhere
-            # Here's their Packer build, should just convert to Chef: https://github.com/awslabs/amazon-eks-ami
-            amis = {
-              "us-east-1" => "ami-0abcb9f9190e867ab",
-              "us-east-2" => "ami-04ea7cb66af82ae4a",
-              "us-west-2" => "ami-0923e4b35a30a5f53",
-              "eu-west-1" => "ami-08716b70cac884aaa",
-              "eu-west-2" => "ami-0c7388116d474ee10",
-              "eu-west-3" => "ami-0560aea042fec8b12",
-              "ap-northeast-1" => "ami-0bfedee6a7845c26d",
-              "ap-northeast-2" => "ami-0a904348b703e620c",
-              "ap-south-1" => "ami-09c3eb35bb3be46a4",
-              "ap-southeast-1" => "ami-07b922b9b94d9a6d2",
-              "ap-southeast-2" => "ami-0f0121e9e64ebd3dc"
+          else
+            @@eks_version_semaphore.synchronize {
+              if !@@eks_versions[region]
+                @@eks_versions[region] ||= []
+                versions = {}
+                resp = nil
+                next_token = nil
+                begin
+                  resp = MU::Cloud::AWS.ssm(region: region).get_parameters_by_path(
+                    path: "/aws/service/#{flavor.downcase}",
+                    recursive: true,
+                    next_token: next_token
+                  )
+                  resp.parameters.each { |p|
+                    p.name.match(/\/aws\/service\/eks\/optimized-ami\/([^\/]+?)\//)
+                    versions[Regexp.last_match[1]] = true
+                  }
+                  next_token = resp.next_token
+                end while !next_token.nil?
+                @@eks_versions[region] = versions.keys.sort { |a, b| MU.version_sort(a, b) }
+              end
             }
-            return amis[region]
+            if !version or version == "latest"
+              version = @@eks_versions[region].last
+            end
+            MU::Cloud::AWS.ssm(region: region).get_parameters(
+              names: ["/aws/service/#{flavor.downcase}/optimized-ami/#{version}/amazon-linux-2#{gpu ? "-gpu" : ""}/recommended"]
+            )
           end
-          nil
-        end
 
-        # Use the AWS SSM API to fetch the current version of the Amazon Linux
-        # EKS-optimized AMI, so we can use it as a default AMI for EKS deploys.
-        def self.getEKSImageId(region = MU.myRegion)
-          resp = MU::Cloud::AWS.ssm(region: region).get_parameters(
-            names: ["/aws/service/ekss/optimized-ami/amazon-linux/recommended"]
-          )
           if resp and resp.parameters and resp.parameters.size > 0
             image_details = JSON.parse(resp.parameters.first.value)
             return image_details['image_id']
           end
+
           nil
         end
 
+        # Return the list of regions where we know EKS is supported.
+        def self.EKSRegions(credentials = nil)
+          eks_regions = []
+          MU::Cloud::AWS.listRegions(credentials: credentials).each { |r|
+            ami = getStandardImage("EKS", r)
+            eks_regions << r if ami
+          }
+
+          eks_regions
+        end
+
         # Does this resource type exist as a global (cloud-wide) artifact, or
         # is it localized to a region/zone?
         # @return [Boolean]
@@ -718,6 +767,7 @@ MU.log c.name, MU::NOTICE, details: t
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
           resp = MU::Cloud::AWS.ecs(credentials: credentials, region: region).list_clusters
 
+
           if resp and resp.cluster_arns and resp.cluster_arns.size > 0
             resp.cluster_arns.each { |arn|
               if arn.match(/:cluster\/(#{MU.deploy_id}[^:]+)$/)
@@ -744,8 +794,8 @@ MU.log c.name, MU::NOTICE, details: t
                   cluster: cluster
                 })
                 if instances
-                  instances.container_instance_arns.each { |arn|
-                    uuid = arn.sub(/^.*?:container-instance\//, "")
+                  instances.container_instance_arns.each { |instance_arn|
+                    uuid = instance_arn.sub(/^.*?:container-instance\//, "")
                     MU.log "Deregistering instance #{uuid} from ECS Cluster #{cluster}"
                     if !noop
                       resp = MU::Cloud::AWS.ecs(credentials: credentials, region: region).deregister_container_instance({
@@ -775,6 +825,7 @@ MU.log c.name, MU::NOTICE, details: t
           tasks = MU::Cloud::AWS.ecs(region: region, credentials: credentials).list_task_definitions(
             family_prefix: MU.deploy_id
           )
+
           if tasks and tasks.task_definition_arns
             tasks.task_definition_arns.each { |arn|
               MU.log "Deregistering Fargate task definition #{arn}"
@@ -788,8 +839,14 @@ MU.log c.name, MU::NOTICE, details: t
 
           return if !MU::Cloud::AWS::ContainerCluster.EKSRegions.include?(region)
 
+          resp = begin
+            MU::Cloud::AWS.eks(credentials: credentials, region: region).list_clusters
+          rescue Aws::EKS::Errors::AccessDeniedException
+            # EKS isn't actually live in this region, even though SSM lists
+            # base images for it
+            return
+          end
 
-          resp = MU::Cloud::AWS.eks(credentials: credentials, region: region).list_clusters
 
           if resp and resp.clusters
             resp.clusters.each { |cluster|
@@ -865,17 +922,24 @@ MU.log c.name, MU::NOTICE, details: t
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
           toplevel_required = []
+
           schema = {
             "flavor" => {
-              "enum" => ["ECS", "EKS", "Fargate"],
+              "enum" => ["ECS", "EKS", "Fargate", "Kubernetes"],
+              "type" => "string",
+              "description" => "The AWS container platform to deploy",
               "default" => "ECS"
             },
             "kubernetes" => {
-              "default" => { "version" => "1.11" }
+              "default" => { "version" => "latest" }
+            },
+            "gpu" => {
+              "type" => "boolean",
+              "default" => false,
+              "description" => "Enable worker nodes with GPU capabilities"
             },
             "platform" => {
-              "description" => "The platform to choose for worker nodes. Will default to Amazon Linux for ECS, CentOS 7 for everything else. Only valid for EKS and ECS flavors.",
-              "default" => "centos7"
+              "description" => "The platform to choose for worker nodes."
             },
             "ami_id" => {
               "type" => "string",
@@ -1415,6 +1479,25 @@ MU.log c.name, MU::NOTICE, details: t
                         "description" => "Per-driver configuration options. See also: https://docs.aws.amazon.com/sdkforruby/api/Aws/ECS/Types/ContainerDefinition.html#log_configuration-instance_method"
                       }
                     }
+                  },
+                  "loadbalancers" => {
+                    "type" => "array",
+                    "description" => "Array of loadbalancers to associate with this container servvice See also: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ECS/Client.html#create_service-instance_method",
+                    "default" => [],
+                    "items" => {
+                      "description" => "Load Balancers to associate with the container services",
+                      "type" => "object",
+                      "properties" => {
+                        "name" => {
+                          "type" => "string",
+                          "description" => "Name of the loadbalancer to associate"
+                        },
+                        "container_port" => {
+                          "type" => "integer",
+                          "description" => "container port to map to the loadbalancer"
+                        }
+                      }
+                    }
                   }
                 }
               }
@@ -1433,6 +1516,8 @@ MU.log c.name, MU::NOTICE, details: t
           cluster['size'] = MU::Cloud::AWS::Server.validateInstanceType(cluster["instance_type"], cluster["region"])
           ok = false if cluster['size'].nil?
 
+          cluster["flavor"] = "EKS" if cluster["flavor"].match(/^Kubernetes$/i)
+
           if cluster["flavor"] == "ECS" and cluster["kubernetes"] and !MU::Cloud::AWS.isGovCloud?(cluster["region"])
             cluster["flavor"] = "EKS"
             MU.log "Setting flavor of ContainerCluster '#{cluster['name']}' to EKS ('kubernetes' stanza was specified)", MU::NOTICE
@@ -1455,6 +1540,7 @@ MU.log c.name, MU::NOTICE, details: t
           end
 
           if cluster["flavor"] != "EKS" and cluster["containers"]
+            cluster.delete("kubernetes")
             created_generic_loggroup = false
             cluster['containers'].each { |c|
               if c['log_configuration'] and
@@ -1485,14 +1571,14 @@ MU.log c.name, MU::NOTICE, details: t
                   logdesc = {
                     "name" => logname,
                     "region" => cluster["region"],
-                    "cloud" => cluster["cloud"]
+                    "cloud" => "AWS"
                   }
                   configurator.insertKitten(logdesc, "logs")
 
                   if !c['role']
                     roledesc = {
                       "name" => rolename,
-                      "cloud" => cluster["cloud"],
+                      "cloud" => "AWS",
                       "can_assume" => [
                         {
                           "entity_id" => "ecs-tasks.amazonaws.com",
@@ -1542,19 +1628,28 @@ MU.log c.name, MU::NOTICE, details: t
           end
 
           if cluster["flavor"] == "EKS" and !cluster["vpc"]
-            if !MU::Cloud::AWS.hosted?
-              MU.log "EKS cluster #{cluster['name']} must declare a VPC", MU::ERR
-              ok = false
+            if !MU::Cloud::AWS.hosted? or !MU::Cloud::AWS.myVPCObj
+              siblings = configurator.haveLitterMate?(nil, "vpcs", has_multiple: true)
+              if siblings.size == 1
+                MU.log "EKS cluster #{cluster['name']} did not declare a VPC. Inserting into an available sibling VPC.", MU::WARN
+                cluster["vpc"] = {
+                  "name" => siblings[0]['name'],
+                  "subnet_pref" => "all_private"
+                }
+              else
+                MU.log "EKS cluster #{cluster['name']} must declare a VPC", MU::ERR
+                ok = false
+              end
             else
               cluster["vpc"] = {
-                "vpc_id" => MU.myVPC,
+                "id" => MU.myVPC,
                 "subnet_pref" => "all_private"
               }
             end
           end
 
           if ["ECS", "EKS"].include?(cluster["flavor"])
-            std_ami = getECSImageId(cluster["flavor"], cluster['region'])
+            std_ami = getStandardImage(cluster["flavor"], cluster['region'], version: cluster['kubernetes']['version'], gpu: cluster['gpu'])
             cluster["host_image"] ||= std_ami
             if cluster["host_image"] != std_ami
               if cluster["flavor"] == "ECS"
@@ -1582,41 +1677,36 @@ MU.log c.name, MU::NOTICE, details: t
 
           end
 
+          fwname = "container_cluster#{cluster['name']}"
+
           cluster['ingress_rules'] ||= []
-          if cluster['flavor'] == "ECS"
+          if ["ECS", "EKS"].include?(cluster["flavor"])
             cluster['ingress_rules'] << {
-              "sgs" => ["server_pool#{cluster['name']}workers"],
-              "port" => 443
+              "sgs" => ["server_pool"+cluster["name"]+"workers"],
+              "port" => 443,
+              "proto" => "tcp",
+              "ingress" => true,
+              "comment" => "Allow worker nodes to access API"
             }
+            ruleset = configurator.haveLitterMate?(fwname, "firewall_rules")
+            if ruleset
+              ruleset["rules"].concat(cluster['ingress_rules'])
+              ruleset["rules"].uniq!
+            end
           end
-          fwname = "container_cluster#{cluster['name']}"
-
-          acl = {
-            "name" => fwname,
-            "credentials" => cluster["credentials"],
-            "rules" => cluster['ingress_rules'],
-            "region" => cluster['region'],
-            "optional_tags" => cluster['optional_tags']
-          }
-          acl["tags"] = cluster['tags'] if cluster['tags'] && !cluster['tags'].empty?
-          acl["vpc"] = cluster['vpc'].dup if cluster['vpc']
-
-          ok = false if !configurator.insertKitten(acl, "firewall_rules")
-          cluster["add_firewall_rules"] = [] if cluster["add_firewall_rules"].nil?
-          cluster["add_firewall_rules"] << {"rule_name" => fwname}
-          cluster["dependencies"] << {
-            "name" => fwname,
-            "type" => "firewall_rule",
-          }
 
           if ["ECS", "EKS"].include?(cluster["flavor"])
+            cluster["max_size"] ||= cluster["instance_count"]
+            cluster["min_size"] ||= cluster["instance_count"]
 
             worker_pool = {
               "name" => cluster["name"]+"workers",
+              "cloud" => "AWS",
+              "skipinitialupdates" => (cluster["flavor"] == "EKS"),
               "credentials" => cluster["credentials"],
               "region" => cluster['region'],
-              "min_size" => cluster["instance_count"],
-              "max_size" => cluster["instance_count"],
+              "min_size" => cluster["min_size"],
+              "max_size" => cluster["max_size"],
               "wait_for_nodes" => cluster["instance_count"],
               "ssh_user" => cluster["host_ssh_user"],
               "role_strip_path" => true,
@@ -1629,7 +1719,7 @@ MU.log c.name, MU::NOTICE, details: t
             }
             if cluster["flavor"] == "EKS"
               worker_pool["ingress_rules"] = [
-                "sgs" => ["container_cluster#{cluster['name']}"],
+                "sgs" => [fwname],
                 "port_range" => "1-65535"
               ]
               worker_pool["application_attributes"] ||= {}
@@ -1681,6 +1771,7 @@ MU.log c.name, MU::NOTICE, details: t
               role = {
                 "name" => cluster["name"]+"controlplane",
                 "credentials" => cluster["credentials"],
+                "cloud" => "AWS",
                 "can_assume" => [
                   { "entity_id" => "eks.amazonaws.com", "entity_type" => "service" }
                 ],