RubyGems - cloud-mu - Versions diffs - 3.1.2 → 3.2.0 - Mend

cloud-mu 3.1.2 → 3.2.0

Files changed (201) hide show

checksums.yaml +4 -4
data/Dockerfile +15 -3
data/ansible/roles/mu-windows/README.md +33 -0
data/ansible/roles/mu-windows/defaults/main.yml +2 -0
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/handlers/main.yml +2 -0
data/ansible/roles/mu-windows/meta/main.yml +53 -0
data/ansible/roles/mu-windows/tasks/main.yml +36 -0
data/ansible/roles/mu-windows/tests/inventory +2 -0
data/ansible/roles/mu-windows/tests/test.yml +5 -0
data/ansible/roles/mu-windows/vars/main.yml +2 -0
data/bin/mu-adopt +10 -13
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +2 -3
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +135 -37
data/cloud-mu.gemspec +22 -20
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +3 -2
data/cookbooks/mu-tools/libraries/monkey.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/google_api.rb +2 -2
data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
data/cookbooks/mu-tools/resources/disk.rb +1 -1
data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +18 -13
data/extras/image-generators/AWS/win2k16.yaml +18 -13
data/extras/image-generators/AWS/win2k19.yaml +21 -0
data/extras/image-generators/Google/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +1 -1
data/modules/mommacat.ru +6 -16
data/modules/mu.rb +165 -111
data/modules/mu/adoption.rb +401 -68
data/modules/mu/cleanup.rb +199 -306
data/modules/mu/cloud.rb +100 -1632
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +46 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +920 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +165 -0
data/modules/mu/config.rb +171 -1767
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +4 -4
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/collection.rb +4 -4
data/modules/mu/config/container_cluster.rb +9 -4
data/modules/mu/config/database.rb +83 -104
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +6 -6
data/modules/mu/config/doc_helpers.rb +516 -0
data/modules/mu/config/endpoint.rb +4 -4
data/modules/mu/config/firewall_rule.rb +103 -4
data/modules/mu/config/folder.rb +4 -4
data/modules/mu/config/function.rb +3 -3
data/modules/mu/config/group.rb +4 -4
data/modules/mu/config/habitat.rb +4 -4
data/modules/mu/config/loadbalancer.rb +60 -14
data/modules/mu/config/log.rb +4 -4
data/modules/mu/config/msg_queue.rb +4 -4
data/modules/mu/config/nosqldb.rb +4 -4
data/modules/mu/config/notifier.rb +3 -3
data/modules/mu/config/ref.rb +365 -0
data/modules/mu/config/role.rb +4 -4
data/modules/mu/config/schema_helpers.rb +509 -0
data/modules/mu/config/search_domain.rb +4 -4
data/modules/mu/config/server.rb +97 -70
data/modules/mu/config/server.yml +1 -0
data/modules/mu/config/server_pool.rb +5 -9
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +200 -0
data/modules/mu/config/user.rb +4 -4
data/modules/mu/config/vpc.rb +70 -27
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +83 -60
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +3 -2
data/modules/mu/deploy.rb +30 -26
data/modules/mu/groomer.rb +17 -2
data/modules/mu/groomers/ansible.rb +188 -41
data/modules/mu/groomers/chef.rb +116 -55
data/modules/mu/logger.rb +127 -148
data/modules/mu/master.rb +389 -2
data/modules/mu/master/chef.rb +3 -4
data/modules/mu/master/ldap.rb +3 -3
data/modules/mu/master/ssl.rb +12 -3
data/modules/mu/mommacat.rb +217 -2612
data/modules/mu/mommacat/daemon.rb +397 -0
data/modules/mu/mommacat/naming.rb +473 -0
data/modules/mu/mommacat/search.rb +495 -0
data/modules/mu/mommacat/storage.rb +722 -0
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +271 -112
data/modules/mu/{clouds → providers}/aws/alarm.rb +5 -3
data/modules/mu/{clouds → providers}/aws/bucket.rb +26 -22
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +33 -67
data/modules/mu/{clouds → providers}/aws/collection.rb +24 -23
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +681 -721
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +64 -63
data/modules/mu/{clouds → providers}/aws/endpoint.rb +22 -27
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +214 -244
data/modules/mu/{clouds → providers}/aws/folder.rb +7 -7
data/modules/mu/{clouds → providers}/aws/function.rb +17 -22
data/modules/mu/{clouds → providers}/aws/group.rb +23 -23
data/modules/mu/{clouds → providers}/aws/habitat.rb +17 -14
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +57 -48
data/modules/mu/{clouds → providers}/aws/log.rb +15 -12
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +17 -16
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +18 -11
data/modules/mu/{clouds → providers}/aws/notifier.rb +11 -6
data/modules/mu/{clouds → providers}/aws/role.rb +112 -86
data/modules/mu/{clouds → providers}/aws/search_domain.rb +39 -33
data/modules/mu/{clouds → providers}/aws/server.rb +835 -1133
data/modules/mu/{clouds → providers}/aws/server_pool.rb +56 -60
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +24 -42
data/modules/mu/{clouds → providers}/aws/user.rb +21 -22
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
data/modules/mu/{clouds → providers}/aws/vpc.rb +523 -929
data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
data/modules/mu/{clouds → providers}/azure.rb +29 -9
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +3 -8
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +18 -11
data/modules/mu/{clouds → providers}/azure/habitat.rb +8 -6
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/azure/role.rb +8 -10
data/modules/mu/{clouds → providers}/azure/server.rb +95 -48
data/modules/mu/{clouds → providers}/azure/user.rb +6 -8
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +16 -21
data/modules/mu/{clouds → providers}/cloudformation.rb +18 -7
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +5 -7
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +67 -30
data/modules/mu/{clouds → providers}/google/bucket.rb +13 -15
data/modules/mu/{clouds → providers}/google/container_cluster.rb +84 -77
data/modules/mu/{clouds → providers}/google/database.rb +10 -20
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +15 -14
data/modules/mu/{clouds → providers}/google/folder.rb +20 -17
data/modules/mu/{clouds → providers}/google/function.rb +139 -167
data/modules/mu/{clouds → providers}/google/group.rb +29 -34
data/modules/mu/{clouds → providers}/google/habitat.rb +21 -22
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +18 -20
data/modules/mu/{clouds → providers}/google/role.rb +92 -58
data/modules/mu/{clouds → providers}/google/server.rb +242 -155
data/modules/mu/{clouds → providers}/google/server_pool.rb +25 -44
data/modules/mu/{clouds → providers}/google/user.rb +95 -31
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +103 -79
data/modules/tests/bucket.yml +4 -0
data/modules/tests/centos6.yaml +11 -0
data/modules/tests/centos7.yaml +11 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +23 -0
data/modules/tests/includes-and-params.yaml +2 -1
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/aws-iam.yaml +201 -0
data/modules/tests/regrooms/bucket.yml +19 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +1 -0
data/modules/tests/super_simple_bok.yml +1 -3
data/modules/tests/win2k12.yaml +17 -5
data/modules/tests/win2k16.yaml +25 -0
data/modules/tests/win2k19.yaml +25 -0
data/requirements.txt +1 -0
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +232 -154
data/extras/image-generators/AWS/windows.yaml +0 -18
data/modules/mu/clouds/aws/database.rb +0 -1985

data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb RENAMED

@@ -129,13 +129,13 @@ module MU
             if launch_desc["storage"]
               launch_desc["storage"].each { |vol|
-                mapping, cfm_mapping = MU::Cloud::AWS::Server.convertBlockDeviceMapping(vol)
+                mapping, cfm_mapping = MU::Cloud.resourceClass("AWS", "Server").convertBlockDeviceMapping(vol)
                 if cfm_mapping.size > 0
                   MU::Cloud::CloudFormation.setCloudFormationProp(@cfm_template[@cfm_launch_name], "BlockDeviceMappings", cfm_mapping)
                 end
               }
             end
-            MU::Cloud::AWS::Server.ephemeral_mappings.each { |mapping|
+            MU::Cloud.resourceClass("AWS", "Server.ephemeral_mappings").each { |mapping|
               MU::Cloud::CloudFormation.setCloudFormationProp(@cfm_template[@cfm_launch_name], "BlockDeviceMappings", { "DeviceName" => mapping[:device_name], "VirtualName" => mapping[:virtual_name] })
             }
@@ -263,7 +263,7 @@ module MU
         # @param config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
-          MU::Cloud::AWS::ServerPool.schema(config)
+          MU::Cloud.resourceClass("AWS", "ServerPool").schema(config)
         end
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::servers}, bare and unvalidated.
@@ -271,14 +271,14 @@ module MU
         # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
         def self.validateConfig(server, configurator)
-          MU::Cloud::AWS::ServerPool.validateConfig(server, configurator)
+          MU::Cloud.resourceClass("AWS", "ServerPool").validateConfig(server, configurator)
         end
         # Does this resource type exist as a global (cloud-wide) artifact, or
         # is it localized to a region/zone?
         # @return [Boolean]
         def self.isGlobal?
-          MU::Cloud::AWS::ServerPool.isGlobal?
+          MU::Cloud.resourceClass("AWS", "ServerPool").isGlobal?
         end
       end

data/modules/mu/{clouds → providers}/cloudformation/vpc.rb RENAMED

@@ -240,8 +240,6 @@ module MU
           {}
         end
-        protected
         # Subnets are almost a first-class resource. So let's kinda sorta treat
         # them like one. This should only be invoked on objects that already
         # exists in the cloud layer.
@@ -288,13 +286,13 @@ module MU
         # Placeholder. This is a NOOP for CloudFormation, which doesn't build
         # resources directly.
-        def self.find(*args)
+        def self.find(**args)
           MU.log "find() not implemented for CloudFormation layer", MU::DEBUG
           nil
         end
         # Placeholder. This is a NOOP for CloudFormation, which doesn't build
         # resources directly.
-        def self.cleanup(*args)
+        def self.cleanup(**args)
           MU.log "cleanup() not implemented for CloudFormation layer", MU::DEBUG
           nil
         end
@@ -303,7 +301,7 @@ module MU
         # @param config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
-          MU::Cloud::AWS::VPC.schema(config)
+          MU::Cloud.resourceClass("AWS", "VPC").schema(config)
         end
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::servers}, bare and unvalidated.
@@ -311,14 +309,14 @@ module MU
         # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
         def self.validateConfig(server, configurator)
-          MU::Cloud::AWS::VPC.validateConfig(server, configurator)
+          MU::Cloud.resourceClass("AWS", "VPC").validateConfig(server, configurator)
         end
         # Does this resource type exist as a global (cloud-wide) artifact, or
         # is it localized to a region/zone?
         # @return [Boolean]
         def self.isGlobal?
-          MU::Cloud::AWS::VPC.isGlobal?
+          MU::Cloud.resourceClass("AWS", "VPC").isGlobal?
         end
       end #class

data/modules/mu/{clouds → providers}/docker.rb RENAMED

File without changes

data/modules/mu/{clouds → providers}/google.rb RENAMED

@@ -52,6 +52,22 @@ module MU
         [:url]
       end
+      # Is this a "real" cloud provider, or a stub like CloudFormation?
+      def self.virtual?
+        false
+      end
+      # Most of our resource implementation +find+ methods have to mangle their
+      # args to make sure they've extracted a project or location argument from
+      # other available information. This does it for them.
+      # @return [Hash]
+      def self.findLocationArgs(**args)
+        args[:project] ||= args[:habitat]
+        args[:project] ||= MU::Cloud::Google.defaultProject(args[:credentials])
+        args[:location] ||= args[:region] || args[:availability_zone] || "-"
+        args
+      end
       # A hook that is always called just before any of the instance method of
       # our resource implementations gets invoked, so that we can ensure that
       # repetitive setup tasks (like resolving +:resource_group+ for Azure
@@ -141,10 +157,9 @@ module MU
       def self.habitat(cloudobj, nolookup: false, deploy: nil)
         @@habmap ||= {}
 # XXX whaddabout config['habitat'] HNNNGH
         return nil if !cloudobj.cloudclass.canLiveIn.include?(:Habitat)
-# XXX users are assholes because they're valid two different ways ugh ugh
+# XXX these are assholes because they're valid two different ways ugh ugh
         return nil if [MU::Cloud::Google::Group, MU::Cloud::Google::Folder].include?(cloudobj.cloudclass)
         if cloudobj.config and cloudobj.config['project']
           if nolookup
@@ -154,7 +169,6 @@ module MU
             return @@habmap[cloudobj.config['project']]
           end
           deploy ||= cloudobj.deploy if cloudobj.respond_to?(:deploy)
           projectobj = projectLookup(cloudobj.config['project'], deploy, raise_on_fail: false)
           if projectobj
@@ -222,7 +236,7 @@ module MU
       # @param sibling_only [Boolean]
       # @return [MU::Config::Habitat,nil]
       def self.projectLookup(name, deploy = MU.mommacat, raise_on_fail: true, sibling_only: false)
-        project_obj = deploy.findLitterMate(type: "habitats", name: name) if deploy
+        project_obj = deploy.findLitterMate(type: "habitats", name: name) if deploy if !caller.grep(/`findLitterMate'/) # XXX the dumbest
         if !project_obj and !sibling_only
           resp = MU::MommaCat.findStray(
@@ -328,6 +342,7 @@ module MU
       # etc)
       # @param deploy_id [MU::MommaCat]
       def self.cleanDeploy(deploy_id, credentials: nil, noop: false)
+        removeDeploySecretsAndRoles(deploy_id, noop: noop, credentials: credentials)
       end
       # Plant a Mu deploy secret into a storage bucket somewhere for so our kittens can consume it
@@ -363,7 +378,7 @@ module MU
         cfg = credConfig(credentials)
         return if !cfg or !cfg['project']
         flags["project"] ||= cfg['project']
-        name = deploy_id+"-secret"
         resp = MU::Cloud::Google.storage(credentials: credentials).list_objects(
           adminBucketName(credentials),
           prefix: deploy_id
@@ -420,7 +435,7 @@ module MU
 MU.log e.message, MU::WARN, details: e.inspect
           if e.inspect.match(/body: "Not Found"/)
             raise MuError, "Google admin bucket #{adminBucketName(credentials)} or key #{name} does not appear to exist or is not visible with #{credentials ? credentials : "default"} credentials"
-          elsif e.message.match(/notFound: |Unknown user:/)
+          elsif e.message.match(/notFound: |Unknown user:|conflict: /)
             if retries < 5
               sleep 5
               retries += 1
@@ -429,7 +444,7 @@ MU.log e.message, MU::WARN, details: e.inspect
               raise e
             end
           elsif e.inspect.match(/The metadata for object "null" was edited during the operation/)
-            MU.log e.message+" - Google admin bucket #{adminBucketName(credentials)}/#{name} with #{credentials ? credentials : "default"} credentials", MU::WARN, details: aclobj
+            MU.log e.message+" - Google admin bucket #{adminBucketName(credentials)}/#{name} with #{credentials ? credentials : "default"} credentials", MU::DEBUG, details: aclobj
             sleep 10
             retry
           else
@@ -539,8 +554,8 @@ MU.log e.message, MU::WARN, details: e.inspect
             begin
               listRegions(credentials: credentials)
               listInstanceTypes(credentials: credentials)
-              listProjects(credentials)
-            rescue ::Google::Apis::ClientError => e
+              listHabitats(credentials)
+            rescue ::Google::Apis::ClientError
               MU.log "Found machine credentials #{@@svc_account_name}, but these don't appear to have sufficient permissions or scopes", MU::WARN, details: scopes
               @@authorizers.delete(credentials)
               return nil
@@ -691,13 +706,26 @@ MU.log e.message, MU::WARN, details: e.inspect
         nil
       end
+      @allprojects = []
       # List all Google Cloud Platform projects available to our credentials
-      def self.listProjects(credentials = nil)
+      def self.listHabitats(credentials = nil, use_cache: true)
         cfg = credConfig(credentials)
-        return [] if !cfg or !cfg['project']
+        return [] if !cfg
+        if cfg['restrict_to_habitats'] and cfg['restrict_to_habitats'].is_a?(Array)
+          cfg['restrict_to_habitats'] << cfg['project'] if cfg['project']
+          return cfg['restrict_to_habitats'].uniq
+        end
+        if @allprojects and !@allprojects.empty? and use_cache
+          return @allprojects
+        end
         result = MU::Cloud::Google.resource_manager(credentials: credentials).list_projects
         result.projects.reject! { |p| p.lifecycle_state == "DELETE_REQUESTED" }
-        result.projects.map { |p| p.project_id }
+        @allprojects = result.projects.map { |p| p.project_id }
+        if cfg['ignore_habitats'] and cfg['ignore_habitats'].is_a?(Array)
+          @allprojects.reject! { |p| cfg['ignore_habitats'].include?(p) }
+        end
+        @allprojects
       end
       @@regions = {}
@@ -717,7 +745,6 @@ MU.log e.message, MU::WARN, details: e.inspect
             raise e
           end
-          regions = []
           result.items.each { |region|
             @@regions[region.name] = []
             region.zones.each { |az|
@@ -846,7 +873,7 @@ MU.log e.message, MU::WARN, details: e.inspect
           if subclass.nil?
             begin
               @@admin_directory_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "AdminDirectoryV1::DirectoryService", scopes: use_scopes, masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'], credentials: credentials, auth_error_quiet: true)
-            rescue Signet::AuthorizationError => e
+            rescue Signet::AuthorizationError
               MU.log "Falling back to read-only access to DirectoryService API for credential set '#{credentials}'", MU::WARN
               @@admin_directory_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "AdminDirectoryV1::DirectoryService", scopes: readscopes, masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'], credentials: credentials)
               @@readonly[credentials] ||= {}
@@ -1003,8 +1030,10 @@ MU.log e.message, MU::WARN, details: e.inspect
           "default"
         end
+        with_id ||= creds['org'] if creds['org']
         return @@orgmap[credname] if @@orgmap.has_key?(credname)
         resp = MU::Cloud::Google.resource_manager(credentials: credname).search_organizations
         if resp and resp.organizations
           # XXX no idea if it's possible to be a member of multiple orgs
           if !with_id
@@ -1012,7 +1041,8 @@ MU.log e.message, MU::WARN, details: e.inspect
             return resp.organizations.first
           else
             resp.organizations.each { |org|
-              if org.name == with_id
+              if org.name == with_id or org.display_name == with_id or
+                 org.name == "organizations/#{with_id}"
                 @@orgmap[credname] = org
                 return org
               end
@@ -1052,8 +1082,6 @@ MU.log e.message, MU::WARN, details: e.inspect
         @@customer_ids_cache[credentials]
       end
-      private
       # Wrapper class for Google APIs, so that we can catch some common
       # transient endpoint errors without having to spray rescues all over the
       # codebase.
@@ -1109,12 +1137,13 @@ MU.log e.message, MU::WARN, details: e.inspect
         # @param filter [String]: The Compute API filter string to use to isolate appropriate resources
         def delete(type, project, region = nil, noop = false, filter = "description eq #{MU.deploy_id}", credentials: nil)
           list_sym = "list_#{type.sub(/y$/, "ie")}s".to_sym
+          credentials ||= @credentials
           resp = nil
           begin
             if region
-              resp = MU::Cloud::Google.compute(credentials: @credentials).send(list_sym, project, region, filter: filter, mu_gcp_enable_apis: false)
+              resp = MU::Cloud::Google.compute(credentials: credentials).send(list_sym, project, region, filter: filter, mu_gcp_enable_apis: false)
             else
-              resp = MU::Cloud::Google.compute(credentials: @credentials).send(list_sym, project, filter: filter, mu_gcp_enable_apis: false)
+              resp = MU::Cloud::Google.compute(credentials: credentials).send(list_sym, project, filter: filter, mu_gcp_enable_apis: false)
             end
           rescue ::Google::Apis::ClientError => e
@@ -1137,9 +1166,9 @@ MU.log e.message, MU::WARN, details: e.inspect
                     resp = nil
                     failed = false
                     if region
-                      resp = MU::Cloud::Google.compute(credentials: @credentials).send(delete_sym, project, region, obj.name)
+                      resp = MU::Cloud::Google.compute(credentials: credentials).send(delete_sym, project, region, obj.name)
                     else
-                      resp = MU::Cloud::Google.compute(credentials: @credentials).send(delete_sym, project, obj.name)
+                      resp = MU::Cloud::Google.compute(credentials: credentials).send(delete_sym, project, obj.name)
                     end
                     if resp.error and resp.error.errors and resp.error.errors.size > 0
@@ -1195,11 +1224,19 @@ MU.log e.message, MU::WARN, details: e.inspect
             retval = nil
             retries = 0
             wait_backoff = 5
-            if next_page_token
-              if arguments.size == 1 and arguments.first.is_a?(Hash)
-                arguments[0][:page_token] = next_page_token
-              else
-                arguments << { :page_token => next_page_token }
+            if next_page_token
+              if method_sym != :list_entry_log_entries
+                if arguments.size == 1 and arguments.first.is_a?(Hash)
+                  arguments[0][:page_token] = next_page_token
+                else
+                  arguments << { :page_token => next_page_token }
+                end
+              elsif arguments.first.class == ::Google::Apis::LoggingV2::ListLogEntriesRequest
+                arguments[0] = ::Google::Apis::LoggingV2::ListLogEntriesRequest.new(
+                  resource_names: arguments.first.resource_names,
+                  filter: arguments.first.filter,
+                  page_token: next_page_token
+                )
               end
             end
             begin
@@ -1318,7 +1355,6 @@ MU.log e.message, MU::WARN, details: e.inspect
             if retval.class.name.match(/.*?::Operation$/)
               retries = 0
-              orig_target = retval.name
               # Check whether the various types of +Operation+ responses say
               # they're done, without knowing which specific API they're from
@@ -1390,7 +1426,7 @@ MU.log e.message, MU::WARN, details: e.inspect
               # take advantage.
               # XXX might want to do something similar for delete ops? just the
               # but where we wait for the operation to definitely be done
-              had_been_found = false
+#              had_been_found = false
               if method_sym.to_s.match(/^(insert|create|patch)_/)
                 get_method = method_sym.to_s.gsub(/^(insert|patch|create_disk|create)_/, "get_").to_sym
                 cloud_id = if retval.respond_to?(:target_link)
@@ -1417,7 +1453,7 @@ MU.log e.message, MU::WARN, details: e.inspect
 #if method_sym == :insert_instance
 #MU.log "actual_resource", MU::WARN, details: actual_resource
 #end
-                had_been_found = true
+#                had_been_found = true
                 if actual_resource.respond_to?(:status) and
                   ["PROVISIONING", "STAGING", "PENDING", "CREATING", "RESTORING"].include?(actual_resource.status)
                   retries = 0
@@ -1440,6 +1476,7 @@ MU.log e.message, MU::WARN, details: e.inspect
             if overall_retval
               if method_sym.to_s.match(/^list_(.*)/)
                 require 'google/apis/iam_v1'
+                require 'google/apis/logging_v2'
                 what = Regexp.last_match[1].to_sym
                 whatassign = (Regexp.last_match[1]+"=").to_sym
                 if overall_retval.class == ::Google::Apis::IamV1::ListServiceAccountsResponse
@@ -1451,7 +1488,7 @@ MU.log e.message, MU::WARN, details: e.inspect
                     newarray = retval.public_send(what) + overall_retval.public_send(what)
                     overall_retval.public_send(whatassign, newarray)
                   end
-                else
+                elsif !retval.respond_to?(:next_page_token) or retval.next_page_token.nil? or retval.next_page_token.empty?
                   MU.log "Not sure how to append #{method_sym.to_s} results to #{overall_retval.class.name} (apparently #{what.to_s} and #{whatassign.to_s} aren't it), returning first page only", MU::WARN, details: retval
                   return retval
                 end

data/modules/mu/{clouds → providers}/google/bucket.rb RENAMED

@@ -34,7 +34,7 @@ module MU
         # Called automatically by {MU::Deploy#createResources}
         def groom
-          @project_id = MU::Cloud::Google.projectLookup(@config['project'], @deploy).cloudobj.cloud_id
+          @project_id = MU::Cloud::Google.projectLookup(@config['project'], @deploy).cloud_id
           current = cloud_desc
           changed = false
@@ -143,15 +143,14 @@ module MU
         # Remove all buckets associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
+        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
-          resp = MU::Cloud::Google.storage(credentials: credentials).list_buckets(flags['project'])
+          resp = MU::Cloud::Google.storage(credentials: credentials).list_buckets(flags['habitat'])
           if resp and resp.items
             resp.items.each { |bucket|
-              if bucket.labels and bucket.labels["mu-id"] == MU.deploy_id.downcase
+              if bucket.labels and bucket.labels["mu-id"] == MU.deploy_id.downcase and (ignoremaster or bucket.labels['mu-master-ip'] == MU.mu_public_ip.gsub(/\./, "_"))
                 MU.log "Deleting Cloud Storage bucket #{bucket.name}"
                 if !noop
                   MU::Cloud::Google.storage(credentials: credentials).delete_bucket(bucket.name)
@@ -172,8 +171,7 @@ module MU
         # Locate an existing bucket.
         # @return [OpenStruct]: The cloud provider's complete descriptions of matching bucket.
         def self.find(**args)
-          args[:project] ||= args[:habitat]
-          args[:project] ||= MU::Cloud::Google.defaultProject(args[:credentials])
+          args = MU::Cloud::Google.findLocationArgs(args)
           found = {}
           if args[:cloud_id]
@@ -198,7 +196,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "Google",
             "credentials" => @config['credentials'],
@@ -245,7 +243,7 @@ module MU
                   grantees[binding.role] << { "id" => grantee }
                 elsif grantee.match(/^serviceAccount:(.*)/)
                   sa_name = Regexp.last_match[1]
-                  if MU::Cloud::Google::User.cannedServiceAcctName?(sa_name)
+                  if MU::Cloud.resourceClass("Google", "User").cannedServiceAcctName?(sa_name)
                     grantees[binding.role] << { "id" => grantee }
                   else
                     grantees[binding.role] << MU::Config::Ref.get(
@@ -300,14 +298,14 @@ module MU
         end
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "storage_class" => {
               "type" => "string",
-              "enum" => ["MULTI_REGIONAL", "REGIONAL", "STANDARD", "NEARLINE", "COLDLINE", "DURABLE_REDUCED_AVAILABILITY"],
+              "enum" => ["MULTI_REGIONAL", "REGIONAL", "STANDARD", "NEARLINE", "COLDLINE", "DURABLE_REDUCED_AVAILABILITY", "ARCHIVE"],
               "default" => "STANDARD"
             },
             "bucket_wide_acls" => {
@@ -322,9 +320,9 @@ module MU
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::bucket}, bare and unvalidated.
         # @param bucket [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(bucket, configurator)
+        def self.validateConfig(bucket, _configurator)
           ok = true
           bucket['project'] ||= MU::Cloud::Google.defaultProject(bucket['credentials'])

data/modules/mu/{clouds → providers}/google/container_cluster.rb RENAMED

@@ -250,7 +250,7 @@ module MU
           @config['master_az'] = @config['region']
           parent_arg = "projects/"+@config['project']+"/locations/"+@config['master_az']
-          cluster = MU::Cloud::Google.container(credentials: @config['credentials']).create_project_location_cluster(
+          MU::Cloud::Google.container(credentials: @config['credentials']).create_project_location_cluster(
             parent_arg,
             requestobj
           )
@@ -277,11 +277,9 @@ module MU
           me = cloud_desc
-          parent_arg = "projects/"+@config['project']+"/locations/"+me.location
           # Enable/disable basic auth
           authcfg = {}
-          action = nil
           if @config['master_user'] and (me.master_auth.username != @config['master_user'] or !me.master_auth.password)
             authcfg[:username] = @config['master_user']
             authcfg[:password] = Password.pronounceable(16..18)
@@ -368,15 +366,24 @@ module MU
             }
           end
+          # map from GKE Kuberentes addon parameter names to our BoK equivalent
+          # fields so we can check all these programmatically
+          addon_map = {
+            :horizontal_pod_autoscaling => 'horizontal_pod_autoscaling',
+            :http_load_balancing => 'http_load_balancing',
+            :kubernetes_dashboard => 'dashboard',
+            :network_policy_config => 'network_policy_addon'
+          }
           if @config['kubernetes']
-            if (me.addons_config.horizontal_pod_autoscaling.disabled and @config['kubernetes']['horizontal_pod_autoscaling']) or
-               (!me.addons_config.horizontal_pod_autoscaling and !@config['kubernetes']['horizontal_pod_autoscaling']) or
-               (me.addons_config.http_load_balancing.disabled and @config['kubernetes']['http_load_balancing']) or
-               (!me.addons_config.http_load_balancing and !@config['kubernetes']['http_load_balancing']) or
-               (me.addons_config.kubernetes_dashboard.disabled and @config['kubernetes']['dashboard']) or
-               (!me.addons_config.kubernetes_dashboard and !@config['kubernetes']['dashboard']) or
-               (me.addons_config.network_policy_config.disabled and @config['kubernetes']['network_policy_addon']) or
-               (!me.addons_config.network_policy_config and !@config['kubernetes']['network_policy_addon'])
+            have_changes = false
+            addon_map.each_pair { |param, bok_param|
+              if (me.addons_config.send(param).disabled and @config['kubernetes'][bok_param]) or
+                 (!me.addons_config.send(param) and !@config['kubernetes'][bok_param])
+                have_changes = true
+              end
+            }
+            if have_changes
               updates << { :desired_addons_config => MU::Cloud::Google.container(:AddonsConfig).new(
                 horizontal_pod_autoscaling: MU::Cloud::Google.container(:HorizontalPodAutoscaling).new(
                   disabled: !@config['kubernetes']['horizontal_pod_autoscaling']
@@ -467,13 +474,10 @@ module MU
           MU.log %Q{How to interact with your GKE cluster\nkubectl --kubeconfig "#{kube_conf}" get events --all-namespaces\nkubectl --kubeconfig "#{kube_conf}" get all\nkubectl --kubeconfig "#{kube_conf}" create -f some_k8s_deploy.yml\nkubectl --kubeconfig "#{kube_conf}" get nodes}, MU::SUMMARY
         end
         # Locate an existing ContainerCluster or ContainerClusters and return an array containing matching GCP resource descriptors for those that match.
         # @return [Array<Hash<String,OpenStruct>>]: The cloud provider's complete descriptions of matching ContainerClusters
         def self.find(**args)
-          args[:project] ||= args[:habitat]
-          args[:project] ||= MU::Cloud::Google.defaultProject(args[:credentials])
-          location = args[:region] || args[:availability_zone] || "-"
+          args = MU::Cloud::Google.findLocationArgs(args)
           found = {}
@@ -486,7 +490,7 @@ module MU
             found[args[:cloud_id]] = resp if resp
           else
             resp = begin
-              MU::Cloud::Google.container(credentials: args[:credentials]).list_project_location_clusters("projects/#{args[:project]}/locations/#{location}")
+              MU::Cloud::Google.container(credentials: args[:credentials]).list_project_location_clusters("projects/#{args[:project]}/locations/#{args[:location]}")
             rescue ::Google::Apis::ClientError => e
               raise e if !e.message.match(/forbidden:/)
             end
@@ -503,7 +507,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "Google",
@@ -562,22 +566,24 @@ module MU
             bok['kubernetes']['network_policy_addon'] = true
           end
-          if cloud_desc.ip_allocation_policy.use_ip_aliases
-            bok['ip_aliases'] = true
-          end
-          if cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
-            bok['pod_ip_block'] = cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
-          end
-          if cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
-            bok['services_ip_block'] = cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
-          end
+          if cloud_desc.ip_allocation_policy
+            if cloud_desc.ip_allocation_policy.use_ip_aliases
+              bok['ip_aliases'] = true
+            end
+            if cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
+              bok['pod_ip_block'] = cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
+            end
+            if cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
+              bok['services_ip_block'] = cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
+            end
-          if cloud_desc.ip_allocation_policy.create_subnetwork
-            bok['custom_subnet'] = {
-              "name" => (cloud_desc.ip_allocation_policy.subnetwork_name || cloud_desc.subnetwork)
-            }
-            if cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
-              bok['custom_subnet']['node_ip_block'] = cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+            if cloud_desc.ip_allocation_policy.create_subnetwork
+              bok['custom_subnet'] = {
+                "name" => (cloud_desc.ip_allocation_policy.subnetwork_name || cloud_desc.subnetwork)
+              }
+              if cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+                bok['custom_subnet']['node_ip_block'] = cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+              end
             end
           end
@@ -651,7 +657,7 @@ module MU
           end
           if bok['service_account']
-            found = MU::Cloud::Google::User.find(
+            found = MU::Cloud.resourceClass("Google", "User").find(
               credentials: bok['credentials'],
               project: bok['project'],
               cloud_id: bok['service_account']
@@ -739,24 +745,25 @@ module MU
         # @param region [String]: The cloud provider region in which to operate
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          skipsnapshots = flags["skipsnapshots"]
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          return if !MU::Cloud::Google::Habitat.isLive?(flags["project"], credentials)
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
+          return if !MU::Cloud.resourceClass("Google", "Habitat").isLive?(flags["habitat"], credentials)
           clusters = []
           # Make sure we catch regional *and* zone clusters
-          found = MU::Cloud::Google.container(credentials: credentials).list_project_location_clusters("projects/#{flags['project']}/locations/#{region}")
+          found = MU::Cloud::Google.container(credentials: credentials).list_project_location_clusters("projects/#{flags['habitat']}/locations/#{region}")
           clusters.concat(found.clusters) if found and found.clusters
           MU::Cloud::Google.listAZs(region).each { |az|
-            found = MU::Cloud::Google.container(credentials: credentials).list_project_location_clusters("projects/#{flags['project']}/locations/#{az}")
+            found = MU::Cloud::Google.container(credentials: credentials).list_project_location_clusters("projects/#{flags['habitat']}/locations/#{az}")
             clusters.concat(found.clusters) if found and found.clusters
           }
           clusters.uniq.each { |cluster|
             if !cluster.resource_labels or (
                  !cluster.name.match(/^#{Regexp.quote(MU.deploy_id)}\-/i) and
-                 cluster.resource_labels['mu-id'] != MU.deploy_id.downcase
+                 (cluster.resource_labels['mu-id'] != MU.deploy_id.downcase or
+                  (!ignoremaster and cluster.resource_labels['mu-master-ip'] != MU.mu_public_ip.gsub(/\./, "_"))
+                 )
                )
               next
             end
@@ -810,10 +817,10 @@ module MU
               "type" => "integer",
               "description" => "The number of local SSD disks to be attached to workers. See https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits"
             },
-            "ssh_user" => MU::Cloud::Google::Server.schema(config)[1]["ssh_user"],
-            "metadata" => MU::Cloud::Google::Server.schema(config)[1]["metadata"],
-            "service_account" => MU::Cloud::Google::Server.schema(config)[1]["service_account"],
-            "scopes" => MU::Cloud::Google::Server.schema(config)[1]["scopes"],
+            "ssh_user" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["ssh_user"],
+            "metadata" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["metadata"],
+            "service_account" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["service_account"],
+            "scopes" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["scopes"],
             "private_cluster" => {
               "description" => "Set a GKE cluster to be private, that is segregated into its own hidden VPC.",
               "type" => "object",
@@ -1014,6 +1021,25 @@ module MU
             cluster['ip_aliases'] = true
           end
+          # try to stake out some nice /21s for our networking config
+          if cluster['ip_aliases'] and cluster["vpc"] and cluster["vpc"]["id"]
+            habarg = if cluster["vpc"]["habitat"] and cluster["vpc"]["habitat"]["id"]
+              cluster["vpc"]["habitat"]["id"]
+            else
+              cluster["project"]
+            end
+            found = MU::MommaCat.findStray("Google", "vpcs", cloud_id: cluster["vpc"]["id"], credentials: cluster["credentials"], habitats: [habarg], dummy_ok: true)
+            if found and found.size == 1
+              myvpc = found.first
+# XXX this might not make sense with custom_subnet
+              cluster['pod_ip_block'] ||= myvpc.getUnusedAddressBlock(max_bits: 21)
+              cluster['services_ip_block'] ||= myvpc.getUnusedAddressBlock(exclude: [cluster['pod_ip_block']], max_bits: 21)
+              if cluster['tpu']
+                cluster['tpu_ip_block'] ||= myvpc.getUnusedAddressBlock(exclude: [cluster['pod_ip_block'], cluster['services_ip_block']], max_bits: 21)
+              end
+            end
+          end
           if cluster['service_account']
             cluster['service_account']['cloud'] = "Google"
             cluster['service_account']['habitat'] ||= MU::Config::Ref.get(
@@ -1023,12 +1049,9 @@ module MU
               type: "habitats"
             )
             if cluster['service_account']['name'] and
-               !cluster['service_account']['id']
-              cluster['dependencies'] ||= []
-              cluster['dependencies'] << {
-                "type" => "user",
-                "name" => cluster['service_account']['name']
-              }
+               !cluster['service_account']['id'] and
+               !cluster['service_account']['deploy_id']
+              MU::Config.addDependency(cluster, cluster['service_account']['name'], "user")
             end
             found = MU::Config::Ref.get(cluster['service_account'])
             # XXX verify that found.kitten fails when it's supposed to
@@ -1037,29 +1060,7 @@ module MU
               ok = false
             end
           else
-            user = {
-              "name" => cluster['name'],
-              "cloud" => "Google",
-              "project" => cluster["project"],
-              "credentials" => cluster["credentials"],
-              "type" => "service"
-            }
-            if user["name"].length < 6
-              user["name"] += Password.pronounceable(6)
-            end
-            configurator.insertKitten(user, "users", true)
-            cluster['dependencies'] ||= []
-            cluster['service_account'] = MU::Config::Ref.get(
-              type: "users",
-              cloud: "Google",
-              name: cluster["name"],
-              project: cluster["project"],
-              credentials: cluster["credentials"]
-            )
-            cluster['dependencies'] << {
-              "type" => "user",
-              "name" => user["name"]
-            }
+            cluster = MU::Cloud.resourceClass("Google", "User").genericServiceAccount(cluster, configurator)
           end
           if cluster['dependencies']
@@ -1110,7 +1111,7 @@ module MU
               }
               if !match
                 MU.log "No version matching #{cluster['kubernetes']['version']} available, will try floating minor revision", MU::WARN
-                cluster['kubernetes']['version'].sub!(/^(\d+\.\d+\.).*/i, '\1')
+                cluster['kubernetes']['version'].sub!(/^(\d+\.\d+)\..*/i, '\1')
                 master_versions.each { |v|
                   if v.match(/^#{Regexp.quote(cluster['kubernetes']['version'])}/)
                     match = true
@@ -1155,9 +1156,13 @@ module MU
             end
           end
-          cluster['instance_type'] = MU::Cloud::Google::Server.validateInstanceType(cluster["instance_type"], cluster["region"], project: cluster['project'], credentials: cluster['credentials'])
+          cluster['instance_type'] = MU::Cloud.resourceClass("Google", "Server").validateInstanceType(cluster["instance_type"], cluster["region"], project: cluster['project'], credentials: cluster['credentials'])
           ok = false if cluster['instance_type'].nil?
+          if !MU::Master.kubectl
+            MU.log "Since I can't find a kubectl executable, you will have to handle all service account, user, and role bindings manually!", MU::WARN
+          end
           ok
         end
@@ -1204,7 +1209,8 @@ module MU
           labels["name"] = MU::Cloud::Google.nameStr(@mu_name)
           labelset = MU::Cloud::Google.container(:SetLabelsRequest).new(
-            resource_labels: labels
+            resource_labels: labels,
+            label_fingerprint: cloud_desc.label_fingerprint
           )
           MU::Cloud::Google.container(credentials: @config['credentials']).set_project_location_cluster_resource_labels(@cloud_id, labelset)
         end
@@ -1223,6 +1229,7 @@ module MU
           @@server_config[credentials][az] = MU::Cloud::Google.container(credentials: credentials).get_project_location_server_config(parent_arg)
           @@server_config[credentials][az]
         end
+        private_class_method :defaults
         def writeKubeConfig
           kube_conf = @deploy.deploy_dir+"/kubeconfig-#{@config['name']}"
@@ -1247,7 +1254,7 @@ module MU
           # Take this opportunity to ensure that the 'client' service account
           # used by certificate authentication exists and has appropriate
           # privilege
-          if @username and @password
+          if @username and @password and MU::Master.kubectl
             File.open(client_binding, "w"){ |k|
               k.puts <<-EOF
 kind: ClusterRoleBinding