RubyGems - cloud-mu - Versions diffs - 3.1.2 → 3.2.0 - Mend

cloud-mu 3.1.2 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (201) hide show

checksums.yaml +4 -4
data/Dockerfile +15 -3
data/ansible/roles/mu-windows/README.md +33 -0
data/ansible/roles/mu-windows/defaults/main.yml +2 -0
data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
data/ansible/roles/mu-windows/files/config.xml +76 -0
data/ansible/roles/mu-windows/handlers/main.yml +2 -0
data/ansible/roles/mu-windows/meta/main.yml +53 -0
data/ansible/roles/mu-windows/tasks/main.yml +36 -0
data/ansible/roles/mu-windows/tests/inventory +2 -0
data/ansible/roles/mu-windows/tests/test.yml +5 -0
data/ansible/roles/mu-windows/vars/main.yml +2 -0
data/bin/mu-adopt +10 -13
data/bin/mu-azure-tests +57 -0
data/bin/mu-cleanup +2 -4
data/bin/mu-configure +52 -0
data/bin/mu-deploy +3 -3
data/bin/mu-findstray-tests +25 -0
data/bin/mu-gen-docs +2 -4
data/bin/mu-load-config.rb +2 -3
data/bin/mu-node-manage +15 -16
data/bin/mu-run-tests +135 -37
data/cloud-mu.gemspec +22 -20
data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
data/cookbooks/mu-tools/libraries/helper.rb +3 -2
data/cookbooks/mu-tools/libraries/monkey.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
data/cookbooks/mu-tools/recipes/eks.rb +2 -2
data/cookbooks/mu-tools/recipes/google_api.rb +2 -2
data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
data/cookbooks/mu-tools/resources/disk.rb +1 -1
data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
data/extras/clean-stock-amis +25 -19
data/extras/generate-stock-images +1 -0
data/extras/image-generators/AWS/win2k12.yaml +18 -13
data/extras/image-generators/AWS/win2k16.yaml +18 -13
data/extras/image-generators/AWS/win2k19.yaml +21 -0
data/extras/image-generators/Google/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +1 -1
data/modules/mommacat.ru +6 -16
data/modules/mu.rb +165 -111
data/modules/mu/adoption.rb +401 -68
data/modules/mu/cleanup.rb +199 -306
data/modules/mu/cloud.rb +100 -1632
data/modules/mu/cloud/database.rb +49 -0
data/modules/mu/cloud/dnszone.rb +46 -0
data/modules/mu/cloud/machine_images.rb +212 -0
data/modules/mu/cloud/providers.rb +81 -0
data/modules/mu/cloud/resource_base.rb +920 -0
data/modules/mu/cloud/server.rb +40 -0
data/modules/mu/cloud/server_pool.rb +1 -0
data/modules/mu/cloud/ssh_sessions.rb +228 -0
data/modules/mu/cloud/winrm_sessions.rb +237 -0
data/modules/mu/cloud/wrappers.rb +165 -0
data/modules/mu/config.rb +171 -1767
data/modules/mu/config/alarm.rb +2 -6
data/modules/mu/config/bucket.rb +4 -4
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/collection.rb +4 -4
data/modules/mu/config/container_cluster.rb +9 -4
data/modules/mu/config/database.rb +83 -104
data/modules/mu/config/database.yml +1 -2
data/modules/mu/config/dnszone.rb +6 -6
data/modules/mu/config/doc_helpers.rb +516 -0
data/modules/mu/config/endpoint.rb +4 -4
data/modules/mu/config/firewall_rule.rb +103 -4
data/modules/mu/config/folder.rb +4 -4
data/modules/mu/config/function.rb +3 -3
data/modules/mu/config/group.rb +4 -4
data/modules/mu/config/habitat.rb +4 -4
data/modules/mu/config/loadbalancer.rb +60 -14
data/modules/mu/config/log.rb +4 -4
data/modules/mu/config/msg_queue.rb +4 -4
data/modules/mu/config/nosqldb.rb +4 -4
data/modules/mu/config/notifier.rb +3 -3
data/modules/mu/config/ref.rb +365 -0
data/modules/mu/config/role.rb +4 -4
data/modules/mu/config/schema_helpers.rb +509 -0
data/modules/mu/config/search_domain.rb +4 -4
data/modules/mu/config/server.rb +97 -70
data/modules/mu/config/server.yml +1 -0
data/modules/mu/config/server_pool.rb +5 -9
data/modules/mu/config/storage_pool.rb +1 -1
data/modules/mu/config/tail.rb +200 -0
data/modules/mu/config/user.rb +4 -4
data/modules/mu/config/vpc.rb +70 -27
data/modules/mu/config/vpc.yml +0 -1
data/modules/mu/defaults/AWS.yaml +83 -60
data/modules/mu/defaults/Azure.yaml +1 -0
data/modules/mu/defaults/Google.yaml +3 -2
data/modules/mu/deploy.rb +30 -26
data/modules/mu/groomer.rb +17 -2
data/modules/mu/groomers/ansible.rb +188 -41
data/modules/mu/groomers/chef.rb +116 -55
data/modules/mu/logger.rb +127 -148
data/modules/mu/master.rb +389 -2
data/modules/mu/master/chef.rb +3 -4
data/modules/mu/master/ldap.rb +3 -3
data/modules/mu/master/ssl.rb +12 -3
data/modules/mu/mommacat.rb +217 -2612
data/modules/mu/mommacat/daemon.rb +397 -0
data/modules/mu/mommacat/naming.rb +473 -0
data/modules/mu/mommacat/search.rb +495 -0
data/modules/mu/mommacat/storage.rb +722 -0
data/modules/mu/{clouds → providers}/README.md +1 -1
data/modules/mu/{clouds → providers}/aws.rb +271 -112
data/modules/mu/{clouds → providers}/aws/alarm.rb +5 -3
data/modules/mu/{clouds → providers}/aws/bucket.rb +26 -22
data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +33 -67
data/modules/mu/{clouds → providers}/aws/collection.rb +24 -23
data/modules/mu/{clouds → providers}/aws/container_cluster.rb +681 -721
data/modules/mu/providers/aws/database.rb +1744 -0
data/modules/mu/{clouds → providers}/aws/dnszone.rb +64 -63
data/modules/mu/{clouds → providers}/aws/endpoint.rb +22 -27
data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +214 -244
data/modules/mu/{clouds → providers}/aws/folder.rb +7 -7
data/modules/mu/{clouds → providers}/aws/function.rb +17 -22
data/modules/mu/{clouds → providers}/aws/group.rb +23 -23
data/modules/mu/{clouds → providers}/aws/habitat.rb +17 -14
data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +57 -48
data/modules/mu/{clouds → providers}/aws/log.rb +15 -12
data/modules/mu/{clouds → providers}/aws/msg_queue.rb +17 -16
data/modules/mu/{clouds → providers}/aws/nosqldb.rb +18 -11
data/modules/mu/{clouds → providers}/aws/notifier.rb +11 -6
data/modules/mu/{clouds → providers}/aws/role.rb +112 -86
data/modules/mu/{clouds → providers}/aws/search_domain.rb +39 -33
data/modules/mu/{clouds → providers}/aws/server.rb +835 -1133
data/modules/mu/{clouds → providers}/aws/server_pool.rb +56 -60
data/modules/mu/{clouds → providers}/aws/storage_pool.rb +24 -42
data/modules/mu/{clouds → providers}/aws/user.rb +21 -22
data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
data/modules/mu/{clouds → providers}/aws/vpc.rb +523 -929
data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
data/modules/mu/{clouds → providers}/azure.rb +29 -9
data/modules/mu/{clouds → providers}/azure/container_cluster.rb +3 -8
data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +18 -11
data/modules/mu/{clouds → providers}/azure/habitat.rb +8 -6
data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +5 -5
data/modules/mu/{clouds → providers}/azure/role.rb +8 -10
data/modules/mu/{clouds → providers}/azure/server.rb +95 -48
data/modules/mu/{clouds → providers}/azure/user.rb +6 -8
data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/azure/vpc.rb +16 -21
data/modules/mu/{clouds → providers}/cloudformation.rb +18 -7
data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +5 -7
data/modules/mu/{clouds → providers}/docker.rb +0 -0
data/modules/mu/{clouds → providers}/google.rb +67 -30
data/modules/mu/{clouds → providers}/google/bucket.rb +13 -15
data/modules/mu/{clouds → providers}/google/container_cluster.rb +84 -77
data/modules/mu/{clouds → providers}/google/database.rb +10 -20
data/modules/mu/{clouds → providers}/google/firewall_rule.rb +15 -14
data/modules/mu/{clouds → providers}/google/folder.rb +20 -17
data/modules/mu/{clouds → providers}/google/function.rb +139 -167
data/modules/mu/{clouds → providers}/google/group.rb +29 -34
data/modules/mu/{clouds → providers}/google/habitat.rb +21 -22
data/modules/mu/{clouds → providers}/google/loadbalancer.rb +18 -20
data/modules/mu/{clouds → providers}/google/role.rb +92 -58
data/modules/mu/{clouds → providers}/google/server.rb +242 -155
data/modules/mu/{clouds → providers}/google/server_pool.rb +25 -44
data/modules/mu/{clouds → providers}/google/user.rb +95 -31
data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
data/modules/mu/{clouds → providers}/google/vpc.rb +103 -79
data/modules/tests/bucket.yml +4 -0
data/modules/tests/centos6.yaml +11 -0
data/modules/tests/centos7.yaml +11 -0
data/modules/tests/centos8.yaml +12 -0
data/modules/tests/ecs.yaml +23 -0
data/modules/tests/includes-and-params.yaml +2 -1
data/modules/tests/rds.yaml +108 -0
data/modules/tests/regrooms/aws-iam.yaml +201 -0
data/modules/tests/regrooms/bucket.yml +19 -0
data/modules/tests/regrooms/rds.yaml +123 -0
data/modules/tests/server-with-scrub-muisms.yaml +1 -0
data/modules/tests/super_simple_bok.yml +1 -3
data/modules/tests/win2k12.yaml +17 -5
data/modules/tests/win2k16.yaml +25 -0
data/modules/tests/win2k19.yaml +25 -0
data/requirements.txt +1 -0
data/spec/mu/clouds/azure_spec.rb +2 -2
metadata +232 -154
data/extras/image-generators/AWS/windows.yaml +0 -18
data/modules/mu/clouds/aws/database.rb +0 -1985

data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb RENAMED

@@ -129,13 +129,13 @@ module MU
             if launch_desc["storage"]
               launch_desc["storage"].each { |vol|
-                mapping, cfm_mapping = MU::Cloud::AWS::Server.convertBlockDeviceMapping(vol)
+                mapping, cfm_mapping = MU::Cloud.resourceClass("AWS", "Server").convertBlockDeviceMapping(vol)
                 if cfm_mapping.size > 0
                   MU::Cloud::CloudFormation.setCloudFormationProp(@cfm_template[@cfm_launch_name], "BlockDeviceMappings", cfm_mapping)
                 end
               }
             end
-            MU::Cloud::AWS::Server.ephemeral_mappings.each { |mapping|
+            MU::Cloud.resourceClass("AWS", "Server.ephemeral_mappings").each { |mapping|
               MU::Cloud::CloudFormation.setCloudFormationProp(@cfm_template[@cfm_launch_name], "BlockDeviceMappings", { "DeviceName" => mapping[:device_name], "VirtualName" => mapping[:virtual_name] })
             }
@@ -263,7 +263,7 @@ module MU
         # @param config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
-          MU::Cloud::AWS::ServerPool.schema(config)
+          MU::Cloud.resourceClass("AWS", "ServerPool").schema(config)
         end
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::servers}, bare and unvalidated.
@@ -271,14 +271,14 @@ module MU
         # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
         def self.validateConfig(server, configurator)
-          MU::Cloud::AWS::ServerPool.validateConfig(server, configurator)
+          MU::Cloud.resourceClass("AWS", "ServerPool").validateConfig(server, configurator)
         end
         # Does this resource type exist as a global (cloud-wide) artifact, or
         # is it localized to a region/zone?
         # @return [Boolean]
         def self.isGlobal?
-          MU::Cloud::AWS::ServerPool.isGlobal?
+          MU::Cloud.resourceClass("AWS", "ServerPool").isGlobal?
         end
       end

data/modules/mu/{clouds → providers}/cloudformation/vpc.rb RENAMED

@@ -240,8 +240,6 @@ module MU
           {}
         end
-        protected
         # Subnets are almost a first-class resource. So let's kinda sorta treat
         # them like one. This should only be invoked on objects that already
         # exists in the cloud layer.
@@ -288,13 +286,13 @@ module MU
         # Placeholder. This is a NOOP for CloudFormation, which doesn't build
         # resources directly.
-        def self.find(*args)
+        def self.find(**args)
           MU.log "find() not implemented for CloudFormation layer", MU::DEBUG
           nil
         end
         # Placeholder. This is a NOOP for CloudFormation, which doesn't build
         # resources directly.
-        def self.cleanup(*args)
+        def self.cleanup(**args)
           MU.log "cleanup() not implemented for CloudFormation layer", MU::DEBUG
           nil
         end
@@ -303,7 +301,7 @@ module MU
         # @param config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
         def self.schema(config)
-          MU::Cloud::AWS::VPC.schema(config)
+          MU::Cloud.resourceClass("AWS", "VPC").schema(config)
         end
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::servers}, bare and unvalidated.
@@ -311,14 +309,14 @@ module MU
         # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
         def self.validateConfig(server, configurator)
-          MU::Cloud::AWS::VPC.validateConfig(server, configurator)
+          MU::Cloud.resourceClass("AWS", "VPC").validateConfig(server, configurator)
         end
         # Does this resource type exist as a global (cloud-wide) artifact, or
         # is it localized to a region/zone?
         # @return [Boolean]
         def self.isGlobal?
-          MU::Cloud::AWS::VPC.isGlobal?
+          MU::Cloud.resourceClass("AWS", "VPC").isGlobal?
         end
       end #class

data/modules/mu/{clouds → providers}/docker.rb RENAMED

File without changes

data/modules/mu/{clouds → providers}/google.rb RENAMED

@@ -52,6 +52,22 @@ module MU
         [:url]
       end
+      # Is this a "real" cloud provider, or a stub like CloudFormation?
+      def self.virtual?
+        false
+      end
+      # Most of our resource implementation +find+ methods have to mangle their
+      # args to make sure they've extracted a project or location argument from
+      # other available information. This does it for them.
+      # @return [Hash]
+      def self.findLocationArgs(**args)
+        args[:project] ||= args[:habitat]
+        args[:project] ||= MU::Cloud::Google.defaultProject(args[:credentials])
+        args[:location] ||= args[:region] || args[:availability_zone] || "-"
+        args
+      end
       # A hook that is always called just before any of the instance method of
       # our resource implementations gets invoked, so that we can ensure that
       # repetitive setup tasks (like resolving +:resource_group+ for Azure
@@ -141,10 +157,9 @@ module MU
       def self.habitat(cloudobj, nolookup: false, deploy: nil)
         @@habmap ||= {}
 # XXX whaddabout config['habitat'] HNNNGH
         return nil if !cloudobj.cloudclass.canLiveIn.include?(:Habitat)
-# XXX users are assholes because they're valid two different ways ugh ugh
+# XXX these are assholes because they're valid two different ways ugh ugh
         return nil if [MU::Cloud::Google::Group, MU::Cloud::Google::Folder].include?(cloudobj.cloudclass)
         if cloudobj.config and cloudobj.config['project']
           if nolookup
@@ -154,7 +169,6 @@ module MU
             return @@habmap[cloudobj.config['project']]
           end
           deploy ||= cloudobj.deploy if cloudobj.respond_to?(:deploy)
           projectobj = projectLookup(cloudobj.config['project'], deploy, raise_on_fail: false)
           if projectobj
@@ -222,7 +236,7 @@ module MU
       # @param sibling_only [Boolean]
       # @return [MU::Config::Habitat,nil]
       def self.projectLookup(name, deploy = MU.mommacat, raise_on_fail: true, sibling_only: false)
-        project_obj = deploy.findLitterMate(type: "habitats", name: name) if deploy
+        project_obj = deploy.findLitterMate(type: "habitats", name: name) if deploy if !caller.grep(/`findLitterMate'/) # XXX the dumbest
         if !project_obj and !sibling_only
           resp = MU::MommaCat.findStray(
@@ -328,6 +342,7 @@ module MU
       # etc)
       # @param deploy_id [MU::MommaCat]
       def self.cleanDeploy(deploy_id, credentials: nil, noop: false)
+        removeDeploySecretsAndRoles(deploy_id, noop: noop, credentials: credentials)
       end
       # Plant a Mu deploy secret into a storage bucket somewhere for so our kittens can consume it
@@ -363,7 +378,7 @@ module MU
         cfg = credConfig(credentials)
         return if !cfg or !cfg['project']
         flags["project"] ||= cfg['project']
-        name = deploy_id+"-secret"
         resp = MU::Cloud::Google.storage(credentials: credentials).list_objects(
           adminBucketName(credentials),
           prefix: deploy_id
@@ -420,7 +435,7 @@ module MU
 MU.log e.message, MU::WARN, details: e.inspect
           if e.inspect.match(/body: "Not Found"/)
             raise MuError, "Google admin bucket #{adminBucketName(credentials)} or key #{name} does not appear to exist or is not visible with #{credentials ? credentials : "default"} credentials"
-          elsif e.message.match(/notFound: |Unknown user:/)
+          elsif e.message.match(/notFound: |Unknown user:|conflict: /)
             if retries < 5
               sleep 5
               retries += 1
@@ -429,7 +444,7 @@ MU.log e.message, MU::WARN, details: e.inspect
               raise e
             end
           elsif e.inspect.match(/The metadata for object "null" was edited during the operation/)
-            MU.log e.message+" - Google admin bucket #{adminBucketName(credentials)}/#{name} with #{credentials ? credentials : "default"} credentials", MU::WARN, details: aclobj
+            MU.log e.message+" - Google admin bucket #{adminBucketName(credentials)}/#{name} with #{credentials ? credentials : "default"} credentials", MU::DEBUG, details: aclobj
             sleep 10
             retry
           else
@@ -539,8 +554,8 @@ MU.log e.message, MU::WARN, details: e.inspect
             begin
               listRegions(credentials: credentials)
               listInstanceTypes(credentials: credentials)
-              listProjects(credentials)
-            rescue ::Google::Apis::ClientError => e
+              listHabitats(credentials)
+            rescue ::Google::Apis::ClientError
               MU.log "Found machine credentials #{@@svc_account_name}, but these don't appear to have sufficient permissions or scopes", MU::WARN, details: scopes
               @@authorizers.delete(credentials)
               return nil
@@ -691,13 +706,26 @@ MU.log e.message, MU::WARN, details: e.inspect
         nil
       end
+      @allprojects = []
       # List all Google Cloud Platform projects available to our credentials
-      def self.listProjects(credentials = nil)
+      def self.listHabitats(credentials = nil, use_cache: true)
         cfg = credConfig(credentials)
-        return [] if !cfg or !cfg['project']
+        return [] if !cfg
+        if cfg['restrict_to_habitats'] and cfg['restrict_to_habitats'].is_a?(Array)
+          cfg['restrict_to_habitats'] << cfg['project'] if cfg['project']
+          return cfg['restrict_to_habitats'].uniq
+        end
+        if @allprojects and !@allprojects.empty? and use_cache
+          return @allprojects
+        end
         result = MU::Cloud::Google.resource_manager(credentials: credentials).list_projects
         result.projects.reject! { |p| p.lifecycle_state == "DELETE_REQUESTED" }
-        result.projects.map { |p| p.project_id }
+        @allprojects = result.projects.map { |p| p.project_id }
+        if cfg['ignore_habitats'] and cfg['ignore_habitats'].is_a?(Array)
+          @allprojects.reject! { |p| cfg['ignore_habitats'].include?(p) }
+        end
+        @allprojects
       end
       @@regions = {}
@@ -717,7 +745,6 @@ MU.log e.message, MU::WARN, details: e.inspect
             raise e
           end
-          regions = []
           result.items.each { |region|
             @@regions[region.name] = []
             region.zones.each { |az|
@@ -846,7 +873,7 @@ MU.log e.message, MU::WARN, details: e.inspect
           if subclass.nil?
             begin
               @@admin_directory_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "AdminDirectoryV1::DirectoryService", scopes: use_scopes, masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'], credentials: credentials, auth_error_quiet: true)
-            rescue Signet::AuthorizationError => e
+            rescue Signet::AuthorizationError
               MU.log "Falling back to read-only access to DirectoryService API for credential set '#{credentials}'", MU::WARN
               @@admin_directory_api[credentials] ||= MU::Cloud::Google::GoogleEndpoint.new(api: "AdminDirectoryV1::DirectoryService", scopes: readscopes, masquerade: MU::Cloud::Google.credConfig(credentials)['masquerade_as'], credentials: credentials)
               @@readonly[credentials] ||= {}
@@ -1003,8 +1030,10 @@ MU.log e.message, MU::WARN, details: e.inspect
           "default"
         end
+        with_id ||= creds['org'] if creds['org']
         return @@orgmap[credname] if @@orgmap.has_key?(credname)
         resp = MU::Cloud::Google.resource_manager(credentials: credname).search_organizations
         if resp and resp.organizations
           # XXX no idea if it's possible to be a member of multiple orgs
           if !with_id
@@ -1012,7 +1041,8 @@ MU.log e.message, MU::WARN, details: e.inspect
             return resp.organizations.first
           else
             resp.organizations.each { |org|
-              if org.name == with_id
+              if org.name == with_id or org.display_name == with_id or
+                 org.name == "organizations/#{with_id}"
                 @@orgmap[credname] = org
                 return org
               end
@@ -1052,8 +1082,6 @@ MU.log e.message, MU::WARN, details: e.inspect
         @@customer_ids_cache[credentials]
       end
-      private
       # Wrapper class for Google APIs, so that we can catch some common
       # transient endpoint errors without having to spray rescues all over the
       # codebase.
@@ -1109,12 +1137,13 @@ MU.log e.message, MU::WARN, details: e.inspect
         # @param filter [String]: The Compute API filter string to use to isolate appropriate resources
         def delete(type, project, region = nil, noop = false, filter = "description eq #{MU.deploy_id}", credentials: nil)
           list_sym = "list_#{type.sub(/y$/, "ie")}s".to_sym
+          credentials ||= @credentials
           resp = nil
           begin
             if region
-              resp = MU::Cloud::Google.compute(credentials: @credentials).send(list_sym, project, region, filter: filter, mu_gcp_enable_apis: false)
+              resp = MU::Cloud::Google.compute(credentials: credentials).send(list_sym, project, region, filter: filter, mu_gcp_enable_apis: false)
             else
-              resp = MU::Cloud::Google.compute(credentials: @credentials).send(list_sym, project, filter: filter, mu_gcp_enable_apis: false)
+              resp = MU::Cloud::Google.compute(credentials: credentials).send(list_sym, project, filter: filter, mu_gcp_enable_apis: false)
             end
           rescue ::Google::Apis::ClientError => e
@@ -1137,9 +1166,9 @@ MU.log e.message, MU::WARN, details: e.inspect
                     resp = nil
                     failed = false
                     if region
-                      resp = MU::Cloud::Google.compute(credentials: @credentials).send(delete_sym, project, region, obj.name)
+                      resp = MU::Cloud::Google.compute(credentials: credentials).send(delete_sym, project, region, obj.name)
                     else
-                      resp = MU::Cloud::Google.compute(credentials: @credentials).send(delete_sym, project, obj.name)
+                      resp = MU::Cloud::Google.compute(credentials: credentials).send(delete_sym, project, obj.name)
                     end
                     if resp.error and resp.error.errors and resp.error.errors.size > 0
@@ -1195,11 +1224,19 @@ MU.log e.message, MU::WARN, details: e.inspect
             retval = nil
             retries = 0
             wait_backoff = 5
-            if next_page_token
-              if arguments.size == 1 and arguments.first.is_a?(Hash)
-                arguments[0][:page_token] = next_page_token
-              else
-                arguments << { :page_token => next_page_token }
+            if next_page_token
+              if method_sym != :list_entry_log_entries
+                if arguments.size == 1 and arguments.first.is_a?(Hash)
+                  arguments[0][:page_token] = next_page_token
+                else
+                  arguments << { :page_token => next_page_token }
+                end
+              elsif arguments.first.class == ::Google::Apis::LoggingV2::ListLogEntriesRequest
+                arguments[0] = ::Google::Apis::LoggingV2::ListLogEntriesRequest.new(
+                  resource_names: arguments.first.resource_names,
+                  filter: arguments.first.filter,
+                  page_token: next_page_token
+                )
               end
             end
             begin
@@ -1318,7 +1355,6 @@ MU.log e.message, MU::WARN, details: e.inspect
             if retval.class.name.match(/.*?::Operation$/)
               retries = 0
-              orig_target = retval.name
               # Check whether the various types of +Operation+ responses say
               # they're done, without knowing which specific API they're from
@@ -1390,7 +1426,7 @@ MU.log e.message, MU::WARN, details: e.inspect
               # take advantage.
               # XXX might want to do something similar for delete ops? just the
               # but where we wait for the operation to definitely be done
-              had_been_found = false
+#              had_been_found = false
               if method_sym.to_s.match(/^(insert|create|patch)_/)
                 get_method = method_sym.to_s.gsub(/^(insert|patch|create_disk|create)_/, "get_").to_sym
                 cloud_id = if retval.respond_to?(:target_link)
@@ -1417,7 +1453,7 @@ MU.log e.message, MU::WARN, details: e.inspect
 #if method_sym == :insert_instance
 #MU.log "actual_resource", MU::WARN, details: actual_resource
 #end
-                had_been_found = true
+#                had_been_found = true
                 if actual_resource.respond_to?(:status) and
                   ["PROVISIONING", "STAGING", "PENDING", "CREATING", "RESTORING"].include?(actual_resource.status)
                   retries = 0
@@ -1440,6 +1476,7 @@ MU.log e.message, MU::WARN, details: e.inspect
             if overall_retval
               if method_sym.to_s.match(/^list_(.*)/)
                 require 'google/apis/iam_v1'
+                require 'google/apis/logging_v2'
                 what = Regexp.last_match[1].to_sym
                 whatassign = (Regexp.last_match[1]+"=").to_sym
                 if overall_retval.class == ::Google::Apis::IamV1::ListServiceAccountsResponse
@@ -1451,7 +1488,7 @@ MU.log e.message, MU::WARN, details: e.inspect
                     newarray = retval.public_send(what) + overall_retval.public_send(what)
                     overall_retval.public_send(whatassign, newarray)
                   end
-                else
+                elsif !retval.respond_to?(:next_page_token) or retval.next_page_token.nil? or retval.next_page_token.empty?
                   MU.log "Not sure how to append #{method_sym.to_s} results to #{overall_retval.class.name} (apparently #{what.to_s} and #{whatassign.to_s} aren't it), returning first page only", MU::WARN, details: retval
                   return retval
                 end

data/modules/mu/{clouds → providers}/google/bucket.rb RENAMED

@@ -34,7 +34,7 @@ module MU
         # Called automatically by {MU::Deploy#createResources}
         def groom
-          @project_id = MU::Cloud::Google.projectLookup(@config['project'], @deploy).cloudobj.cloud_id
+          @project_id = MU::Cloud::Google.projectLookup(@config['project'], @deploy).cloud_id
           current = cloud_desc
           changed = false
@@ -143,15 +143,14 @@ module MU
         # Remove all buckets associated with the currently loaded deployment.
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
-        # @param region [String]: The cloud provider region
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
+        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
-          resp = MU::Cloud::Google.storage(credentials: credentials).list_buckets(flags['project'])
+          resp = MU::Cloud::Google.storage(credentials: credentials).list_buckets(flags['habitat'])
           if resp and resp.items
             resp.items.each { |bucket|
-              if bucket.labels and bucket.labels["mu-id"] == MU.deploy_id.downcase
+              if bucket.labels and bucket.labels["mu-id"] == MU.deploy_id.downcase and (ignoremaster or bucket.labels['mu-master-ip'] == MU.mu_public_ip.gsub(/\./, "_"))
                 MU.log "Deleting Cloud Storage bucket #{bucket.name}"
                 if !noop
                   MU::Cloud::Google.storage(credentials: credentials).delete_bucket(bucket.name)
@@ -172,8 +171,7 @@ module MU
         # Locate an existing bucket.
         # @return [OpenStruct]: The cloud provider's complete descriptions of matching bucket.
         def self.find(**args)
-          args[:project] ||= args[:habitat]
-          args[:project] ||= MU::Cloud::Google.defaultProject(args[:credentials])
+          args = MU::Cloud::Google.findLocationArgs(args)
           found = {}
           if args[:cloud_id]
@@ -198,7 +196,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "Google",
             "credentials" => @config['credentials'],
@@ -245,7 +243,7 @@ module MU
                   grantees[binding.role] << { "id" => grantee }
                 elsif grantee.match(/^serviceAccount:(.*)/)
                   sa_name = Regexp.last_match[1]
-                  if MU::Cloud::Google::User.cannedServiceAcctName?(sa_name)
+                  if MU::Cloud.resourceClass("Google", "User").cannedServiceAcctName?(sa_name)
                     grantees[binding.role] << { "id" => grantee }
                   else
                     grantees[binding.role] << MU::Config::Ref.get(
@@ -300,14 +298,14 @@ module MU
         end
         # Cloud-specific configuration properties.
-        # @param config [MU::Config]: The calling MU::Config object
+        # @param _config [MU::Config]: The calling MU::Config object
         # @return [Array<Array,Hash>]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
-        def self.schema(config)
+        def self.schema(_config)
           toplevel_required = []
           schema = {
             "storage_class" => {
               "type" => "string",
-              "enum" => ["MULTI_REGIONAL", "REGIONAL", "STANDARD", "NEARLINE", "COLDLINE", "DURABLE_REDUCED_AVAILABILITY"],
+              "enum" => ["MULTI_REGIONAL", "REGIONAL", "STANDARD", "NEARLINE", "COLDLINE", "DURABLE_REDUCED_AVAILABILITY", "ARCHIVE"],
               "default" => "STANDARD"
             },
             "bucket_wide_acls" => {
@@ -322,9 +320,9 @@ module MU
         # Cloud-specific pre-processing of {MU::Config::BasketofKittens::bucket}, bare and unvalidated.
         # @param bucket [Hash]: The resource to process and validate
-        # @param configurator [MU::Config]: The overall deployment configurator of which this resource is a member
+        # @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
         # @return [Boolean]: True if validation succeeded, False otherwise
-        def self.validateConfig(bucket, configurator)
+        def self.validateConfig(bucket, _configurator)
           ok = true
           bucket['project'] ||= MU::Cloud::Google.defaultProject(bucket['credentials'])

data/modules/mu/{clouds → providers}/google/container_cluster.rb RENAMED

@@ -250,7 +250,7 @@ module MU
           @config['master_az'] = @config['region']
           parent_arg = "projects/"+@config['project']+"/locations/"+@config['master_az']
-          cluster = MU::Cloud::Google.container(credentials: @config['credentials']).create_project_location_cluster(
+          MU::Cloud::Google.container(credentials: @config['credentials']).create_project_location_cluster(
             parent_arg,
             requestobj
           )
@@ -277,11 +277,9 @@ module MU
           me = cloud_desc
-          parent_arg = "projects/"+@config['project']+"/locations/"+me.location
           # Enable/disable basic auth
           authcfg = {}
-          action = nil
           if @config['master_user'] and (me.master_auth.username != @config['master_user'] or !me.master_auth.password)
             authcfg[:username] = @config['master_user']
             authcfg[:password] = Password.pronounceable(16..18)
@@ -368,15 +366,24 @@ module MU
             }
           end
+          # map from GKE Kuberentes addon parameter names to our BoK equivalent
+          # fields so we can check all these programmatically
+          addon_map = {
+            :horizontal_pod_autoscaling => 'horizontal_pod_autoscaling',
+            :http_load_balancing => 'http_load_balancing',
+            :kubernetes_dashboard => 'dashboard',
+            :network_policy_config => 'network_policy_addon'
+          }
           if @config['kubernetes']
-            if (me.addons_config.horizontal_pod_autoscaling.disabled and @config['kubernetes']['horizontal_pod_autoscaling']) or
-               (!me.addons_config.horizontal_pod_autoscaling and !@config['kubernetes']['horizontal_pod_autoscaling']) or
-               (me.addons_config.http_load_balancing.disabled and @config['kubernetes']['http_load_balancing']) or
-               (!me.addons_config.http_load_balancing and !@config['kubernetes']['http_load_balancing']) or
-               (me.addons_config.kubernetes_dashboard.disabled and @config['kubernetes']['dashboard']) or
-               (!me.addons_config.kubernetes_dashboard and !@config['kubernetes']['dashboard']) or
-               (me.addons_config.network_policy_config.disabled and @config['kubernetes']['network_policy_addon']) or
-               (!me.addons_config.network_policy_config and !@config['kubernetes']['network_policy_addon'])
+            have_changes = false
+            addon_map.each_pair { |param, bok_param|
+              if (me.addons_config.send(param).disabled and @config['kubernetes'][bok_param]) or
+                 (!me.addons_config.send(param) and !@config['kubernetes'][bok_param])
+                have_changes = true
+              end
+            }
+            if have_changes
               updates << { :desired_addons_config => MU::Cloud::Google.container(:AddonsConfig).new(
                 horizontal_pod_autoscaling: MU::Cloud::Google.container(:HorizontalPodAutoscaling).new(
                   disabled: !@config['kubernetes']['horizontal_pod_autoscaling']
@@ -467,13 +474,10 @@ module MU
           MU.log %Q{How to interact with your GKE cluster\nkubectl --kubeconfig "#{kube_conf}" get events --all-namespaces\nkubectl --kubeconfig "#{kube_conf}" get all\nkubectl --kubeconfig "#{kube_conf}" create -f some_k8s_deploy.yml\nkubectl --kubeconfig "#{kube_conf}" get nodes}, MU::SUMMARY
         end
         # Locate an existing ContainerCluster or ContainerClusters and return an array containing matching GCP resource descriptors for those that match.
         # @return [Array<Hash<String,OpenStruct>>]: The cloud provider's complete descriptions of matching ContainerClusters
         def self.find(**args)
-          args[:project] ||= args[:habitat]
-          args[:project] ||= MU::Cloud::Google.defaultProject(args[:credentials])
-          location = args[:region] || args[:availability_zone] || "-"
+          args = MU::Cloud::Google.findLocationArgs(args)
           found = {}
@@ -486,7 +490,7 @@ module MU
             found[args[:cloud_id]] = resp if resp
           else
             resp = begin
-              MU::Cloud::Google.container(credentials: args[:credentials]).list_project_location_clusters("projects/#{args[:project]}/locations/#{location}")
+              MU::Cloud::Google.container(credentials: args[:credentials]).list_project_location_clusters("projects/#{args[:project]}/locations/#{args[:location]}")
             rescue ::Google::Apis::ClientError => e
               raise e if !e.message.match(/forbidden:/)
             end
@@ -503,7 +507,7 @@ module MU
         # Reverse-map our cloud description into a runnable config hash.
         # We assume that any values we have in +@config+ are placeholders, and
         # calculate our own accordingly based on what's live in the cloud.
-        def toKitten(rootparent: nil, billing: nil, habitats: nil)
+        def toKitten(**_args)
           bok = {
             "cloud" => "Google",
@@ -562,22 +566,24 @@ module MU
             bok['kubernetes']['network_policy_addon'] = true
           end
-          if cloud_desc.ip_allocation_policy.use_ip_aliases
-            bok['ip_aliases'] = true
-          end
-          if cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
-            bok['pod_ip_block'] = cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
-          end
-          if cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
-            bok['services_ip_block'] = cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
-          end
+          if cloud_desc.ip_allocation_policy
+            if cloud_desc.ip_allocation_policy.use_ip_aliases
+              bok['ip_aliases'] = true
+            end
+            if cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
+              bok['pod_ip_block'] = cloud_desc.ip_allocation_policy.cluster_ipv4_cidr_block
+            end
+            if cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
+              bok['services_ip_block'] = cloud_desc.ip_allocation_policy.services_ipv4_cidr_block
+            end
-          if cloud_desc.ip_allocation_policy.create_subnetwork
-            bok['custom_subnet'] = {
-              "name" => (cloud_desc.ip_allocation_policy.subnetwork_name || cloud_desc.subnetwork)
-            }
-            if cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
-              bok['custom_subnet']['node_ip_block'] = cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+            if cloud_desc.ip_allocation_policy.create_subnetwork
+              bok['custom_subnet'] = {
+                "name" => (cloud_desc.ip_allocation_policy.subnetwork_name || cloud_desc.subnetwork)
+              }
+              if cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+                bok['custom_subnet']['node_ip_block'] = cloud_desc.ip_allocation_policy.node_ipv4_cidr_block
+              end
             end
           end
@@ -651,7 +657,7 @@ module MU
           end
           if bok['service_account']
-            found = MU::Cloud::Google::User.find(
+            found = MU::Cloud.resourceClass("Google", "User").find(
               credentials: bok['credentials'],
               project: bok['project'],
               cloud_id: bok['service_account']
@@ -739,24 +745,25 @@ module MU
         # @param region [String]: The cloud provider region in which to operate
         # @return [void]
         def self.cleanup(noop: false, ignoremaster: false, region: MU.curRegion, credentials: nil, flags: {})
-          skipsnapshots = flags["skipsnapshots"]
-          flags["project"] ||= MU::Cloud::Google.defaultProject(credentials)
-          return if !MU::Cloud::Google::Habitat.isLive?(flags["project"], credentials)
+          flags["habitat"] ||= MU::Cloud::Google.defaultProject(credentials)
+          return if !MU::Cloud.resourceClass("Google", "Habitat").isLive?(flags["habitat"], credentials)
           clusters = []
           # Make sure we catch regional *and* zone clusters
-          found = MU::Cloud::Google.container(credentials: credentials).list_project_location_clusters("projects/#{flags['project']}/locations/#{region}")
+          found = MU::Cloud::Google.container(credentials: credentials).list_project_location_clusters("projects/#{flags['habitat']}/locations/#{region}")
           clusters.concat(found.clusters) if found and found.clusters
           MU::Cloud::Google.listAZs(region).each { |az|
-            found = MU::Cloud::Google.container(credentials: credentials).list_project_location_clusters("projects/#{flags['project']}/locations/#{az}")
+            found = MU::Cloud::Google.container(credentials: credentials).list_project_location_clusters("projects/#{flags['habitat']}/locations/#{az}")
             clusters.concat(found.clusters) if found and found.clusters
           }
           clusters.uniq.each { |cluster|
             if !cluster.resource_labels or (
                  !cluster.name.match(/^#{Regexp.quote(MU.deploy_id)}\-/i) and
-                 cluster.resource_labels['mu-id'] != MU.deploy_id.downcase
+                 (cluster.resource_labels['mu-id'] != MU.deploy_id.downcase or
+                  (!ignoremaster and cluster.resource_labels['mu-master-ip'] != MU.mu_public_ip.gsub(/\./, "_"))
+                 )
                )
               next
             end
@@ -810,10 +817,10 @@ module MU
               "type" => "integer",
               "description" => "The number of local SSD disks to be attached to workers. See https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits"
             },
-            "ssh_user" => MU::Cloud::Google::Server.schema(config)[1]["ssh_user"],
-            "metadata" => MU::Cloud::Google::Server.schema(config)[1]["metadata"],
-            "service_account" => MU::Cloud::Google::Server.schema(config)[1]["service_account"],
-            "scopes" => MU::Cloud::Google::Server.schema(config)[1]["scopes"],
+            "ssh_user" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["ssh_user"],
+            "metadata" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["metadata"],
+            "service_account" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["service_account"],
+            "scopes" => MU::Cloud.resourceClass("Google", "Server").schema(config)[1]["scopes"],
             "private_cluster" => {
               "description" => "Set a GKE cluster to be private, that is segregated into its own hidden VPC.",
               "type" => "object",
@@ -1014,6 +1021,25 @@ module MU
             cluster['ip_aliases'] = true
           end
+          # try to stake out some nice /21s for our networking config
+          if cluster['ip_aliases'] and cluster["vpc"] and cluster["vpc"]["id"]
+            habarg = if cluster["vpc"]["habitat"] and cluster["vpc"]["habitat"]["id"]
+              cluster["vpc"]["habitat"]["id"]
+            else
+              cluster["project"]
+            end
+            found = MU::MommaCat.findStray("Google", "vpcs", cloud_id: cluster["vpc"]["id"], credentials: cluster["credentials"], habitats: [habarg], dummy_ok: true)
+            if found and found.size == 1
+              myvpc = found.first
+# XXX this might not make sense with custom_subnet
+              cluster['pod_ip_block'] ||= myvpc.getUnusedAddressBlock(max_bits: 21)
+              cluster['services_ip_block'] ||= myvpc.getUnusedAddressBlock(exclude: [cluster['pod_ip_block']], max_bits: 21)
+              if cluster['tpu']
+                cluster['tpu_ip_block'] ||= myvpc.getUnusedAddressBlock(exclude: [cluster['pod_ip_block'], cluster['services_ip_block']], max_bits: 21)
+              end
+            end
+          end
           if cluster['service_account']
             cluster['service_account']['cloud'] = "Google"
             cluster['service_account']['habitat'] ||= MU::Config::Ref.get(
@@ -1023,12 +1049,9 @@ module MU
               type: "habitats"
             )
             if cluster['service_account']['name'] and
-               !cluster['service_account']['id']
-              cluster['dependencies'] ||= []
-              cluster['dependencies'] << {
-                "type" => "user",
-                "name" => cluster['service_account']['name']
-              }
+               !cluster['service_account']['id'] and
+               !cluster['service_account']['deploy_id']
+              MU::Config.addDependency(cluster, cluster['service_account']['name'], "user")
             end
             found = MU::Config::Ref.get(cluster['service_account'])
             # XXX verify that found.kitten fails when it's supposed to
@@ -1037,29 +1060,7 @@ module MU
               ok = false
             end
           else
-            user = {
-              "name" => cluster['name'],
-              "cloud" => "Google",
-              "project" => cluster["project"],
-              "credentials" => cluster["credentials"],
-              "type" => "service"
-            }
-            if user["name"].length < 6
-              user["name"] += Password.pronounceable(6)
-            end
-            configurator.insertKitten(user, "users", true)
-            cluster['dependencies'] ||= []
-            cluster['service_account'] = MU::Config::Ref.get(
-              type: "users",
-              cloud: "Google",
-              name: cluster["name"],
-              project: cluster["project"],
-              credentials: cluster["credentials"]
-            )
-            cluster['dependencies'] << {
-              "type" => "user",
-              "name" => user["name"]
-            }
+            cluster = MU::Cloud.resourceClass("Google", "User").genericServiceAccount(cluster, configurator)
           end
           if cluster['dependencies']
@@ -1110,7 +1111,7 @@ module MU
               }
               if !match
                 MU.log "No version matching #{cluster['kubernetes']['version']} available, will try floating minor revision", MU::WARN
-                cluster['kubernetes']['version'].sub!(/^(\d+\.\d+\.).*/i, '\1')
+                cluster['kubernetes']['version'].sub!(/^(\d+\.\d+)\..*/i, '\1')
                 master_versions.each { |v|
                   if v.match(/^#{Regexp.quote(cluster['kubernetes']['version'])}/)
                     match = true
@@ -1155,9 +1156,13 @@ module MU
             end
           end
-          cluster['instance_type'] = MU::Cloud::Google::Server.validateInstanceType(cluster["instance_type"], cluster["region"], project: cluster['project'], credentials: cluster['credentials'])
+          cluster['instance_type'] = MU::Cloud.resourceClass("Google", "Server").validateInstanceType(cluster["instance_type"], cluster["region"], project: cluster['project'], credentials: cluster['credentials'])
           ok = false if cluster['instance_type'].nil?
+          if !MU::Master.kubectl
+            MU.log "Since I can't find a kubectl executable, you will have to handle all service account, user, and role bindings manually!", MU::WARN
+          end
           ok
         end
@@ -1204,7 +1209,8 @@ module MU
           labels["name"] = MU::Cloud::Google.nameStr(@mu_name)
           labelset = MU::Cloud::Google.container(:SetLabelsRequest).new(
-            resource_labels: labels
+            resource_labels: labels,
+            label_fingerprint: cloud_desc.label_fingerprint
           )
           MU::Cloud::Google.container(credentials: @config['credentials']).set_project_location_cluster_resource_labels(@cloud_id, labelset)
         end
@@ -1223,6 +1229,7 @@ module MU
           @@server_config[credentials][az] = MU::Cloud::Google.container(credentials: credentials).get_project_location_server_config(parent_arg)
           @@server_config[credentials][az]
         end
+        private_class_method :defaults
         def writeKubeConfig
           kube_conf = @deploy.deploy_dir+"/kubeconfig-#{@config['name']}"
@@ -1247,7 +1254,7 @@ module MU
           # Take this opportunity to ensure that the 'client' service account
           # used by certificate authentication exists and has appropriate
           # privilege
-          if @username and @password
+          if @username and @password and MU::Master.kubectl
             File.open(client_binding, "w"){ |k|
               k.puts <<-EOF
 kind: ClusterRoleBinding