From 7290aaf3e91a59203c4618ca3099d73e41ef8533 Mon Sep 17 00:00:00 2001
From: smallteeths <503630985@qq.com>
Date: Fri, 31 May 2024 10:37:45 +0800
Subject: [PATCH] feat(cloud provider) Add sts credential for aliyun

---
 shell/assets/translations-cn/en-us.yaml      |  7 ++++-
 shell/assets/translations-cn/zh-hans.yaml    |  6 ++++
 shell/assets/translations-cn/zh-hant-tw.yaml |  5 +++
 shell/assets/translations-cn/zh-hant.yaml    |  5 +++
 shell/assets/translations/en-us.yaml         |  3 ++
 shell/assets/translations/zh-hans.yaml       |  3 ++
 shell/cloud-credential/aliyun.vue            | 32 ++++++++++++++++++--
 shell/config/labels-annotations.js           | 22 ++++++++------
 shell/edit/cloudcredential.vue               |  8 +++++
 9 files changed, 77 insertions(+), 14 deletions(-)

diff --git a/shell/assets/translations-cn/en-us.yaml b/shell/assets/translations-cn/en-us.yaml
index 9271e29ec50..93627220536 100644
--- a/shell/assets/translations-cn/en-us.yaml
+++ b/shell/assets/translations-cn/en-us.yaml
@@ -1213,8 +1213,10 @@ cluster:
         label: Access Key
         placeholder: Your Aliyun Access Key
       secretKey:
-        label: SecretKey
+        label: Secret Key
         placeholder: Your Aliyun Secret Key
+      stsToken:
+        label: Set to STS Token
     tke:
       accessKeyId:
         label: Access Key ID
@@ -4790,6 +4792,9 @@ rbac:
       global-read-only:
         description: A read-only administrator can access all resources in all downstream clusters, but cannot access the local cluster
         label: Read-Only Administrator
+      cloud-provider-sts-user:
+        label: Cloud Provider STS User
+        description: Allow users to create ACK clusters using STS cloud credentials; currently, STS User only supports ACK.
     notBound: 'No users bound <i class="icon icon-checkmark" style="margin-left: 5px"></i>'
     unableToCheck: Unable to check if any user is bound to the role(s). Please try again.
     usersBound: |-
diff --git a/shell/assets/translations-cn/zh-hans.yaml b/shell/assets/translations-cn/zh-hans.yaml
index 369102edc87..58273fbc0ad 100644
--- a/shell/assets/translations-cn/zh-hans.yaml
+++ b/shell/assets/translations-cn/zh-hans.yaml
@@ -1216,6 +1216,9 @@ cluster:
       secretKey:
         label: SecretKey
         placeholder: 你的阿里云密文密钥
+        aliyun:
+      stsToken:
+        label: 设置为 STS Token
     tke:
       accessKeyId:
         label: 访问密钥 ID
@@ -4766,6 +4769,9 @@ rbac:
       global-read-only:
         description: 只读管理员可以访问所有下游集群中的所有资源，但不能访问local集群
         label: 只读管理员
+      cloud-provider-sts-user:
+        label: 集群驱动安全令牌角色
+        description: 允许用户通过 STS 云凭证创建 ACK 集群，目前 STS User 只支持 ACK。
     notBound: '没有绑定的用户 <i class="icon icon-checkmark" style="margin-left: 5px"></i>'
     unableToCheck: 无法检查是否存在绑定了该角色的用户，请重试。
     usersBound: |-
diff --git a/shell/assets/translations-cn/zh-hant-tw.yaml b/shell/assets/translations-cn/zh-hant-tw.yaml
index fa06eb62580..9b57757f916 100644
--- a/shell/assets/translations-cn/zh-hant-tw.yaml
+++ b/shell/assets/translations-cn/zh-hant-tw.yaml
@@ -1216,6 +1216,8 @@ cluster:
       secretKey:
         label: SecretKey
         placeholder: 你的阿里雲密文密鑰
+      stsToken:
+        label: 設置為 STS Token
     tke:
       accessKeyId:
         label: 訪問密鑰 ID
@@ -4767,6 +4769,9 @@ rbac:
       global-read-only:
         description: 只讀管理員可以訪問所有下游集群中的所有資源，但不能訪問local集群
         label: 只讀管理員
+      cloud-provider-sts-user:
+        label: 集群驅動安全令牌角色
+        description: 允許用戶通過 STS 雲憑證創建 ACK 集群，目前 STS User 只支持 ACK。
     notBound: '沒有綁定的用戶 <i class="icon icon-checkmark" style="margin-left: 5px"></i>'
     unableToCheck: 無法檢查是否存在綁定了該角色的用戶，請重試。
     usersBound: |-
diff --git a/shell/assets/translations-cn/zh-hant.yaml b/shell/assets/translations-cn/zh-hant.yaml
index 1fbaa466edb..149d2fe0368 100644
--- a/shell/assets/translations-cn/zh-hant.yaml
+++ b/shell/assets/translations-cn/zh-hant.yaml
@@ -1216,6 +1216,8 @@ cluster:
       secretKey:
         label: SecretKey
         placeholder: 你的阿里雲密文密鑰
+      stsToken:
+        label: 設置為 STS Token
     tke:
       accessKeyId:
         label: 訪問密鑰 ID
@@ -4767,6 +4769,9 @@ rbac:
       global-read-only:
         description: 只讀管理員可以訪問所有下游集羣中的所有資源，但不能訪問local集羣
         label: 只讀管理員
+      cloud-provider-sts-user:
+        label: 集群驅動安全令牌角色
+        description: 允許用戶通過 STS 雲憑證創建 ACK 集群，目前 STS User 只支持 ACK。
     notBound: '沒有綁定的用戶 <i class="icon icon-checkmark" style="margin-left: 5px"></i>'
     unableToCheck: 無法檢查是否存在綁定了該角色的用戶，請重試。
     usersBound: |-
diff --git a/shell/assets/translations/en-us.yaml b/shell/assets/translations/en-us.yaml
index f7bfb25b76e..16b9044e54c 100644
--- a/shell/assets/translations/en-us.yaml
+++ b/shell/assets/translations/en-us.yaml
@@ -4672,6 +4672,9 @@ rbac:
         label: Login Access
       clustertemplaterevisions-create:
         label: Create RKE Template Revisions
+      cloud-provider-sts-user:
+        label: Cloud Provider STS User
+        description: Allow users to create ACK clusters using STS cloud credentials; currently, STS User only supports ACK.
 
 resourceDetail:
   detailTop:
diff --git a/shell/assets/translations/zh-hans.yaml b/shell/assets/translations/zh-hans.yaml
index d19db5b9a19..12a493b6786 100644
--- a/shell/assets/translations/zh-hans.yaml
+++ b/shell/assets/translations/zh-hans.yaml
@@ -4637,6 +4637,9 @@ rbac:
         label: 登录访问
       clustertemplaterevisions-create:
         label: 创建 RKE 模板修订版
+      cloud-provider-sts-user:
+        label: 集群驱动安全令牌角色
+        description: 允许用户通过 STS 云凭证创建 ACK 集群，目前 STS User 只支持 ACK。
 
 resourceDetail:
   detailTop:
diff --git a/shell/cloud-credential/aliyun.vue b/shell/cloud-credential/aliyun.vue
index 2716fe657d0..e753b7dee79 100644
--- a/shell/cloud-credential/aliyun.vue
+++ b/shell/cloud-credential/aliyun.vue
@@ -1,19 +1,32 @@
 <script>
 import Loading from '@shell/components/Loading';
+import { CAPI } from '@shell/config/labels-annotations';
 import CreateEditView from '@shell/mixins/create-edit-view';
+import { mapGetters } from 'vuex';
 import LabeledInput from '@components/Form/LabeledInput/LabeledInput.vue';
+import { RadioButton } from '@components/Form/Radio';
 
 export default {
-  components: { Loading, LabeledInput },
-  mixins:     [CreateEditView],
+  components: {
+    Loading, LabeledInput, RadioButton
+  },
+  mixins: [CreateEditView],
 
   fetch() {
   },
 
   data() {
-    return {};
+    return { stsToken: false };
+  },
+
+  mounted() {
+    if (this.value.annotations[CAPI.CREDENTIAL_DRIVER_ALIYUN_SST] === 'true') {
+      this.stsToken = true;
+    }
   },
 
+  computed: { ...mapGetters({ t: 'i18n/t' }) },
+
   watch: {
     'value.decodedData.accessKeyId'(neu) {
       this.$emit('validationChanged', !!neu);
@@ -44,6 +57,10 @@ export default {
         return false;
       }
     },
+    listeners() {
+      this.stsToken = !this.stsToken;
+      this.$emit('setAliyunSTSTokenAnno', this.stsToken);
+    }
   }
 };
 </script>
@@ -71,5 +88,14 @@ export default {
       :mode="mode"
       @input="value.setData('accessKeySecret', $event);"
     />
+    <div class="mt-10">
+      <RadioButton
+        :val="true"
+        name="stsToken"
+        :value="stsToken"
+        :label="t('cluster.credential.aliyun.stsToken.label')"
+        @input="listeners"
+      />
+    </div>
   </div>
 </template>
diff --git a/shell/config/labels-annotations.js b/shell/config/labels-annotations.js
index 4536434ef9a..8c4a07a6cef 100644
--- a/shell/config/labels-annotations.js
+++ b/shell/config/labels-annotations.js
@@ -46,19 +46,21 @@ export const MACHINE_ROLES = {
 };
 
 export const CAPI = {
-  DEPLOYMENT_NAME:      'cluster.x-k8s.io/deployment-name',
-  CREDENTIAL_DRIVER:    'provisioning.cattle.io/driver',
-  CLUSTER_NAMESPACE:    'cluster.x-k8s.io/cluster-namespace',
-  FORCE_MACHINE_REMOVE: 'provisioning.cattle.io/force-machine-remove',
-  MACHINE_NAME:         'cluster.x-k8s.io/machine',
-  DELETE_MACHINE:       'cluster.x-k8s.io/delete-machine',
-  PROVIDER:             'provider.cattle.io',
-  SECRET_AUTH:          'v2prov-secret-authorized-for-cluster',
-  SECRET_WILL_DELETE:   'v2prov-authorized-secret-deletes-on-cluster-removal',
+  DEPLOYMENT_NAME:              'cluster.x-k8s.io/deployment-name',
+  CREDENTIAL_DRIVER:            'provisioning.cattle.io/driver',
+  CLUSTER_NAMESPACE:            'cluster.x-k8s.io/cluster-namespace',
+  FORCE_MACHINE_REMOVE:         'provisioning.cattle.io/force-machine-remove',
+  MACHINE_NAME:                 'cluster.x-k8s.io/machine',
+  DELETE_MACHINE:               'cluster.x-k8s.io/delete-machine',
+  PROVIDER:                     'provider.cattle.io',
+  SECRET_AUTH:                  'v2prov-secret-authorized-for-cluster',
+  SECRET_WILL_DELETE:           'v2prov-authorized-secret-deletes-on-cluster-removal',
   /**
    * Annotation for overriding the cluster provider,
    */
-  UI_CUSTOM_PROVIDER:   'ui.rancher/provider'
+  UI_CUSTOM_PROVIDER:           'ui.rancher/provider',
+  // PANDARIA
+  CREDENTIAL_DRIVER_ALIYUN_SST: 'provisioning.cattle.io/pandaria-aliyun-sst',
 };
 
 export const CATALOG = {
diff --git a/shell/edit/cloudcredential.vue b/shell/edit/cloudcredential.vue
index abe2bd343a1..d7e0a9ec6fc 100644
--- a/shell/edit/cloudcredential.vue
+++ b/shell/edit/cloudcredential.vue
@@ -247,6 +247,13 @@ export default {
 
       return this.$store.getters['i18n/withFallback'](`secret.initials."${ type }"`, null, fallback);
     },
+
+    setAliyunSTSTokenAnno(value) {
+      this.value.setAnnotation(CAPI.CREDENTIAL_DRIVER_ALIYUN_SST, 'false');
+      if (value && this.driverName === 'aliyun') {
+        this.value.setAnnotation(CAPI.CREDENTIAL_DRIVER_ALIYUN_SST, 'true');
+      }
+    }
   },
 };
 </script>
@@ -283,6 +290,7 @@ export default {
           :value="value"
           :mode="mode"
           :hide-sensitive-data="hideSensitiveData"
+          @setAliyunSTSTokenAnno="setAliyunSTSTokenAnno"
         />
       </keep-alive>
     </CruResource>