From 7db0fe2a39f245c0148c2cfaf42b1ce529a9d15f Mon Sep 17 00:00:00 2001
From: LilyFaFa <21621231@zju.edu.cn>
Date: Wed, 20 Jun 2018 23:07:00 +0800
Subject: [PATCH] add RAM model for ALIcloud
---
 pkg/model/alimodel/BUILD.bazel | 2 +
 pkg/model/alimodel/context.go | 21 +++++
 pkg/model/alimodel/ram.go | 147 +++++++++++++++++++++++++++++++++
 3 files changed, 170 insertions(+)
 create mode 100644 pkg/model/alimodel/ram.go
diff --git a/pkg/model/alimodel/BUILD.bazel b/pkg/model/alimodel/BUILD.bazel
index 4c54174422b20..b83e62b7eb81f 100644
--- a/pkg/model/alimodel/BUILD.bazel
+++ b/pkg/model/alimodel/BUILD.bazel
@@ -9,6 +9,7 @@ go_library(
 "external_access.go",
 "firewall.go",
 "network.go",
+ "ram.go",
 "sshkey.go",
 ],
 importpath = "k8s.io/kops/pkg/model/alimodel",
@@ -20,6 +21,7 @@ go_library(
 "//upup/pkg/fi:go_default_library",
 "//upup/pkg/fi/cloudup/alitasks:go_default_library",
 "//upup/pkg/fi/fitasks:go_default_library",
+ "//vendor/github.com/denverdino/aliyungo/ram:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
 ],
 )
diff --git a/pkg/model/alimodel/context.go b/pkg/model/alimodel/context.go
index 8adce5b6150b4..ca40f10997d30 100644
--- a/pkg/model/alimodel/context.go
+++ b/pkg/model/alimodel/context.go
@@ -17,6 +17,8 @@ limitations under the License.
 package alimodel
 import (
+ "strings"
+
 "github.com/golang/glog"
 "k8s.io/kops/pkg/apis/kops"
 "k8s.io/kops/pkg/model"
@@ -67,3 +69,22 @@ func (c *ALIModelContext) GetNameForSecurityGroup(role kops.InstanceGroupRole) s
 return ""
 }
 }
+
+func (c *ALIModelContext) GetNameForRAM(role kops.InstanceGroupRole) string {
+ name := ""
+ switch role {
+ case kops.InstanceGroupRoleMaster:
+ name = "masters." + c.ClusterName()
+ case kops.InstanceGroupRoleBastion:
+ name = "bastions." + c.ClusterName()
+ case kops.InstanceGroupRoleNode:
+ name = "nodes." + c.ClusterName()
+
+ default:
+ glog.Fatalf("unknown InstanceGroup Role: %q", role)
+ return ""
+ }
+
+ name = strings.Replace(name, ".", "-", -1)
+ return name
+}
diff --git a/pkg/model/alimodel/ram.go b/pkg/model/alimodel/ram.go
new file mode 100644
index 0000000000000..4109baacc44fe
--- /dev/null
+++ b/pkg/model/alimodel/ram.go
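Review bot: GetNameForRAM's default branch calls `glog.Fatalf`, which terminates the whole process on an unrecognised role instead of surfacing an error, and the `return ""` after it is unreachable. Build in ram.go (same patch) already returns an error, so a `(string, error)` result with `return "", fmt.Errorf("unknown InstanceGroup Role: %q", role)` would let the caller decide; the sibling GetNameForSecurityGroup appears to follow the same fatal pattern, so if the signature is kept for consistency, document it: `// GetNameForRAM returns the RAM role/policy name for role; it exits via glog.Fatalf on an unknown role.`. Note also that `strings.Replace(name, ".", "-", -1)` maps distinct cluster names such as `a.b` and `a-b` to the same RAM name, so the result is not guaranteed unique across clusters in one account; a comment on that line should state this limitation.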
@@ -0,0 +1,147 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package alimodel
+
+import (
+ "encoding/json"
+
+ "github.com/denverdino/aliyungo/ram"
+
+ "k8s.io/kops/pkg/apis/kops"
+ "k8s.io/kops/upup/pkg/fi"
+ "k8s.io/kops/upup/pkg/fi/cloudup/alitasks"
+)
+
+const PolicyType = string(ram.Custom)
+
+type RAMModelBuilder struct {
+ *ALIModelContext
+
+ Lifecycle *fi.Lifecycle
+}
+
+type AssumeRolePolicyDocument struct {
+ Statement []AssumeRolePolicyItem
+ Version string
+}
+
+type AssumeRolePolicyItem struct {
+ Action string
+ Effect string
+ Principal AssumeRolePolicyPrincpal
+}
+
+type AssumeRolePolicyPrincpal struct {
+ Service []string
+}
+
+var _ fi.ModelBuilder = &RAMModelBuilder{}
+
+func (b *RAMModelBuilder) Build(c *fi.ModelBuilderContext) error {
+ rolePolicyDocument := b.CreateRolePolicyDocument()
+ policyDocument := b.CreatePolicyDocument()
+ // Collect the roles in use
+ var roles []kops.InstanceGroupRole
+ for _, ig := range b.InstanceGroups {
+ found := false
+ for _, r := range roles {
+ if r == ig.Spec.Role {
+ found = true
+ }
+ }
+ if !found {
+ roles = append(roles, ig.Spec.Role)
+ }
+ }
+
+ // Generate RAM objects etc for each role
+ for _, role := range roles {
+ name := b.GetNameForRAM(role)
+
+ var ramRole *alitasks.RAMRole
+ {
+ ramRole = &alitasks.RAMRole{
+ Name: s(name),
+ Lifecycle: b.Lifecycle,
+ AssumeRolePolicyDocument: s(rolePolicyDocument),
+ }
+ c.AddTask(ramRole)
+ }
+
+ var ramPolicy *alitasks.RAMPolicy
+ {
+ policyType := PolicyType
+ ramPolicy = &alitasks.RAMPolicy{
+ Name: s(name),
+ Lifecycle: b.Lifecycle,
+ PolicyDocument: s(policyDocument),
+ RamRole: ramRole,
+ PolicyType: s(policyType),
+ }
+ c.AddTask(ramPolicy)
+ }
+ }
+
+ return nil
+}
+
+func (b *RAMModelBuilder) CreateRolePolicyDocument() string {
+ princpal := AssumeRolePolicyPrincpal{Service: []string{"ecs.aliyuncs.com"}}
+
+ policydocument := AssumeRolePolicyDocument{
+ Statement: []AssumeRolePolicyItem{
+ {Action: "sts:AssumeRole", Effect: "Allow", Principal: princpal},
+ },
+ Version: "1",
+ }
+ rolePolicy, _ := json.Marshal(policydocument)
+ return string(rolePolicy)
+}
+
+func (b *RAMModelBuilder) CreatePolicyDocument() string {
+ policydocument := ram.PolicyDocument{
+ Statement: []ram.PolicyItem{
+ {
+ Action: "oss:List*",
+ Effect: "Allow",
+ Resource: "*",
+ },
+
+ {
+ Action: "oss:Get*",
+ Effect: "Allow",
+ Resource: "*",
+ },
+
+ {
+ Action: "ecs:Describe*",
+ Effect: "Allow",
+ Resource: "*",
+ },
+
+ {
+ Action: "slb:Describe*",
+ Effect: "Allow",
+ Resource: "*",
+ },
+ },
+ Version: "1",
+ }
+
+ rolePolicy, _ := json.Marshal(policydocument)
+ return string(rolePolicy)
+}
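Review bot: CreatePolicyDocument grants `oss:List*`, `oss:Get*`, `ecs:Describe*` and `slb:Describe*` on `Resource: "*"`, and Build computes that document once and attaches it to every role it creates, so bastion and node instances get the same account-wide read access to every OSS bucket and every ECS/SLB resource that masters get. Least privilege would scope the OSS statements to the bucket(s) the cluster actually reads (presumably the state store — confirm) and give nodes and bastions a narrower document than masters; until that is done, a comment above CreatePolicyDocument should make the scope explicit, e.g. `// CreatePolicyDocument returns one policy shared by every role: read access across the whole account, not yet scoped per role or per bucket.`. Separately, both `rolePolicy, _ := json.Marshal(policydocument)` lines discard the error; Marshal of these plain structs is unlikely to fail, but a silently empty document would then be handed to the RAM tasks, so either justify the `_` with a comment or panic on the impossible error. The exported type `AssumeRolePolicyPrincpal` and the local `princpal` are misspelled (`Principal`), which is worth fixing before the type is referenced outside this file.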