一、创建组
二、授权
docker exec -it `docker ps -a |grep hal | awk '{print $1}'` bash
hal config security authz ldap edit \
--url 'ldap://10.4.7.12:389/dc=yht,dc=cn' \
--manager-dn 'cn=admin,dc=yht,dc=cn' \
--manager-password '123' \
--user-dn-pattern 'cn={0}' \
--group-search-base 'ou=devops' \
--group-search-filter 'uniqueMember={0}' \
--group-role-attributes 'cn' \
--user-search-filter 'cn={0}'
hal config security authz edit --type ldap
hal config security authz enablecat /home/spinnaker/.hal/config
三、发布
hal deploy apply
四、测试
cat > ingress.yaml <<'aof'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: spinnaker-service
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: spinnaker.fiat.com
http:
paths:
- path: /
backend:
serviceName: spin-fiat
servicePort: 7003
aof
kubectl apply -f ingress.yaml cat > /etc/nginx/conf.d/bakend.conf <<'eof'
upstream default_backend_traefik {
server 10.4.7.12:80 max_fails=3 fail_timeout=10s;
server 10.4.7.13:80 max_fails=3 fail_timeout=10s;
}
eofcat > /etc/nginx/conf.d/fiat.conf <<'eof'
server {
server_name spinnaker.fiat.com;
location / {
proxy_pass http://default_backend_traefik;
proxy_set_header Host $http_host;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}
}
eof
nginx -s reload五、调试
1、先执行第一条同步,再执行第二条调试
2、需要先登陆spinnaker才能执行第二条
3、devops指ldap里的ou名
curl -X POST http://spinnaker.fiat.com/roles/sync
curl http://spinnaker.fiat.com/authorize/devops