I. Create the group
II. Authorization
docker exec -it `docker ps -a |grep hal | awk '{print $1}'` bash
hal config security authz ldap edit \
--url 'ldap://10.4.7.12:389/dc=yht,dc=cn' \
--manager-dn 'cn=admin,dc=yht,dc=cn' \
--manager-password '123' \
--user-dn-pattern 'cn={0}' \
--group-search-base 'ou=devops' \
--group-search-filter 'uniqueMember={0}' \
--group-role-attributes 'cn' \
--user-search-filter 'cn={0}'
hal config security authz edit --type ldap
hal config security authz enable
cat /home/spinnaker/.hal/config
III. Deploy
hal deploy apply
IV. Test
cat > ingress.yaml <<'aof'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-service
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: spinnaker.fiat.com
    http:
      paths:
      - path: /
        backend:
          serviceName: spin-fiat
          servicePort: 7003
aof
kubectl apply -f ingress.yaml
cat > /etc/nginx/conf.d/bakend.conf <<'eof'
upstream default_backend_traefik {
    server 10.4.7.12:80 max_fails=3 fail_timeout=10s;
    server 10.4.7.13:80 max_fails=3 fail_timeout=10s;
}
eof
cat > /etc/nginx/conf.d/fiat.conf <<'eof'
server {
    server_name spinnaker.fiat.com;
    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
eof
nginx -s reload
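V. Debug
1. Run the first command (sync) first, then the second one to debug.
2. You must be logged in to Spinnaker before running the second command.
3. devops is the name of the ou in LDAP.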
curl -X POST http://spinnaker.fiat.com/roles/sync
curl http://spinnaker.fiat.com/authorize/devops
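
When the authorize call returns no roles after a sync, the usual cause is a mismatch between the member DN stored in the group and the user's real DN. The following is an added example, not part of the original notes and not Spinnaker's own code: an offline model of the group lookup configured in section II, run over a constructed sample directory. It assumes Spring Security-style placeholders, where {0} in the group search filter is the user's full DN, and that role names are the lowercased group cn values.

```python
# Added example: offline model of the role lookup configured by the hal flags.
# Assumptions: {0} in the group filter is the user's full DN; roles are the
# lowercased group 'cn' values; DN comparison here ignores escaped commas.
ROOT_DN = "dc=yht,dc=cn"                  # from --url
GROUP_SEARCH_BASE = "ou=devops"           # --group-search-base
GROUP_SEARCH_FILTER = "uniqueMember={0}"  # --group-search-filter
GROUP_ROLE_ATTRIBUTE = "cn"               # --group-role-attributes
USER_SEARCH_FILTER = "cn={0}"             # --user-search-filter

# Constructed sample directory (not from the page): DN -> attributes.
DIRECTORY = {
    "cn=alice,dc=yht,dc=cn": {"cn": ["alice"]},
    "cn=bob,ou=people,dc=yht,dc=cn": {"cn": ["bob"]},
    "cn=Deploy,ou=devops,dc=yht,dc=cn": {
        "cn": ["Deploy"], "uniqueMember": ["CN=alice, DC=yht, DC=cn"]},
    # Stale member DN: bob's entry actually lives under ou=people.
    "cn=ops,ou=devops,dc=yht,dc=cn": {
        "cn": ["ops"], "uniqueMember": ["cn=bob,dc=yht,dc=cn"]},
    # Outside the group search base, so never consulted.
    "cn=admins,ou=other,dc=yht,dc=cn": {
        "cn": ["admins"], "uniqueMember": ["cn=alice,dc=yht,dc=cn"]},
}

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_user_dn(user_id):
    """Return the single entry matching the user search filter, else None."""
    attr = USER_SEARCH_FILTER.split("=", 1)[0]
    hits = [dn for dn, entry in DIRECTORY.items()
            if user_id.lower() in (v.lower() for v in entry.get(attr, []))]
    return hits[0] if len(hits) == 1 else None

def roles_for(user_id):
    user_dn = find_user_dn(user_id)
    if user_dn is None:
        return []
    attr, template = GROUP_SEARCH_FILTER.split("=", 1)
    wanted = norm_dn(template.replace("{0}", user_dn))
    base = "," + norm_dn(GROUP_SEARCH_BASE + "," + ROOT_DN)
    roles = []
    for dn, entry in DIRECTORY.items():
        in_base = norm_dn(dn).endswith(base)
        if in_base and any(norm_dn(m) == wanted for m in entry.get(attr, [])):
            roles += [v.lower() for v in entry.get(GROUP_ROLE_ATTRIBUTE, [])]
    return sorted(roles)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, roles_for(user))
```

In the sample, bob gets no role because the group stores a DN that is not his entry's DN, and the admins group is ignored because it sits outside ou=devops.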