Devenv: Universal jwt_proxy environment (#53377)

* change hostname to env.grafana.local to not collide with any custom host.docker.internal settings * add WSL2 documentation * update general documentation * cleanup
2024-11-27 03:11:01 -06:00 · 2022-08-09 17:02:36 +02:00 · 2022-08-09 17:02:36 +02:00 · 3ac4415d6d
commit 3ac4415d6d
parent e73e3cac11
3 changed files with 52 additions and 21 deletions
--- a/devenv/docker/blocks/jwt_proxy/cloak.sql
+++ b/devenv/docker/blocks/jwt_proxy/cloak.sql
@ -1687,8 +1687,8 @@ a5a8fed6-0bca-4646-9946-2fe84175353b	t	f	account	0	f	d0b8b6b6-2a02-412c-84d1-716
 77ff47f8-f578-477d-8c06-e70a846332f5	t	f	broker	0	f	589951e9-e77f-4d1d-90cd-796848190eff	\N	f	\N	f	grafana	openid-connect	0	f	f	${client_broker}	f	client-secret	\N	\N	\N	t	f	f	f
 805aebc8-9d01-42b6-bcce-6ce48ca63ef0	t	f	security-admin-console	0	t	27d2217e-9934-4971-93b8-77969e47ecf7	/admin/grafana/console/	f	\N	f	grafana	openid-connect	0	f	f	${client_security-admin-console}	f	client-secret	${authAdminUrl}	\N	\N	t	f	f	f
 6bd2d943-9800-4839-9ddc-03c04930cd9f	t	f	admin-cli	0	t	da0811c3-5031-4f35-9dc5-441050461a37	\N	f	\N	f	grafana	openid-connect	0	f	f	${client_admin-cli}	f	client-secret	\N	\N	\N	f	f	t	f
-09b79548-8426-4c0e-8e0b-7488467532c7	t	t	grafana-oauth	0	f	d17b9ea9-bcb1-43d2-b132-d339e55872a8	http://127.0.0.1:8087	f	http://127.0.0.1:8087	f	grafana	openid-connect	-1	f	f	\N	f	client-secret	http://127.0.0.1:8087	\N	\N	t	f	t	f
 169f1dea-80f0-4a99-8509-9abb70ab0a5c	t	t	sample-iframe-project	0	t	c2ada58a-760e-40d7-8ddc-9ea69b465af2	\N	f	http://localhost:4200	f	grafana	openid-connect	-1	f	f	\N	f	client-secret	http://localhost:4200	\N	\N	t	f	t	f
+09b79548-8426-4c0e-8e0b-7488467532c7	t	t	grafana-oauth	0	f	d17b9ea9-bcb1-43d2-b132-d339e55872a8	http://env.grafana.local:8087	f	http://env.grafana.local:8087	f	grafana	openid-connect	-1	f	f	\N	f	client-secret	http://env.grafana.local:8087	\N	\N	t	f	t	f
 \.


@ -3159,8 +3159,8 @@ eed689c6-49da-4d91-98eb-cd495bcc07a3	/realms/master/account/*
 a5a8fed6-0bca-4646-9946-2fe84175353b	/realms/grafana/account/*
 230081b5-9161-45c3-9e08-9eda5412f7f7	/realms/grafana/account/*
 805aebc8-9d01-42b6-bcce-6ce48ca63ef0	/admin/grafana/console/*
-09b79548-8426-4c0e-8e0b-7488467532c7	http://127.0.0.1:8088/oauth2/callback
 169f1dea-80f0-4a99-8509-9abb70ab0a5c	http://localhost:4200/*
+09b79548-8426-4c0e-8e0b-7488467532c7	http://env.grafana.local:8088/oauth2/callback
 \.


@ -3435,8 +3435,8 @@ COPY public.username_login_failure (realm_id, username, failed_login_not_before,
 COPY public.web_origins (client_id, value) FROM stdin;
 2f521d09-7304-4b5e-a94b-7cc7300b8b50	+
 805aebc8-9d01-42b6-bcce-6ce48ca63ef0	+
-09b79548-8426-4c0e-8e0b-7488467532c7	http://127.0.0.1:8087
 169f1dea-80f0-4a99-8509-9abb70ab0a5c	http://localhost:4200
+09b79548-8426-4c0e-8e0b-7488467532c7	http://env.grafana.local:8087
 \.


--- a/devenv/docker/blocks/jwt_proxy/docker-compose.yaml
+++ b/devenv/docker/blocks/jwt_proxy/docker-compose.yaml
@ -33,22 +33,25 @@
    image: docker.io/bitnami/oauth2-proxy:7.3.0
    container_name: oauthproxy
    command: [
-    "--cookie-secret=yI-CWT5s4sBR2Zd0DDJJlTYc0aQ3jwGH15jYA18ZAQA=",
-    "--upstream=http://localhost:3000",
-    "--provider=keycloak",
-    "--client-id=grafana-oauth",
-    "--client-secret=d17b9ea9-bcb1-43d2-b132-d339e55872a8",
-    "--login-url=http://127.0.0.1:8087/auth/realms/grafana/protocol/openid-connect/auth",
-    "--redeem-url=http://127.0.0.1:8087/auth/realms/grafana/protocol/openid-connect/token",
-    "--profile-url=http://127.0.0.1:8087/auth/realms/grafana/protocol/openid-connect/userinfo",
-    "--validate-url=http://127.0.0.1:8087/auth/realms/grafana/protocol/openid-connect/userinfo",
-    "--cookie-secure=false",
-    "--http-address=0.0.0.0:8088",
-    "--redirect-url=http://127.0.0.1:8088/oauth2/callback",
-    "--pass-access-token=true",
-    "--email-domain=*",
+      "--cookie-secret=yI-CWT5s4sBR2Zd0DDJJlTYc0aQ3jwGH15jYA18ZAQA=",
+      "--upstream=http://env.grafana.local:3000",
+      "--provider=keycloak",
+      "--client-id=grafana-oauth",
+      "--client-secret=d17b9ea9-bcb1-43d2-b132-d339e55872a8",
+      "--login-url=http://env.grafana.local:8087/auth/realms/grafana/protocol/openid-connect/auth",
+      "--redeem-url=http://env.grafana.local:8087/auth/realms/grafana/protocol/openid-connect/token",
+      "--profile-url=http://env.grafana.local:8087/auth/realms/grafana/protocol/openid-connect/userinfo",
+      "--validate-url=http://env.grafana.local:8087/auth/realms/grafana/protocol/openid-connect/userinfo",
+      "--cookie-secure=false",
+      "--http-address=0.0.0.0:8088",
+      "--redirect-url=http://env.grafana.local:8088/oauth2/callback",
+      "--pass-access-token=true",
+      "--email-domain=*",
    ]
-    network_mode: "host"
    depends_on:
      - oauthkeycloak
+    extra_hosts:
+      - "env.grafana.local:host-gateway"
+    ports:
+      - 8088:8088
    restart: unless-stopped
--- a/devenv/docker/blocks/jwt_proxy/readme.md
+++ b/devenv/docker/blocks/jwt_proxy/readme.md
@ -11,7 +11,7 @@ Here is the conf you need to add to your configuration file (conf/custom.ini):

 ```ini
 [auth]
-signout_redirect_url = http://127.0.0.1:8088/oauth2/sign_out
+signout_redirect_url = http://env.grafana.local:8088/oauth2/sign_out

 [auth.jwt]
 enabled = true
@ -21,14 +21,20 @@ username_claim = login
 email_claim = email
 jwk_set_file = devenv/docker/blocks/oauth/jwks.json
 cache_ttl = 60m
-expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
+expected_claims = {"iss": "http://env.grafana.local:8087/auth/realms/grafana", "azp": "grafana-oauth"}
 auto_sign_up = true
 ```

+Add *env.grafana.local* to /etc/hosts (Mac/Linux) or C:\Windows\System32\drivers\etc\hosts (Windows):
+```ini
+127.0.0.1   env.grafana.local
+::1         env.grafana.local
+```
+
 Access Grafana through: 

 ```sh
-http://127.0.0.1:8088
+http://env.grafana.local:8088
 ```

 ## Devenv setup jwt auth iframe embedding
@ -85,3 +91,25 @@ $ docker rmi $(docker images | grep 'keycloack')
 $ ./docker-build-keycloack-m1-image.sh
 ```
 1. Start from beginning of this readme
+
+## Docker for Windows Users
+
+### Docker for Windows with WSL 2
+
+Port forwarding needs to be set up between the WSL 2 VM (which runs Grafana, in my case it is Ubuntu) and the host system. (https://docs.microsoft.com/en-us/windows/wsl/networking)
+
+Run the following commands from an elevated PowerShell prompt:
+1. Change the default WSL 2 distribution if necessary
+```powershell
+wsl --list # Find the default
+wsl -s Ubuntu # Change the default
+```
+2. Open port 3000 between the Windows host and the WSL 2 VM
+```powershell
+$hostAddr = '0.0.0.0';
+$wslHostAddr = wsl hostname -I;
+iex "netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=$hostAddr"
+iex "netsh interface portproxy add v4tov4 listenport=3000 listenaddress=$hostAddr connectport=3000 connectaddress=$wslHostAddr"
+```
+
+Tested on Win 11 Home, Ubuntu and Docker for Windows v4.11.1 (84025).