fix(codespaces): fix reverse proxy warning and enable CSP (#2184)

gounthar · web-flow · commit 68fa6d15d079 · 2026-04-21T15:48:52.000+02:00
Jenkins showed "reverse proxy set up is broken" in Codespaces because
codespacesURL.sh only edits the host-side jenkins.yaml, which is never
read at runtime — the baked-in image copy is used instead.

The discovery container (find-name.sh) already modifies
/var/jenkins_home/jenkins.yaml and triggers a JCasc reload, so it is
the right place to also set the correct root URL.

Changes:
- docker-compose.yaml: pass CODESPACE_NAME and
  GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN into the discovery container
- find-name.sh: when those vars are present, update
  unclassified.location.url to the Codespaces forwarding URL and
  suppress the ReverseProxySetupMonitor admin warning
- jenkins.yaml: add security.contentSecurityPolicy with a permissive
  but defined policy to clear the CSP administrative monitor warning

Signed-off-by: Bruno Verachten &lt;gounthar@gmail.com&gt;
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -30,6 +30,9 @@ services:
     stdin_open: true
     tty: true
     entrypoint: sh -c "/usr/local/bin/find-name.sh"
+    environment:
+      - CODESPACE_NAME=${CODESPACE_NAME:-}
+      - GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN=${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN:-}
     profiles:
       - maven
       - python
diff --git a/dockerfiles/agent-discovery/find-name.sh b/dockerfiles/agent-discovery/find-name.sh
@@ -31,6 +31,15 @@ cat /var/jenkins_home/jenkins.yaml
 # Hopefully, Jenkins will load this JCasc configuration after we change the value
 # We will modify this file later on with the name of the agent machine, but this change has to happen as soon as possible, so Jenkins knows the token to reload the configuration later on, once we have found the agent machine name.
 
+# If running in GitHub Codespaces, update the Jenkins root URL so the reverse proxy check passes
+if [ -n "${CODESPACE_NAME:-}" ] && [ -n "${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN:-}" ]; then
+    JENKINS_URL="https://${CODESPACE_NAME}-8080.${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN}/"
+    export JENKINS_URL
+    yq eval -i '.unclassified.location.url = env(JENKINS_URL)' /var/jenkins_home/jenkins.yaml
+    yq eval -i '(.jenkins.disabledAdministrativeMonitors // []) as $m | .jenkins.disabledAdministrativeMonitors = ($m + ["hudson.diagnosis.ReverseProxySetupMonitor"] | unique)' /var/jenkins_home/jenkins.yaml
+    echo "✅ Codespaces detected — Jenkins URL set to: ${JENKINS_URL}"
+fi
+
 # Get the IP address of the host machine
 # The hostname -I command is used to print all network addresses of the host.
 # The awk command is used to print the first field (the first IP address).
diff --git a/dockerfiles/jenkins.yaml b/dockerfiles/jenkins.yaml
@@ -40,6 +40,15 @@ credentials:
               privateKey: ${readFile:/ssh-dir/jenkins_agent_ed}
           scope: SYSTEM
           username: "jenkins"
+security:
+  contentSecurityPolicy:
+    header: >-
+      sandbox allow-same-origin allow-scripts allow-popups allow-forms;
+      default-src 'self';
+      img-src 'self' data:;
+      style-src 'self' 'unsafe-inline';
+      script-src 'self' 'unsafe-inline';
+      font-src 'self';
 unclassified:
   location:
     url: "http://127.0.0.1:8080/"
