A follow up changes to improve CloudRun deployment

Author: olesho

Readme.md

@@ -227,16 +227,35 @@ Example: 1 hour session ≈ $0.50-1.00
 
 The `cloudbuild.yaml` provides:
 1. Submodule initialization
-2. Docker image build
+2. Docker image build with caching
 3. Container Registry push
 4. Cloud Run deployment
 5. Traffic routing
 
-Trigger builds via:
+### Build Commands
+
 ```bash
+# Normal build (with cache) - recommended for development
 gcloud builds submit --config cloudbuild.yaml
+
+# Force rebuild without cache - use when dependencies change
+gcloud builds submit --config cloudbuild.yaml --substitutions=_NO_CACHE=true
+
+# Automated deployment with Twilio TURN server setup
+./deploy.sh
 ```
 
+### Cache Control
+
+The build system uses Docker layer caching by default to reduce build times and costs:
+- **With cache**: ~5-10 minutes, lower cost
+- **Without cache**: ~30+ minutes, higher cost (~$3-5 per build)
+
+Use `_NO_CACHE=true` only when:
+- Dependencies have changed significantly
+- Base images need updating
+- Debugging build issues
+
 ## 📚 Additional Resources
 
 - [kernel-images Documentation](https://github.com/onkernel/kernel-images)

cloudbuild.yaml

@@ -1,4 +1,8 @@
 # Cloud Build configuration for kernel-browser
+# Usage: gcloud builds submit --substitutions=_NO_CACHE=true (to disable cache)
+substitutions:
+  _NO_CACHE: 'false'
+
 steps:
   # Step 1: Verify kernel-images directory exists
   - name: 'gcr.io/cloud-builders/docker'
@@ -17,22 +21,36 @@ steps:
     args:
       - '-c'
       - |
-        echo "Attempting to pull previous image for caching..."
-        docker pull us-docker.pkg.dev/$PROJECT_ID/gcr.io/kernel-browser:latest || echo "No previous image found for caching"
+        if [ "${_NO_CACHE}" = "true" ]; then
+          echo "⚠️ Cache disabled by _NO_CACHE=true flag"
+        else
+          echo "Attempting to pull previous image for caching..."
+          docker pull us-docker.pkg.dev/$PROJECT_ID/gcr.io/kernel-browser:latest || echo "No previous image found for caching"
+        fi
 
   # Step 3: Build the Docker image with caching (using cloudrun Dockerfile)
   - name: 'gcr.io/cloud-builders/docker'
+    entrypoint: 'bash'
     args:
-      - 'build'
-      - '--file'
-      - 'Dockerfile.cloudrun'
-      - '--cache-from'
-      - 'us-docker.pkg.dev/$PROJECT_ID/gcr.io/kernel-browser:latest'
-      - '--build-arg'
-      - 'CACHE_BUST=$BUILD_ID'
-      - '--tag'
-      - 'us-docker.pkg.dev/$PROJECT_ID/gcr.io/kernel-browser:latest'
-      - '.'
+      - '-c'
+      - |
+        if [ "${_NO_CACHE}" = "true" ]; then
+          echo "🔨 Building without cache..."
+          docker build \
+            --file Dockerfile.cloudrun \
+            --no-cache \
+            --build-arg CACHE_BUST=$BUILD_ID \
+            --tag us-docker.pkg.dev/$PROJECT_ID/gcr.io/kernel-browser:latest \
+            .
+        else
+          echo "🚀 Building with cache from previous image..."
+          docker build \
+            --file Dockerfile.cloudrun \
+            --cache-from us-docker.pkg.dev/$PROJECT_ID/gcr.io/kernel-browser:latest \
+            --build-arg CACHE_BUST=$BUILD_ID \
+            --tag us-docker.pkg.dev/$PROJECT_ID/gcr.io/kernel-browser:latest \
+            .
+        fi
     timeout: '3600s'  # Allow 1 hour for build (it's a large image)
 
   # Step 4: Push the image to Artifact Registry
@@ -48,12 +66,14 @@ steps:
       - '-c'
       - |
         # Check if Twilio secrets exist and choose appropriate service file
-        if gcloud secrets describe twilio-account-sid --project=$PROJECT_ID >/dev/null 2>&1 && \
-           gcloud secrets describe twilio-auth-token --project=$PROJECT_ID >/dev/null 2>&1; then
-          echo "Using service-secrets.yaml with Secret Manager references"
+        echo "Checking for Twilio secrets..."
+        if gcloud secrets describe twilio-account-sid --project=$PROJECT_ID && \
+           gcloud secrets describe twilio-auth-token --project=$PROJECT_ID; then
+          echo "✅ Twilio secrets found! Using service-secrets.yaml with Secret Manager references"
           cp service-secrets.yaml temp-service.yaml
         else
-          echo "Using standard service.yaml (secrets not configured)"
+          echo "⚠️ Twilio secrets NOT found. Using standard service.yaml (secrets not configured)"
+          echo "To use Twilio TURN servers, run: ./deploy.sh to set up secrets"
           cp service.yaml temp-service.yaml
         fi
         

cloudrun-wrapper.sh

@@ -13,6 +13,12 @@ export HEIGHT=768
 export WIDTH=1024
 export NEKO_BIND=:8081
 
+# WebRTC Cloud Run configuration - force relay-only mode
+export NEKO_WEBRTC_ICE_LITE=true
+export NEKO_WEBRTC_ICE_POLICY=relay
+export NEKO_WEBRTC_MDNS=false
+export NEKO_WEBRTC_ICE_INTERFACES=""
+
 # Get fresh Twilio TURN credentials if available
 if [ -f /twilio-credential-updater.sh ]; then
     echo "[cloudrun-wrapper] Getting fresh Twilio TURN credentials..."
@@ -51,6 +57,9 @@ http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
     
+    # Configure log files to use /tmp for non-root execution
+    access_log /tmp/cloudrun-nginx-access.log;
+    
     # Create temp directories for nginx (non-root execution)
     client_body_temp_path /tmp/nginx_client_temp;
     proxy_temp_path /tmp/nginx_proxy_temp;
@@ -120,6 +129,7 @@ http {
         # Chrome DevTools Protocol HTTP endpoints
         location /json {
             proxy_pass http://127.0.0.1:9223/json;
+            proxy_http_version 1.1;
             proxy_set_header Host \$host;
             proxy_set_header X-Real-IP \$remote_addr;
             proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
@@ -129,6 +139,7 @@ http {
         # Chrome DevTools Protocol HTTP endpoints (with trailing slash)
         location /json/ {
             proxy_pass http://127.0.0.1:9223/json/;
+            proxy_http_version 1.1;
             proxy_set_header Host \$host;
             proxy_set_header X-Real-IP \$remote_addr;
             proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;

deploy.sh

@@ -149,6 +149,29 @@ setup_secrets() {
         --project="$PROJECT_ID" \
         --quiet
 
+    # Grant Cloud Build service account permission to view secrets (needed for cloudbuild.yaml)
+    local project_number=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
+    local cb_sa_email="${project_number}@cloudbuild.gserviceaccount.com"
+    
+    info "Granting Secret Manager viewer access to Cloud Build service account..."
+    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
+        --member="serviceAccount:$cb_sa_email" \
+        --role="roles/secretmanager.viewer" \
+        --project="$PROJECT_ID" \
+        --quiet
+    
+    gcloud secrets add-iam-policy-binding twilio-account-sid \
+        --member="serviceAccount:$cb_sa_email" \
+        --role="roles/secretmanager.secretAccessor" \
+        --project="$PROJECT_ID" \
+        --quiet
+    
+    gcloud secrets add-iam-policy-binding twilio-auth-token \
+        --member="serviceAccount:$cb_sa_email" \
+        --role="roles/secretmanager.secretAccessor" \
+        --project="$PROJECT_ID" \
+        --quiet
+    
     # Set flag to use secrets-enabled service.yaml
     export USE_SECRETS=true
 

nginx.conf

@@ -76,6 +76,7 @@ http {
         # Chrome DevTools Protocol HTTP endpoints
         location /json {
             proxy_pass http://127.0.0.1:9223;
+            proxy_http_version 1.1;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

service-secrets.yaml

@@ -36,8 +36,8 @@ spec:
           limits:
             # 2 CPU cores (within quota limits)
             cpu: "2"
-            # 4GiB memory (within quota limits)
-            memory: "4Gi"
+            # 2GiB memory (reduced to prevent DevTools crashes)
+            memory: "2Gi"
           requests:
             cpu: "1"
             memory: "2Gi"

supervisor/services-cloudrun/neko.conf

@@ -7,4 +7,4 @@ priority=15
 stdout_logfile=/var/log/supervisord/neko/neko.log
 stdout_logfile_maxbytes=50MB
 redirect_stderr=true
-environment=HOME="/home/kernel",USER="kernel",DISPLAY=":1",NEKO_WEBRTC_ICESERVERS_FRONTEND="",NEKO_WEBRTC_ICESERVERS_BACKEND=""
+environment=HOME="/home/kernel",USER="kernel",DISPLAY=":1"

twilio/update-twilio-credentials.sh

@@ -91,6 +91,7 @@ spec:
     spec:
       containers:
       - name: kernel-browser
+        image: us-docker.pkg.dev/${PROJECT_ID}/gcr.io/kernel-browser:latest
         env:
         - name: NEKO_ICESERVERS
           value: '${ice_servers}'