serverless deploy #143

Open
trett wants to merge 10 commits into main from gcr-delpoy

@trett (Owner) commented Feb 16, 2026

No description provided.

@gemini-code-assist

Summary of Changes

Hello @trett, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the RSS Reader application to be cloud-native and optimized for deployment on Google Cloud Run. The changes encompass a complete deployment guide, a shift from stateful session management to stateless JWT authentication, and the externalization of background tasks to leverage cloud scheduling services. Additionally, the Docker image has been streamlined for efficiency, and local observability tools have been removed in favor of cloud-managed alternatives, enhancing the application's suitability for a serverless architecture.

Highlights

  • Google Cloud Run Deployment Guide: A new comprehensive guide (DEPLOY.md) has been added, detailing the steps to deploy the RSS Reader application to Google Cloud Run, including setting up Cloud SQL and Cloud Scheduler for background tasks.
  • Transition to JWT-based Authentication: The in-memory SessionManager has been replaced with a stateless JwtManager, utilizing JWTs for user authentication. This change is more suitable for serverless and horizontally scalable environments.
  • Externalized Background Job Processing: The internal UpdateTask for periodically updating RSS feeds has been removed. A new JobController endpoint was introduced, allowing external services like Google Cloud Scheduler to trigger feed updates via an authenticated HTTP request.
  • Optimized Docker Image for Cloud Run: The Docker build process has been updated to use a gcr.io/distroless/java21 base image and a custom ENTRYPOINT, resulting in smaller, more secure, and faster-starting containers ideal for serverless platforms.
  • Removed Local Observability Stack: The local Prometheus and Grafana setup, along with their OpenTelemetry dependencies, have been removed from the application's local development environment and build.sbt. This indicates a shift towards cloud-native monitoring solutions.
  • Database Connection Pool Tuning: The HikariCP connection pool settings were adjusted, reducing the maximum pool size and setting the minimum idle connections to zero, which is more appropriate for the bursty nature of serverless functions.

Changelog

  • DEPLOY.md
    • Added a new deployment guide for Google Cloud Run, detailing infrastructure setup, configuration, and deployment steps.
  • README.md
    • Updated the project description to reflect its containerized and Cloud Run optimized nature, including AI-powered summaries.
    • Removed the 'Observability' feature section, along with mentions of OpenTelemetry, Prometheus, and Grafana from the tech stack.
    • Revised the 'Running Locally with Docker' section, removing Prometheus and Grafana details.
    • Updated the 'Deployment' section to reference the new DEPLOY.md for Cloud Run specifics and clarified image building and pushing instructions.
  • build.sbt
    • Updated the project version to '2.4.4-gcr' and added a gitCommitHash.
    • Changed the Docker base image to gcr.io/distroless/java21 and customized Docker commands for a more optimized entrypoint.
    • Removed OpenTelemetry-related dependencies and Java options.
    • Added jwt-circe and postgres-socket-factory dependencies.
  • client/site.webmanifest
    • Updated icon paths to include an '/images/' prefix.
  • collector-config.yaml
    • Added a new OpenTelemetry Collector configuration file for Google Managed Prometheus.
  • scripts/local-docker/docker-compose.yml
    • Updated the server image tag to use a Git commit hash.
    • Removed the Prometheus and Grafana services, along with their associated environment variables and volumes.
  • server/src/main/resources/application.conf
    • Modified server port configuration to prioritize PORT environment variable.
    • Added new configuration sections for jobs.token and jwt.secret.
  • server/src/main/scala/ru.trett/rss/server/config/AppConfig.scala
    • Added JobConfig and JwtConfig to the application configuration structure.
  • server/src/main/scala/ru/trett/rss/server/Server.scala
    • Adjusted IORuntimeConfig to disable CPU starvation checks.
    • Removed OpenTelemetry imports and related metric registration logic.
    • Replaced SessionManager with JwtManager for authentication.
    • Removed the UpdateTask background service and integrated JobController for external job triggering.
    • Modified HikariCP connection pool settings, reducing maximumPoolSize and setting minimumIdle to zero.
    • Updated routes and unprotectedRoutes to use JwtManager and include JobController routes.
  • server/src/main/scala/ru/trett/rss/server/authorization/AuthFilter.scala
    • Modified AuthFilter to use JwtManager for session verification instead of SessionManager.
  • server/src/main/scala/ru/trett/rss/server/authorization/JwtManager.scala
    • Added a new JwtManager class for creating and verifying JWTs, replacing the in-memory session management.
  • server/src/main/scala/ru/trett/rss/server/authorization/SessionManager.scala
    • Removed the SessionManager class, which previously handled in-memory session storage.
  • server/src/main/scala/ru/trett/rss/server/controllers/JobController.scala
    • Added a new JobController class to handle authenticated HTTP requests for triggering background feed updates.
  • server/src/main/scala/ru/trett/rss/server/controllers/LoginController.scala
    • Modified LoginController to use JwtManager for creating session tokens and setting them as cookies.
    • Removed the local logout endpoint, as logout is now handled by clearing the JWT cookie.
  • server/src/main/scala/ru/trett/rss/server/controllers/LogoutController.scala
    • Modified LogoutController to simply clear the sessionId cookie upon logout, no longer interacting with a session manager.
  • server/src/main/scala/ru/trett/rss/server/controllers/UserController.scala
    • Updated logging message for user settings updates.
  • server/src/main/scala/ru/trett/rss/server/db/FlywayMigration.scala
    • Added connectRetries to Flyway configuration for improved database connection resilience.
  • server/src/main/scala/ru/trett/rss/server/repositories/ChannelRepository.scala
    • Updated a comment in the insertChannel SQL query.
  • server/src/main/scala/ru/trett/rss/server/repositories/FeedRepository.scala
    • Updated comments in getUnreadCount and getTotalUnreadCount SQL queries.
  • server/src/main/scala/ru/trett/rss/server/services/UpdateTask.scala
    • Removed the UpdateTask class, which previously managed scheduled background feed updates.

@gemini-code-assist bot left a comment

Code Review

This pull request refactors the application for serverless deployment on Google Cloud Run, including a deployment guide, stateless JWTs, and moving background tasks to an HTTP endpoint. However, it introduces critical security vulnerabilities. Most notably, the JWT secret management uses a hardcoded default secret, which could lead to full account takeover. The new job update endpoint also has a 'fail-open' authentication check, allowing unauthorized access if the security token is not explicitly configured. These issues, along with other high-severity concerns in the deployment guide, must be addressed.

@trett (Owner, Author) commented Feb 16, 2026

/gemini review

@gemini-code-assist bot left a comment

Code Review

This pull request refactors the application for serverless deployment on Google Cloud Run, optimizing the Docker build process and switching to stateless JWT authentication. However, it introduces several security vulnerabilities, including hardcoded secrets (a default database password), a potentially empty JWT secret, and a denial of service vulnerability in the job update mechanism due to improper handling of an empty job token. The changes are generally well-aligned with serverless best practices, but specific comments have been added regarding security and configuration in the new deployment documentation and the job controller.
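
The two reviews above flag a secret that is hardcoded or empty and a job-token check that passes when no token is configured. The Scala below is an added example, not code from this pull request: it contrasts a fail-open token check with a fail-closed one and validates both settings at startup. The object and function names, the minimum length and the placeholder list are assumptions made for illustration.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest

// Added illustration with hypothetical names; not the project's JwtManager or JobController.
object SecretChecks {

  // Constructed list of placeholder values that must never pass as a real secret.
  private val knownDefaults = Set("", "changeme", "secret", "default")

  /** Startup validation: reject a missing, placeholder or short secret before serving traffic. */
  def validateSecret(name: String, value: Option[String], minLen: Int = 32): Either[String, String] =
    value.map(_.trim) match {
      case None                                    => Left(s"$name is not set")
      case Some(v) if knownDefaults(v.toLowerCase) => Left(s"$name is empty or a placeholder")
      case Some(v) if v.length < minLen            => Left(s"$name is shorter than $minLen characters")
      case Some(v)                                 => Right(v)
    }

  /** Fail-open shape: when no token is configured the check is skipped and every caller passes. */
  def failOpenAuthorized(configured: Option[String], presented: Option[String]): Boolean =
    configured.filter(_.nonEmpty) match {
      case None        => true
      case Some(token) => presented.contains(token)
    }

  /** Fail-closed shape: no configured token means no access; the comparison is timing-safe. */
  def failClosedAuthorized(configured: Option[String], presented: Option[String]): Boolean =
    (configured.filter(_.nonEmpty), presented) match {
      case (Some(expected), Some(got)) =>
        MessageDigest.isEqual(expected.getBytes(UTF_8), got.getBytes(UTF_8))
      case _ => false
    }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: an operator forgot to set the job token, and a caller sends none.
    val unset: Option[String] = None
    println(s"fail-open, token unset:   ${failOpenAuthorized(unset, None)}")
    println(s"fail-closed, token unset: ${failClosedAuthorized(unset, None)}")
    println(s"fail-closed, empty token: ${failClosedAuthorized(Some(""), Some(""))}")

    // Startup checks for the two settings the reviews mention; a bad value aborts the boot.
    val settings = List("jwt.secret" -> Some(""), "jobs.token" -> unset)
    settings.foreach { case (name, value) =>
      validateSecret(name, value).left.foreach(err => sys.error(s"refusing to start: $err"))
    }
  }
}
```

Running `main` prints the three authorization results and then aborts on the first invalid setting, which is the behaviour wanted from a service that would otherwise start with an unusable secret.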

trett and others added 4 commits February 16, 2026 19:18
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>