diff --git a/charts/spectre/Chart.yaml b/charts/spectre/Chart.yaml
index 61fb4072..c8345035 100644
--- a/charts/spectre/Chart.yaml
+++ b/charts/spectre/Chart.yaml
@@ -22,7 +22,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.5
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/spectre/README.md b/charts/spectre/README.md
index 9829c50c..2ace1e6f 100644
--- a/charts/spectre/README.md
+++ b/charts/spectre/README.md
@@ -1,6 +1,6 @@
 # spectre
 
-![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.68.3](https://img.shields.io/badge/AppVersion-0.68.3-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.68.3](https://img.shields.io/badge/AppVersion-0.68.3-informational?style=flat-square)
 
 A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 
@@ -25,10 +25,12 @@ A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 | chainType | string | `nil` | can be one of mainnet: `eth`, `arb`, `opt`, `gno`, `scr`, `zkevm`, `mantle`, or testnets: `gor`, `sep`, `ogor`, `mango`, `testnet-zkEVM-mango`, `mantle-testnet`, `scr-sepolia` |
 | configsUrl | string | `""` | config url for the app, if provided, will override the default config. can be an ipfs url or a http url |
 | entryPointOverride | list | `[]` | |
+| env.normal | object | `{}` | |
 | environment | string | `"stage"` | CFG_ENVIRONMENT can be one of `stage` or `prod` |
 | ethConfig | object | `{}` | |
 | extraObjects | list | `[]` | Extra K8s manifests to deploy |
 | fullnameOverride | string | `"spectre"` | |
+| image.digest | string | `"sha256:c87e4d6944941c09019102da22bbd458649f54488627b2acbff21a51112215af"` | |
 | image.pullPolicy | string | `"IfNotPresent"` | |
 | image.repository | string | `"ghcr.io/chronicleprotocol/spectre"` | |
 | image.tag | string | `""` | |
@@ -58,11 +60,16 @@ A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 | readinessProbe.probeSpec.timeoutSeconds | int | `5` | |
 | replicaCount | int | `1` | |
 | resources | object | `{}` | |
+| revisionHistoryLimit | int | `3` | |
 | rpcUrl | string | `nil` | rpcUrl for the target chain |
-| securityContext | object | `{}` | |
+| securityContext.allowPrivilegeEscalation | bool | `false` | |
+| securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| securityContext.readOnlyRootFilesystem | bool | `true` | |
 | service.annotations | object | `{}` | |
 | service.ports.listen.port | int | `8080` | |
 | service.ports.listen.protocol | string | `"TCP"` | |
+| service.ports.metrics.port | int | `9090` | |
+| service.ports.metrics.protocol | string | `"TCP"` | |
 | service.type | string | `"ClusterIP"` | |
 | serviceAccount.annotations | object | `{}` | |
 | serviceAccount.create | bool | `true` | |
@@ -71,6 +78,7 @@ A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 | serviceMonitor.enabled | bool | `false` | If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator |
 | serviceMonitor.interval | string | `"60s"` | ServiceMonitor scrape interval |
 | serviceMonitor.labels | object | `{}` | Additional ServiceMonitor labels |
+| serviceMonitor.metricRelabelings | list | `[]` | ServiceMonitor metricRelabelings |
 | serviceMonitor.namespace | string | `nil` | Alternative namespace for ServiceMonitor |
 | serviceMonitor.path | string | `"/metrics"` | Path to scrape |
 | serviceMonitor.port | string | `"metrics"` | port to scrape |
@@ -79,6 +87,7 @@ A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 | serviceMonitor.scrapeTimeout | string | `"60s"` | ServiceMonitor scrape timeout |
 | serviceMonitor.tlsConfig | object | `{}` | ServiceMonitor TLS configuration |
 | tolerations | list | `[]` | |
+| topologySpreadConstraints | list | `[]` | |
 | txType | string | `nil` | can be one of `legacy`or `eip1559` |
 
 ----------------------------------------------
diff --git a/charts/spectre/templates/deployment.yaml b/charts/spectre/templates/deployment.yaml
index 3f68bfcc..13522f12 100644
--- a/charts/spectre/templates/deployment.yaml
+++ b/charts/spectre/templates/deployment.yaml
@@ -8,6 +8,7 @@ spec:
 {{- if not .Values.autoscaling.enabled }}
 replicas: {{ .Values.replicaCount }}
 {{- end }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
 selector:
 matchLabels:
 {{- include "spectre.selectorLabels" . | nindent 6 }}
@@ -31,7 +32,7 @@ spec:
 - name: {{ .Chart.Name }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.image.repository }}{{ if .Values.image.tag }}:{{ .Values.image.tag }}{{ else if .Values.image.digest }}@{{ .Values.image.digest }}{{ else }}:{{ .Chart.AppVersion }}{{ end }}"
 {{- if .Values.entryPointOverride }}
 command:
 {{- range .Values.entryPointOverride }}
@@ -83,7 +84,7 @@ spec:
 - name: CFG_CHAIN_TX_TYPE
 value: "{{ .Values.txType }}"
 - name: CFG_LOG_LEVEL
- value: "{{ .Values.logLevel | default "debug" }}"
+ value: "{{ .Values.logLevel | default "info" }}"
 - name: CFG_LOG_FORMAT
 value: "{{ .Values.logFormat | default "text" }}"
 {{- if .Values.ethConfig }}
@@ -106,19 +107,31 @@ spec:
 {{- include "helpers.list-env-variables" . | indent 12 }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
- {{- if .Values.inlineConfig }}
+ {{- if or .Values.inlineConfig .Values.securityContext.readOnlyRootFilesystem }}
 volumeMounts:
+ {{- if .Values.securityContext.readOnlyRootFilesystem }}
+ - name: tmp
+ mountPath: /tmp
+ {{- end }}
+ {{- if .Values.inlineConfig }}
 - name: inline-config
 mountPath: /config.hcl
 subPath: config.hcl
 readOnly: true
+ {{- end }}
 {{- end }}
 
- {{- if .Values.inlineConfig }}
+ {{- if or .Values.inlineConfig .Values.securityContext.readOnlyRootFilesystem }}
 volumes:
+ {{- if .Values.securityContext.readOnlyRootFilesystem }}
+ - name: tmp
+ emptyDir: {}
+ {{- end }}
+ {{- if .Values.inlineConfig }}
 - name: inline-config
 configMap:
 name: inline-config
+ {{- end }}
 {{- end }}
 
 {{- with .Values.nodeSelector }}
@@ -133,3 +146,7 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
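Review bot: The `tmp` volume added in the `@@ -106,19 +107,31 @@` hunk is an unbounded `emptyDir: {}`, so with `readOnlyRootFilesystem` on, `/tmp` becomes the only writable path and can grow into node ephemeral storage without limit; cap it, e.g. `emptyDir:` / `  sizeLimit: 64Mi` (size illustrative), or expose the size as a value. In the `@@ -31,7 +32,7 @@` hunk the tag branch takes precedence and silently discards `image.digest`; that is a defensible choice but deserves a template comment such as `{{/* tag wins over digest; digest is used only when tag is empty */}}`. The enclosing Deployment spec starts and ends outside these hunks.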
diff --git a/charts/spectre/templates/tests/test-logs.yaml b/charts/spectre/templates/tests/test-logs.yaml
index 9747054b..eb68b44c 100644
--- a/charts/spectre/templates/tests/test-logs.yaml
+++ b/charts/spectre/templates/tests/test-logs.yaml
@@ -16,5 +16,5 @@ spec:
 - -c
 - |
 echo 'Running tests';
- kubectl logs --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l 'app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/name={{ include "spectre.name" . }}' -o jsonpath='{.items[0].metadata.name}') | grep 'msg=Starting tag=RELAY'
+ kubectl logs --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l 'app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/name={{ include "spectre.name" . }}' -o jsonpath='{.items[0].metadata.name}') | grep -E 'msg=(Starting|"Relay started") tag=RELAY'
 restartPolicy: Never
diff --git a/charts/spectre/values.yaml b/charts/spectre/values.yaml
index 0f162b52..1cb3c484 100644
--- a/charts/spectre/values.yaml
+++ b/charts/spectre/values.yaml
@@ -9,6 +9,9 @@ image:
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 tag: ""
+ # When set, pins the image by digest (e.g. "sha256:abc...") while tag remains
+ # empty. Set image.tag to override the default pinned digest.
+ digest: "sha256:c87e4d6944941c09019102da22bbd458649f54488627b2acbff21a51112215af"
 
 # -- CFG_ENVIRONMENT can be one of `stage` or `prod`
 environment: stage
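Review bot: With `digest` populated by default, `.Chart.AppVersion` is no longer used for the image unless `image.tag` is set or `digest` is cleared, so a future `appVersion` bump in Chart.yaml will keep deploying whatever this digest points at; the new comment on `digest` should state that coupling. Suggested addition: `# Keep in sync with appVersion in Chart.yaml; while digest is set, appVersion is not used to select the image.` The hunk sits inside the `image:` mapping, whose start is outside it.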
@@ -88,16 +91,29 @@ serviceAccount:
 
 podAnnotations: {}
 
+# Pod-level security context. Left unset by default because the upstream spectre
+# image currently runs as root (no USER in Dockerfile, distroless/base without
+# :nonroot tag). Once the image is rebuilt as non-root, enable the block below.
 podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
 # runAsNonRoot: true
- # runAsUser: 1000
+ # runAsUser: 65532
+ # runAsGroup: 65532
+ # fsGroup: 65532
+ # seccompProfile:
+ # type: RuntimeDefault
+
+# Container-level security context. The chart mounts an emptyDir at /tmp when
+# readOnlyRootFilesystem is enabled because spectre creates /tmp/chronicle at
+# startup. runAsNonRoot lives on podSecurityContext and is disabled pending an
+# upstream image rebuild with a non-root USER.
+securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+
+revisionHistoryLimit: 3
 
 service:
 type: ClusterIP
@@ -163,6 +179,14 @@ tolerations: []
 
 affinity: {}
 
+topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: ScheduleAnyway
+ # labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: spectre
+
 serviceMonitor:
 # -- If true, a ServiceMonitor CRD is created for a prometheus operator
 # https://github.com/coreos/prometheus-operator
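Review bot: `seccompProfile: RuntimeDefault` is left commented out inside the `podSecurityContext` block in the `@@ -88,16 +91,29 @@` hunk, but unlike `runAsNonRoot`/`runAsUser` it does not depend on the image running as non-root, so it can be enabled in this change rather than waiting on the image rebuild. `seccompProfile` is also accepted on the container-level `securityContext`, so the new block could carry `seccompProfile:` / `  type: RuntimeDefault` next to `allowPrivilegeEscalation: false`. The header comment above `podSecurityContext` should then say that only the `runAs*`/`fsGroup` lines are gated on the upstream image.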