chronicleprotocol · WesleyCharlesBlake · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026
diff --git a/charts/spectre/Chart.yaml b/charts/spectre/Chart.yaml
@@ -22,7 +22,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.5
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/spectre/README.md b/charts/spectre/README.md
@@ -1,6 +1,6 @@
 # spectre
 
-![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.68.3](https://img.shields.io/badge/AppVersion-0.68.3-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.68.3](https://img.shields.io/badge/AppVersion-0.68.3-informational?style=flat-square)
 
 A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 
@@ -25,10 +25,12 @@ A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 | chainType | string | `nil` | can be one of mainnet: `eth`, `arb`, `opt`, `gno`, `scr`, `zkevm`, `mantle`, or testnets: `gor`, `sep`, `ogor`, `mango`, `testnet-zkEVM-mango`, `mantle-testnet`, `scr-sepolia` |
 | configsUrl | string | `""` | config url for the app, if provided, will override the default config. can be an ipfs url or a http url |
 | entryPointOverride | list | `[]` |  |
+| env.normal | object | `{}` |  |
 | environment | string | `"stage"` | CFG_ENVIRONMENT can be one of `stage` or `prod` |
 | ethConfig | object | `{}` |  |
 | extraObjects | list | `[]` | Extra K8s manifests to deploy |
 | fullnameOverride | string | `"spectre"` |  |
+| image.digest | string | `"sha256:c87e4d6944941c09019102da22bbd458649f54488627b2acbff21a51112215af"` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/chronicleprotocol/spectre"` |  |
 | image.tag | string | `""` |  |
@@ -58,11 +60,16 @@ A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 | readinessProbe.probeSpec.timeoutSeconds | int | `5` |  |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
+| revisionHistoryLimit | int | `3` |  |
 | rpcUrl | string | `nil` | rpcUrl for the target chain |
-| securityContext | object | `{}` |  |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | service.annotations | object | `{}` |  |
 | service.ports.listen.port | int | `8080` |  |
 | service.ports.listen.protocol | string | `"TCP"` |  |
+| service.ports.metrics.port | int | `9090` |  |
+| service.ports.metrics.protocol | string | `"TCP"` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
@@ -71,6 +78,7 @@ A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 | serviceMonitor.enabled | bool | `false` | If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator |
 | serviceMonitor.interval | string | `"60s"` | ServiceMonitor scrape interval |
 | serviceMonitor.labels | object | `{}` | Additional ServiceMonitor labels |
+| serviceMonitor.metricRelabelings | list | `[]` | ServiceMonitor metricRelabelings |
 | serviceMonitor.namespace | string | `nil` | Alternative namespace for ServiceMonitor |
 | serviceMonitor.path | string | `"/metrics"` | Path to scrape |
 | serviceMonitor.port | string | `"metrics"` | port to scrape |
@@ -79,6 +87,7 @@ A Helm chart for deploying Chronicle Spectre Relay on Kubernetes
 | serviceMonitor.scrapeTimeout | string | `"60s"` | ServiceMonitor scrape timeout |
 | serviceMonitor.tlsConfig | object | `{}` | ServiceMonitor TLS configuration |
 | tolerations | list | `[]` |  |
+| topologySpreadConstraints | list | `[]` |  |
 | txType | string | `nil` | can be one of `legacy`or `eip1559` |
 
 ----------------------------------------------

diff --git a/charts/spectre/templates/deployment.yaml b/charts/spectre/templates/deployment.yaml
@@ -8,6 +8,7 @@ spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
   selector:
     matchLabels:
       {{- include "spectre.selectorLabels" . | nindent 6 }}
@@ -31,7 +32,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}{{ if .Values.image.tag }}:{{ .Values.image.tag }}{{ else if .Values.image.digest }}@{{ .Values.image.digest }}{{ else }}:{{ .Chart.AppVersion }}{{ end }}"
           {{- if .Values.entryPointOverride }}
           command:
             {{- range .Values.entryPointOverride }}
@@ -83,7 +84,7 @@ spec:
             - name: CFG_CHAIN_TX_TYPE
               value: "{{ .Values.txType }}"
             - name: CFG_LOG_LEVEL
-              value: "{{ .Values.logLevel | default "debug" }}"
+              value: "{{ .Values.logLevel | default "info" }}"
             - name: CFG_LOG_FORMAT
               value: "{{ .Values.logFormat | default "text" }}"
           {{- if .Values.ethConfig }}
@@ -106,19 +107,31 @@ spec:
           {{- include "helpers.list-env-variables" . | indent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- if .Values.inlineConfig }}
+          {{- if or .Values.inlineConfig .Values.securityContext.readOnlyRootFilesystem }}
           volumeMounts:
+            {{- if .Values.securityContext.readOnlyRootFilesystem }}
+            - name: tmp
+              mountPath: /tmp
+            {{- end }}
+            {{- if .Values.inlineConfig }}
             - name: inline-config
               mountPath: /config.hcl
               subPath: config.hcl
               readOnly: true
+            {{- end }}
           {{- end }}
 
-      {{- if .Values.inlineConfig }}
+      {{- if or .Values.inlineConfig .Values.securityContext.readOnlyRootFilesystem }}
       volumes:
+        {{- if .Values.securityContext.readOnlyRootFilesystem }}
+        - name: tmp
+          emptyDir: {}
+        {{- end }}
+        {{- if .Values.inlineConfig }}
         - name: inline-config
           configMap:
             name: inline-config
+        {{- end }}
       {{- end }}
 
       {{- with .Values.nodeSelector }}
@@ -133,3 +146,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/spectre/templates/tests/test-logs.yaml b/charts/spectre/templates/tests/test-logs.yaml
@@ -16,5 +16,5 @@ spec:
         - -c
         - |
           echo 'Running tests';
-          kubectl logs --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l 'app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/name={{ include "spectre.name" . }}' -o jsonpath='{.items[0].metadata.name}') | grep 'msg=Starting tag=RELAY'
+          kubectl logs --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l 'app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/name={{ include "spectre.name" . }}' -o jsonpath='{.items[0].metadata.name}') | grep -E 'msg=(Starting|"Relay started") tag=RELAY'
   restartPolicy: Never
diff --git a/charts/spectre/values.yaml b/charts/spectre/values.yaml
@@ -9,6 +9,9 @@ image:
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
+  # When set, pins the image by digest (e.g. "sha256:abc...") while tag remains
+  # empty. Set image.tag to override the default pinned digest.
+  digest: "sha256:c87e4d6944941c09019102da22bbd458649f54488627b2acbff21a51112215af"
 
 # -- CFG_ENVIRONMENT can be one of `stage` or `prod`
 environment: stage
@@ -88,16 +91,29 @@ serviceAccount:
 
 podAnnotations: {}
 
+# Pod-level security context. Left unset by default because the upstream spectre
+# image currently runs as root (no USER in Dockerfile, distroless/base without
+# :nonroot tag). Once the image is rebuilt as non-root, enable the block below.
 podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 65532
+  # runAsGroup: 65532
+  # fsGroup: 65532
+  # seccompProfile:
+  #   type: RuntimeDefault
+
+# Container-level security context. The chart mounts an emptyDir at /tmp when
+# readOnlyRootFilesystem is enabled because spectre creates /tmp/chronicle at
+# startup. runAsNonRoot lives on podSecurityContext and is disabled pending an
+# upstream image rebuild with a non-root USER.
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+
+revisionHistoryLimit: 3
 
 service:
   type: ClusterIP
@@ -163,6 +179,14 @@ tolerations: []
 
 affinity: {}
 
+topologySpreadConstraints: []
+  # - maxSkew: 1
+  #   topologyKey: kubernetes.io/hostname
+  #   whenUnsatisfiable: ScheduleAnyway
+  #   labelSelector:
+  #     matchLabels:
+  #       app.kubernetes.io/name: spectre
+
 serviceMonitor:
   # -- If true, a ServiceMonitor CRD is created for a prometheus operator
   # https://github.com/coreos/prometheus-operator