chore: rename release artifacts and image binary to nudgebee-node-agent#247
Merged
Conversation
- Dockerfile: build output, COPY destination, and ENTRYPOINT renamed from coroot-node-agent to nudgebee-node-agent. - release.yml: extract from /usr/bin/nudgebee-node-agent and publish release assets as nudgebee-node-agent-<version>-<arch>. Go module path (github.com/coroot/coroot-node-agent) and the ldflags version-injection path are unchanged — module rename is a separate refactor. Breaking change for any consumer that explicitly execs 'coroot-node-agent' as a container command/args/healthcheck, but our in-repo manifests/coroot-node-agent.yaml uses args-only so the ENTRYPOINT swap is transparent there. install.sh and the sample manifest still point at upstream releases/images and are not used by nudgebee container deploys; flagged for separate cleanup.
RamanKharchee
previously approved these changes
May 14, 2026
There was a problem hiding this comment.
Code Review
This pull request renames the application binary from coroot-node-agent to nudgebee-node-agent within the Dockerfile. The review feedback suggests updating the default WAL directory in the flags configuration to maintain consistency with the new branding and recommends using an absolute path for the ENTRYPOINT to ensure the binary is correctly located.
- flags/flags.go: WalDir default /tmp/coroot-node-agent -> /tmp/nudgebee-node-agent so the default spool directory matches the rebrand. /tmp doesn't survive reboots, so no migration concern; --wal-dir / WAL_DIR overrides are unaffected. - Dockerfile: ENTRYPOINT uses the absolute path /usr/bin/nudgebee-node-agent to drop the implicit PATH dependency.
11 tasks
* chore: add open-source governance files and clean repo hygiene
Add the project metadata required for an Apache-2 OSS release derived
from coroot/coroot-node-agent:
- NOTICE: attribution to upstream coroot/coroot-node-agent and
declaration that eBPF C code is GPL-2.0
- SECURITY.md: private disclosure policy
- CODE_OF_CONDUCT.md: Contributor Covenant 2.1
- CHANGELOG.md: keep-a-changelog seed
- LICENSES/GPL-2.0.txt: full GPL-2.0 text (eBPF probes)
Replace the two-line .gitignore with a real Go ignore covering build
artifacts, profiles, IDE state, and eBPF objects.
Remove two binaries accidentally committed to the repo root:
heap.prof (a stray pprof dump) and github-labeler-0.0.2 (an unrelated
third-party tool, 18.6 MB). The blobs remain in history and will be
purged in a separate filter-repo pass before the repo is made public.
* test: scrub real credentials and internal identifiers from L7 fixtures
The HTTP test fixtures in ebpftracer/l7/l7_test.go were captured from
live production traffic and contained:
- real (now-expired) AWS STS session credentials with our account ID
280501305789 embedded in the security-token blob
- a real Kubernetes ServiceAccount JWT that exposed our EKS cluster
OIDC issuer ID and the nudgebee-agent service-account name
- a real S3 path referencing internal bucket nudgebee-dev-loki-logs
- a captured Chatwoot session cookie and internal staging hostname
test.nudgebee.pollux.in
- internal pod IPs and a VictoriaMetrics remote-write body with
cluster/karpenter labels
Replace every fixture with synthetic data (AWS's documented
AKIAIOSFODNN7EXAMPLE access key, example.com hostnames, zeroed
signatures, fully redacted tokens). The parser assertions are updated
to match; the parsing path/host/method behaviour is unchanged.
Note: the blobs remain in git history and will be purged in a separate
filter-repo pass before the repo is made public.
* chore: rebrand self-identification strings to nudgebee-node-agent
When the agent identifies itself to other systems, it now says
"nudgebee-node-agent" instead of "coroot-node-agent":
- prom/remote_writer.go: Prometheus job label and outbound User-Agent
- logs/otel.go: OpenTelemetry service name and logger name
- install.sh: SYSTEM_NAME, systemd unit Description and Documentation;
also fix the download URL to point at github.com/nudgebee/node-agent
and match the release-workflow artifact pattern
<binary>-<semver>-<arch>
- Dockerfile.alpine: binary output name and runtime image paths
- test_pods_metrics.sh: make namespace, label, and base port
configurable via env vars (with nudgebee-friendly defaults)
containers/app.go is left alone for the upstream coroot-* entries
(they let us label coroot installs running alongside us), but
nudgebee-node-agent and nudgebee-cluster-agent are added so we
self-detect cleanly.
Note: this changes the `job` label on metrics from coroot-node-agent
to nudgebee-node-agent. Downstream dashboards and alerts must be
updated accordingly; this is also recorded in CHANGELOG.md.
* chore: rename DaemonSet manifest and update image reference
Rename manifests/coroot-node-agent.yaml to nudgebee-node-agent.yaml.
Update:
- Namespace: coroot -> nudgebee
- Labels and container/DaemonSet name -> nudgebee-node-agent
- Image: ghcr.io/coroot/coroot-node-agent -> ghcr.io/nudgebee/node-agent
- Pin to :latest with imagePullPolicy: IfNotPresent
Users with existing dashboards keyed on the old labels will need
to update their selectors.
* docs: rewrite README and CONTRIBUTING for the nudgebee open-source fork
README:
- Retitle to "Nudgebee Node Agent" with upstream attribution
- Update badges to point at the new module path
- Restructure features into "inherited from upstream" and "added in
this fork", calling out LLM observability, IP-to-FQDN resolver,
enhanced L7 detection, PSI metrics, and stability work
- Replace coroot install/docs links with our k8s manifest,
install.sh, and ghcr image references (keeping links to upstream
metric documentation where we haven't yet duplicated it)
- Add Security section pointing at SECURITY.md
- Reference NOTICE and the GPL-2.0 LICENSES/ entry for eBPF
CONTRIBUTING:
- Drop the "thank you for contributing to Coroot" wording
- Document the eBPF rebuild workflow (cd ebpftracer && make build) —
the main Dockerfile only runs go build, so this is easy to miss
- List Go and Linux/library requirements explicitly
- Brief module layout overview to orient new contributors
* chore: rebrand opt-out env vars and API-key flag help text
- proc/flags.go: accept both NUDGEBEE_EBPF_PROFILING /
NUDGEBEE_LOG_MONITORING / NUDGEBEE_EBPF_TRACES (canonical going
forward) and COROOT_* (backwards compatible) on the env of
monitored processes. The COROOT_* names are a public opt-out
contract that may already be set on user workloads; recognise
both to avoid forcing a same-day migration.
- containers/container.go: update the corresponding log message to
reference the new canonical name
- flags/flags.go: rewrite the --api-key flag help text from
"Coroot API key" to "API key for the upstream collector"
* chore: add OSS community files and harden CI
Community files (.github/):
- CODEOWNERS: default reviewers; closer review for eBPF + release surface
- PULL_REQUEST_TEMPLATE.md: forces contributors to declare eBPF
regeneration, secrets-in-fixtures check, and CHANGELOG updates
- ISSUE_TEMPLATE/bug.yml: structured bug report with redaction reminder
- ISSUE_TEMPLATE/feature.yml: feature-request form
- ISSUE_TEMPLATE/config.yml: disable blank issues; route security
reports to GitHub Security Advisories, questions to Discussions
- dependabot.yml: weekly gomod + actions + docker updates, with
grouped OTel/k8s/prometheus PRs to reduce noise
CI hardening (.github/workflows/ci.yml):
- Drop the historical /containers test exclusion. The only test in
containers/ is llm_test.go, 67 lines of pure provider-detection
logic with no system deps. Linux CI builds the package today via
the binary build step, so test coverage is the only thing missing.
- Add a separate "Secret scan" job running gitleaks-action against
full history (fetch-depth: 0). Prevents the kind of credentials
we just scrubbed from being reintroduced. .gitleaks.toml allowlist
covers the AWS-documented AKIAIOSFODNN7EXAMPLE key and the
EXAMPLE_*_REDACTED placeholders used in test fixtures.
- Set explicit `permissions: contents: read` for least-privilege.
* docs: add LLM observability and IP-to-FQDN resolver feature docs
Document the two headline nudgebee-original features. Both pages
mirror the structure used by upstream coroot docs: what it does, how
detection works, what metrics/labels are emitted, sample PromQL,
known limitations.
- docs/llm-observability.md: provider matrix, the three-signal
detection pipeline (DNS cache, TLS SNI, late HTTP-header tag),
OTel-GenAI-aligned metric names, cost model from
containers/llm_pricing.go, and the HTTP/2 mid-stream-join HPACK
limitation that requires a workload restart after agent rollout.
- docs/ip-fqdn-resolver.md: Service/Pod/Node resolution order,
Workload struct fields, ephemeral-workload aggregation,
informer-cache memory optimization, and CNI-rewrite limitation.
Update README to link both docs from the "Added in this fork" and
"Metrics" sections so they are discoverable from the entry point.
Also fix the Go Report Card badge to point at the actual module
path (github.com/coroot/coroot-node-agent), since we are intentionally
keeping the upstream module identity.
* chore: address PR #248 review feedback and fix secret-scan CI
Review comments from gemini-code-assist on PR #248:
- install.sh: extend the generated uninstall script to also stop +
disable the legacy coroot-node-agent systemd unit (if present) and
remove its binary, env file, and /var/lib state. Hosts migrating
from the upstream package no longer leave stale artifacts.
- manifests/nudgebee-node-agent.yaml: add Pod Security Admission
labels (enforce, audit, warn = privileged) to the `nudgebee`
namespace. The agent requires privileged + hostPID; without these
labels the DaemonSet is rejected on clusters that enforce PSA
(Kubernetes >= 1.25).
- manifests/nudgebee-node-agent.yaml: pin to `:1` (major-version
tag, auto-updated within compatible range) instead of `:latest`.
The release workflow already publishes major / major.minor / full
semver tags; document in a comment that production users should
pin to a fully qualified tag.
CI fix:
- .github/workflows/ci.yml: replace `gitleaks/gitleaks-action@v2`
with a direct gitleaks CLI install. The action requires a paid
licence when run on org-owned repositories ("nudgebee is an
organization. License key is required."); the CLI itself is
BSD-licensed and unrestricted.
- Scope the scan to only the commits introduced by the event
(PR: base..HEAD; push: before..after), so the historical secrets
queued for the upcoming git-filter-repo pass don't keep the job
red on every run.
* ci: re-instate /containers test exclusion (NVML symbol mismatch)
I dropped this exclusion in 71b95e9 on the assumption it was
vestigial, since the only test under containers/ (llm_test.go) is
pure provider-detection logic with no system deps. The fresh CI run
on PR #248 disproved that:
/tmp/go-build*/b1595/containers.test: symbol lookup error:
/tmp/go-build*/b1595/containers.test: undefined symbol:
nvmlDeviceSetMemClkVfOffset
FAIL github.com/coroot/coroot-node-agent/containers 0.001s
containers/ transitively imports gpu/, which imports
github.com/NVIDIA/go-nvml/pkg/nvml. The bindings resolve NVML
symbols (including very recent ones like
nvmlDeviceSetMemClkVfOffset that aren't in older libnvidia-ml.so)
at process start, which aborts the test binary on a runner without
a matching NVIDIA driver before any of our actual tests get to run.
Restore `grep -v '/containers$'` so CI is green; the real fix is to
move GPU code behind a build tag (e.g. `//go:build !nognml`) so
non-GPU builds can skip the dynamic-link surface entirely. Tracking
that as a follow-up.
RamanKharchee
approved these changes
May 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rebrands the build artifacts of the fork:
Out of scope
Blast radius
This is a breaking change for any consumer that explicitly execs `coroot-node-agent` inside the container (`command:`, `args:`, healthcheck, pre-stop hook, exec probe). Anything relying on the ENTRYPOINT (no explicit command override) is unaffected. The in-repo `manifests/coroot-node-agent.yaml` uses `args:` only, so it would keep working against the new image — but it still points at upstream's GHCR.
Follow-up
After merge, the existing v0.1.0 release will be destroyed and re-cut so the asset filenames + the binary inside the image are consistent under v0.1.0:
Test plan