Open-source readiness: legal, branding, docs, CI, community files#248
Merged
blue4209211 merged 10 commits intoMay 22, 2026
Merged
Conversation
Add the project metadata required for an Apache-2 OSS release derived from coroot/coroot-node-agent: - NOTICE: attribution to upstream coroot/coroot-node-agent and declaration that eBPF C code is GPL-2.0 - SECURITY.md: private disclosure policy - CODE_OF_CONDUCT.md: Contributor Covenant 2.1 - CHANGELOG.md: keep-a-changelog seed - LICENSES/GPL-2.0.txt: full GPL-2.0 text (eBPF probes) Replace the two-line .gitignore with a real Go ignore covering build artifacts, profiles, IDE state, and eBPF objects. Remove two binaries accidentally committed to the repo root: heap.prof (a stray pprof dump) and github-labeler-0.0.2 (an unrelated third-party tool, 18.6 MB). The blobs remain in history and will be purged in a separate filter-repo pass before the repo is made public.
The HTTP test fixtures in ebpftracer/l7/l7_test.go were captured from
live production traffic and contained:
- real (now-expired) AWS STS session credentials with our account ID
280501305789 embedded in the security-token blob
- a real Kubernetes ServiceAccount JWT that exposed our EKS cluster
OIDC issuer ID and the nudgebee-agent service-account name
- a real S3 path referencing internal bucket nudgebee-dev-loki-logs
- a captured Chatwoot session cookie and internal staging hostname
test.nudgebee.pollux.in
- internal pod IPs and a VictoriaMetrics remote-write body with
cluster/karpenter labels
Replace every fixture with synthetic data (AWS's documented
AKIAIOSFODNN7EXAMPLE access key, example.com hostnames, zeroed
signatures, fully redacted tokens). The parser assertions are updated
to match; the parsing path/host/method behaviour is unchanged.
Note: the blobs remain in git history and will be purged in a separate
filter-repo pass before the repo is made public.
When the agent identifies itself to other systems, it now says
"nudgebee-node-agent" instead of "coroot-node-agent":
- prom/remote_writer.go: Prometheus job label and outbound User-Agent
- logs/otel.go: OpenTelemetry service name and logger name
- install.sh: SYSTEM_NAME, systemd unit Description and Documentation;
also fix the download URL to point at github.com/nudgebee/node-agent
and match the release-workflow artifact pattern
<binary>-<semver>-<arch>
- Dockerfile.alpine: binary output name and runtime image paths
- test_pods_metrics.sh: make namespace, label, and base port
configurable via env vars (with nudgebee-friendly defaults)
containers/app.go is left alone for the upstream coroot-* entries
(they let us label coroot installs running alongside us), but
nudgebee-node-agent and nudgebee-cluster-agent are added so we
self-detect cleanly.
Note: this changes the `job` label on metrics from coroot-node-agent
to nudgebee-node-agent. Downstream dashboards and alerts must be
updated accordingly; this is also recorded in CHANGELOG.md.
Rename manifests/coroot-node-agent.yaml to nudgebee-node-agent.yaml. Update: - Namespace: coroot -> nudgebee - Labels and container/DaemonSet name -> nudgebee-node-agent - Image: ghcr.io/coroot/coroot-node-agent -> ghcr.io/nudgebee/node-agent - Pin to :latest with imagePullPolicy: IfNotPresent Users with existing dashboards keyed on the old labels will need to update their selectors.
README:
- Retitle to "Nudgebee Node Agent" with upstream attribution
- Update badges to point at the new module path
- Restructure features into "inherited from upstream" and "added in
this fork", calling out LLM observability, IP-to-FQDN resolver,
enhanced L7 detection, PSI metrics, and stability work
- Replace coroot install/docs links with our k8s manifest,
install.sh, and ghcr image references (keeping links to upstream
metric documentation where we haven't yet duplicated it)
- Add Security section pointing at SECURITY.md
- Reference NOTICE and the GPL-2.0 LICENSES/ entry for eBPF
CONTRIBUTING:
- Drop the "thank you for contributing to Coroot" wording
- Document the eBPF rebuild workflow (cd ebpftracer && make build) —
the main Dockerfile only runs go build, so this is easy to miss
- List Go and Linux/library requirements explicitly
- Brief module layout overview to orient new contributors
There was a problem hiding this comment.
Code Review
This pull request transforms the repository into the Nudgebee Node Agent, a fork of the Coroot node agent. Key enhancements include an LLM observability pipeline for monitoring AI API traffic, an IP-to-FQDN resolver for network flow enrichment, and support for Pressure Stall Information (PSI) metrics. The PR also updates the project's branding, documentation, and installation scripts. Reviewer feedback highlights opportunities to improve the uninstallation process by cleaning up legacy files, enhance security by adding Pod Security Admission labels to the Kubernetes namespace, and improve deployment reliability by avoiding the ":latest" image tag.
- proc/flags.go: accept both NUDGEBEE_EBPF_PROFILING /
NUDGEBEE_LOG_MONITORING / NUDGEBEE_EBPF_TRACES (canonical going
forward) and COROOT_* (backwards compatible) on the env of
monitored processes. The COROOT_* names are a public opt-out
contract that may already be set on user workloads; recognise
both to avoid forcing a same-day migration.
- containers/container.go: update the corresponding log message to
reference the new canonical name
- flags/flags.go: rewrite the --api-key flag help text from
"Coroot API key" to "API key for the upstream collector"
Community files (.github/):
- CODEOWNERS: default reviewers; closer review for eBPF + release surface
- PULL_REQUEST_TEMPLATE.md: forces contributors to declare eBPF
regeneration, secrets-in-fixtures check, and CHANGELOG updates
- ISSUE_TEMPLATE/bug.yml: structured bug report with redaction reminder
- ISSUE_TEMPLATE/feature.yml: feature-request form
- ISSUE_TEMPLATE/config.yml: disable blank issues; route security
reports to GitHub Security Advisories, questions to Discussions
- dependabot.yml: weekly gomod + actions + docker updates, with
grouped OTel/k8s/prometheus PRs to reduce noise
CI hardening (.github/workflows/ci.yml):
- Drop the historical /containers test exclusion. The only test in
containers/ is llm_test.go, 67 lines of pure provider-detection
logic with no system deps. Linux CI builds the package today via
the binary build step, so test coverage is the only thing missing.
- Add a separate "Secret scan" job running gitleaks-action against
full history (fetch-depth: 0). Prevents the kind of credentials
we just scrubbed from being reintroduced. .gitleaks.toml allowlist
covers the AWS-documented AKIAIOSFODNN7EXAMPLE key and the
EXAMPLE_*_REDACTED placeholders used in test fixtures.
- Set explicit `permissions: contents: read` for least-privilege.
Document the two headline nudgebee-original features. Both pages
mirror the structure used by upstream coroot docs: what it does, how
detection works, what metrics/labels are emitted, sample PromQL,
known limitations.
- docs/llm-observability.md: provider matrix, the three-signal
detection pipeline (DNS cache, TLS SNI, late HTTP-header tag),
OTel-GenAI-aligned metric names, cost model from
containers/llm_pricing.go, and the HTTP/2 mid-stream-join HPACK
limitation that requires a workload restart after agent rollout.
- docs/ip-fqdn-resolver.md: Service/Pod/Node resolution order,
Workload struct fields, ephemeral-workload aggregation,
informer-cache memory optimization, and CNI-rewrite limitation.
Update README to link both docs from the "Added in this fork" and
"Metrics" sections so they are discoverable from the entry point.
Also fix the Go Report Card badge to point at the actual module
path (github.com/coroot/coroot-node-agent), since we are intentionally
keeping the upstream module identity.
d3cfe2e to
6ff5c21
Compare
Review comments from gemini-code-assist on PR #248: - install.sh: extend the generated uninstall script to also stop + disable the legacy coroot-node-agent systemd unit (if present) and remove its binary, env file, and /var/lib state. Hosts migrating from the upstream package no longer leave stale artifacts. - manifests/nudgebee-node-agent.yaml: add Pod Security Admission labels (enforce, audit, warn = privileged) to the `nudgebee` namespace. The agent requires privileged + hostPID; without these labels the DaemonSet is rejected on clusters that enforce PSA (Kubernetes >= 1.25). - manifests/nudgebee-node-agent.yaml: pin to `:1` (major-version tag, auto-updated within compatible range) instead of `:latest`. The release workflow already publishes major / major.minor / full semver tags; document in a comment that production users should pin to a fully qualified tag. CI fix: - .github/workflows/ci.yml: replace `gitleaks/gitleaks-action@v2` with a direct gitleaks CLI install. The action requires a paid licence when run on org-owned repositories ("nudgebee is an organization. License key is required."); the CLI itself is BSD-licensed and unrestricted. - Scope the scan to only the commits introduced by the event (PR: base..HEAD; push: before..after), so the historical secrets queued for the upcoming git-filter-repo pass don't keep the job red on every run.
I dropped this exclusion in 71b95e9 on the assumption it was vestigial, since the only test under containers/ (llm_test.go) is pure provider-detection logic with no system deps. The fresh CI run on PR #248 disproved that: /tmp/go-build*/b1595/containers.test: symbol lookup error: /tmp/go-build*/b1595/containers.test: undefined symbol: nvmlDeviceSetMemClkVfOffset FAIL github.com/coroot/coroot-node-agent/containers 0.001s containers/ transitively imports gpu/, which imports github.com/NVIDIA/go-nvml/pkg/nvml. The bindings resolve NVML symbols (including very recent ones like nvmlDeviceSetMemClkVfOffset that aren't in older libnvidia-ml.so) at process start, which aborts the test binary on a runner without a matching NVIDIA driver before any of our actual tests get to run. Restore `grep -v '/containers$'` so CI is green; the real fix is to move GPU code behind a build tag (e.g. `//go:build !nognml`) so non-GPU builds can skip the dynamic-link surface entirely. Tracking that as a follow-up.
blue4209211
approved these changes
May 22, 2026
mayankpande88
added a commit
that referenced
this pull request
May 25, 2026
…nt (#247) * chore: rename release artifacts and image binary to nudgebee-node-agent - Dockerfile: build output, COPY destination, and ENTRYPOINT renamed from coroot-node-agent to nudgebee-node-agent. - release.yml: extract from /usr/bin/nudgebee-node-agent and publish release assets as nudgebee-node-agent-<version>-<arch>. Go module path (github.com/coroot/coroot-node-agent) and the ldflags version-injection path are unchanged — module rename is a separate refactor. Breaking change for any consumer that explicitly execs 'coroot-node-agent' as a container command/args/healthcheck, but our in-repo manifests/coroot-node-agent.yaml uses args-only so the ENTRYPOINT swap is transparent there. install.sh and the sample manifest still point at upstream releases/images and are not used by nudgebee container deploys; flagged for separate cleanup. * chore: apply review feedback on rename PR - flags/flags.go: WalDir default /tmp/coroot-node-agent -> /tmp/nudgebee-node-agent so the default spool directory matches the rebrand. /tmp doesn't survive reboots, so no migration concern; --wal-dir / WAL_DIR overrides are unaffected. - Dockerfile: ENTRYPOINT uses the absolute path /usr/bin/nudgebee-node-agent to drop the implicit PATH dependency. * Open-source readiness: legal, branding, docs, CI, community files (#248) * chore: add open-source governance files and clean repo hygiene Add the project metadata required for an Apache-2 OSS release derived from coroot/coroot-node-agent: - NOTICE: attribution to upstream coroot/coroot-node-agent and declaration that eBPF C code is GPL-2.0 - SECURITY.md: private disclosure policy - CODE_OF_CONDUCT.md: Contributor Covenant 2.1 - CHANGELOG.md: keep-a-changelog seed - LICENSES/GPL-2.0.txt: full GPL-2.0 text (eBPF probes) Replace the two-line .gitignore with a real Go ignore covering build artifacts, profiles, IDE state, and eBPF objects. Remove two binaries accidentally committed to the repo root: heap.prof (a stray pprof dump) and github-labeler-0.0.2 (an unrelated third-party tool, 18.6 MB). The blobs remain in history and will be purged in a separate filter-repo pass before the repo is made public. * test: scrub real credentials and internal identifiers from L7 fixtures The HTTP test fixtures in ebpftracer/l7/l7_test.go were captured from live production traffic and contained: - real (now-expired) AWS STS session credentials with our account ID 280501305789 embedded in the security-token blob - a real Kubernetes ServiceAccount JWT that exposed our EKS cluster OIDC issuer ID and the nudgebee-agent service-account name - a real S3 path referencing internal bucket nudgebee-dev-loki-logs - a captured Chatwoot session cookie and internal staging hostname test.nudgebee.pollux.in - internal pod IPs and a VictoriaMetrics remote-write body with cluster/karpenter labels Replace every fixture with synthetic data (AWS's documented AKIAIOSFODNN7EXAMPLE access key, example.com hostnames, zeroed signatures, fully redacted tokens). The parser assertions are updated to match; the parsing path/host/method behaviour is unchanged. Note: the blobs remain in git history and will be purged in a separate filter-repo pass before the repo is made public. * chore: rebrand self-identification strings to nudgebee-node-agent When the agent identifies itself to other systems, it now says "nudgebee-node-agent" instead of "coroot-node-agent": - prom/remote_writer.go: Prometheus job label and outbound User-Agent - logs/otel.go: OpenTelemetry service name and logger name - install.sh: SYSTEM_NAME, systemd unit Description and Documentation; also fix the download URL to point at github.com/nudgebee/node-agent and match the release-workflow artifact pattern <binary>-<semver>-<arch> - Dockerfile.alpine: binary output name and runtime image paths - test_pods_metrics.sh: make namespace, label, and base port configurable via env vars (with nudgebee-friendly defaults) containers/app.go is left alone for the upstream coroot-* entries (they let us label coroot installs running alongside us), but nudgebee-node-agent and nudgebee-cluster-agent are added so we self-detect cleanly. Note: this changes the `job` label on metrics from coroot-node-agent to nudgebee-node-agent. Downstream dashboards and alerts must be updated accordingly; this is also recorded in CHANGELOG.md. * chore: rename DaemonSet manifest and update image reference Rename manifests/coroot-node-agent.yaml to nudgebee-node-agent.yaml. Update: - Namespace: coroot -> nudgebee - Labels and container/DaemonSet name -> nudgebee-node-agent - Image: ghcr.io/coroot/coroot-node-agent -> ghcr.io/nudgebee/node-agent - Pin to :latest with imagePullPolicy: IfNotPresent Users with existing dashboards keyed on the old labels will need to update their selectors. * docs: rewrite README and CONTRIBUTING for the nudgebee open-source fork README: - Retitle to "Nudgebee Node Agent" with upstream attribution - Update badges to point at the new module path - Restructure features into "inherited from upstream" and "added in this fork", calling out LLM observability, IP-to-FQDN resolver, enhanced L7 detection, PSI metrics, and stability work - Replace coroot install/docs links with our k8s manifest, install.sh, and ghcr image references (keeping links to upstream metric documentation where we haven't yet duplicated it) - Add Security section pointing at SECURITY.md - Reference NOTICE and the GPL-2.0 LICENSES/ entry for eBPF CONTRIBUTING: - Drop the "thank you for contributing to Coroot" wording - Document the eBPF rebuild workflow (cd ebpftracer && make build) — the main Dockerfile only runs go build, so this is easy to miss - List Go and Linux/library requirements explicitly - Brief module layout overview to orient new contributors * chore: rebrand opt-out env vars and API-key flag help text - proc/flags.go: accept both NUDGEBEE_EBPF_PROFILING / NUDGEBEE_LOG_MONITORING / NUDGEBEE_EBPF_TRACES (canonical going forward) and COROOT_* (backwards compatible) on the env of monitored processes. The COROOT_* names are a public opt-out contract that may already be set on user workloads; recognise both to avoid forcing a same-day migration. - containers/container.go: update the corresponding log message to reference the new canonical name - flags/flags.go: rewrite the --api-key flag help text from "Coroot API key" to "API key for the upstream collector" * chore: add OSS community files and harden CI Community files (.github/): - CODEOWNERS: default reviewers; closer review for eBPF + release surface - PULL_REQUEST_TEMPLATE.md: forces contributors to declare eBPF regeneration, secrets-in-fixtures check, and CHANGELOG updates - ISSUE_TEMPLATE/bug.yml: structured bug report with redaction reminder - ISSUE_TEMPLATE/feature.yml: feature-request form - ISSUE_TEMPLATE/config.yml: disable blank issues; route security reports to GitHub Security Advisories, questions to Discussions - dependabot.yml: weekly gomod + actions + docker updates, with grouped OTel/k8s/prometheus PRs to reduce noise CI hardening (.github/workflows/ci.yml): - Drop the historical /containers test exclusion. The only test in containers/ is llm_test.go, 67 lines of pure provider-detection logic with no system deps. Linux CI builds the package today via the binary build step, so test coverage is the only thing missing. - Add a separate "Secret scan" job running gitleaks-action against full history (fetch-depth: 0). Prevents the kind of credentials we just scrubbed from being reintroduced. .gitleaks.toml allowlist covers the AWS-documented AKIAIOSFODNN7EXAMPLE key and the EXAMPLE_*_REDACTED placeholders used in test fixtures. - Set explicit `permissions: contents: read` for least-privilege. * docs: add LLM observability and IP-to-FQDN resolver feature docs Document the two headline nudgebee-original features. Both pages mirror the structure used by upstream coroot docs: what it does, how detection works, what metrics/labels are emitted, sample PromQL, known limitations. - docs/llm-observability.md: provider matrix, the three-signal detection pipeline (DNS cache, TLS SNI, late HTTP-header tag), OTel-GenAI-aligned metric names, cost model from containers/llm_pricing.go, and the HTTP/2 mid-stream-join HPACK limitation that requires a workload restart after agent rollout. - docs/ip-fqdn-resolver.md: Service/Pod/Node resolution order, Workload struct fields, ephemeral-workload aggregation, informer-cache memory optimization, and CNI-rewrite limitation. Update README to link both docs from the "Added in this fork" and "Metrics" sections so they are discoverable from the entry point. Also fix the Go Report Card badge to point at the actual module path (github.com/coroot/coroot-node-agent), since we are intentionally keeping the upstream module identity. * chore: address PR #248 review feedback and fix secret-scan CI Review comments from gemini-code-assist on PR #248: - install.sh: extend the generated uninstall script to also stop + disable the legacy coroot-node-agent systemd unit (if present) and remove its binary, env file, and /var/lib state. Hosts migrating from the upstream package no longer leave stale artifacts. - manifests/nudgebee-node-agent.yaml: add Pod Security Admission labels (enforce, audit, warn = privileged) to the `nudgebee` namespace. The agent requires privileged + hostPID; without these labels the DaemonSet is rejected on clusters that enforce PSA (Kubernetes >= 1.25). - manifests/nudgebee-node-agent.yaml: pin to `:1` (major-version tag, auto-updated within compatible range) instead of `:latest`. The release workflow already publishes major / major.minor / full semver tags; document in a comment that production users should pin to a fully qualified tag. CI fix: - .github/workflows/ci.yml: replace `gitleaks/gitleaks-action@v2` with a direct gitleaks CLI install. The action requires a paid licence when run on org-owned repositories ("nudgebee is an organization. License key is required."); the CLI itself is BSD-licensed and unrestricted. - Scope the scan to only the commits introduced by the event (PR: base..HEAD; push: before..after), so the historical secrets queued for the upcoming git-filter-repo pass don't keep the job red on every run. * ci: re-instate /containers test exclusion (NVML symbol mismatch) I dropped this exclusion in 71b95e9 on the assumption it was vestigial, since the only test under containers/ (llm_test.go) is pure provider-detection logic with no system deps. The fresh CI run on PR #248 disproved that: /tmp/go-build*/b1595/containers.test: symbol lookup error: /tmp/go-build*/b1595/containers.test: undefined symbol: nvmlDeviceSetMemClkVfOffset FAIL github.com/coroot/coroot-node-agent/containers 0.001s containers/ transitively imports gpu/, which imports github.com/NVIDIA/go-nvml/pkg/nvml. The bindings resolve NVML symbols (including very recent ones like nvmlDeviceSetMemClkVfOffset that aren't in older libnvidia-ml.so) at process start, which aborts the test binary on a runner without a matching NVIDIA driver before any of our actual tests get to run. Restore `grep -v '/containers$'` so CI is green; the real fix is to move GPU code behind a build tag (e.g. `//go:build !nognml`) so non-GPU builds can skip the dynamic-link surface entirely. Tracking that as a follow-up.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stacked on top of #247 (chore/rename-binary-to-nudgebee). After #247
merges, GitHub will auto-rebase this PR onto main.
Summary
Prepares the repo to be made public as an Apache-2.0 fork of
coroot/coroot-node-agent.
8 focused commits, grouped so reviewers can step through one concern
at a time:
baefecb.gitignore; drop stray binariesheap.prof+github-labeler-0.0.2ec667bbebpftracer/l7/l7_test.gofixturesb9c5508joblabel, User-Agent, OTel service, systemd unit, install.sh) — Go module path intentionally kept asgithub.com/coroot/coroot-node-agent56c03e725bb8fc4c24e3cNUDGEBEE_*opt-out env vars canonical; keepCOROOT_*for back-compatf9d9a4d.github/community files (CODEOWNERS, PR/issue templates, dependabot) + CI gitleaks job + drop historical/containerstest exclusion6ff5c21docs/llm-observability.md+docs/ip-fqdn-resolver.mdKey decisions
github.com/coroot/coroot-node-agent.We ship as a Docker image / manifest, not as a Go library, so
go installagainst our repo URL is not a supported user journey.Keeping the upstream path minimises rebase friction against
upstream forever.
char _license[] SEC("license") = "GPL";declaration inebpftracer/ebpf/ebpf.c(what the kernel verifier actuallychecks) plus the project-level
NOTICEandREADMEdeclarationsare sufficient. Per-file SPDX would only matter for REUSE
compliance / per-file license scanners, neither of which we
pursue today, and would add rebase friction against upstream
forever.
containers/app.gostillrecognises
coroot,coroot-ee,coroot-cluster-agent,coroot-operator; nudgebee equivalents are added on top.ebpftracer/l7/l7_test.gocontained a real AWS account ID, EKSOIDC cluster ID, AWS STS session credentials, a K8s ServiceAccount
JWT, a Chatwoot session cookie, and our staging hostname. Replaced
with
AKIAIOSFODNN7EXAMPLE,example.com, redaction placeholders.Parser assertions updated to match; behaviour unchanged.
NUDGEBEE_*env vars are canonical,COROOT_*still works.Operators that have already set
COROOT_LOG_MONITORING=disabledon their pods don't have to migrate same-day.
Still pending before flipping the repo public
scrubbed secret strings and the
heap.prof/github-labeler-0.0.2blobs are still in commit history.
git filter-repowill purgethem in a separate force-push to main; that step rewrites every
commit SHA and cannot be reviewed as a PR.
Discussions, Dependabot security alerts + secret scanning + CodeQL.
current tag stream, or reset to
v1.0.0).security@nudgebee.comis monitored.Test plan
gofmt -l .cleangoimports -l .cleango vet ./...(darwin:pinger/sdjournal/cilium-bpfare Linux-only and don't build, expected)
go test ./common/ ./ebpftracer/l7/ ./flags/passdocker buildsucceeds for amd64/arm64go test ./...,build, gitleaks)
:80/metrics, verifyjob="nudgebee-node-agent"label