test: Fail Fast if docker hub rate limited (#22081)

* test addons: add rate limit check for Docker Hub in TestAddons

* move docker rate limit check to detect package

* move to helpers_test

* replace skipAddonsIfDockerHubRateLimited with FailFastDockerHubRateLimited in TestAddons

* check both lowercase and upper for headers

* increase test timeout from 7m to 10m in functional test workflow

Author: medyagh

.github/workflows/functional_test.yml

@@ -87,8 +87,8 @@ jobs:
             driver: none
             cruntime: docker
             os: ubuntu-22.04
-            test-timeout: 9m
-          - name: qemu-docker-macos-15-x86_64
+            test-timeout: 10m
+          - name: qemu-docker-macos-13-x86_64
             driver: qemu
             cruntime: docker
             os: macos-15-intel

pkg/minikube/detect/dockerhub.go

@@ -0,0 +1,137 @@
+/*
+Copyright 2024 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package detect
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+)
+
+const (
+	dockerHubAuthURL      = "https://auth.docker.io/token"
+	dockerHubRegistryURL  = "https://registry-1.docker.io"
+	dockerHubPreviewRepo  = "ratelimitpreview/test"
+	dockerHubPreviewScope = "repository:ratelimitpreview/test:pull"
+)
+
+// DockerHubRateLimitRemaining returns the remaining Docker Hub pulls for the calling IP.
+// Based on https://docs.docker.com/docker-hub/usage/pulls/#view-pull-rate-and-limit
+// calling this func will NOT reduce number of remaining pulls.
+func DockerHubRateLimitRemaining(ctx context.Context) (int, error) {
+	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	token, err := dockerHubRateLimitToken(ctx)
+	if err != nil {
+		return 0, err
+	}
+
+	client := &http.Client{Timeout: 10 * time.Second}
+	manifestURL := fmt.Sprintf("%s/v2/%s/manifests/latest", dockerHubRegistryURL, dockerHubPreviewRepo)
+	req, err := http.NewRequestWithContext(ctx, http.MethodHead, manifestURL, nil)
+	if err != nil {
+		return 0, fmt.Errorf("building rate limit request: %w", err)
+	}
+	req.Header.Set("Authorization", "Bearer "+token)
+	req.Header.Set("Accept", "application/vnd.docker.distribution.manifest.v2+json")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return 0, fmt.Errorf("querying rate limit: %w", err)
+	}
+	resp.Body.Close()
+
+	if resp.StatusCode == http.StatusTooManyRequests {
+		return 0, fmt.Errorf("docker hub rate limit exceeded (HTTP 429)")
+	}
+
+	// Go canonicalizes header keys, so both ratelimit-remaining and RateLimit-Remaining work.
+	remainingHeader := resp.Header.Get("RateLimit-Remaining")
+	if remainingHeader == "" {
+		remainingHeader = resp.Header.Get("ratelimit-remaining")
+	}
+	if remainingHeader == "" {
+		return 0, errors.New("docker hub RateLimit-Remaining header missing")
+	}
+
+	remaining, err := parseDockerHubRemaining(remainingHeader)
+	if err != nil {
+		return 0, err
+	}
+
+	return remaining, nil
+}
+
+// dockerHubRateLimitToken retrieves an authentication token from Docker Hub's authentication service.
+// for non-logged in dockers it will still return a token but with lower rate limits.
+func dockerHubRateLimitToken(ctx context.Context) (string, error) {
+	values := url.Values{}
+	values.Set("service", "registry.docker.io")
+	values.Set("scope", dockerHubPreviewScope)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, dockerHubAuthURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("building auth request: %w", err)
+	}
+	req.URL.RawQuery = values.Encode()
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("auth request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("auth request returned %d", resp.StatusCode)
+	}
+
+	var parsed struct {
+		Token string `json:"token"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&parsed); err != nil {
+		return "", fmt.Errorf("decoding auth response: %w", err)
+	}
+	if parsed.Token == "" {
+		return "", errors.New("empty token from Docker Hub auth response")
+	}
+	return parsed.Token, nil
+}
+
+// parseDockerHubRemaining extracts the remaining API rate limit count from a Docker Hub
+// RateLimit-Remaining header value.
+func parseDockerHubRemaining(headerVal string) (int, error) {
+	separators := func(r rune) bool {
+		return r == ';' || r == ','
+	}
+	for _, part := range strings.FieldsFunc(headerVal, separators) {
+		part = strings.TrimSpace(part)
+		if part == "" {
+			continue
+		}
+		if remaining, err := strconv.Atoi(part); err == nil {
+			return remaining, nil
+		}
+	}
+	return 0, fmt.Errorf("unable to find integer value in RateLimit-Remaining header %q", headerVal)
+}

pkg/minikube/detect/dockerhub_test.go

@@ -0,0 +1,68 @@
+/*
+Copyright 2024 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package detect
+
+import "testing"
+
+func TestParseDockerHubRemaining(t *testing.T) {
+	tests := []struct {
+		name       string
+		header     string
+		want       int
+		shouldFail bool
+	}{
+		{
+			name:   "ExampleFromDocs",
+			header: "100;w=21600",
+			want:   100,
+		},
+		{
+			name:   "CommaSeparated",
+			header: "5000;w=60,burst=5000",
+			want:   5000,
+		},
+		{
+			name:   "Whitespace",
+			header: " 42 ; w=60 ",
+			want:   42,
+		},
+		{
+			name:       "NoNumericValue",
+			header:     "w=21600",
+			shouldFail: true,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			got, err := parseDockerHubRemaining(tc.header)
+			if tc.shouldFail {
+				if err == nil {
+					t.Fatalf("parseDockerHubRemaining(%q) expected error, got value %d", tc.header, got)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("parseDockerHubRemaining(%q) unexpected error: %v", tc.header, err)
+			}
+			if got != tc.want {
+				t.Fatalf("parseDockerHubRemaining(%q) = %d, want %d", tc.header, got, tc.want)
+			}
+		})
+	}
+}

test/integration/addons_test.go

@@ -48,6 +48,8 @@ import (
 
 // TestAddons tests addons that require no special environment in parallel
 func TestAddons(t *testing.T) {
+	FailFastDockerHubRateLimited(t)
+
 	profile := UniqueProfileName("addons")
 	ctx, cancel := context.WithTimeout(context.Background(), Minutes(40))
 	defer Cleanup(t, profile, cancel)

test/integration/helpers_test.go

@@ -44,6 +44,7 @@ import (
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/minikube/pkg/kapi"
+	"k8s.io/minikube/pkg/minikube/detect"
 )
 
 // RunResult stores the result of an cmd.Run call
@@ -704,3 +705,17 @@ func CopyDir(src, dst string) error {
 
 	return nil
 }
+
+// FailFast proactively stops the addon suite when Docker Hub is rate limited.
+func FailFastDockerHubRateLimited(t *testing.T) {
+	t.Helper()
+	remaining, err := detect.DockerHubRateLimitRemaining(t.Context())
+	if err != nil {
+		t.Logf("unable to check Docker Hub rate limit (continuing): %v", err)
+		return
+	}
+
+	if remaining <= 0 {
+		t.Fatalf("failing fast: Docker Hub rate limit reached (remaining=%d)", remaining)
+	}
+}