feat: Handle Secret Lookup Rate Limit errors

Author: adityathebe

api/context/context.go

@@ -5,14 +5,15 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/flanksource/canary-checker/api/external"
-	v1 "github.com/flanksource/canary-checker/api/v1"
-	"github.com/flanksource/canary-checker/pkg"
 	"github.com/flanksource/duty/connection"
 	dutyCtx "github.com/flanksource/duty/context"
 	"github.com/flanksource/duty/models"
 	"github.com/flanksource/duty/types"
 	"github.com/flanksource/gomplate/v3"
+
+	"github.com/flanksource/canary-checker/api/external"
+	v1 "github.com/flanksource/canary-checker/api/v1"
+	"github.com/flanksource/canary-checker/pkg"
 )
 
 var DefaultContext dutyCtx.Context

checks/kubernetes_resource.go

@@ -200,7 +200,7 @@ func (c *KubernetesResourceChecker) Check(ctx context.Context, check v1.Kubernet
 
 			ctx = _ctx.(context.Context)
 			checkCtx := context.New(ctx.Context, virtualCanary)
-			res, err := Exec(checkCtx)
+			res, err := RunChecksNoPersistence(checkCtx)
 			if err != nil {
 				return fmt.Errorf("error executing check: %w", err)
 			} else {

checks/runchecks.go

@@ -9,20 +9,37 @@ import (
 	"time"
 
 	"github.com/flanksource/artifacts"
+	dutyCtx "github.com/flanksource/duty/context"
+	"github.com/flanksource/duty/models"
+	"github.com/google/uuid"
+	gocache "github.com/patrickmn/go-cache"
+	"golang.org/x/time/rate"
+
 	"github.com/flanksource/canary-checker/api/context"
 	"github.com/flanksource/canary-checker/api/external"
 	v1 "github.com/flanksource/canary-checker/api/v1"
 	"github.com/flanksource/canary-checker/pkg"
 	"github.com/flanksource/canary-checker/pkg/utils"
-	"github.com/flanksource/duty/models"
-	"github.com/google/uuid"
-	gocache "github.com/patrickmn/go-cache"
+)
+
+const (
+	defaultSecretLookupFailureThreshold = 50
+	defaultSecretLookupFailureWindow    = 30 * time.Minute
 )
 
 var checksCache = gocache.New(5*time.Minute, 5*time.Minute)
 
+var secretLookupRateLimiter = rate.NewLimiter(
+	rate.Limit(float64(defaultSecretLookupFailureThreshold)/defaultSecretLookupFailureWindow.Seconds()),
+	defaultSecretLookupFailureThreshold,
+)
+
 var DisabledChecks []string
 
+type RunChecksMeta struct {
+	SecretLookupRateLimitSkipped int
+}
+
 func getDisabledChecks(ctx *context.Context) (map[string]struct{}, error) {
 	if val, ok := checksCache.Get("disabledChecks"); ok {
 		return val.(map[string]struct{}), nil
@@ -150,8 +167,13 @@ func sortChecksByDependency(checks []external.Check) ([]external.Check, error) {
 	return append(unnamedChecks, sorted...), nil
 }
 
-// Exec runs the actions specified and returns the results, without saving artifacts
-func Exec(ctx *context.Context) ([]*pkg.CheckResult, error) {
+// RunChecksNoPersistence executes checks and returns transformed results without persistence side effects.
+//
+// Unlike RunChecks, it does not perform canary deletion checks, dependency ordering,
+// artifact saving, or final result post-processing (e.g. resultMode handling).
+// It exports only check spec metrics (not per-result emitted metrics) and is intended
+// for embedded execution paths (e.g. topology lookups and kubernetesResource sub-checks).
+func RunChecksNoPersistence(ctx *context.Context) ([]*pkg.CheckResult, error) {
 	var results []*pkg.CheckResult
 	disabledChecks, err := getDisabledChecks(ctx)
 	if err != nil {
@@ -174,9 +196,11 @@ func Exec(ctx *context.Context) ([]*pkg.CheckResult, error) {
 
 		result := c.Run(ctx)
 		transformedResults := TransformResults(ctx, result)
-		results = append(results, transformedResults...)
-		ExportCheckMetrics(ctx, transformedResults, false)
+		_, filteredResults := filterSecretLookupRateLimitedResults(ctx, transformedResults)
+		results = append(results, filteredResults...)
+		ExportCheckMetrics(ctx, filteredResults, false)
 	}
+
 	return results, nil
 }
 
@@ -189,23 +213,24 @@ func hasDependencies(checks []external.Check) bool {
 	return false
 }
 
-func RunChecks(ctx *context.Context) ([]*pkg.CheckResult, error) {
+func RunChecks(ctx *context.Context) ([]*pkg.CheckResult, RunChecksMeta, error) {
 	var results []*pkg.CheckResult
+	meta := RunChecksMeta{}
 	disabledChecks, err := getDisabledChecks(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("error getting disabled checks: %v", err)
+		return nil, meta, fmt.Errorf("error getting disabled checks: %v", err)
 	}
 
 	// Check if canary is not marked deleted in DB
 	if ctx.DB() != nil && ctx.Canary.GetPersistedID() != "" {
 		var deletedAt sql.NullTime
 		err := ctx.DB().Table("canaries").Select("deleted_at").Where("id = ? and deleted_at < now()", ctx.Canary.GetPersistedID()).Scan(&deletedAt).Error
 		if err != nil {
-			return nil, fmt.Errorf("error getting canary: %v", err)
+			return nil, meta, fmt.Errorf("error getting canary: %v", err)
 		}
 
 		if deletedAt.Valid {
-			return nil, nil
+			return nil, meta, nil
 		}
 	}
 
@@ -215,7 +240,7 @@ func RunChecks(ctx *context.Context) ([]*pkg.CheckResult, error) {
 	if hasDependencies(checks) {
 		sortedChecks, err := sortChecksByDependency(checks)
 		if err != nil {
-			return nil, fmt.Errorf("failed to sort checks: %v", err)
+			return nil, meta, fmt.Errorf("failed to sort checks: %v", err)
 		}
 
 		for _, check := range sortedChecks {
@@ -241,11 +266,13 @@ func RunChecks(ctx *context.Context) ([]*pkg.CheckResult, error) {
 
 			result := singleRunner.Check(ctx, check)
 			transformedResults := TransformResults(ctx, result)
-			results = append(results, transformedResults...)
-			ExportCheckMetrics(ctx, transformedResults, true)
+			skippedCount, filteredResults := filterSecretLookupRateLimitedResults(ctx, transformedResults)
+			meta.SecretLookupRateLimitSkipped += skippedCount
+			results = append(results, filteredResults...)
+			ExportCheckMetrics(ctx, filteredResults, true)
 
-			if check.GetName() != "" && len(transformedResults) > 0 && transformedResults[0].Pass {
-				ctx.SetOutput(check.GetName(), transformedResults[0])
+			if check.GetName() != "" && len(filteredResults) > 0 && filteredResults[0].Pass {
+				ctx.SetOutput(check.GetName(), filteredResults[0])
 			}
 		}
 	} else {
@@ -259,16 +286,18 @@ func RunChecks(ctx *context.Context) ([]*pkg.CheckResult, error) {
 
 			result := c.Run(ctx)
 			transformedResults := TransformResults(ctx, result)
-			results = append(results, transformedResults...)
-			ExportCheckMetrics(ctx, transformedResults, true)
+			skippedCount, filteredResults := filterSecretLookupRateLimitedResults(ctx, transformedResults)
+			meta.SecretLookupRateLimitSkipped += skippedCount
+			results = append(results, filteredResults...)
+			ExportCheckMetrics(ctx, filteredResults, true)
 		}
 	}
 
 	if err := saveArtifacts(ctx, results); err != nil {
 		ctx.Errorf("error saving artifacts: %v", err)
 	}
 
-	return ProcessResults(ctx, results), nil
+	return ProcessResults(ctx, results), meta, nil
 }
 
 func saveArtifacts(ctx *context.Context, results pkg.Results) error {
@@ -356,6 +385,48 @@ func TransformResults(ctx *context.Context, in []*pkg.CheckResult) (out []*pkg.C
 	return out
 }
 
+func isSecretLookupRateLimitResult(result *pkg.CheckResult) bool {
+	if result == nil {
+		return false
+	}
+	if dutyCtx.IsSecretLookupRateLimited(result.ErrorObject) {
+		return true
+	}
+	return strings.Contains(strings.ToLower(result.Error), strings.ToLower(dutyCtx.ErrSecretLookupRateLimited.Error()))
+}
+
+func filterSecretLookupRateLimitedResults(ctx *context.Context, in []*pkg.CheckResult) (int, []*pkg.CheckResult) {
+	if len(in) == 0 {
+		return 0, in
+	}
+
+	skipped := 0
+	out := make([]*pkg.CheckResult, 0, len(in))
+
+	for _, result := range in {
+		if !isSecretLookupRateLimitResult(result) {
+			out = append(out, result)
+			continue
+		}
+
+		if secretLookupRateLimiter.Allow() {
+			skipped++
+			ctx.Warnf("skipping check result due to secret lookup rate limiting for check=%s (threshold=%d window=%s)", result.GetName(), defaultSecretLookupFailureThreshold, defaultSecretLookupFailureWindow.Round(time.Second))
+			continue
+		}
+
+		ctx.Warnf("secret lookup rate limit threshold exceeded for check=%s (threshold=%d window=%s), recording as failure", result.GetName(), defaultSecretLookupFailureThreshold, defaultSecretLookupFailureWindow.Round(time.Second))
+		result.Invalid = false
+		result.Pass = false
+		if result.Error == "" {
+			result.Error = "secret lookup repeatedly rate limited"
+		}
+		out = append(out, result)
+	}
+
+	return skipped, out
+}
+
 func ProcessResults(ctx *context.Context, results []*pkg.CheckResult) []*pkg.CheckResult {
 	if ctx.Canary.Spec.ResultMode == "" {
 		return results

cmd/run.go

@@ -67,7 +67,7 @@ var Run = &cobra.Command{
 				go func() {
 					defer wg.Done()
 
-					res, err := checks.RunChecks(apicontext.New(apicontext.DefaultContext.WithName(_config.Name), _config))
+					res, _, err := checks.RunChecks(apicontext.New(apicontext.DefaultContext.WithName(_config.Name), _config))
 					if err != nil {
 						log.Errorf("error running checks: %v", err)
 						return

go.mod

@@ -73,6 +73,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.39.0
 	gocloud.dev v0.44.0
 	golang.org/x/sync v0.19.0
+	golang.org/x/time v0.14.0
 	google.golang.org/api v0.262.0
 	google.golang.org/genproto v0.0.0-20260126211449-d11affda4bed
 	google.golang.org/grpc v1.78.0
@@ -219,7 +220,6 @@ require (
 	github.com/go-git/go-billy/v5 v5.7.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
-	github.com/go-json-experiment/json v0.0.0-20251027170946-4849db3c2f7e // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -307,10 +307,6 @@ require (
 	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kaptinlin/go-i18n v0.2.3 // indirect
-	github.com/kaptinlin/jsonpointer v0.4.9 // indirect
-	github.com/kaptinlin/jsonschema v0.6.8 // indirect
-	github.com/kaptinlin/messageformat-go v0.4.9 // indirect
 	github.com/kennygrant/sanitize v1.2.4 // indirect
 	github.com/kevinburke/ssh_config v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.3 // indirect
@@ -446,7 +442,6 @@ require (
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/term v0.39.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect

go.sum

@@ -1092,8 +1092,6 @@ github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFS
 github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-json-experiment/json v0.0.0-20251027170946-4849db3c2f7e h1:Lf/gRkoycfOBPa42vU2bbgPurFong6zXeFtPoxholzU=
-github.com/go-json-experiment/json v0.0.0-20251027170946-4849db3c2f7e/go.mod h1:uNVvRXArCGbZ508SxYYTC5v1JWoz2voff5pm25jU1Ok=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -1514,14 +1512,6 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/kaptinlin/go-i18n v0.2.3 h1:jyN/YOXXLcnGRBLdU+a8+6782B97fWE5aQqAHtvvk8Q=
-github.com/kaptinlin/go-i18n v0.2.3/go.mod h1:O+Ax4HkMO0Jt4OaP4E4WCx0PAADeWkwk8Jgt9bjAU1w=
-github.com/kaptinlin/jsonpointer v0.4.9 h1:o//bYf4PCvnMJIIX8bIg77KB6DO3wBPAabRyPRKh680=
-github.com/kaptinlin/jsonpointer v0.4.9/go.mod h1:9y0LgXavlmVE5FSHShY5LRlURJJVhbyVJSRWkilrTqA=
-github.com/kaptinlin/jsonschema v0.6.8 h1:CZt3HxwYCCVtAj50rys6Cg4Z/TWRUMd3U/ePV5FGXkw=
-github.com/kaptinlin/jsonschema v0.6.8/go.mod h1:ZXZ4K5KrRmCCF1i6dgvBsQifl+WTb8XShKj0NpQNrz8=
-github.com/kaptinlin/messageformat-go v0.4.9 h1:FR5j5n4aL4nG0afKn9vvANrKxLu7HjmbhJnw5ogIwAQ=
-github.com/kaptinlin/messageformat-go v0.4.9/go.mod h1:qZzrGrlvWDz2KyyvN3dOWcK9PVSRV1BnfnNU+zB/RWc=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kennygrant/sanitize v1.2.4 h1:gN25/otpP5vAsO2djbMhF/LQX6R7+O1TB4yv8NzpJ3o=
 github.com/kennygrant/sanitize v1.2.4/go.mod h1:LGsjYYtgxbetdg5owWB2mpgUL6e2nfw2eObZ0u0qvak=
@@ -1737,8 +1727,6 @@ github.com/orcaman/concurrent-map/v2 v2.0.1/go.mod h1:9Eq3TG2oBe5FirmYWQfYO5iH1q
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=

pkg/api/run_now.go

@@ -49,7 +49,7 @@ func RunCanaryHandler(c echo.Context) error {
 	}
 
 	ctx := context.New(duty, *canary)
-	results, err := checks.RunChecks(ctx)
+	results, _, err := checks.RunChecks(ctx)
 	if err != nil {
 		return errorResponse(c, err, http.StatusInternalServerError)
 	}

pkg/jobs/canary/canary_jobs.go

@@ -3,6 +3,7 @@ package canary
 import (
 	"errors"
 	"fmt"
+	"math/rand"
 	"sync"
 	"time"
 
@@ -101,11 +102,15 @@ func (j CanaryJob) Run(ctx dutyjob.JobRuntime) error {
 		attribute.String("canary.namespace", j.Canary.Namespace),
 	)
 
-	results, err := checks.RunChecks(canaryCtx)
+	results, runMeta, err := checks.RunChecks(canaryCtx)
 	if err != nil {
 		return err
 	}
 
+	if runMeta.SecretLookupRateLimitSkipped > 0 {
+		maybeRescheduleAfterSecretLookupRateLimit(ctx.Context, j.DBCanary, j.Canary, runMeta.SecretLookupRateLimitSkipped)
+	}
+
 	// Get transformed checks before and after, and then delete the olds ones that are not in new set.
 	// NOTE: Webhook checks, although they are transformed, are handled entirely by the webhook caller
 	// and should not be deleted manually in here.
@@ -164,6 +169,28 @@ func (j CanaryJob) Run(ctx dutyjob.JobRuntime) error {
 	return nil
 }
 
+func maybeRescheduleAfterSecretLookupRateLimit(ctx context.Context, dbCanary pkg.Canary, canary v1.Canary, skipped int) {
+	nextRuntime, err := canary.NextRuntime(time.Now())
+	if err != nil || nextRuntime == nil {
+		ctx.Warnf("failed to compute next runtime for canary[%s/%s]: %v", canary.Namespace, canary.Name, err)
+		return
+	}
+
+	if time.Until(*nextRuntime) <= 5*time.Minute {
+		return
+	}
+
+	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
+	delay := time.Minute + time.Duration(rng.Intn(60))*time.Second
+	runAt := time.Now().Add(delay)
+	if err := TriggerAt(ctx, dbCanary, runAt); err != nil {
+		ctx.Warnf("failed to schedule earlier retry for canary[%s/%s] after %d skipped results: %v", canary.Namespace, canary.Name, skipped, err)
+		return
+	}
+
+	ctx.Infof("scheduled earlier retry for canary[%s/%s] in %s after %d secret lookup rate-limited skips", canary.Namespace, canary.Name, delay.Round(time.Second), skipped)
+}
+
 func SaveResults(ctx context.Context, results []*pkg.CheckResult) ([]string, map[string]string, error) {
 	var transformedChecksCreated []string
 	// Transformed checks have a delete strategy

pkg/jobs/canary/status.go

@@ -22,6 +22,10 @@ func UpdateCanaryStatusAndEvent(ctx context.Context, canary v1.Canary, results [
 		return
 	}
 
+	if len(results) == 0 {
+		return
+	}
+
 	// Skip function if canary is not sourced from Kubernetes CRD
 	if !strings.HasPrefix(canary.Annotations["source"], "kubernetes") {
 		return

pkg/topology/run.go

@@ -220,7 +220,7 @@ func lookup(ctx *ComponentContext, name string, spec v1.CanarySpec) ([]interface
 	// canaryCtx.Environment = ctx.
 	// canaryCtx.Logger = ctx.Logger
 
-	checkResults, err := checks.Exec(canaryCtx)
+	checkResults, err := checks.RunChecksNoPersistence(canaryCtx)
 	if err != nil {
 		return nil, err
 	}