Add capability for gradual rollout of transition mode

Author: philippta

certmagic.go

@@ -499,27 +499,3 @@ var (
 
 // Maximum size for the stack trace when recovering from panics.
 const stackTraceBufferSize = 1024 * 128
-
-const (
-	// Storage mode controls the format in which certificates are stored in `Storage`.
-	//
-	// Formats:
-	// - legacy: Store cert, privkey and meta as three separate storage items (.cert, .key, .json).
-	// - bundle: Store cert, privkey and meta as a single, bundled storage item (.bundle).
-	//
-	// Modes:
-	// - legacy:     Store and load certificates in legacy format.
-	// - transition: Store in legacy and bundle format, load as bundle with fallback to legacy format.
-	// - bundle:     Store and load certificates in bundle format.
-	//
-	// In the transition mode, failures around reads and writes of the bundle are soft.
-	// They should only log errors and try to work with the legacy format as fallback.
-	// Operations on the legacy format are hard-failures, implying that errors should be propagated up.
-	//
-	// The storage mode is controlled via the CERTMAGIC_STORAGE_MODE environment variable
-	StorageModeEnv = "CERTMAGIC_STORAGE_MODE"
-
-	StorageModeLegacy     = "legacy"
-	StorageModeTransition = "transition"
-	StorageModeBundle     = "bundle"
-)

config.go

@@ -32,7 +32,6 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"strings"
 	"time"
 
@@ -1272,7 +1271,7 @@ func (cfg *Config) checkStorage(ctx context.Context) error {
 // resources related to the certificate for domain.
 // It switches storage modes between legacy and bundle mode based on the CERTMAGIC_STORAGE_MODE env.
 func (cfg *Config) storageHasCertResources(ctx context.Context, issuer Issuer, domain string) bool {
-	switch os.Getenv(StorageModeEnv) {
+	switch StorageModeForDomain(domain) {
 	case StorageModeTransition:
 		if cfg.storageHasCertResourcesBundle(ctx, issuer, domain) {
 			return true
@@ -1313,7 +1312,7 @@ func (cfg *Config) storageHasCertResourcesBundle(ctx context.Context, issuer Iss
 // issuer with the given issuer key.
 // It switches storage modes between legacy and bundle mode based on the CERTMAGIC_STORAGE_MODE env.
 func (cfg *Config) deleteSiteAssets(ctx context.Context, issuerKey, domain string) error {
-	switch os.Getenv(StorageModeEnv) {
+	switch StorageModeForDomain(domain) {
 	case StorageModeTransition:
 		if err := cfg.deleteSiteAssetsBundle(ctx, issuerKey, domain); err != nil {
 			cfg.Logger.Warn("unable to delete certificate resource bundle",

config_test.go

@@ -158,7 +158,7 @@ func mustJSON(val any) []byte {
 // testStorageModeSetup creates a test config with the specified storage mode
 func testStorageModeSetup(t *testing.T, mode, storagePath string) (*Config, *ACMEIssuer) {
 	t.Helper()
-	t.Setenv(StorageModeEnv, mode)
+	ConfigureStorageMode(mode, 100)
 
 	am := &ACMEIssuer{CA: "https://example.com/acme/directory"}
 	cfg := &Config{
@@ -291,7 +291,7 @@ func TestStorageModeTransitionFallback(t *testing.T) {
 	cert := makeCertResource(am, domain, true)
 
 	// Save in legacy mode to simulate existing data
-	os.Setenv(StorageModeEnv, StorageModeLegacy)
+	ConfigureStorageMode(StorageModeLegacy, 0)
 	if err := cfg.saveCertResource(ctx, am, cert); err != nil {
 		t.Fatalf("Failed to save cert in legacy mode: %v", err)
 	}
@@ -301,7 +301,7 @@ func TestStorageModeTransitionFallback(t *testing.T) {
 	assertFileNotExists(t, ctx, cfg.Storage, StorageKeys.SiteBundle(issuerKey, domain))
 
 	// Switch to transition mode and verify fallback to legacy works
-	os.Setenv(StorageModeEnv, StorageModeTransition)
+	ConfigureStorageMode(StorageModeTransition, 100)
 	loaded, err := cfg.loadCertResource(ctx, am, domain)
 	if err != nil {
 		t.Fatalf("Failed to load cert in transition mode with fallback: %v", err)

crypto.go

@@ -30,7 +30,6 @@ import (
 	"fmt"
 	"hash/fnv"
 	"io/fs"
-	"os"
 	"sort"
 	"strings"
 
@@ -144,7 +143,7 @@ func fastHash(input []byte) string {
 // saveCertResource saves the certificate resource to disk.
 // It switches storage modes between legacy and bundle mode based on the CERTMAGIC_STORAGE_MODE env.
 func (cfg *Config) saveCertResource(ctx context.Context, issuer Issuer, cert CertificateResource) error {
-	switch os.Getenv(StorageModeEnv) {
+	switch StorageModeForDomain(cert.NamesKey()) {
 	case StorageModeTransition:
 		if err := cfg.saveCertResourceBundle(ctx, issuer, cert); err != nil {
 			cfg.Logger.Warn("unable to store certificate resource bundle",
@@ -274,7 +273,7 @@ func (cfg *Config) loadCertResourceAnyIssuer(ctx context.Context, certNamesKey s
 // loadCertResource loads a certificate resource from the given issuer's storage location.
 // It switches storage modes between legacy and bundle mode based on the CERTMAGIC_STORAGE_MODE env.
 func (cfg *Config) loadCertResource(ctx context.Context, issuer Issuer, certNamesKey string) (CertificateResource, error) {
-	switch os.Getenv(StorageModeEnv) {
+	switch StorageModeForDomain(certNamesKey) {
 	case StorageModeTransition:
 		certRes, err := cfg.loadCertResourceBundle(ctx, issuer, certNamesKey)
 		if err == nil {

maintain.go

@@ -22,7 +22,6 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
-	"os"
 	"path"
 	"runtime"
 	"strings"
@@ -431,7 +430,7 @@ func (cfg *Config) storageHasNewerARI(ctx context.Context, cert Certificate) (bo
 // loadStoredACMECertificateMetadata loads the stored ACME certificate data.
 // It switches storage modes between legacy and bundle mode based on the CERTMAGIC_STORAGE_MODE env.
 func (cfg *Config) loadStoredACMECertificateMetadata(ctx context.Context, cert Certificate) (acme.Certificate, error) {
-	switch os.Getenv(StorageModeEnv) {
+	switch StorageModeForDomain(cert.Names[0]) {
 	case StorageModeTransition:
 		acmecert, err := cfg.loadStoredACMECertificateMetadataBundle(ctx, cert)
 		if err == nil {
@@ -496,7 +495,7 @@ func (cfg *Config) loadStoredACMECertificateMetadataBundle(ctx context.Context,
 // NeedsRefresh() on the RenewalInfo first, and only call this if that returns true.
 // It switches storage modes between legacy and bundle mode based on the CERTMAGIC_STORAGE_MODE env.
 func (cfg *Config) updateARI(ctx context.Context, cert Certificate, logger *zap.Logger) (updatedCert Certificate, changed bool, err error) {
-	switch os.Getenv(StorageModeEnv) {
+	switch StorageModeForDomain(cert.Names[0]) {
 	case StorageModeTransition:
 		updatedCert, changed, err = cfg.updateARILegacy(ctx, cert, logger)
 		if err == nil {
@@ -1046,7 +1045,7 @@ func deleteOldOCSPStaples(ctx context.Context, storage Storage, logger *zap.Logg
 }
 
 func deleteExpiredCerts(ctx context.Context, storage Storage, logger *zap.Logger, gracePeriod time.Duration) error {
-	switch os.Getenv(StorageModeEnv) {
+	switch StorageMode {
 	case StorageModeTransition:
 		if err := deleteExpiredCertsBundle(ctx, storage, logger, gracePeriod); err != nil {
 			logger.Warn("unable to delete expired certs from bundle",
@@ -1321,7 +1320,7 @@ func (cfg *Config) moveCompromisedPrivateKey(ctx context.Context, cert Certifica
 	// Delete the storage containing the compromised key based on storage mode.
 	// We intentionally ignore delete errors since the file might not exist,
 	// and we avoid calling .Exists() before .Delete() to minimize storage roundtrips.
-	switch os.Getenv(StorageModeEnv) {
+	switch StorageModeForDomain(cert.Names[0]) {
 	case StorageModeTransition:
 		cfg.Storage.Delete(ctx, bundleKey)
 		cfg.Storage.Delete(ctx, privKeyStorageKey)

storagemode.go

@@ -0,0 +1,85 @@
+package certmagic
+
+import (
+	"hash/fnv"
+	"os"
+	"strconv"
+)
+
+const (
+	// Storage mode controls the format in which certificates are stored in `Storage`.
+	//
+	// Formats:
+	// - legacy: Store cert, privkey and meta as three separate storage items (.cert, .key, .json).
+	// - bundle: Store cert, privkey and meta as a single, bundled storage item (.bundle).
+	//
+	// Modes:
+	// - legacy:     Store and load certificates in legacy format.
+	// - transition: Store in legacy and bundle format, load as bundle with fallback to legacy format.
+	// - bundle:      Store and load certificates in bundle format.
+	//
+	// In the transition mode, failures around reads and writes of the bundle are soft.
+	// They should only log errors and try to work with the legacy format as fallback.
+	// Operations on the legacy format are hard-failures, implying that errors should be propagated up.
+	//
+	// The rollout percentage enables a phased migration by controlling which domains
+	// enter the transition phase. If a domain's deterministic bucket (0-99) is below
+	// the rollout percentage, it uses 'transition' mode (dual-write, bundle-read).
+	// Otherwise, it remains in 'legacy' mode.
+	//
+	// The logic for selection is:
+	//   if mode == StorageModeTransition:
+	//       useTransition = hash(domain)%100 < rollout
+	//       return useTransition ? StorageModeTransition : StorageModeLegacy
+	//
+	// The storage mode is controlled via the CERTMAGIC_STORAGE_MODE environment variable
+	StorageModeEnv = "CERTMAGIC_STORAGE_MODE"
+
+	StorageModeLegacy     = "legacy"
+	StorageModeTransition = "transition"
+	StorageModeBundle     = "bundle"
+
+	// StorageModeRolloutPercentEnv controls the percentage of domains that will use
+	// the bundle format when the storage mode is set to "transition".
+	// An empty rollout precent is equal to 0%.
+	StorageModeRolloutPercentEnv = "CERTMAGIC_STORAGE_MODE_ROLLOUT_PERCENT"
+)
+
+var (
+	StorageMode               string
+	StorageModeRolloutPercent int
+)
+
+func ConfigureStorageMode(mode string, rolloutPercent int) {
+	StorageMode = mode
+	StorageModeRolloutPercent = rolloutPercent
+}
+
+func init() {
+	mode := os.Getenv(StorageModeEnv)
+
+	// rolloutPercent becomes zero if env is unset or malformed
+	rolloutPercent, _ := strconv.Atoi(os.Getenv(StorageModeRolloutPercentEnv))
+
+	ConfigureStorageMode(mode, rolloutPercent)
+}
+
+func StorageModeForDomain(domain string) string {
+	if StorageMode == StorageModeBundle {
+		return StorageModeBundle
+	}
+	if StorageMode != StorageModeTransition {
+		return StorageModeLegacy
+	}
+	if RolloutBucketForDomain(domain) < StorageModeRolloutPercent {
+		return StorageModeTransition
+	} else {
+		return StorageModeLegacy
+	}
+}
+
+func RolloutBucketForDomain(domain string) int {
+	h := fnv.New32a()
+	h.Write([]byte(domain))
+	return int(h.Sum32() % 100)
+}