(Multiple) Floating IP Support

Cargo.toml

@@ -260,15 +260,15 @@ omicron-sled-agent = { path = "sled-agent" }
 omicron-test-utils = { path = "test-utils" }
 omicron-zone-package = "0.9.1"
 oxide-client = { path = "clients/oxide-client" }
-oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "258a8b59902dd36fc7ee5425e6b1fb5fc80d4649", features = [ "api", "std" ] }
+oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "d508dcd12cbfeb8b948c0cffe800899046322233", features = [ "api", "std" ] }
 once_cell = "1.18.0"
 openapi-lint = { git = "https://github.com/oxidecomputer/openapi-lint", branch = "main" }
 openapiv3 = "1.0"
 # must match samael's crate!
 openssl = "0.10"
 openssl-sys = "0.9"
 openssl-probe = "0.1.5"
-opte-ioctl = { git = "https://github.com/oxidecomputer/opte", rev = "258a8b59902dd36fc7ee5425e6b1fb5fc80d4649" }
+opte-ioctl = { git = "https://github.com/oxidecomputer/opte", rev = "d508dcd12cbfeb8b948c0cffe800899046322233" }
 oso = "0.27"
 owo-colors = "3.5.0"
 oximeter = { path = "oximeter/oximeter" }

common/src/api/external/mod.rs

@@ -751,6 +751,7 @@ pub enum ResourceType {
     Zpool,
     Vmm,
     Ipv4NatEntry,
+    FloatingIp,
 }
 
 // IDENTITY METADATA

illumos-utils/src/opte/port_manager.rs

@@ -20,6 +20,7 @@ use omicron_common::api::internal::shared::NetworkInterfaceKind;
 use omicron_common::api::internal::shared::SourceNatConfig;
 use oxide_vpc::api::AddRouterEntryReq;
 use oxide_vpc::api::DhcpCfg;
+use oxide_vpc::api::ExternalIpCfg;
 use oxide_vpc::api::IpCfg;
 use oxide_vpc::api::IpCidr;
 use oxide_vpc::api::Ipv4Cfg;
@@ -99,7 +100,8 @@ impl PortManager {
         &self,
         nic: &NetworkInterface,
         source_nat: Option<SourceNatConfig>,
-        external_ips: &[IpAddr],
+        ephemeral_ip: Option<IpAddr>,
+        floating_ips: &[IpAddr],
         firewall_rules: &[VpcFirewallRule],
         dhcp_config: DhcpCfg,
     ) -> Result<(Port, PortTicket), Error> {
@@ -111,13 +113,6 @@ impl PortManager {
         let boundary_services = default_boundary_services();
 
         // Describe the external IP addresses for this port.
-        //
-        // Note that we're currently only taking the first address, which is all
-        // that OPTE supports. The array is guaranteed to be limited by Nexus.
-        // See https://github.com/oxidecomputer/omicron/issues/1467
-        // See https://github.com/oxidecomputer/opte/issues/196
-        let external_ip = external_ips.get(0);
-
         macro_rules! ip_cfg {
             ($ip:expr, $log_prefix:literal, $ip_t:path, $cidr_t:path,
              $ipcfg_e:path, $ipcfg_t:ident, $snat_t:ident) => {{
@@ -152,25 +147,43 @@ impl PortManager {
                     }
                     None => None,
                 };
-                let external_ip = match external_ip {
-                    Some($ip_t(ip)) => Some((*ip).into()),
+                let ephemeral_ip = match ephemeral_ip {
+                    Some($ip_t(ip)) => Some(ip.into()),
                     Some(_) => {
                         error!(
                             self.inner.log,
-                            concat!($log_prefix, " external IP");
-                            "external_ip" => ?external_ip,
+                            concat!($log_prefix, " ephemeral IP");
+                            "ephemeral_ip" => ?ephemeral_ip,
                         );
                         return Err(Error::InvalidPortIpConfig);
                     }
                     None => None,
                 };
+                let floating_ips: Vec<_> = floating_ips
+                    .iter()
+                    .copied()
+                    .map(|ip| match ip {
+                        $ip_t(ip) => Ok(ip.into()),
+                        _ => {
+                            error!(
+                                self.inner.log,
+                                concat!($log_prefix, " ephemeral IP");
+                                "ephemeral_ip" => ?ephemeral_ip,
+                            );
+                            Err(Error::InvalidPortIpConfig)
+                        }
+                    })
+                    .collect::<Result<Vec<_>, _>>()?;
 
                 $ipcfg_e($ipcfg_t {
                     vpc_subnet,
                     private_ip: $ip.into(),
                     gateway_ip: gateway_ip.into(),
-                    snat,
-                    external_ips: external_ip,
+                    external_ips: ExternalIpCfg {
+                        ephemeral_ip,
+                        snat,
+                        floating_ips,
+                    },
                 })
             }}
         }

nexus/db-model/src/external_ip.rs

@@ -6,18 +6,21 @@
 //! services.
 
 use crate::impl_enum_type;
-use crate::schema::external_ip;
+use crate::schema::{external_ip, floating_ip};
 use crate::Name;
 use crate::SqlU16;
 use chrono::DateTime;
 use chrono::Utc;
+use db_macros::Resource;
 use diesel::Queryable;
 use diesel::Selectable;
 use ipnetwork::IpNetwork;
 use nexus_types::external_api::shared;
 use nexus_types::external_api::views;
 use omicron_common::address::NUM_SOURCE_NAT_PORTS;
 use omicron_common::api::external::Error;
+use omicron_common::api::external::IdentityMetadata;
+use serde::{Deserialize, Serialize};
 use std::convert::TryFrom;
 use std::net::IpAddr;
 use uuid::Uuid;
@@ -69,6 +72,30 @@ pub struct ExternalIp {
     pub ip: IpNetwork,
     pub first_port: SqlU16,
     pub last_port: SqlU16,
+    // Only Some(_) for instance Floating IPs
+    pub project_id: Option<Uuid>,
+}
+
+/// A view type constructed from `ExternalIp` used to represent Floating IP
+/// objects in user-facing APIs.
+///
+/// This View type fills a similar niche to `ProjectImage` etc.: we need to
+/// represent identity as non-nullable (ditto for parent project) so as to
+/// play nicely with authz and resource APIs.
+#[derive(
+    Queryable, Selectable, Clone, Debug, Resource, Serialize, Deserialize,
+)]
+#[diesel(table_name = floating_ip)]
+pub struct FloatingIp {
+    #[diesel(embed)]
+    pub identity: FloatingIpIdentity,
+
+    pub ip_pool_id: Uuid,
+    pub ip_pool_range_id: Uuid,
+    pub is_service: bool,
+    pub parent_id: Option<Uuid>,
+    pub ip: IpNetwork,
+    pub project_id: Uuid,
 }
 
 impl From<ExternalIp> for sled_agent_client::types::SourceNatConfig {
@@ -93,6 +120,7 @@ pub struct IncompleteExternalIp {
     is_service: bool,
     parent_id: Option<Uuid>,
     pool_id: Uuid,
+    project_id: Option<Uuid>,
     // Optional address requesting that a specific IP address be allocated.
     explicit_ip: Option<IpNetwork>,
     // Optional range when requesting a specific SNAT range be allocated.
@@ -114,6 +142,7 @@ impl IncompleteExternalIp {
             is_service: false,
             parent_id: Some(instance_id),
             pool_id,
+            project_id: None,
             explicit_ip: None,
             explicit_port_range: None,
         }
@@ -129,6 +158,7 @@ impl IncompleteExternalIp {
             is_service: false,
             parent_id: Some(instance_id),
             pool_id,
+            project_id: None,
             explicit_ip: None,
             explicit_port_range: None,
         }
@@ -138,6 +168,7 @@ impl IncompleteExternalIp {
         id: Uuid,
         name: &Name,
         description: &str,
+        project_id: Uuid,
         pool_id: Uuid,
     ) -> Self {
         Self {
@@ -149,11 +180,35 @@ impl IncompleteExternalIp {
             is_service: false,
             parent_id: None,
             pool_id,
+            project_id: Some(project_id),
             explicit_ip: None,
             explicit_port_range: None,
         }
     }
 
+    pub fn for_floating_explicit(
+        id: Uuid,
+        name: &Name,
+        description: &str,
+        project_id: Uuid,
+        explicit_ip: IpAddr,
+        pool_id: Uuid,
+    ) -> Self {
+        Self {
+            id,
+            name: Some(name.clone()),
+            description: Some(description.to_string()),
+            time_created: Utc::now(),
+            kind: IpKind::Floating,
+            is_service: false,
+            parent_id: None,
+            pool_id,
+            project_id: Some(project_id),
+            explicit_ip: Some(explicit_ip.into()),
+            explicit_port_range: None,
+        }
+    }
+
     pub fn for_service_explicit(
         id: Uuid,
         name: &Name,
@@ -171,6 +226,7 @@ impl IncompleteExternalIp {
             is_service: true,
             parent_id: Some(service_id),
             pool_id,
+            project_id: None,
             explicit_ip: Some(IpNetwork::from(address)),
             explicit_port_range: None,
         }
@@ -199,6 +255,7 @@ impl IncompleteExternalIp {
             is_service: true,
             parent_id: Some(service_id),
             pool_id,
+            project_id: None,
             explicit_ip: Some(IpNetwork::from(address)),
             explicit_port_range,
         }
@@ -220,6 +277,7 @@ impl IncompleteExternalIp {
             is_service: true,
             parent_id: Some(service_id),
             pool_id,
+            project_id: None,
             explicit_ip: None,
             explicit_port_range: None,
         }
@@ -235,6 +293,7 @@ impl IncompleteExternalIp {
             is_service: true,
             parent_id: Some(service_id),
             pool_id,
+            project_id: None,
             explicit_ip: None,
             explicit_port_range: None,
         }
@@ -272,6 +331,10 @@ impl IncompleteExternalIp {
         &self.pool_id
     }
 
+    pub fn project_id(&self) -> &Option<Uuid> {
+        &self.project_id
+    }
+
     pub fn explicit_ip(&self) -> &Option<IpNetwork> {
         &self.explicit_ip
     }
@@ -308,3 +371,78 @@ impl TryFrom<ExternalIp> for views::ExternalIp {
         Ok(views::ExternalIp { kind, ip: ip.ip.ip() })
     }
 }
+
+impl TryFrom<ExternalIp> for FloatingIp {
+    type Error = Error;
+
+    fn try_from(ip: ExternalIp) -> Result<Self, Self::Error> {
+        if ip.kind != IpKind::Floating {
+            return Err(Error::internal_error(
+                "attempted to convert non-floating external IP to floating",
+            ));
+        }
+        if ip.is_service {
+            return Err(Error::internal_error(
+                "Service IPs should not be exposed in the API",
+            ));
+        }
+
+        let project_id = ip.project_id.ok_or(Error::internal_error(
+            "database schema guarantees parent project for non-service FIP",
+        ))?;
+
+        let name = ip.name.ok_or(Error::internal_error(
+            "database schema guarantees ID metadata for non-service FIP",
+        ))?;
+
+        let description = ip.description.ok_or(Error::internal_error(
+            "database schema guarantees ID metadata for non-service FIP",
+        ))?;
+
+        let identity = FloatingIpIdentity {
+            id: ip.id,
+            name,
+            description,
+            time_created: ip.time_created,
+            time_modified: ip.time_modified,
+            time_deleted: ip.time_deleted,
+        };
+
+        Ok(FloatingIp {
+            ip: ip.ip,
+            identity,
+            project_id,
+            ip_pool_id: ip.ip_pool_id,
+            ip_pool_range_id: ip.ip_pool_range_id,
+            is_service: ip.is_service,
+            parent_id: ip.parent_id,
+        })
+    }
+}
+
+impl TryFrom<ExternalIp> for views::FloatingIp {
+    type Error = Error;
+
+    fn try_from(ip: ExternalIp) -> Result<Self, Self::Error> {
+        FloatingIp::try_from(ip).map(Into::into)
+    }
+}
+
+impl From<FloatingIp> for views::FloatingIp {
+    fn from(ip: FloatingIp) -> Self {
+        let identity = IdentityMetadata {
+            id: ip.identity.id,
+            name: ip.identity.name.into(),
+            description: ip.identity.description,
+            time_created: ip.identity.time_created,
+            time_modified: ip.identity.time_modified,
+        };
+
+        views::FloatingIp {
+            ip: ip.ip.ip(),
+            identity,
+            project_id: ip.project_id,
+            instance_id: ip.parent_id,
+        }
+    }
+}

nexus/db-model/src/schema.rs

@@ -524,6 +524,7 @@ table! {
         time_created -> Timestamptz,
         time_modified -> Timestamptz,
         time_deleted -> Nullable<Timestamptz>,
+
         ip_pool_id -> Uuid,
         ip_pool_range_id -> Uuid,
         is_service -> Bool,
@@ -532,6 +533,26 @@ table! {
         ip -> Inet,
         first_port -> Int4,
         last_port -> Int4,
+
+        project_id -> Nullable<Uuid>,
+    }
+}
+
+table! {
+    floating_ip (id) {
+        id -> Uuid,
+        name -> Text,
+        description -> Text,
+        time_created -> Timestamptz,
+        time_modified -> Timestamptz,
+        time_deleted -> Nullable<Timestamptz>,
+
+        ip_pool_id -> Uuid,
+        ip_pool_range_id -> Uuid,
+        is_service -> Bool,
+        parent_id -> Nullable<Uuid>,
+        ip -> Inet,
+        project_id -> Uuid,
     }
 }
 
@@ -1299,7 +1320,7 @@ table! {
 ///
 /// This should be updated whenever the schema is changed. For more details,
 /// refer to: schema/crdb/README.adoc
-pub const SCHEMA_VERSION: SemverVersion = SemverVersion::new(14, 0, 0);
+pub const SCHEMA_VERSION: SemverVersion = SemverVersion::new(15, 0, 0);
 
 allow_tables_to_appear_in_same_query!(
     system_update,