oxidecomputer · david-crespo · Aug 30, 2023 · Aug 28, 2023 · Aug 28, 2023 · Aug 29, 2023
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -305,6 +305,7 @@ sha3 = "0.10.8"
 shell-words = "1.1.0"
 signal-hook = "0.3"
 signal-hook-tokio = { version = "0.3", features = [ "futures-v0_3" ] }
+similar-asserts = "1.5.0"
 sled = "0.34"
 sled-agent-client = { path = "sled-agent-client" }
 sled-hardware = { path = "sled-hardware" }

diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
@@ -117,6 +117,7 @@ petgraph.workspace = true
 pretty_assertions.workspace = true
 rcgen.workspace = true
 regex.workspace = true
+similar-asserts.workspace = true
 rustls = { workspace = true }
 subprocess.workspace = true
 term.workspace = true

diff --git a/nexus/db-model/src/ip_pool.rs b/nexus/db-model/src/ip_pool.rs
@@ -32,48 +32,41 @@ pub struct IpPool {
     #[diesel(embed)]
     pub identity: IpPoolIdentity,
 
-    /// If true, identifies that this IP pool is dedicated to "Control-Plane
-    /// Services", such as Nexus.
-    ///
-    /// Otherwise, this IP pool is intended for usage by customer VMs.
-    pub internal: bool,
-
     /// Child resource generation number, for optimistic concurrency control of
     /// the contained ranges.
     pub rcgen: i64,
 
-    /// Silo, if IP pool is associated with a particular silo. Must be null
-    /// if internal is true. Must be non-null if project_id is non-null. When
-    /// project_id is non-null, silo_id will (naturally) be the ID of the
-    /// project's silo.
+    /// Silo, if IP pool is associated with a particular silo. One special use
+    /// for this is  associating a pool with the internal silo oxide-internal,
+    /// which is used for internal services. If there is no silo ID, the
+    /// pool is considered a fleet-wide pool and will be used for allocating
+    /// instance IPs in silos that don't have their own pool.
     pub silo_id: Option<Uuid>,
 
-    /// Project, if IP pool is associated with a particular project. Must be
-    /// null if internal is true.
-    pub project_id: Option<Uuid>,
+    pub is_default: bool,
 }
 
 impl IpPool {
     pub fn new(
         pool_identity: &external::IdentityMetadataCreateParams,
-        internal: bool,
+        silo_id: Option<Uuid>,
+        is_default: bool,
     ) -> Self {
         Self {
             identity: IpPoolIdentity::new(
                 Uuid::new_v4(),
                 pool_identity.clone(),
             ),
-            internal,
             rcgen: 0,
-            silo_id: None,
-            project_id: None,
+            silo_id,
+            is_default,
         }
     }
 }
 
 impl From<IpPool> for views::IpPool {
     fn from(pool: IpPool) -> Self {
-        Self { identity: pool.identity() }
+        Self { identity: pool.identity(), silo_id: pool.silo_id }
     }
 }
 

diff --git a/nexus/db-model/src/schema.rs b/nexus/db-model/src/schema.rs
@@ -452,10 +452,9 @@ table! {
         time_created -> Timestamptz,
         time_modified -> Timestamptz,
         time_deleted -> Nullable<Timestamptz>,
-        internal -> Bool,
         rcgen -> Int8,
         silo_id -> Nullable<Uuid>,
-        project_id -> Nullable<Uuid>,
+        is_default -> Bool,
     }
 }
 
@@ -1131,7 +1130,7 @@ table! {
 ///
 /// This should be updated whenever the schema is changed. For more details,
 /// refer to: schema/crdb/README.adoc
-pub const SCHEMA_VERSION: SemverVersion = SemverVersion::new(3, 0, 0);
+pub const SCHEMA_VERSION: SemverVersion = SemverVersion::new(3, 0, 3);
 
 allow_tables_to_appear_in_same_query!(
     system_update,

diff --git a/nexus/db-queries/src/db/datastore/external_ip.rs b/nexus/db-queries/src/db/datastore/external_ip.rs
@@ -5,7 +5,6 @@
 //! [`DataStore`] methods on [`ExternalIp`]s.
 
 use super::DataStore;
-use crate::authz;
 use crate::context::OpContext;
 use crate::db;
 use crate::db::error::public_error_from_diesel_pool;
@@ -25,9 +24,7 @@ use nexus_types::identity::Resource;
 use omicron_common::api::external::CreateResult;
 use omicron_common::api::external::Error;
 use omicron_common::api::external::LookupResult;
-use omicron_common::api::external::Name as ExternalName;
 use std::net::IpAddr;
-use std::str::FromStr;
 use uuid::Uuid;
 
 impl DataStore {
@@ -55,14 +52,16 @@ impl DataStore {
         instance_id: Uuid,
         pool_name: Option<Name>,
     ) -> CreateResult<ExternalIp> {
-        let name = pool_name.unwrap_or_else(|| {
-            Name(ExternalName::from_str("default").unwrap())
-        });
-        let (.., pool) = self
-            .ip_pools_fetch_for(opctx, authz::Action::CreateChild, &name)
-            .await?;
-        let pool_id = pool.identity.id;
+        // If we have a pool name, look up the pool by name and return it
+        // as long as its scopes don't conflict with the current scope.
+        // Otherwise, not found.
+        let pool = match pool_name {
+            Some(name) => self.ip_pools_fetch(&opctx, &name).await?,
+            // If no name given, use the default logic
+            None => self.ip_pools_fetch_default(&opctx).await?,
+        };
 
+        let pool_id = pool.identity.id;
         let data =
             IncompleteExternalIp::for_ephemeral(ip_id, instance_id, pool_id);
         self.allocate_external_ip(opctx, data).await