WIP: implementing NIC update

bnaecker · bnaecker · commit bc3f12cb75c7 · 2025-12-19T16:29:17.000Z
diff --git a/nexus/tests/integration_tests/instances.rs b/nexus/tests/integration_tests/instances.rs
@@ -44,6 +44,7 @@ use nexus_test_utils::wait_for_producer;
 use nexus_types::external_api::params::IpAssignment;
 use nexus_types::external_api::params::PrivateIpStackCreate;
 use nexus_types::external_api::params::PrivateIpv4StackCreate;
+use nexus_types::external_api::params::PrivateIpv4StackUpdate;
 use nexus_types::external_api::params::PrivateIpv6StackCreate;
 use nexus_types::external_api::params::SshKeyCreate;
 use nexus_types::external_api::shared::IpKind;
@@ -3568,7 +3569,7 @@ async fn test_instance_update_network_interfaces(
             description: Some(new_description.clone()),
         },
         primary: false,
-        transit_ips: vec![],
+        ..Default::default()
     };
 
     // Verify we fail to update the NIC when the instance is running
@@ -3655,7 +3656,7 @@ async fn test_instance_update_network_interfaces(
             description: None,
         },
         primary: true,
-        transit_ips: vec![],
+        ..Default::default()
     };
     let updated_primary_iface1 = NexusRequest::object_put(
         client,
@@ -3753,7 +3754,7 @@ async fn test_instance_update_network_interfaces(
             description: None,
         },
         primary: true,
-        transit_ips: vec![],
+        ..Default::default()
     };
     let new_primary_iface = NexusRequest::object_put(
         client,
@@ -3849,6 +3850,21 @@ async fn test_instance_update_network_interfaces(
     assert_eq!(iface.identity.name, if_params[0].identity.name);
 }
 
+#[nexus_test]
+async fn cannot_make_new_primary_nic_lacking_ip_stack_for_external_addresses(
+    _cptestctx: &ControlPlaneTestContext,
+) {
+    todo!()
+}
+
+
+#[nexus_test]
+async fn cannot_remove_ip_stack_with_outstanding_external_ips_of_the_same_version(
+    _cptestctx: &ControlPlaneTestContext,
+) {
+    todo!()
+}
+
 #[nexus_test]
 async fn can_add_instance_network_interface_ip_stack(
     _cptestctx: &ControlPlaneTestContext,
@@ -3906,11 +3922,13 @@ async fn test_instance_update_network_interface_transit_ips(
             description: None,
         },
         primary: false,
-        transit_ips: vec![
-            "10.0.0.0/9".parse().unwrap(),
-            "10.128.0.0/9".parse().unwrap(),
-            "1.1.1.1/32".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.0.0.0/9".parse().unwrap(),
+                "10.128.0.0/9".parse().unwrap(),
+                "1.1.1.1/32".parse().unwrap(),
+            ],
+        },
     };
 
     // Verify that a selection of transit IPs (mixture of private and global
@@ -3926,12 +3944,14 @@ async fn test_instance_update_network_interface_transit_ips(
     // Non-canonical form (e.g., host identifier is nonzero) subnets should
     // be rejected.
     let with_extra_bits = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec![
-            "10.0.0.0/9".parse().unwrap(),
-            "10.128.0.0/9".parse().unwrap(),
-            //  Invalid vvv
-            "172.30.255.255/24".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.0.0.0/9".parse().unwrap(),
+                "10.128.0.0/9".parse().unwrap(),
+                //  Invalid vvv
+                "172.30.255.255/24".parse().unwrap(),
+            ],
+        },
         ..base_update.clone()
     };
     let err = object_put_error(
@@ -3948,11 +3968,13 @@ async fn test_instance_update_network_interface_transit_ips(
 
     // Multicast IP blocks should be rejected.
     let with_mc1 = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec![
-            "10.0.0.0/9".parse().unwrap(),
-            "10.128.0.0/9".parse().unwrap(),
-            "224.0.0.0/4".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.0.0.0/9".parse().unwrap(),
+                "10.128.0.0/9".parse().unwrap(),
+                "224.0.0.0/4".parse().unwrap(),
+            ],
+        },
         ..base_update.clone()
     };
     let err = object_put_error(
@@ -3968,11 +3990,13 @@ async fn test_instance_update_network_interface_transit_ips(
     );
 
     let with_mc2 = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec![
-            "10.0.0.0/9".parse().unwrap(),
-            "10.128.0.0/9".parse().unwrap(),
-            "230.20.20.128/32".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.0.0.0/9".parse().unwrap(),
+                "10.128.0.0/9".parse().unwrap(),
+                "230.20.20.128/32".parse().unwrap(),
+            ],
+        },
         ..base_update.clone()
     };
     let err = object_put_error(
@@ -3989,11 +4013,13 @@ async fn test_instance_update_network_interface_transit_ips(
 
     // Loopback ranges.
     let with_lo1 = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec![
-            "10.0.0.0/9".parse().unwrap(),
-            "10.128.0.0/9".parse().unwrap(),
-            "127.42.77.0/24".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.0.0.0/9".parse().unwrap(),
+                "10.128.0.0/9".parse().unwrap(),
+                "127.42.77.0/24".parse().unwrap(),
+            ],
+        },
         ..base_update.clone()
     };
     let err = object_put_error(
@@ -4009,11 +4035,13 @@ async fn test_instance_update_network_interface_transit_ips(
     );
 
     let with_lo2 = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec![
-            "10.0.0.0/9".parse().unwrap(),
-            "10.128.0.0/9".parse().unwrap(),
-            "127.0.0.1/32".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.0.0.0/9".parse().unwrap(),
+                "10.128.0.0/9".parse().unwrap(),
+                "127.0.0.1/32".parse().unwrap(),
+            ],
+        },
         ..base_update.clone()
     };
     let err = object_put_error(
@@ -4027,11 +4055,13 @@ async fn test_instance_update_network_interface_transit_ips(
 
     // Overlapping IP ranges should be rejected, as should identical ranges.
     let with_dup1 = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec![
-            "10.0.0.0/9".parse().unwrap(),
-            "10.128.0.0/9".parse().unwrap(),
-            "10.0.0.0/9".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.0.0.0/9".parse().unwrap(),
+                "10.128.0.0/9".parse().unwrap(),
+                "10.0.0.0/9".parse().unwrap(),
+            ],
+        },
         ..base_update.clone()
     };
     let err = object_put_error(
@@ -4047,11 +4077,13 @@ async fn test_instance_update_network_interface_transit_ips(
     );
 
     let with_dup2 = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec![
-            "10.0.0.0/9".parse().unwrap(),
-            "10.128.0.0/9".parse().unwrap(),
-            "10.128.32.0/24".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.0.0.0/9".parse().unwrap(),
+                "10.128.0.0/9".parse().unwrap(),
+                "10.128.32.0/24".parse().unwrap(),
+            ],
+        },
         ..base_update.clone()
     };
     let err = object_put_error(
@@ -4068,10 +4100,12 @@ async fn test_instance_update_network_interface_transit_ips(
 
     // Verify that we also catch more specific CIDRs appearing sooner in the list.
     let with_dup3 = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec![
-            "10.20.20.0/30".parse().unwrap(),
-            "10.0.0.0/8".parse().unwrap(),
-        ],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec![
+                "10.20.20.0/30".parse().unwrap(),
+                "10.0.0.0/8".parse().unwrap(),
+            ],
+        },
         ..base_update.clone()
     };
     let err = object_put_error(
@@ -4097,7 +4131,9 @@ async fn test_instance_update_network_interface_transit_ips(
     // As a final sanity test, we can still effectively remove spoof checking
     // using the unspecified network address.
     let allow_all = params::InstanceNetworkInterfaceUpdate {
-        transit_ips: vec!["0.0.0.0/0".parse().unwrap()],
+        ipv4: PrivateIpv4StackUpdate::Modify {
+            transit_ips: vec!["0.0.0.0/0".parse().unwrap()],
+        },
         ..base_update.clone()
     };
 
diff --git a/nexus/types/src/external_api/params.rs b/nexus/types/src/external_api/params.rs
@@ -957,6 +957,44 @@ pub struct InstanceNetworkInterfaceCreate {
     pub ip_config: PrivateIpStackCreate,
 }
 
+#[derive(Clone, Debug, Default, Deserialize, JsonSchema, Serialize)]
+#[serde(rename_all = "snake_case", tag = "type", content = "value")]
+pub enum PrivateIpv4StackUpdate {
+    #[default]
+    NoChange,
+    Remove,
+    Add(PrivateIpv4StackCreate),
+    Modify { transit_ips: Vec<Ipv4Net> },
+}
+
+#[derive(Clone, Debug, Default, Deserialize, JsonSchema, Serialize)]
+#[serde(rename_all = "snake_case", tag = "type", content = "value")]
+pub enum PrivateIpv6StackUpdate {
+    #[default]
+    NoChange,
+    Remove,
+    Add(PrivateIpv6StackCreate),
+    Modify { transit_ips: Vec<Ipv6Net> },
+}
+
+// Do nothing to a specific IP stack
+// Remove a specific IP stack
+// Add a specific IP stack
+// Modify the transit IPs of a stack
+//
+// Independently for IPv6 / IPv4, though we need to do a bunch of validation in
+// the database queries for that:
+//
+// - If adding, don't already have a stack of the same version (UPDATE ... SET
+// .. WHERE ip IS NULL, basically)
+// - If we're removing, we have a stack of the _other_ version so that the NIC
+//   is still valid, although the CHECK constraint we have should take care of
+//   that.
+//
+//  TODO(ben): We need to beef up the check for making a new primary NIC. That
+//  has to ensure that we have private IP stacks for all the external addresses
+//  the instance might have.
+
 /// Parameters for updating an `InstanceNetworkInterface`
 ///
 /// Note that modifying IP addresses for an interface is not yet supported, a
@@ -982,10 +1020,13 @@ pub struct InstanceNetworkInterfaceUpdate {
     #[serde(default)]
     pub primary: bool,
 
-    /// A set of additional networks that this interface may send and
-    /// receive traffic on.
+    /// Update the interface's VPC-private IPv4 stack.
+    #[serde(default)]
+    pub ipv4: PrivateIpv4StackUpdate,
+
+    /// Update the interface's VPC-private IPv6 stack.
     #[serde(default)]
-    pub transit_ips: Vec<IpNet>,
+    pub ipv6: PrivateIpv6StackUpdate,
 }
 
 /// How a VPC-private IP address is assigned to a network interface.
