Plan zone updates for target release (#8024)

Plumb the TUF repo representing the current `target_release` through the
policy and planner. Update one zone at a time to the control-plane
artifacts in that repo. Non-Nexus zones are updated first, then Nexus.

Author: plotnick

common/src/api/external/mod.rs

@@ -750,6 +750,10 @@ impl Generation {
         Generation(next_gen)
     }
 
+    pub const fn prev(&self) -> Option<Generation> {
+        if self.0 > 1 { Some(Generation(self.0 - 1)) } else { None }
+    }
+
     pub const fn as_u64(self) -> u64 {
         self.0
     }

dev-tools/reconfigurator-cli/tests/output/cmds-expunge-newly-added-external-dns-stderr

@@ -1160,6 +1160,7 @@ INFO sufficient InternalDns zones exist in plan, desired_count: 3, current_count
 INFO added zone to sled, sled_id: a88790de-5962-4871-8686-61c1fd5b7094, kind: ExternalDns
 INFO sufficient Nexus zones exist in plan, desired_count: 3, current_count: 3
 INFO sufficient Oximeter zones exist in plan, desired_count: 0, current_count: 0
+INFO some zones not yet up-to-date, sled_id: a88790de-5962-4871-8686-61c1fd5b7094
 INFO will ensure cockroachdb setting, setting: cluster.preserve_downgrade_option, value: DoNotModify
 generated blueprint 9c998c1d-1a7b-440a-ae0c-40f781dea6e2 based on parent blueprint 366b0b68-d80e-4bc1-abd3-dc69837847e0
 

dev-tools/reconfigurator-cli/tests/output/cmds-expunge-newly-added-external-dns-stdout

@@ -1379,6 +1379,7 @@ INFO added zone to sled, sled_id: d81c6a84-79b8-4958-ae41-ea46c9b19763, kind: In
 INFO sufficient ExternalDns zones exist in plan, desired_count: 3, current_count: 3
 INFO sufficient Nexus zones exist in plan, desired_count: 3, current_count: 3
 INFO sufficient Oximeter zones exist in plan, desired_count: 0, current_count: 0
+INFO some zones not yet up-to-date, sled_id: d81c6a84-79b8-4958-ae41-ea46c9b19763
 INFO will ensure cockroachdb setting, setting: cluster.preserve_downgrade_option, value: DoNotModify
 generated blueprint af934083-59b5-4bf6-8966-6fb5292c29e1 based on parent blueprint 58d5e830-0884-47d8-a7cd-b2b3751adeb4
 

dev-tools/reconfigurator-cli/tests/output/cmds-expunge-newly-added-internal-dns-stderr

@@ -22,6 +22,7 @@ use omicron_common::{
         DatasetConfig, DatasetManagementStatus, DiskManagementStatus,
         DiskVariant, OmicronPhysicalDiskConfig,
     },
+    update::ArtifactId,
     zpool_name::ZpoolName,
 };
 use omicron_uuid_kinds::{DatasetUuid, OmicronZoneUuid};
@@ -33,7 +34,7 @@ use serde::{Deserialize, Serialize};
 // depend on sled-hardware-types.
 pub use sled_hardware_types::Baseboard;
 use strum::EnumIter;
-use tufaceous_artifact::ArtifactHash;
+use tufaceous_artifact::{ArtifactHash, KnownArtifactKind};
 
 /// Identifies information about disks which may be attached to Sleds.
 #[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)]
@@ -590,13 +591,14 @@ impl OmicronZoneType {
 ///
 /// # String representations of this type
 ///
-/// There are no fewer than four string representations for this type, all
+/// There are no fewer than five string representations for this type, all
 /// slightly different from each other.
 ///
 /// 1. [`Self::zone_prefix`]: Used to construct zone names.
 /// 2. [`Self::service_prefix`]: Used to construct SMF service names.
 /// 3. [`Self::name_prefix`]: Used to construct `Name` instances.
 /// 4. [`Self::report_str`]: Used for reporting and testing.
+/// 5. [`Self::artifact_name`]: Used to match TUF artifact names.
 ///
 /// There is no `Display` impl to ensure that users explicitly choose the
 /// representation they want. (Please play close attention to this! The
@@ -715,6 +717,39 @@ impl ZoneKind {
             ZoneKind::Oximeter => "oximeter",
         }
     }
+
+    /// Return a string used as an artifact name for control-plane zones.
+    /// This is **not guaranteed** to be stable.
+    pub fn artifact_name(self) -> &'static str {
+        match self {
+            ZoneKind::BoundaryNtp => "ntp",
+            ZoneKind::Clickhouse => "clickhouse",
+            ZoneKind::ClickhouseKeeper => "clickhouse_keeper",
+            ZoneKind::ClickhouseServer => "clickhouse",
+            ZoneKind::CockroachDb => "cockroachdb",
+            ZoneKind::Crucible => "crucible-zone",
+            ZoneKind::CruciblePantry => "crucible-pantry-zone",
+            ZoneKind::ExternalDns => "external-dns",
+            ZoneKind::InternalDns => "internal-dns",
+            ZoneKind::InternalNtp => "ntp",
+            ZoneKind::Nexus => "nexus",
+            ZoneKind::Oximeter => "oximeter",
+        }
+    }
+
+    /// Return true if an artifact represents a control plane zone image
+    /// of this kind.
+    pub fn is_control_plane_zone_artifact(
+        self,
+        artifact_id: &ArtifactId,
+    ) -> bool {
+        artifact_id
+            .kind
+            .to_known()
+            .map(|kind| matches!(kind, KnownArtifactKind::Zone))
+            .unwrap_or(false)
+            && artifact_id.name == self.artifact_name()
+    }
 }
 
 /// Where Sled Agent should get the image for a zone.

dev-tools/reconfigurator-cli/tests/output/cmds-expunge-newly-added-internal-dns-stdout

@@ -2249,7 +2249,7 @@ mod tests {
             const SYSTEM_HASH: ArtifactHash = ArtifactHash([3; 32]);
 
             datastore
-                .update_tuf_repo_insert(
+                .tuf_repo_insert(
                     opctx,
                     &TufRepoDescription {
                         repo: TufRepoMeta {

nexus-sled-agent-shared/src/inventory.rs

@@ -7,7 +7,9 @@
 use super::DataStore;
 use crate::authz;
 use crate::context::OpContext;
-use crate::db::model::{SemverVersion, TargetRelease, TargetReleaseSource};
+use crate::db::model::{
+    Generation, SemverVersion, TargetRelease, TargetReleaseSource,
+};
 use async_bb8_diesel::AsyncRunQueryDsl as _;
 use diesel::insert_into;
 use diesel::prelude::*;
@@ -44,6 +46,25 @@ impl DataStore {
         Ok(current)
     }
 
+    /// Fetch a target release by generation number.
+    pub async fn target_release_get_generation(
+        &self,
+        opctx: &OpContext,
+        generation: Generation,
+    ) -> LookupResult<Option<TargetRelease>> {
+        opctx
+            .authorize(authz::Action::Read, &authz::TARGET_RELEASE_CONFIG)
+            .await?;
+        let conn = self.pool_connection_authorized(opctx).await?;
+        dsl::target_release
+            .select(TargetRelease::as_select())
+            .filter(dsl::generation.eq(generation))
+            .first_async(&*conn)
+            .await
+            .optional()
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
+
     /// Insert a new target release row and return it. It will only become
     /// the current target release if its generation is larger than any
     /// existing row.
@@ -189,7 +210,7 @@ mod test {
                 .parse()
                 .expect("SHA256('')");
         let repo = datastore
-            .update_tuf_repo_insert(
+            .tuf_repo_insert(
                 opctx,
                 &TufRepoDescription {
                     repo: TufRepoMeta {

nexus/db-queries/src/db/datastore/deployment.rs

@@ -17,18 +17,21 @@ use diesel::result::Error as DieselError;
 use nexus_db_errors::OptionalError;
 use nexus_db_errors::{ErrorHandler, public_error_from_diesel};
 use nexus_db_lookup::DbConnection;
-use nexus_db_model::{ArtifactHash, TufArtifact, TufRepo, TufRepoDescription};
+use nexus_db_model::{
+    ArtifactHash, TufArtifact, TufRepo, TufRepoDescription, to_db_typed_uuid,
+};
 use omicron_common::api::external::{
     self, CreateResult, DataPageParams, Generation, ListResultVec,
     LookupResult, LookupType, ResourceType, TufRepoInsertStatus,
 };
+use omicron_uuid_kinds::GenericUuid;
 use omicron_uuid_kinds::TufRepoKind;
 use omicron_uuid_kinds::TypedUuid;
 use swrite::{SWrite, swrite};
 use tufaceous_artifact::ArtifactVersion;
 use uuid::Uuid;
 
-/// The return value of [`DataStore::update_tuf_repo_insert`].
+/// The return value of [`DataStore::tuf_repo_insert`].
 ///
 /// This is similar to [`external::TufRepoInsertResponse`], but uses
 /// nexus-db-model's types instead of external types.
@@ -75,7 +78,7 @@ impl DataStore {
     /// `TufRepoDescription` if one was already found. (This is not an upsert,
     /// because if we know about an existing repo but with different contents,
     /// we reject that.)
-    pub async fn update_tuf_repo_insert(
+    pub async fn tuf_repo_insert(
         &self,
         opctx: &OpContext,
         description: &external::TufRepoDescription,
@@ -106,8 +109,40 @@ impl DataStore {
             })
     }
 
+    /// Returns a TUF repo description.
+    pub async fn tuf_repo_get_by_id(
+        &self,
+        opctx: &OpContext,
+        repo_id: TypedUuid<TufRepoKind>,
+    ) -> LookupResult<TufRepoDescription> {
+        opctx.authorize(authz::Action::Read, &authz::FLEET).await?;
+
+        use nexus_db_schema::schema::tuf_repo::dsl;
+
+        let conn = self.pool_connection_authorized(opctx).await?;
+        let repo = dsl::tuf_repo
+            .filter(dsl::id.eq(to_db_typed_uuid(repo_id)))
+            .select(TufRepo::as_select())
+            .first_async::<TufRepo>(&*conn)
+            .await
+            .map_err(|e| {
+                public_error_from_diesel(
+                    e,
+                    ErrorHandler::NotFoundByLookup(
+                        ResourceType::TufRepo,
+                        LookupType::ById(repo_id.into_untyped_uuid()),
+                    ),
+                )
+            })?;
+
+        let artifacts = artifacts_for_repo(repo.id.into(), &conn)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))?;
+        Ok(TufRepoDescription { repo, artifacts })
+    }
+
     /// Returns the TUF repo description corresponding to this system version.
-    pub async fn update_tuf_repo_get(
+    pub async fn tuf_repo_get_by_version(
         &self,
         opctx: &OpContext,
         system_version: SemverVersion,
@@ -140,7 +175,7 @@ impl DataStore {
     }
 
     /// Returns the list of all TUF repo artifacts known to the system.
-    pub async fn update_tuf_artifact_list(
+    pub async fn tuf_list_repos(
         &self,
         opctx: &OpContext,
         generation: Generation,
@@ -160,7 +195,7 @@ impl DataStore {
     }
 
     /// Returns the current TUF repo generation number.
-    pub async fn update_tuf_generation_get(
+    pub async fn tuf_get_generation(
         &self,
         opctx: &OpContext,
     ) -> LookupResult<Generation> {

nexus/db-queries/src/db/datastore/target_release.rs

@@ -1496,6 +1496,8 @@ mod test {
                 target_crucible_pantry_zone_count: CRUCIBLE_PANTRY_REDUNDANCY,
                 clickhouse_policy: None,
                 oximeter_read_policy: OximeterReadPolicy::new(1),
+                tuf_repo: None,
+                old_repo: None,
                 log,
             }
             .build()