D-058: full plane renumber -- clean fabric-grouped /22 scheme (2026-06-29)

Status: DECIDED (operator). Supersedes the D-057 minimal-delta placement of provider-vip at 10.12.24.0/22, and resolves R4 (oob). grep-before-assign: D-058 free (max prior D-057; D-054/055/056 are DOCFIX).

What: renumber the v1 plane scheme so CIDRs are contiguous /22 blocks grouped by fabric and ordered to match the layer model, instead of the historical scatter. This is a cloud-wide re-IP, intentionally larger than D-057, accepted by the operator for Roosevelt addressing fidelity. It is executed as a teardown/redeploy (no in-place re-CIDR), so there is no transient subnet overlap.

The map (authoritative)

Rotate rule (collision-safe): 8->12, 12->16, 16->20, 24->8, 64->60; 4/32/36 fixed. VLAN IDs unchanged (metal-internal VID 103, provider-vip VID 104). VIP triple becomes provider-vip .8.5x / metal-admin .12.5x / metal-internal .16.5x (octets 50-60). Host statics (.40-.43) follow each plane. metal-admin PXE-DHCP band -> 10.12.12.9-.11.

JUMPHOST ORDERING TRAP (must respect on the host)

The jumphost owns three gateways that move. provider-vip's NEW gateway 10.12.8.1 is metal-admin's OLD address. So on the jumphost, in this order:

1. move virbr2 (metal-admin) 10.12.8.1 -> 10.12.12.1
2. move virbr7 (oob) 10.12.64.1 -> 10.12.60.1
3. THEN add virbr1.104 (provider-vip) = 10.12.8.1 <-- only after step 1 frees .8.1 Adding virbr1.104=.8.1 while virbr2 still holds .8.1 is a same-subnet collision. In a clean rebuild the bridges are reconfigured as a set, but the free-then-claim order still applies. (Step 3 is the jumphost-provider-vip-gateway.md runbook.)

APEX / NetBox note (IaC discipline)

NetBox is the apex; this renumber's authoritative home is NetBox. BUT the committed netbox/ipv4-prefixes-import.py is itself stale (pre-D-052: only Metal/Provider/LBaaS-mgmt, provider VLAN VID 240, API VIPs at .224-.254 -- none of the 6-plane D-052/053 model). It must FIRST be brought current to D-052/053, THEN carry the D-058 scheme, before it can be the source of truth. Until that reconciliation, scripts/lib-net.sh is the working contract and already carries D-058. Do NOT hand-edit downstream MAAS for these values once NetBox is current -- regenerate.

DONE in this pack (renumbered + re-validated: both suites ALL PASS, d057-check PASS)

scripts/lib-net.sh (PLANE_CIDRS, PLANE_NAME, PLANE_GW, DATA_PLANE_CIDRS, METAL_INTERNAL_CIDR, PROVIDER_VIP_CIDR, VIPPREFIX* triple), scripts/carve-host-interfaces.sh, scripts/provider-vip-standup.sh, scripts/d057-bundle-check.py, bundle.yaml (11 VIP triples), both test suites + fixtures, provider-vip-maas-standup.md, jumphost-provider-vip-gateway.md, README.

COMMITTED-FOUNDATION CASCADE (still on the OLD scheme -- next sweep)

Apply the same rotate (8->12, 12->16, 16->20, 24->8, 64->60; 4/32/36 fixed). These are in the committed repo, not this pack, and several are prose runbooks -- sweep with care, NetBox-anchored:

• netbox/ipv4-prefixes-import.py (APEX -- de-stale to D-052/053 first, then D-058)
• netbox/README.md
• scripts/phase-00-maas-carve.sh (METAL_CIDR default 10.12.8 -> 10.12.12; ranges)
• scripts/lib-hosts.sh (VIRSH_POWER_ADDRESS 10.12.64.1 -> 10.12.60.1)
• scripts/review-bundle.py (stale pre-D-052 already -- R2; fold in with that)
• runbooks/phase-00-teardown-maas-reset.md, phase-01-bundle-deploy.md, phase-03-core-verify.md, phase-04-network-carve.md, phase-05-octavia-enablement.md, phase-08-workload-cluster-acceptance.md, appendix-A-troubleshooting.md
• docs/maas-as-built-reference.md, docs/design-decisions.md (append D-058), docs/v1-redeploy-changelog.md, docs/netbox-vip-queue.md
• tests/phase-00-carve/run-tests.sh, tests/phase-04/make_fixtures.py
• jumphost underlay: virbr2 -> 10.12.12.1, virbr7 -> 10.12.60.1 (see ordering trap)
• host-nginx :81 upstream: Horizon -> 10.12.8.58