feat: add connectors.iroh config block and validation#146
Merged
zachsmith1 merged 2 commits intomainfrom Apr 30, 2026
Merged
Conversation
Adds a new IrohConnectorConfig under connector.iroh that gates the upcoming iroh DNS discovery controller. When dnsEnabled is true the controller will publish "<recordPrefix>.<z32-endpoint-id>.<baseDomain>" TXT records into a downstream DNSZone for every Connector backed by an iroh-routed ConnectorClass. The block carries: - DNSEnabled (default false) - DownstreamCluster.KubeconfigSecretRef pointing at the cluster where DNSRecordSets are written - DNSZoneRef identifying the zone that owns the names - RecordPrefix (default "_iroh") and BaseDomain - TTLSeconds (default 30) Also introduces a Validate() entrypoint on NetworkServicesOperator and wires it into cmd/main.go where the previous "TODO(jreese) validate the config" lived. Today only Connector.Iroh is checked; future cross-field rules can extend the same dispatch. Validation only fires when DNSEnabled is true, so existing deployments are unaffected. No controller behavior is registered yet — that lands in a follow-up.
Replace the IrohDownstreamClusterConfig / IrohKubeconfigSecretRef
nesting with a single DownstreamKubeconfigPath field on
IrohConnectorConfig, matching the existing DiscoveryConfig pattern
(DiscoveryKubeconfigPath / ProjectKubeconfigPath). Empty path falls
back to the operator's own in-cluster config — supports single-cluster
deployments with no extra knobs.
Adds a DownstreamRestConfig() helper that builds the rest.Config the
upcoming controller will use, mirroring DiscoveryConfig.DiscoveryRestConfig.
Validation no longer flags missing kubeconfig fields since the empty
fallback is intentional.
Regenerated zz_generated.{deepcopy,defaults}.go via make generate.
scotwells
approved these changes
Apr 30, 2026
Contributor
scotwells
left a comment
scotwells
left a comment
There was a problem hiding this comment.
Think it would make more sense to invert the dependency here? Probably cleaner to have a component that's Iroh specific that understands how to discover iroh connectors and publish DNS information instead of the network services operator knowing those details.
Contributor
Author
|
@scotwells mind elaborating more on what you mean here? |
Contributor
|
I just mean that this doesn't seem like it should be network operators concern long term since it's specific to iroh |
Contributor
Author
|
hmmm. its connector implementation specifically for iroh but def worth thinking about how this grows when other providers are there in the future. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
connector.irohconfiguration inNetworkServicesOperator. WhendnsEnabledis true the (upcoming) iroh DNS discovery controller will publish<recordPrefix>.<z32-endpoint-id>.<baseDomain>TXT records into a downstreamDNSZonefor every Connector whose ConnectorClass is routed to iroh.dnsEnabled(defaultfalse)downstreamKubeconfigPath— path to a kubeconfig file pointing at the cluster where DNSRecordSets are written. Empty falls back to the operator's own in-cluster config (matches existingDiscoveryKubeconfigPath/ProjectKubeconfigPathpattern).dnsZoneRef(namespace,name)recordPrefix(default"_iroh")baseDomain(required whendnsEnabledis true)ttlSeconds(default30)IrohConnectorConfig.DownstreamRestConfig()helper builds the rest.Config for the downstream cluster, mirroringDiscoveryConfig.DiscoveryRestConfig.Validate()entrypoint onNetworkServicesOperatorand wires it intocmd/main.gowhere the previousTODO(jreese) validate the configlived. OnlyConnector.Irohis checked today; future rules can extend the same dispatch. Validation only fires whendnsEnabledis true, so existing deployments are unaffected.zz_generated.deepcopy.goandzz_generated.defaults.goviamake generate.Test plan
go test ./internal/config/...— passes (defaulting + every required-field-missing case + aggregated-error case + iroh-disabled no-op + path-optional fallback).go build ./...— clean.go vet ./...— clean.gofmt -l— no diff.connectors.<type>.*pattern we agreed on for future siblings.