datum-cloud · zachsmith1 · May 1, 2026 · Apr 30, 2026 · May 1, 2026 · May 1, 2026
diff --git a/cmd/main.go b/cmd/main.go
@@ -421,6 +421,29 @@ func main() {
 		os.Exit(1)
 	}
 
+	var irohDownstream cluster.Cluster
+	if serverConfig.Connector.Iroh.DNSEnabled {
+		irohRestCfg, err := serverConfig.Connector.Iroh.DownstreamRestConfig()
+		if err != nil {
+			setupLog.Error(err, "unable to load iroh dns downstream kubeconfig")
+			os.Exit(1)
+		}
+		irohDownstream, err = cluster.New(irohRestCfg, func(o *cluster.Options) {
+			o.Scheme = scheme
+		})
+		if err != nil {
+			setupLog.Error(err, "unable to build iroh dns downstream cluster")
+			os.Exit(1)
+		}
+		if err := (&controller.IrohDNSReconciler{
+			Config:     serverConfig,
+			Downstream: irohDownstream,
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "IrohDNS")
+			os.Exit(1)
+		}
+	}
+
 	if serverConfig.Gateway.ShouldDeleteErroredChallenges() {
 		if err := (&controller.ChallengeReconciler{
 			Config:            serverConfig,
@@ -521,6 +544,12 @@ func main() {
 		return ignoreCanceled(downstreamCluster.Start(ctx))
 	})
 
+	if irohDownstream != nil {
+		g.Go(func() error {
+			return ignoreCanceled(irohDownstream.Start(ctx))
+		})
+	}
+
 	setupLog.Info("starting multicluster manager")
 	g.Go(func() error {
 		return ignoreCanceled(mgr.Start(ctx))

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -177,18 +177,23 @@ type IrohConnectorConfig struct {
 	DownstreamKubeconfigPath string `json:"downstreamKubeconfigPath,omitempty"`
 
 	// DNSZoneRef references the DNSZone (in the downstream cluster) that
-	// owns the names this controller manages.
+	// owns the names this controller manages. The actual DNS origin used
+	// for the FQDN is the zone's spec.domainName, not its metadata.name —
+	// the two need not agree.
 	DNSZoneRef IrohDNSZoneRef `json:"dnsZoneRef,omitempty"`
 
-	// RecordPrefix is the leading DNS label of the discovery name.
-	// iroh uses "_iroh" by convention.
+	// RecordPrefix is the leading DNS label of the discovery name. iroh
+	// requires "_iroh" by convention.
 	//
 	// +default="_iroh"
 	RecordPrefix string `json:"recordPrefix,omitempty"`
 
-	// BaseDomain is the suffix appended to the prefix and z32 EndpointId
-	// to form the full lookup name "<recordPrefix>.<z32>.<baseDomain>".
-	BaseDomain string `json:"baseDomain,omitempty"`
+	// RecordSuffix is appended after the z32 EndpointId, before the zone
+	// origin. Use it to nest discovery records under additional labels
+	// (e.g. set "connectors" with a zone for "example.com" to publish at
+	// "_iroh.<z32>.connectors.example.com"). Empty means the records sit
+	// directly under the zone root.
+	RecordSuffix string `json:"recordSuffix,omitempty"`
 
 	// TTLSeconds is the TTL written on each TXT record.
 	//
@@ -1108,9 +1113,6 @@ func (c *IrohConnectorConfig) validate() error {
 		return nil
 	}
 	var errs []error
-	if c.BaseDomain == "" {
-		errs = append(errs, errors.New("baseDomain is required when dnsEnabled is true"))
-	}
 	if c.DNSZoneRef.Name == "" {
 		errs = append(errs, errors.New("dnsZoneRef.name is required when dnsEnabled is true"))
 	}

diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -17,7 +17,6 @@ func TestNetworkServicesOperator_Validate_IrohDisabled(t *testing.T) {
 func TestNetworkServicesOperator_Validate_IrohEnabled(t *testing.T) {
 	full := IrohConnectorConfig{
 		DNSEnabled: true,
-		BaseDomain: "datumconnect.net",
 		DNSZoneRef: IrohDNSZoneRef{Namespace: "datum-dns", Name: "datumconnect-net"},
 	}
 
@@ -27,11 +26,6 @@ func TestNetworkServicesOperator_Validate_IrohEnabled(t *testing.T) {
 		wantSub string
 	}{
 		{name: "all required fields set"},
-		{
-			name:    "missing baseDomain",
-			mutate:  func(c *IrohConnectorConfig) { c.BaseDomain = "" },
-			wantSub: "baseDomain is required",
-		},
 		{
 			name:    "missing dnsZoneRef.name",
 			mutate:  func(c *IrohConnectorConfig) { c.DNSZoneRef.Name = "" },
@@ -48,6 +42,10 @@ func TestNetworkServicesOperator_Validate_IrohEnabled(t *testing.T) {
 				c.DownstreamKubeconfigPath = ""
 			},
 		},
+		{
+			name:   "recordSuffix is optional (records sit under zone root)",
+			mutate: func(c *IrohConnectorConfig) { c.RecordSuffix = "" },
+		},
 	}
 
 	for _, tt := range tests {
@@ -82,10 +80,9 @@ func TestNetworkServicesOperator_Validate_IrohEnabledAggregatesErrors(t *testing
 	if err == nil {
 		t.Fatal("expected error, got nil")
 	}
-	// errors.Join joins distinct messages with newlines; all five required
+	// errors.Join joins distinct messages with newlines; both required
 	// fields should be surfaced.
 	for _, want := range []string{
-		"baseDomain is required",
 		"dnsZoneRef.name is required",
 		"dnsZoneRef.namespace is required",
 	} {