Skip to content

feat: pass TENANT_ID to Linseed for internal ES and add tenant suffix control#4584

Open
tianfeng92 wants to merge 1 commit intotigera:masterfrom
tianfeng92:EV-6486-linseed-tenant-suffix-env
Open

feat: pass TENANT_ID to Linseed for internal ES and add tenant suffix control#4584
tianfeng92 wants to merge 1 commit intotigera:masterfrom
tianfeng92:EV-6486-linseed-tenant-suffix-env

Conversation

@tianfeng92
Copy link
Contributor

@tianfeng92 tianfeng92 commented Mar 23, 2026
edited
Loading

Summary

  • Always set LINSEED_EXPECTED_TENANT_ID when a tenant is configured, not just for external Elasticsearch. This ensures tenant isolation via the x-tenant-id header for all indices including the shared calico_policy_activity index.
  • Set ELASTIC_MULTI_INDEX_TENANT_SUFFIX_ENABLED=false for internal Elasticsearch environments where existing multi-index indices were created without tenant ID in the name.
  • Companion to calico-private PR: https://github.com/tigera/calico-private/pull/11230

Test plan

  • Existing "multi-tenant environment variables" test passes (external ES, tenant suffix not disabled)
  • "single-tenant with external elastic" test verifies ELASTIC_MULTI_INDEX_TENANT_SUFFIX_ENABLED is NOT set
  • "single-tenant with internal elastic" test verifies both LINSEED_EXPECTED_TENANT_ID and ELASTIC_MULTI_INDEX_TENANT_SUFFIX_ENABLED=false are set
  • Full linseed render test suite passes

🤖 Generated with Claude Code

Linseed now always receives the tenant ID when a tenant is configured, ensuring tenant isolation via the `x-tenant-id` header for all Elasticsearch backends including internal ES.

@tianfeng92 @claude
feat: always pass TENANT_ID to Linseed and add ELASTIC_MULTI_INDEX_TE…
5c3524f 
…NANT_SUFFIX_ENABLED

Previously LINSEED_EXPECTED_TENANT_ID was only set when external
Elasticsearch was configured. Now it is always set when a tenant
exists, ensuring tenant isolation via the x-tenant-id header for
all indices including the shared calico_policy_activity index.

For internal Elasticsearch environments, set
ELASTIC_MULTI_INDEX_TENANT_SUFFIX_ENABLED=false so that multi-index
routing omits tenant ID from index names, preserving backward
compatibility with existing indices that were created without tenant
ID in the name.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@marvin-tigera marvin-tigera added this to the v1.43.0 milestone Mar 23, 2026
@tianfeng92 tianfeng92 marked this pull request as ready for review March 23, 2026 20:57
@tianfeng92 tianfeng92 requested a review from a team as a code owner March 23, 2026 20:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rene-dekker rene-dekker rene-dekker approved these changes

Assignees

No one assigned

Labels

docs-pr-required release-note-required

Projects

None yet

Milestone

v1.43.0

Development

Successfully merging this pull request may close these issues.

3 participants

@tianfeng92 @rene-dekker @marvin-tigera