feat: pass TENANT_ID to Linseed for internal ES and add tenant suffix control

pkg/render/logstorage/linseed/linseed.go

@@ -377,9 +377,16 @@ func (l *linseed) linseedDeployment() *appsv1.Deployment {
 
 	replicas := l.cfg.Installation.ControlPlaneReplicas
 	if l.cfg.Tenant != nil {
-		if l.cfg.ExternalElastic {
-			// If a tenant was provided, set the expected tenant ID and enable the shared index backend.
-			envVars = append(envVars, corev1.EnvVar{Name: "LINSEED_EXPECTED_TENANT_ID", Value: l.cfg.Tenant.Spec.ID})
+		// Always set the expected tenant ID when a tenant is configured, regardless of
+		// whether Elasticsearch is internal or external. This ensures tenant isolation
+		// via the x-tenant-id header for all indices including shared single indices.
+		envVars = append(envVars, corev1.EnvVar{Name: "LINSEED_EXPECTED_TENANT_ID", Value: l.cfg.Tenant.Spec.ID})
+
+		if !l.cfg.ExternalElastic {
+			// For internal Elasticsearch, existing multi-index indices were created without
+			// tenant ID in the name. Disable tenant suffix in index names to preserve
+			// backward compatibility while still enforcing tenant isolation at the query level.
+			envVars = append(envVars, corev1.EnvVar{Name: "ELASTIC_MULTI_INDEX_TENANT_SUFFIX_ENABLED", Value: "false"})
 		}
 
 		if l.cfg.Tenant.MultiTenant() {

pkg/render/logstorage/linseed/linseed_test.go

@@ -807,11 +807,12 @@ var _ = Describe("Linseed rendering tests", func() {
 			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "MANAGEMENT_OPERATOR_NS", Value: "tigera-operator"}))
 			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "LINSEED_EXPECTED_TENANT_ID", Value: cfg.Tenant.Spec.ID}))
 
-			// These are only set for multi-tenant clusters. Make sure they aren't set here.
+			// These are only set for multi-tenant clusters or internal ES. Make sure they aren't set here.
 			for _, env := range envs {
 				Expect(env.Name).NotTo(Equal("LINSEED_MULTI_CLUSTER_FORWARDING_ENDPOINT"))
 				Expect(env.Name).NotTo(Equal("LINSEED_TENANT_NAMESPACE"))
 				Expect(env.Name).NotTo(Equal("BACKEND"))
+				Expect(env.Name).NotTo(Equal("ELASTIC_MULTI_INDEX_TENANT_SUFFIX_ENABLED"))
 			}
 		})
 
@@ -825,6 +826,12 @@ var _ = Describe("Linseed rendering tests", func() {
 			envs := d.Spec.Template.Spec.Containers[0].Env
 			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "MANAGEMENT_OPERATOR_NS", Value: "tigera-operator"}))
 
+			// Tenant ID is always set when a tenant is configured.
+			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "LINSEED_EXPECTED_TENANT_ID", Value: cfg.Tenant.Spec.ID}))
+
+			// For internal ES, tenant suffix is disabled in multi-index names for backward compatibility.
+			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "ELASTIC_MULTI_INDEX_TENANT_SUFFIX_ENABLED", Value: "false"}))
+
 			// These are only set for multi-tenant clusters. Make sure they aren't set here.
 			for _, env := range envs {
 				Expect(env.Name).NotTo(Equal("LINSEED_MULTI_CLUSTER_FORWARDING_ENDPOINT"))