Set tenant ID for intrusion detection

pkg/controller/intrusiondetection/intrusiondetection_controller.go

@@ -466,6 +466,7 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec
 		Namespace:                    helper.InstallNamespace(),
 		BindNamespaces:               namespaces,
 		Tenant:                       tenant,
+		ExternalElastic:              r.elasticExternal,
 	}
 	intrusionDetectionComponent := render.IntrusionDetection(intrusionDetectionCfg)
 

pkg/render/intrusion_detection.go

@@ -108,9 +108,10 @@ type IntrusionDetectionConfiguration struct {
 	TrustedCertBundle            certificatemanagement.TrustedBundleRO
 	IntrusionDetectionCertSecret certificatemanagement.KeyPairInterface
 
-	Namespace      string
-	BindNamespaces []string
-	Tenant         *operatorv1.Tenant
+	Namespace       string
+	BindNamespaces  []string
+	Tenant          *operatorv1.Tenant
+	ExternalElastic bool
 }
 
 type intrusionDetectionComponent struct {
@@ -605,7 +606,7 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() co
 		},
 		{
 			Name:  "LINSEED_URL",
-			Value: relasticsearch.LinseedEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, ElasticsearchNamespace),
+			Value: relasticsearch.LinseedEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, LinseedNamespace(c.cfg.Tenant)),
 		},
 		{
 			Name:  "LINSEED_CA",
@@ -625,6 +626,18 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() co
 		},
 	}
 
+	if c.cfg.Tenant != nil {
+		// Configure the tenant id in order to read /write linseed data using the correct tenant ID
+		// Multi-tenant and single tenant with external elastic needs this variable set
+		if c.cfg.ExternalElastic {
+			envs = append(envs, corev1.EnvVar{Name: "TENANT_ID", Value: c.cfg.Tenant.Spec.ID})
+		}
+
+		if c.cfg.Tenant.MultiTenant() {
+			envs = append(envs, corev1.EnvVar{Name: "TENANT_NAMESPACE", Value: c.cfg.Tenant.Namespace})
+			envs = append(envs, corev1.EnvVar{Name: "MULTI_CLUSTER_FORWARDING_ENDPOINT", Value: ManagerService(c.cfg.Tenant)})
+		}
+	}
 	sc := securitycontext.NewNonRootContext()
 
 	// If syslog forwarding is enabled then set the necessary ENV var and volume mount to

pkg/render/intrusion_detection_test.go

@@ -619,11 +619,14 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 			// Configure a tenant.
 			tenantA = &operatorv1.Tenant{
 				ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: tenantANamespace},
-				Spec:       operatorv1.TenantSpec{},
+				Spec: operatorv1.TenantSpec{
+					ID: "tenant-a",
+				},
 			}
 			cfg.Namespace = tenantANamespace
 			cfg.BindNamespaces = []string{tenantANamespace, tenantBNamespace}
 			cfg.Tenant = tenantA
+			cfg.ExternalElastic = true
 		})
 
 		It("should render multi-tenant resources", func() {
@@ -687,6 +690,21 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 			}
 			Expect(netpol.Spec.Egress).To(ConsistOf(expectedEgressRules))
 		})
+
+		It("should render multi-tenant environment variables", func() {
+			component := render.IntrusionDetection(cfg)
+			toCreate, _ := component.Objects()
+
+			deployment, err := rtest.GetResourceOfType[*appsv1.Deployment](toCreate, render.IntrusionDetectionName, tenantANamespace)
+			Expect(err).NotTo(HaveOccurred())
+
+			envs := deployment.Spec.Template.Spec.Containers[0].Env
+			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "TENANT_NAMESPACE", Value: tenantANamespace}))
+			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "TENANT_ID", Value: "tenant-a"}))
+			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "LINSEED_URL", Value: fmt.Sprintf("https://tigera-linseed.%s.svc", tenantANamespace)}))
+			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "MULTI_CLUSTER_FORWARDING_ENDPOINT", Value: fmt.Sprintf("https://tigera-manager.%s.svc", tenantANamespace)}))
+
+		})
 	})
 })