feat: implement multi-tenant search support #72
…are indexing, querying, and deletion.
…resource filtering based on tenant type.
…nant-search-support
scotwells left a comment:
Looks great! Just some feedback around failure scenarios to make sure we retry appropriately.
    // The baseline filterable attributes ensure that _tenant and _tenant_type are always
    // present so multi-tenant filter queries work regardless of policy field configuration.
    baseFilterableAttributes := []string{"uid", "metadata.name", "metadata.namespace", "_tenant", "_tenant_type"}
Thoughts on automatically indexing metadata.annotations["kubernetes.io/display-name"] and metadata.annotations["kubernetes.io/description"] since we're standardizing on those for human-readable display names and descriptions? Maybe this is also worth moving into a configuration file so we can dynamically change it?
hmmm, but our ResourceIndexPolicySpec already allows configuring which annotations we want to index.
We can already use the ResourceIndex to configure that; that functionality is already in place and working.
Maybe I'm confused on what baseFilterableAttributes is being used for. Based on the name, I assumed these were fields within the resource that would always be indexed, regardless of the policy configuration.
@scotwells I left two conversations open (not resolved). Will be waiting for your reply in order to continue.
feat: implement multi-tenant search support
Summary
The search service previously indexed only platform cluster resources, with no awareness of project control planes. This adds multi-tenant support so resources from any Milo project can be discovered and searched alongside platform resources, with full tenant attribution on every result.
When --multi-tenant=true, the controller-manager watches resourcemanager.miloapis.com/v1alpha1/projects and maintains a per-project dynamic client (proxied through the platform API server — no separate credentials needed). On policy reconcile, it publishes reindex messages for platform resources and each active project's resources. When a project is deleted, its documents are removed from Meilisearch via DeleteDocumentsByFilter. The audit event consumer extracts tenant identity from user.extra IAM fields and skips non-platform events in single-tenant mode to prevent misclassification.

Key behaviours:
- --multi-tenant defaults to false — single-tenant deployments are completely unaffected
- _tenant and _tenant_type are added as filterable attributes; SearchResult exposes a TenantInfo object with name and type
- --project-label-selector allows scoping which projects are indexed without code changes
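As an added illustration of the tenant attribution this PR describes (example code, not the project's own): it keeps the baseline filterable attributes ahead of any policy fields, builds the per-tenant Meilisearch filter used both for scoped queries and for DeleteDocumentsByFilter cleanup with the tenant name validated first, and applies the single-tenant skip rule. The tenant-type values "platform"/"project" and the DNS-1123 shape of project names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed values for _tenant_type; the PR names the attribute but not its values.
const TenantTypePlatform, TenantTypeProject = "platform", "project"

// TenantInfo is the name/type attribution exposed on each SearchResult.
type TenantInfo struct{ Name, Type string }
// Baseline from the PR: these stay filterable whatever the ResourceIndexPolicy lists.
var baseFilterableAttributes = []string{"uid", "metadata.name", "metadata.namespace", "_tenant", "_tenant_type"}

// MergeFilterableAttributes returns the baseline followed by policy fields not already
// present, so a policy cannot drop _tenant/_tenant_type and break tenant-scoped queries.
func MergeFilterableAttributes(policyFields []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, f := range append(append([]string{}, baseFilterableAttributes...), policyFields...) {
		if !seen[f] {
			seen[f] = true
			out = append(out, f)
		}
	}
	return out
}

// Kubernetes DNS-1123 label shape (assumed to apply to project names). Validating before
// interpolation means a crafted name cannot rewrite the filter expression.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// TenantFilter builds the Meilisearch filter that scopes a query, or a
// DeleteDocumentsByFilter call on project deletion, to exactly one tenant.
func TenantFilter(t TenantInfo) (string, error) {
	if t.Type != TenantTypePlatform && t.Type != TenantTypeProject {
		return "", fmt.Errorf("unknown tenant type %q", t.Type)
	}
	if !dns1123Label.MatchString(t.Name) {
		return "", fmt.Errorf("invalid tenant name %q", t.Name)
	}
	return fmt.Sprintf("_tenant = %q AND _tenant_type = %q", t.Name, t.Type), nil
}

// Audit-consumer rule: single-tenant mode indexes only platform events, so project-scoped
// events are never misclassified as platform resources.
func ShouldIndex(multiTenant bool, t TenantInfo) bool {
	return multiTenant || t.Type == TenantTypePlatform
}
```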