diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go
index 9cc21b1ab..9bb4895fa 100644
--- a/agent/proxycfg/state_test.go
+++ b/agent/proxycfg/state_test.go
@@ -1870,7 +1870,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 								SNI: connect.ServiceSNI("db", "", structs.IntentionDefaultNamespace, snap.Datacenter, snap.Roots.TrustDomain),
 								SpiffeID: connect.SpiffeIDService{
 									Host:       snap.Roots.TrustDomain,
-									Namespace:  structs.IntentionDefaultNamespace,
+									Namespace:  db.NamespaceOrDefault(),
+									Partition:  db.PartitionOrDefault(),
 									Datacenter: snap.Datacenter,
 									Service:    "db",
 								},
diff --git a/agent/proxycfg/upstreams.go b/agent/proxycfg/upstreams.go
index d3557e527..f634cf0a7 100644
--- a/agent/proxycfg/upstreams.go
+++ b/agent/proxycfg/upstreams.go
@@ -96,7 +96,7 @@ func (s *handlerUpstreams) handleUpdateUpstreams(ctx context.Context, u cache.Up
 
 				spiffeID := connect.SpiffeIDService{
 					Host:       snap.Roots.TrustDomain,
-					Partition:  "",
+					Partition:  svc.PartitionOrDefault(),
 					Namespace:  svc.NamespaceOrDefault(),
 					Datacenter: snap.Datacenter,
 					Service:    svc.Name,
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go
index fbd428d70..c07b275c0 100644
--- a/agent/xds/clusters.go
+++ b/agent/xds/clusters.go
@@ -540,6 +540,8 @@ func (s *ResourceGenerator) makeUpstreamClusterForPreparedQuery(upstream structs
 		Namespace:  upstream.DestinationNamespace,
 		Datacenter: dc,
 		Service:    upstream.DestinationName,
+
+		// TODO(partitions) Store partition
 	}
 
 	// Enable TLS upstream with the configured client certificate.
@@ -623,6 +625,8 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
 			Namespace:  target.Namespace,
 			Datacenter: target.Datacenter,
 			Service:    target.Service,
+
+			// TODO(partitions) Store partition
 		}
 
 		if failoverThroughMeshGateway {
@@ -658,6 +662,8 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
 					Namespace:  target.Namespace,
 					Datacenter: target.Datacenter,
 					Service:    target.Service,
+
+					// TODO(partitions) Store partition
 				}
 
 				// Failover targets might be subsets of the same service, so these are deduplicated.