From fc87c755866339600418d1438e6dad8c807a14a9 Mon Sep 17 00:00:00 2001
From: Bence Csati
Date: Mon, 20 Jan 2025 15:56:17 +0100
Subject: [PATCH 1/2] feat: protected cluster outputs
Signed-off-by: Bence Csati
---
 content/docs/configuration/output.md | 41 ++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/content/docs/configuration/output.md b/content/docs/configuration/output.md
index 37e35cb83..cb96154f8 100644
--- a/content/docs/configuration/output.md
+++ b/content/docs/configuration/output.md
@@ -97,3 +97,44 @@ spec:
 - For the details of the supported output plugins, see {{% xref "/docs/configuration/plugins/syslog-ng-outputs/_index.md" %}}.
 - For the details of `SyslogNGOutput` custom resource, see {{% xref "/docs/configuration/crds/v1beta1/syslogng_output_types.md" %}}.
 - For the details of `SyslogNGClusterOutput` custom resource, see {{% xref "/docs/configuration/crds/v1beta1/syslogng_clusteroutput_types.md" %}}.
+
+## protected flag cluster outputs
+
+Since versions:
+
+- 4.7 for Fluentd
+- 5.0 for Syslog-ng
+
+You can set the `protected` flag on a `ClusterOutput` and `SyslogNGClusterOutput`. This prevents namespaced `Flows` and `SyslogNGFlows` from sending logs to these outputs and only allows `ClusterFlows` and `SyslogNGClusterFlows` to reference it.
+
+By default, `ClusterOutputs` can be referenced by any `Flow`. Setting the `protected` flag restricts this access to `ClusterFlows` only.
+
+```yaml
+apiVersion: logging.banzaicloud.io/v1beta1
+kind: ClusterOutput
+metadata:
+ name: protected-cluster-output
+ namespace: infra
+spec:
+ protected: true
+ s3:
+ aws_key_id:
+ valueFrom:
+ secretKeyRef:
+ name: s3-secret
+ key: awsAccessKeyId
+ namespace: default
+ aws_sec_key:
+ valueFrom:
+ secretKeyRef:
+ name: s3-secret
+ key: awsSecretAccessKey
+ namespace: default
+ s3_bucket: example-logging-bucket
+ s3_region: eu-west-1
+ path: logs/${tag}/%Y/%m/%d/
+ buffer:
+ timekey: 1m
+ timekey_wait: 10s
+ timekey_use_utc: true
+```
From 00df905971eb21ce07b253e3f780b5bdcf8d8b8c Mon Sep 17 00:00:00 2001
From: Bence Csati
Date: Mon, 20 Jan 2025 17:18:30 +0100
Subject: [PATCH 2/2] chore: secretKeyRef does not have a namespace field
Signed-off-by: Bence Csati
---
 content/docs/configuration/output.md | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/content/docs/configuration/output.md b/content/docs/configuration/output.md
index cb96154f8..ca791275d 100644
--- a/content/docs/configuration/output.md
+++ b/content/docs/configuration/output.md
@@ -33,13 +33,11 @@ spec:
 secretKeyRef:
 name: s3-secret
 key: awsAccessKeyId
- namespace: default
 aws_sec_key:
 valueFrom:
 secretKeyRef:
 name: s3-secret
 key: awsSecretAccessKey
- namespace: default
 s3_bucket: example-logging-bucket
 s3_region: eu-west-1
 path: logs/${tag}/%Y/%m/%d/
@@ -123,13 +121,11 @@ spec:
 secretKeyRef:
 name: s3-secret
 key: awsAccessKeyId
- namespace: default
 aws_sec_key:
 valueFrom:
 secretKeyRef:
 name: s3-secret
 key: awsSecretAccessKey
- namespace: default
 s3_bucket: example-logging-bucket
 s3_region: eu-west-1
 path: logs/${tag}/%Y/%m/%d/