ISSUE

Following the documentation for "Forwarding logs using the Fluentd forward protocol" [1], it was implemented that it's possible to use now a passphrase for the secret like:

spec:
outputs:

• name: fluentd-server-secure
  type: fluentdForward
  url: 'tls://fluentdserver.security.example.com:24224'
  secret:
  name: fluentd-secret
  passphrase: phrase

When setting a config like this:

$ cat clf.yaml
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
name: instance
namespace: openshift-logging
spec:
disableDefaultForwarding: true
outputs:

• name: fluentd
  type: fluentdForward
  url: tls://localhost:24224
  secret:
  name: fluentd-secret
  passphrase: testpass
  pipelines:
• name: container-logs
  inputRefs:
• application
• audit
  outputRefs:
• fluentd

$ oc create -f clf.yaml

The result is that it's not taken into consideration the passphrase in the current configuration:

spec:
outputs:

• name: fluentd
  secret:
  name: fluentd-secret
  type: fluentdForward
  url: tls://localhost:24224
  pipelines:
• inputRefs:
• application
• audit
  name: container-logs
  outputRefs:
• fluentd

Also, reviewing the crd for the clusterlogforwarder [2] is not visible the option passphrase, then, it seems that this feature is missing currently and not available like the documentation is saying.

ENV

$ oc get csv
NAME DISPLAY VERSION REPLACES PHASE
cluster-logging.5.2.2-21 Red Hat OpenShift Logging 5.2.2-21 Succeeded
elasticsearch-operator.5.2.2-21 OpenShift Elasticsearch Operator 5.2.2-21 Succeeded

[1] https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-external.html#cluster-logging-collector-log-forward-fluentd_cluster-logging-external
[2] https://github.com/openshift/cluster-logging-operator/blob/release-5.2/manifests/5.2/logging.openshift.io_clusterlogforwarders_crd.yaml