Correct TLS and memory options in tenzir.yaml.example #404

Draft
Zedoraps wants to merge 4 commits into main from feat/verify-example-config-docs

@Zedoraps Zedoraps commented Jun 18, 2026

Contributor

Mirrors the corrected example configuration from the code repo and fixes the same documented-vs-actual mismatches in the docs, so docs.tenzir.com matches what the node reads. Verified against the source and a running node (v6.2.0).

Example configuration (tenzir.yaml.example):

  • tls-require-client-cert → require-client-cert (the prefixed key was ignored, so mTLS was never enforced).
  • Document tenzir.tls.password (decrypts an encrypted keyfile).
  • Drop tenzir.malloc-trim-interval — read only from TENZIR_ALLOC_TRIM_INTERVAL (default 1min), never the configuration file.
  • plugins.platform: drop enable, tls-client-ca, tls-require-client-cert — not honored by the outbound platform connection.
  • Reference accept_tcp/to_tcp instead of the removed load_tcp/save_tcp.
  • Correct two defaults: retention.metrics (16d) and disk-budget-check-interval (60).

Guides / explanation:

  • configure-tls, configuration: correct node-level cipher/version keys to tls-ciphers/tls-min-version, plus the same require-client-cert, password, and plugins.platform corrections.
  • transform-data-at-rest: disk-budget-check-interval default 60.
⚙️ Code PR: tenzir/tenzir#6365
🎫 References TNZ-728

github-actions Bot commented Jun 18, 2026

Contributor

📦 Preview  ·  View →  ·  🟢 Live

Verified for c7a93c6  ·  Auto-updates on push

@Zedoraps Zedoraps marked this pull request as draft June 18, 2026 06:57

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fab0666c35

Comment thread tenzir.yaml.example
Mirror the corrected tenzir.yaml.example from tenzir/tenzir so the
rendered configuration matches the options the node reads: rename the
mTLS toggle to `require-client-cert`, document `password` for
encrypted keyfiles, drop the dead `malloc-trim-interval` key, and trim
the `plugins.platform` block to the options the platform connection
honors.

Assisted-by: Claude Opus 4.8 (1M context) (Claude Code)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Zedoraps Zedoraps force-pushed the feat/verify-example-config-docs branch from fab0666 to 47a418a Compare June 18, 2026 07:00
The TLS guide and the configuration explanation documented keys the
node does not read. Correct the node-level cipher and version keys to
`tls-ciphers` and `tls-min-version`, rename the mTLS toggle to
`require-client-cert`, document the `password` option, and trim the
`plugins.platform` block to the TLS options the outbound platform
connection honors.

Assisted-by: Claude Opus 4.8 (1M context) (Claude Code)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added guide How-to guides explanation Explanations labels Jun 18, 2026
Match the node's actual defaults: `tenzir.retention.metrics` is 16d
(not 7d) and `tenzir.start.disk-budget-check-interval` is 60 seconds
(not 90).

Assisted-by: Claude Opus 4.8 (1M context) (Claude Code)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mavam commented Jun 18, 2026

Member

We used to auto-mirror the .example file from tenzir/tenzir into the docs repo via CI. I couldn't find the workflow for this right off the bat, but it's worthwhile figuring this out to avoid any drift by design.

Mirror the example fix from tenzir/tenzir: the publish-suricata
pipeline used load_tcp, removed in v6. Use accept_tcp.

Assisted-by: Claude Opus 4.8 (1M context) (Claude Code)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Zedoraps commented Jun 18, 2026

Contributor Author

I dug into this and couldn't find a tenzir.yaml.example mirror in either repo's CI — so the drift wasn't by design, the sync is simply missing:

  • tenzir/tenzir .github/workflows/tenzir.yaml only references tenzir.yaml.example as a build-trigger path (TENZIR_SOURCES), not a mirror, and has a sync-openapi-to-docs job — but that syncs the OpenAPI spec, not the example.
  • tenzir/docs generate-openapi-node.yaml pulls the OpenAPI spec by running the Tenzir Docker image (tenzir 'openapi | write_yaml') and committing it. Again OpenAPI only.

So nothing keeps the example in sync, which is exactly why the two copies diverged (and each had picked up different errors).

Proposed fix — re-establish the mirror modeled on generate-openapi-node.yaml. Two options:

  1. Fetch the file from tenzir/tenzir (raw tenzir.yaml.example) on a schedule / repository-dispatch and commit it here.
  2. Extract from the Docker image (it's installed as tenzir.yaml), keeping it consistent with what actually ships.

mavam commented Jun 18, 2026

Member

I checked the git history: we did have this mirror before, but lost it on 2025-05-30 in tenzir/tenzir commit cc7bb38d3edafc19ec85fb4e4a02df8ca33baf93 (Fix OpenAPI spec sync). That commit deleted .github/workflows/documentation.yaml, whose job copied:

cp tenzir/tenzir.yaml.example docs/tenzir.yaml.example

and committed it to tenzir/docs. The replacement kept/fixed OpenAPI syncing, but dropped the tenzir.yaml.example part.

Recommendation: restore this as low-friction automation where tenzir/docs owns the write:

  • add a workflow in tenzir/docs, triggered by tenzir/tenzir with the source SHA/ref
  • serialize it with concurrency
  • have it copy tenzir.yaml.example and commit directly to docs main

That avoids cross-repo push races and matches the current OpenAPI ownership model: tenzir/tenzir triggers, tenzir/docs writes.
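
The mirror recommended above, sketched as a workflow that lives in tenzir/docs. This is an added example, not part of the thread or of either repository; the workflow filename, the `sync-example-config` event type, the `sha` payload field, and the location of `tenzir.yaml.example` at the root of both repositories are assumptions.

```yaml
# Hypothetical .github/workflows/sync-example-config.yaml in tenzir/docs.
name: Sync tenzir.yaml.example
on:
  repository_dispatch:
    types: [sync-example-config]   # assumed event type sent by tenzir/tenzir

# Serialize runs so two dispatches never race on docs main.
concurrency:
  group: sync-example-config
  cancel-in-progress: false

permissions:
  contents: write   # only what is needed to commit the mirrored file

jobs:
  sync:
    runs-on: ubuntu-latest
    env:
      # Assumed payload field. Passed through the environment rather than
      # interpolated into the scripts, because the payload is untrusted input.
      SOURCE_SHA: ${{ github.event.client_payload.sha }}
    steps:
      - name: Accept only a full commit SHA
        run: printf '%s' "$SOURCE_SHA" | grep -Eq '^[0-9a-f]{40}$'
      - name: Check out docs
        uses: actions/checkout@v4
      - name: Check out tenzir/tenzir at the source SHA
        uses: actions/checkout@v4
        with:
          repository: tenzir/tenzir
          ref: ${{ env.SOURCE_SHA }}
          path: .source
          persist-credentials: false
      - name: Copy and commit
        run: |
          cp .source/tenzir.yaml.example tenzir.yaml.example
          rm -rf .source
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add tenzir.yaml.example
          # Stop without a commit when the mirrored file is unchanged.
          if git diff --cached --quiet; then exit 0; fi
          git commit -m "Mirror tenzir.yaml.example from tenzir/tenzir@${SOURCE_SHA}"
          git push origin HEAD:main
```

Pinning the copy to the dispatched SHA records in the docs history exactly which source revision the published example came from.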

Labels

explanation Explanations guide How-to guides site Site infrastructure
