Skip to content

docs(deploy): demote render.yaml to a reference manifest and fix TLS prose#258

Merged
jsugg merged 2 commits into
mainfrom
docs/render-manifest-and-tls-prose
Jul 15, 2026
Merged

docs(deploy): demote render.yaml to a reference manifest and fix TLS prose#258
jsugg merged 2 commits into
mainfrom
docs/render-manifest-and-tls-prose

Conversation

@jsugg

@jsugg jsugg commented Jul 15, 2026

Copy link
Copy Markdown
Owner

Follows #257, which had to be live before the manifest could drop the
certificate entries. It is: deploy dep-d9bjcdcvikkc73e42vjg is live on
b5fca356c and /api/health returns 200 {"ready":true}.

render.yaml is applied to nothing

DEVELOPMENT.md said the service shape was "versioned in render.yaml".
It is not:

GET /v1/blueprints  ->  []          # no Blueprint exists on the account
service createdAt   ->  2023-03-26  # predates the file
TLS_PORT            ->  8443 in the file | 4443 live

The empty Blueprint list and the TLS_PORT mismatch are jointly conclusive —
if anything were syncing, TLS_PORT could not differ. The service is
dashboard-managed. The file now says so, and names the dashboard as the source
of truth for environment variables.

The service shape does match the file exactly (plan, region, instances,
health check, build, start, runtime, branch, auto-deploy), so that is now
stated rather than left ambiguous. No Blueprint is registered by this PR, and
none should be: a sync would reset TLS_PORT to 8443 and could strip the
provider credentials the service actually runs on.

Manifest vs. live

Added TLS_ENABLED=false — it drives the entire TLS posture and was
undeclared. Removed TLS_PORT — dead (TLS is off) and contradicted.
Removed TLS_KEY/TLS_CERT, which is safe only now that #257 is live: the
service no longer needs them to boot. They are still set on the dashboard;
retiring them there is a separate step.

TLS prose

PORT is pinned to 8080 on the dashboard, not injected by Render. The doc
claimed injected. Anyone standing up a second service from this document would
have inherited a wrong assumption, so the doc now matches the dashboard.

The certificate statements were false when the audit was written and are true
now that #257 is live — they are kept and sharpened rather than rewritten:
when TLS is disabled the credentials are neither required nor loaded, where
the doc previously said only "not loaded", which was the exact ambiguity that
made removing them look safe when it was not.

Verification

render.yaml parses and resolves to TLS_ENABLED=false with no TLS_PORT,
TLS_KEY or TLS_CERT. docs:validate passes. The
#inbound-tls-posture-... anchor still resolves. No live configuration is
touched by this PR.

jsugg added 2 commits July 15, 2026 04:31
…prose

The deployment docs described a service that does not exist. Three fixes,
all now verified against the live API.

render.yaml is applied to nothing. No Blueprint is registered on the account
and the service predates the file, so nothing syncs it; the TLS_PORT mismatch
(8443 in the file, 4443 live) is the proof — a syncing Blueprint could not
leave those different. Calling the file "versioned" implied a source-of-truth
relationship that has never existed, and an operator who believed it would
edit the file and wonder why production ignored them. It is now documented as
a reference manifest, with the dashboard named as the source of truth for
environment variables. The service *shape* genuinely does match the file, so
that is stated explicitly rather than left ambiguous.

Align the manifest with the live service: add TLS_ENABLED=false (undeclared,
though it drives the whole TLS posture) and drop TLS_PORT, which was both dead
and contradicted. TLS_KEY/TLS_CERT are dropped now that the conditional
validation fix is live and healthy in production, so they are no longer needed
to boot. They remain set on the dashboard until they are retired there.

Fix the TLS prose. PORT is pinned explicitly to 8080 on the dashboard, not
injected by Render as claimed, so an operator sizing a second service would
have drawn the wrong conclusion. The certificate statements are now accurate
post-fix and say so precisely: when TLS is disabled the credentials are
neither required nor loaded, rather than merely "not loaded".
renderConfig.test.js asserted that TLS_KEY and TLS_CERT were declared in
render.yaml with `sync: false`, which encoded the old belief that production
depends on them. It does not: TLS terminates at the edge, the app never loads
the certificates, and the validator no longer requires them to boot.

Update the test to the contract the manifest now describes — REPLICATE_API_TOKEN
stays the only secret-bearing entry — and add coverage for what the removal
means, so a future edit cannot quietly reintroduce credentials the service
never reads or resurrect the TLS_PORT value that never matched production.

Quote TLS_ENABLED's value. Bare `false` is a YAML boolean, while config/index.js
keys off the string 'false'; the quoted form says what is meant and the new
assertion holds it there.
@jsugg jsugg merged commit d870b04 into main Jul 15, 2026
21 checks passed
@jsugg jsugg deleted the docs/render-manifest-and-tls-prose branch July 15, 2026 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant