You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
-**HTTP APIs**: The Model Context Protocol (MCP) helps integrate external tools and services into the Spice runtime. MCP tools can be accessed via HTTP APIs for tool integration and orchestration. For details, see the [MCP documentation](../features/large-language-models/mcp).
mTLS (client certificate authentication) is included in the Enterprise distribution of Spice.ai. [Learn more](https://docs.spice.ai/docs/enterprise).
126
+
:::
127
+
128
+
mTLS extends standard TLS by requiring the client to also present a certificate during the TLS handshake. This provides cryptographic authentication of both the server and the client.
129
+
130
+
### Enable mTLS via spicepod.yaml
131
+
132
+
Set `client_auth_mode` to `request` or `required` and provide a CA bundle to verify client certificates:
133
+
134
+
```yaml
135
+
runtime:
136
+
tls:
137
+
enabled: true
138
+
certificate_file: /path/to/server.crt
139
+
key_file: /path/to/server.key
140
+
client_auth_mode: required
141
+
client_auth_ca_file: /path/to/client-ca.pem
142
+
```
143
+
144
+
### Enable mTLS via command line
145
+
146
+
```bash
147
+
spiced --tls-enabled true \
148
+
--tls-certificate-file /path/to/server.crt \
149
+
--tls-key-file /path/to/server.key \
150
+
--tls-client-auth-mode required \
151
+
--tls-client-auth-ca-file /path/to/client-ca.pem
152
+
```
153
+
154
+
### Client auth modes
155
+
156
+
| Mode | Behavior |
157
+
|------|----------|
158
+
| `none` *(default)* | Standard one-way TLS. No client certificate is requested. |
159
+
| `request` | The server requests a client certificate but accepts connections without one. Presented certificates are verified against the CA. Useful for migration or audit-only deployments. |
160
+
| `required` | A valid client certificate is required. The Flight listener rejects no-cert connections at the TLS handshake. The HTTP listener admits no-cert connections so `/health` and `/v1/ready` remain accessible for Kubernetes probes, but all other HTTP endpoints return 401 without a verified client certificate. |
Kubernetes liveness/readiness probes (`/health`, `/v1/ready`) and the metrics endpoint (`/metrics`) are always accessible without a client certificate, even under `client_auth_mode: required`.
182
+
183
+
### Client CA hot-reload
184
+
185
+
When `client_auth_ca_file` is used, the CA bundle is watched for changes and reloaded atomically alongside the server certificate and key. When `client_auth_ca` (inline) is used, the CA is loaded once at startup.
186
+
187
+
For a complete walkthrough, see the [mTLS Cookbook recipe](https://github.com/spiceai/cookbook/tree/trunk/mtls).
| `cayenne_file_path` | Custom path for storing Cayenne data files. Supports local paths or S3 Express One Zone URLs (e.g., `s3://bucket--usw2-az1--x-s3/prefix/`). | - |
50
+
| `cayenne_unsupported_type_action` | Action when an unsupported data type is encountered. Options: `error`, `string`, `warn`, `ignore`. | `error` |
When `cayenne_file_path` is set to an S3 Express One Zone URL (or `cayenne_s3_zone_ids` is configured), the following parameters control S3 connectivity:
Copy file name to clipboardExpand all lines: website/docs/components/data-accelerators/duckdb/index.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -39,7 +39,7 @@ DuckDB acceleration supports the following optional parameters under `accelerati
39
39
- `duckdb_memory_limit` (string, default: none): Limits DuckDB's memory usage for instance. Acceptable units are KB, MB, GB, TB (decimal: 1000^i) or KiB, MiB, GiB, TiB (binary: 1024^i). See [DuckDB memory limit documentation](https://duckdb.org/docs/stable/configuration/overview).
40
40
- `duckdb_preserve_insertion_order` (boolean, default: `true`): Controls whether DuckDB preserves the insertion order of rows in tables. When set to `true`, rows are returned in the order they were inserted. See [DuckDB preserve insertion order documentation](https://duckdb.org/docs/stable/guides/performance/how_to_tune_workloads#the-preserve_insertion_order-option) and [order preservation documentation](https://duckdb.org/docs/stable/sql/dialect/order_preservation).
41
41
- `connection_pool_size` (integer, default: `10`or the number of datasets sharing the same DuckDB file, whichever is larger): Controls the maximum number of connections to keep open in the connection pool for concurrent query execution.
42
-
- `on_refresh_recompute_statistics` (string, default: `enabled`): Triggers automatic `ANALYZE` execution after data refreshes. This keeps DuckDB optimizer statistics up-to-date for efficient query plans and performance. Set to `disabled` to turn automatic statistics recomputation off. See [DuckDB ANALYZE statement documentation](https://duckdb.org/docs/stable/sql/statements/analyze).
42
+
- `on_refresh_recompute_statistics` (string, default: `enabled`, `disabled` when `refresh_mode` is `changes`): Triggers automatic `ANALYZE` execution after data refreshes. This keeps DuckDB optimizer statistics up-to-date for efficient query plans and performance. Set to `disabled` to turn automatic statistics recomputation off. See [DuckDB ANALYZE statement documentation](https://duckdb.org/docs/stable/sql/statements/analyze).
43
43
- `duckdb_index_scan_percentage` (float, default: `0.001`): Sets the threshold percentage for performing an index scan instead of a table scan. An index scan is used when the number of matching rows is less than the maximum of `duckdb_index_scan_max_count` and `duckdb_index_scan_percentage` multiplied by total row count. Must be between `0.0` and `1.0`.
44
44
- `duckdb_index_scan_max_count` (integer, default: `2048`): Sets the maximum row count threshold for performing an index scan instead of a table scan. An index scan is used when the number of matching rows is less than the maximum of `duckdb_index_scan_max_count` and `duckdb_index_scan_percentage` multiplied by total row count. Must be a non-negative integer.
45
45
- `partition_mode` (string, default: `files`): Controls how partitioned data is stored. Can only be used with `partition_by`. Set to `tables` to store partitions as separate tables within a single DuckDB database, improving resource usage through single shared connection pool for all partitions. Default `files` mode creates separate database files per partition with individual connection pools and generally faster query performance.
If none of these are set the connector will default to using a [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
Copy file name to clipboardExpand all lines: website/docs/components/data-connectors/elasticsearch/index.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -138,7 +138,7 @@ TLS is enabled automatically for `https://` endpoints.
138
138
- Nested object fields are exposed as JSON strings rather than structured columns.
139
139
- `date`and `date_nanos` fields are preserved as strings because Elasticsearch accepts heterogeneous date formats; cast to a timestamp in SQL when numeric comparison is required.
140
140
- `dense_vector`fields without a declared `dims` value fall back to `Utf8` and are not usable as a vector column.
141
-
- The connector issues a single `_search` request per query. The result set is capped at 10,000 hits (the Elasticsearch `index.max_result_window` default). Queries with `LIMIT N` fetch `min(N, 10000)` rows; queries without `LIMIT` return at most 10,000 rows. For larger result sets, accelerate the dataset.
141
+
- For queries with `LIMIT N` where N ≤ 10,000, the connector issues a single `_search` request. For larger result sets or queries without `LIMIT`, the connector automatically paginates using Point-In-Time (PIT) + `search_after`, fetching all matching documents in 10,000-hit batches.
142
142
- Pushdown of SQL predicates to Elasticsearch query DSL is limited; complex filter expressions are evaluated locally by DataFusion after fetching results.
143
143
144
144
Elasticsearch can also be configured as a [Vector Engine](../vectors/elasticsearch) for datasets sourced from other connectors (storing Spice-managed embeddings in Elasticsearch rather than querying an existing index).
Copy file name to clipboardExpand all lines: website/docs/components/data-connectors/flightsql.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -40,6 +40,10 @@ The dataset name. This will be used as the table name within Spice. The dataset
40
40
| `flightsql_username` | Optional. The username to use in the underlying Apache flight Handshake Request to authenticate to the server (see [reference](https://arrow.apache.org/docs/format/Flight.html#authentication)). |
41
41
| `flightsql_password` | Optional. The password to use in the underlying Apache flight Handshake Request to authenticate to the server. Use the [secret replacement syntax](../secret-stores/) to load the password from a secret store, e.g. `${secrets:my_flightsql_pass}`. |
42
42
| `flightsql_tls_ca_certificate_file` | Optional. Path to a CA certificate file (PEM format) to use for TLS verification instead of system certificates. |
43
+
| `flightsql_tls_client_certificate_file` | Optional. Path to a PEM client certificate chain for mutual TLS (mTLS). Must be set together with `flightsql_tls_client_key_file`. Mutually exclusive with `flightsql_tls_client_certificate`. |
44
+
| `flightsql_tls_client_key_file` | Optional. Path to the PEM private key matching `flightsql_tls_client_certificate_file`. Must be set together with `flightsql_tls_client_certificate_file`. Mutually exclusive with `flightsql_tls_client_key`. |
45
+
| `flightsql_tls_client_certificate` | Optional. Inline PEM client certificate chain for mutual TLS (mTLS). Use the [secret replacement syntax](../secret-stores/) to load from a secret store, e.g. `${secrets:my_cert}`. Must be set together with `flightsql_tls_client_key`. Mutually exclusive with `flightsql_tls_client_certificate_file`. |
46
+
| `flightsql_tls_client_key` | Optional. Inline PEM private key for mutual TLS (mTLS). Use the [secret replacement syntax](../secret-stores/) to load from a secret store, e.g. `${secrets:my_key}`. Must be set together with `flightsql_tls_client_certificate`. Mutually exclusive with `flightsql_tls_client_key_file`. |
0 commit comments