Commit a5916c2

claudespicelukekim authored and committed
fix: Correct pg_sslrootcert inline PEM claim and min_idle validation behavior
Remove the undocumented inline PEM content claim from pg_sslrootcert descriptions across both the data connector and data accelerator docs. The runtime code treats the value as a file path only — the inline PEM detection logic was never implemented. Also correct the data connector's min_idle vs pool size documentation: the bb8 connection pool silently caps min_idle at max_size rather than rejecting the configuration at startup (the startup rejection only applies to the accelerator's deadpool pool).
1 parent b3eb37a commit a5916c2

4 files changed

Lines changed: 6 additions & 6 deletions

website/docs/components/data-accelerators/postgres/deployment.md

Lines changed: 1 addition & 1 deletion
@@ -29,7 +29,7 @@ The accelerator uses the same Postgres wire-protocol authentication as the [Post
2929
| `pg_user` | Postgres user. Must have `CREATE`, `INSERT`, `UPDATE`, `DELETE`, `SELECT` on the target schema. |
3030
| `pg_pass` | Password. Use `${secrets:...}` to resolve from a configured secret store. |
3131
| `pg_sslmode` | TLS mode: `disable` / `prefer` / `require` / `verify-ca` / `verify-full`. |
32-
| `pg_sslrootcert` | CA bundle path or inline PEM content for `verify-ca` / `verify-full`. |
32+
| `pg_sslrootcert` | CA bundle file path for `verify-ca` / `verify-full`. |
3333

3434
For production, use `pg_sslmode: verify-full` and source passwords from a [secret store](../../secret-stores/). The accelerator sets `application_name` on each connection to the Spice.ai version, which surfaces in `pg_stat_activity` for attribution.
3535
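Review bot: The new `pg_sslrootcert` row drops the inline PEM wording without telling readers who followed the old text what to change. Per the commit message the runtime treats the value as a file path only, so a configuration holding a `-----BEGIN` value is read as a path. Suggest adding a sentence to the row, or directly under the table, saying that inline PEM content is not supported and that the CA bundle must be a file the runtime can read. Because the paragraph that follows recommends `pg_sslmode: verify-full` for production, it would also help to say how a missing or unreadable bundle file is reported.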

website/docs/components/data-accelerators/postgres/index.md

Lines changed: 1 addition & 1 deletion
@@ -38,7 +38,7 @@ The connection to PostgreSQL can be configured by providing the following `param
3838
- `prefer`: (default) This mode will try to establish a secure TLS connection if possible, but will connect insecurely if the server does not support TLS.
3939
- `disable`: This mode will not attempt to use a TLS connection, even if the server supports it.
4040
- `allow`: This mode will try a non-TLS connection first, then retry with TLS if the server requires it.
41-
- `pg_sslrootcert`: Optional. Path to a custom PEM certificate file, or inline PEM content, that the connector will trust. When the value starts with `-----BEGIN`, it is treated as inline PEM content rather than a file path.
41+
- `pg_sslrootcert`: Optional. Path to a custom PEM certificate file that the connector will trust.
4242
- `pg_connection_pool_min`: Optional. The minimum number of connections to keep open in the pool, lazily created when requested. Default is `5`.
4343
- `connection_pool_size`: Optional. The maximum number of connections created in the connection pool. Default is `10`.
4444
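Review bot: In the changed `pg_sslrootcert` bullet, "that the connector will trust" is connector wording on the accelerator's index page; suggest "that the accelerator will trust" so the page is consistent with itself. Separately, the `pg_connection_pool_min` and `connection_pool_size` bullets in the trailing context do not say what happens when the minimum exceeds the maximum. The commit message states that the accelerator's deadpool pool rejects that configuration at startup, and this page is where that should be documented now that the connector docs describe the opposite behavior.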

website/docs/components/data-connectors/postgres/deployment.md

Lines changed: 3 additions & 3 deletions
@@ -41,7 +41,7 @@ TLS is controlled via `pg_sslmode`:
4141
| `verify-ca` | Require TLS and verify the CA chain. |
4242
| `verify-full` | Require TLS, verify CA chain, and verify server hostname. |
4343

44-
For production, use `verify-full` with `pg_sslrootcert` pointing to the CA bundle (file path or inline PEM content).
44+
For production, use `verify-full` with `pg_sslrootcert` pointing to the CA bundle file path.
4545

4646
## Resilience Controls
4747
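Review bot: In the `+` line, "pointing to the CA bundle file path" reads awkwardly, since the parameter holds the path rather than pointing to one. Suggest: "For production, use `verify-full` with `pg_sslrootcert` set to the path of the CA bundle file." Stating in the same sentence that inline PEM content is not accepted would help readers who configured the value from the earlier wording.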

@@ -54,7 +54,7 @@ The connector maintains a per-dataset connection pool:
5454
| `pg_connection_pool_min_idle` | `1` | Minimum idle connections held by the pool. |
5555
| `connection_pool_size` | `5` | Maximum connections the pool will open. |
5656

57-
`pg_connection_pool_min_idle` must be less than or equal to `connection_pool_size`; conflicting values are rejected as configuration errors at startup.
57+
When `pg_connection_pool_min_idle` exceeds `connection_pool_size`, the pool silently caps idle connections at the pool size.
5858

5959
Size the pool to match concurrent query and refresh load for the dataset. The server's `max_connections` (default 100) is a shared budget across Spice datasets, other clients, and server-side background workers — plan accordingly, or front Postgres with PgBouncer.
6060
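Review bot: The replacement sentence documents that a conflicting setting is accepted silently, but it no longer tells the reader what to configure. Suggest keeping the constraint as guidance, for example: "Keep `pg_connection_pool_min_idle` less than or equal to `connection_pool_size`; a higher value is silently capped at the pool size." If the runtime logs anything when it caps the value, name the message here; if it logs nothing, say so, because the operator then has no signal that the configured value was ignored. A short pointer that the accelerator rejects the same misconfiguration at startup would keep the two pages from being read as contradictory.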

@@ -113,7 +113,7 @@ PostgreSQL operations participate in Spice [task history](../../../reference/tas
113113
| -------------------------------------------- | -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
114114
| `FATAL: password authentication failed` | Incorrect credentials. | Verify credentials via the secret store; test with `psql` using the same credentials. |
115115
| `FATAL: too many clients already` | Pool size + other clients exceeds server `max_connections`. | Reduce `connection_pool_size` or raise `max_connections` / front the server with PgBouncer. |
116-
| `pg_connection_pool_min_idle must be <= connection_pool_size` at startup | Misconfiguration. | Correct the values so `pg_connection_pool_min_idle <= connection_pool_size`. |
116+
| Idle connections never exceed `connection_pool_size` despite a higher `pg_connection_pool_min_idle` | The pool silently caps `min_idle` at the pool size. | Set `pg_connection_pool_min_idle` to `connection_pool_size` or lower for clarity. |
117117
| Sustained `active_wait_requests > 0` | Pool saturation. | Increase `connection_pool_size` or reduce concurrent refreshes. |
118118
| `certificate verify failed` | `pg_sslmode: verify-ca` / `verify-full` with wrong CA or hostname. | Verify `pg_sslrootcert` matches the server's issuing CA; with `verify-full` ensure hostname matches SAN. |
119119
| Sessions lingering with the default app name | Multiple Spice instances share the same version-based name. | The `application_name` is auto-set to the Spice.ai version and is not currently configurable. |
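Review bot: The symptom in the new troubleshooting row, "Idle connections never exceed `connection_pool_size`", does not identify the misconfiguration: idle connections are bounded by the maximum pool size in every configuration, so a correctly configured pool shows the same thing. Suggest describing what the operator would actually notice, for example "Fewer idle connections than the configured `pg_connection_pool_min_idle`", and keeping the cause and resolution columns as written. The new row is also much wider than the separator row at the top of the hunk; re-aligning the columns would keep the Markdown source readable.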

website/docs/components/data-connectors/postgres/index.md

Lines changed: 1 addition & 1 deletion
@@ -109,7 +109,7 @@ The connection to PostgreSQL can be configured by providing the following `param
109109
| `pg_user` | The username to connect with. |
110110
| `pg_pass` | The password to connect with. Use the [secret replacement syntax](../../components/secret-stores) to load the password from a secret store, e.g. `${secrets:my_pg_pass}`. |
111111
| `pg_sslmode` | Optional. Specifies the SSL/TLS behavior for the connection, supported values:<br /> <ul><li>`verify-full`: (default) This mode requires an SSL connection, a valid root certificate, and the server host name to match the one specified in the certificate.</li><li>`verify-ca`: This mode requires a TLS connection and a valid root certificate.</li><li>`require`: This mode requires a TLS connection.</li><li>`prefer`: This mode will try to establish a secure TLS connection if possible, but will connect insecurely if the server does not support TLS.</li><li>`disable`: This mode will not attempt to use a TLS connection, even if the server supports it.</li><li>`allow`: This mode will try a non-TLS connection first, then retry with TLS if the server requires it.</li></ul> |
112-
| `pg_sslrootcert` | Optional. Path to a custom PEM certificate file, or inline PEM content, that the connector will trust. When the value starts with `-----BEGIN`, it is treated as inline PEM content rather than a file path. |
112+
| `pg_sslrootcert` | Optional. Path to a custom PEM certificate file that the connector will trust. |
113113
| `pg_connection_pool_min_idle` | Optional. The minimum number of idle connections to keep open in the pool. Default is `1`. |
114114
| `connection_pool_size` | Optional. The maximum number of connections created in the connection pool. Default is `5`. |
115115
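Review bot: The new `pg_sslrootcert` row says the parameter is optional but not which certificate authorities are trusted when it is omitted. The `pg_sslmode` row directly above marks `verify-full` as the default and says it requires a valid root certificate, so the fallback applies to every configuration that leaves both parameters unset. Suggest stating the fallback trust source in this row. The `pg_connection_pool_min_idle` row in the trailing context could also mention that values above `connection_pool_size` are capped, to match the deployment page changed in this commit.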
