Merged
Expand Up @@ -29,7 +29,7 @@ The accelerator uses the same Postgres wire-protocol authentication as the [Post
| `pg_user` | Postgres user. Must have `CREATE`, `INSERT`, `UPDATE`, `DELETE`, `SELECT` on the target schema. |
| `pg_pass` | Password. Use `${secrets:...}` to resolve from a configured secret store. |
| `pg_sslmode` | TLS mode: `disable` / `prefer` / `require` / `verify-ca` / `verify-full`. |
| `pg_sslrootcert` | CA bundle path or inline PEM content for `verify-ca` / `verify-full`. |
| `pg_sslrootcert` | CA bundle file path for `verify-ca` / `verify-full`. |

For production, use `pg_sslmode: verify-full` and source passwords from a [secret store](../../secret-stores/). The accelerator sets `application_name` on each connection to the Spice.ai version, which surfaces in `pg_stat_activity` for attribution.
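
Review bot: The rewritten `pg_sslrootcert` row accepts only a file path, but the production paragraph below the table still covers only `pg_sslmode` and the password, and says nothing about where the CA bundle has to live. Suggest extending that paragraph to say the CA bundle must be a file readable by the runtime, and stating in the row that inline PEM content is not accepted, so readers with a PEM string in their config know to move it to a file.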

Expand Up @@ -38,7 +38,7 @@ The connection to PostgreSQL can be configured by providing the following `param
- `prefer`: (default) This mode will try to establish a secure TLS connection if possible, but will connect insecurely if the server does not support TLS.
- `disable`: This mode will not attempt to use a TLS connection, even if the server supports it.
- `allow`: This mode will try a non-TLS connection first, then retry with TLS if the server requires it.
- `pg_sslrootcert`: Optional. Path to a custom PEM certificate file, or inline PEM content, that the connector will trust. When the value starts with `-----BEGIN`, it is treated as inline PEM content rather than a file path.
- `pg_sslrootcert`: Optional. Path to a custom PEM certificate file that the connector will trust.
- `pg_connection_pool_min`: Optional. The minimum number of connections to keep open in the pool, lazily created when requested. Default is `5`.
- `connection_pool_size`: Optional. The maximum number of connections created in the connection pool. Default is `10`.
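
Review bot: On the `pg_sslrootcert` bullet, the deleted sentence was the only place that explained the `-----BEGIN` detection, and the replacement does not say that inline PEM is no longer accepted. The bullet also does not say which `pg_sslmode` values use the certificate, and this file marks `prefer` as the default, which "will connect insecurely if the server does not support TLS". Suggest adding that the value must be a file path and that it is meant to be paired with `verify-ca` or `verify-full`.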

Expand Up @@ -41,7 +41,7 @@ TLS is controlled via `pg_sslmode`:
| `verify-ca` | Require TLS and verify the CA chain. |
| `verify-full` | Require TLS, verify CA chain, and verify server hostname. |

For production, use `verify-full` with `pg_sslrootcert` pointing to the CA bundle (file path or inline PEM content).
For production, use `verify-full` with `pg_sslrootcert` pointing to the CA bundle file path.

## Resilience Controls
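
Review bot: In the rewritten production sentence, "pointing to the CA bundle file path" reads awkwardly, since the parameter is set to a path rather than pointing to one. Suggest "use `verify-full` with `pg_sslrootcert` set to the path of the CA bundle file", plus a short clause that inline PEM content is not supported if that is the reason for the edit.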

Expand All @@ -54,7 +54,7 @@ The connector maintains a per-dataset connection pool:
| `pg_connection_pool_min_idle` | `1` | Minimum idle connections held by the pool. |
| `connection_pool_size` | `5` | Maximum connections the pool will open. |

`pg_connection_pool_min_idle` must be less than or equal to `connection_pool_size`; conflicting values are rejected as configuration errors at startup.
When `pg_connection_pool_min_idle` exceeds `connection_pool_size`, the pool silently caps idle connections at the pool size.

Size the pool to match concurrent query and refresh load for the dataset. The server's `max_connections` (default 100) is a shared budget across Spice datasets, other clients, and server-side background workers — plan accordingly, or front Postgres with PgBouncer.
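
Review bot: The new sentence under the pool table says a `pg_connection_pool_min_idle` above `connection_pool_size` is "silently" capped, where the old text promised a configuration error at startup, so a misconfigured value now goes unnoticed. Suggest saying whether the runtime logs a warning when it caps the value, and keeping an explicit recommendation that `pg_connection_pool_min_idle` be less than or equal to `connection_pool_size`. If the two sentences describe different releases, name the version the new behaviour applies from.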

Expand Down Expand Up @@ -113,7 +113,7 @@ PostgreSQL operations participate in Spice [task history](../../../reference/tas
| -------------------------------------------- | -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| `FATAL: password authentication failed` | Incorrect credentials. | Verify credentials via the secret store; test with `psql` using the same credentials. |
| `FATAL: too many clients already` | Pool size + other clients exceeds server `max_connections`. | Reduce `connection_pool_size` or raise `max_connections` / front the server with PgBouncer. |
| `pg_connection_pool_min_idle must be <= connection_pool_size` at startup | Misconfiguration. | Correct the values so `pg_connection_pool_min_idle <= connection_pool_size`. |
| Idle connections never exceed `connection_pool_size` despite a higher `pg_connection_pool_min_idle` | The pool silently caps `min_idle` at the pool size. | Set `pg_connection_pool_min_idle` to `connection_pool_size` or lower for clarity. |
| Sustained `active_wait_requests > 0` | Pool saturation. | Increase `connection_pool_size` or reduce concurrent refreshes. |
| `certificate verify failed` | `pg_sslmode: verify-ca` / `verify-full` with wrong CA or hostname. | Verify `pg_sslrootcert` matches the server's issuing CA; with `verify-full` ensure hostname matches SAN. |
| Sessions lingering with the default app name | Multiple Spice instances share the same version-based name. | The `application_name` is auto-set to the Spice.ai version and is not currently configurable. |
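
Review bot: In the replacement troubleshooting row, the Cause cell says the pool caps `min_idle`, while every other mention uses the full parameter name `pg_connection_pool_min_idle`; use the full name so the row is searchable. The Symptom cell also describes something an operator can only see through a metric or a connection count, unlike the removed row, which quoted the startup error text; suggest naming where the idle connection count can be observed. The trailing "for clarity" in the Resolution cell can be dropped.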
2 changes: 1 addition & 1 deletion website/docs/components/data-connectors/postgres/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ The connection to PostgreSQL can be configured by providing the following `param
| `pg_user` | The username to connect with. |
| `pg_pass` | The password to connect with. Use the [secret replacement syntax](../../components/secret-stores) to load the password from a secret store, e.g. `${secrets:my_pg_pass}`. |
| `pg_sslmode` | Optional. Specifies the SSL/TLS behavior for the connection, supported values:<br /> <ul><li>`verify-full`: (default) This mode requires an SSL connection, a valid root certificate, and the server host name to match the one specified in the certificate.</li><li>`verify-ca`: This mode requires a TLS connection and a valid root certificate.</li><li>`require`: This mode requires a TLS connection.</li><li>`prefer`: This mode will try to establish a secure TLS connection if possible, but will connect insecurely if the server does not support TLS.</li><li>`disable`: This mode will not attempt to use a TLS connection, even if the server supports it.</li><li>`allow`: This mode will try a non-TLS connection first, then retry with TLS if the server requires it.</li></ul> |
| `pg_sslrootcert` | Optional. Path to a custom PEM certificate file, or inline PEM content, that the connector will trust. When the value starts with `-----BEGIN`, it is treated as inline PEM content rather than a file path. |
| `pg_sslrootcert` | Optional. Path to a custom PEM certificate file that the connector will trust. |
| `pg_connection_pool_min_idle` | Optional. The minimum number of idle connections to keep open in the pool. Default is `1`. |
| `connection_pool_size` | Optional. The maximum number of connections created in the connection pool. Default is `5`. |
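
Review bot: The new `pg_sslrootcert` row calls the value a "custom PEM certificate file", while the other pages touched in this change call it a CA bundle; suggest "Path to a PEM-encoded CA certificate bundle file" so the wording matches. The removed sentence documented the `-----BEGIN` inline form, so the row should also state that inline PEM content is not accepted, otherwise existing configs that use it have nothing to go on.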
