About the Automation Process

Let's review the actions the TimesTen Operator takes when you specify .spec.ttspec.clientTLS and set .spec.ttspec.clientTLS.auto: true in a TimesTenClassic object definition:
  • The TimesTen Operator runs the TimesTen ttCreateCerts -dir <temporary_directory> utility. The TimesTen Operator may supply additional options to the ttCreateCerts utility depending on the settings you provided in .spec.ttspec.clientTLS.

    For more information, see
  • The TimesTen Operator creates two directories that contain Oracle wallets. These wallets contain the self-signed certificates that were created by the ttCreateCerts utility:
    • /serverWallet/cwallet.sso: Contains the self-signed certificate for TimesTen servers.

    • /clientWallet/cwallet.sso: Contains the self-signed certificate for TimesTen clients.

    As an example, let's look at a directory structure for the tt container in a Pod named sampletls-0:
    [timesten@sampletls-0 /]$ pwd
    /
    [timesten@sampletls-0 /]$ ls -a serverWallet
    .  ..  cwallet.sso
    [timesten@sampletls-0 /]$ ls -a clientWallet
    .  ..  cwallet.sso

    Note that the /serverWallet/cwallet.sso and the /clientWallet/cwallet.sso wallets exist. These wallets contain the self-signed certificates required for client/server TLS encryption.

  • The TimesTen Operator creates two Kubernetes Secrets:
    • <name_of_TimesTenClassic_object>-server, where <name_of_TimesTenClassic_object> is the name of the TimesTenClassic object. This Kubernetes Secret contains the self-signed certificate that is stored in /serverWallet/cwallet.sso and used by TimesTen servers.

      The containers that run TimesTen are configured to mount this Secret. As a result, the /serverWallet/cwallet.sso wallet is available in the TimesTen containers.

    • <name_of_TimesTenClassic_object>-client, where <name_of_TimesTenClassic_object> is the name of the TimesTenClassic object. This Kubernetes Secret contains the self-signed certificate that is stored in /clientWallet/cwallet.sso and used by TimesTen clients.

    As an example, let's look at the Kubernetes Secrets created by the TimesTen Operator for a TimesTenClassic object named sampletls.
    kubectl get secrets
    NAME                                     TYPE                             DATA   AGE
    sampletls-client                         Opaque                           1      21m
    sampletls-server                         Opaque                           1      21m
    ...
  • The TimesTen Operator checks whether the /serverWallet directory exists in the tt container. If it does, the Operator adds the appropriate Wallet, Ciphersuites, and Encryption entries to the sys.odbc.ini file it generates. The values for these entries can come from the db.ini metadata file, from .spec.ttspec.clientTLS, or from both. See About Configuring a TimesTenClassic Object for Automatic Client/Server TLS Encryption.

After completing these steps, the TimesTen Operator has automatically configured TimesTen servers for client/server TLS encryption.

For client applications, when you define the Pods that run your applications, you can mount the client Secret in those Pods. You can then add a Wallet entry to the sys.odbc.ini file of those applications that directly references the wallet from this Secret. The steps in Configure and Deploy the TimesTenClassic Object show you how to do this.
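The following is an added example, not code from the TimesTen documentation or from the TimesTen Operator itself. It ties together the Secret naming and wallet paths from the steps above with the client-side setup described in the previous paragraph: it derives the <name>-server and <name>-client Secret names for a TimesTenClassic object, renders a client Pod manifest that mounts the client Secret read-only at /clientWallet, renders a client DSN for sys.odbc.ini that references /clientWallet/cwallet.sso, and checks a DSN for the two settings a practitioner cares about (a Wallet entry present and Encryption set to required). The application image name, the DSN name, the server host, and the assumption that the Secret's data key is cwallet.sso are illustrative and not taken from the page.

```python
"""Added example (not TimesTen documentation or Operator code).

Derives the Secrets and wallet paths the Operator produces for a
TimesTenClassic object, builds a client Pod manifest that mounts the
client Secret, and renders/validates the matching sys.odbc.ini DSN.
"""
import configparser
import json

# Paths and Secret naming follow the Operator behaviour described on this
# page. The data key inside the Secret (cwallet.sso) is an assumption.
SERVER_WALLET = "/serverWallet/cwallet.sso"
CLIENT_WALLET = "/clientWallet/cwallet.sso"
WALLET_KEY = "cwallet.sso"  # assumed key name inside the client Secret


def secret_names(tt_name):
    """Names of the two Secrets the Operator creates for a TimesTenClassic object."""
    return {"server": f"{tt_name}-server", "client": f"{tt_name}-client"}


def client_pod_manifest(tt_name, image, pod_name="ttclient"):
    """Pod that mounts the client Secret read-only at /clientWallet so that the
    application's sys.odbc.ini can reference /clientWallet/cwallet.sso.
    defaultMode 0400 keeps the wallet unreadable by other users in the container."""
    secret = secret_names(tt_name)["client"]
    mount_dir = CLIENT_WALLET.rsplit("/", 1)[0]  # "/clientWallet"
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": pod_name},
        "spec": {
            "containers": [{
                "name": "app",
                "image": image,  # hypothetical application image
                "volumeMounts": [{
                    "name": "client-wallet",
                    "mountPath": mount_dir,
                    "readOnly": True,
                }],
            }],
            "volumes": [{
                "name": "client-wallet",
                "secret": {"secretName": secret, "defaultMode": 0o400},
            }],
        },
    }


def client_dsn(dsn_name, server_host, server_dsn,
               wallet=CLIENT_WALLET, encryption="required"):
    """Render a client DSN for sys.odbc.ini that points at the mounted wallet
    and requires TLS rather than merely accepting it."""
    return (
        f"[{dsn_name}]\n"
        f"TTC_SERVER={server_host}\n"
        f"TTC_SERVER_DSN={server_dsn}\n"
        f"Wallet={wallet}\n"
        f"Encryption={encryption}\n"
    )


def check_client_dsn(ini_text, dsn_name):
    """Return a list of findings for one DSN; an empty list means the DSN
    references a wallet and will refuse an unencrypted connection."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep TimesTen attribute names case-sensitive
    cp.read_string(ini_text)
    if not cp.has_section(dsn_name):
        return [f"DSN {dsn_name} not found"]
    sec = cp[dsn_name]
    findings = []
    if "Wallet" not in sec:
        findings.append("no Wallet entry: the client has no certificate to trust")
    enc = sec.get("Encryption", "").strip().lower()
    if enc != "required":
        findings.append(f"Encryption={enc or '<unset>'}: only 'required' "
                        "guarantees that the connection is encrypted")
    return findings


if __name__ == "__main__":
    manifest = client_pod_manifest("sampletls", "example.test/app:1.0")
    print(json.dumps(manifest, indent=2))  # kubectl apply -f accepts JSON
    dsn = client_dsn("sampletls_cs", "ttserver.example", "sampletls")
    print(dsn)
    print("findings:", check_client_dsn(dsn, "sampletls_cs"))
```

The validator treats Encryption=accepted as a finding on purpose: it lets the connection proceed without TLS if the other side does not require it, so on the client side only Encryption=required pins the behaviour the page is configuring.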