Create Your Own Oracle Wallet, Certificates, and Kubernetes Secrets

Let's look at an example that shows you how to create your own Oracle Wallet, certificates, and Kubernetes Secrets. The example also shows you how to specify a Kubernetes Secret that contains an Oracle Wallet in a TimesTenClassic object YAML manifest file.

Note:

The steps are the same for a TimesTenScaleout object.

Before You Begin

The TimesTen ttExporter utility is located in the /bin directory of a TimesTen instance. Since the ttExporter utility is located in the TimesTen instance, you are required to create a TimesTen instance on your development host so that you have access to the ttExporter utility. You create a TimesTen instance from a TimesTen installation. A TimesTen installation is created when you unzip the TimesTen distribution.

You must download the TimesTen distribution and unzip it to create a TimesTen installation before beginning these steps. You may have already completed this process if you chose to build the TimesTen container image. See Unpack the TimesTen and the TimesTen Operator Distributions.

  1. If you have not already done so, download and unzip the TimesTen distribution into a directory on your development host.
  2. On your development host, from a directory of your choice, create a directory for the TimesTen instance. This example assumes you have previously created the /scratch/ttuser directory. The example creates the /scratch/ttuser/instance1_exporter_dir directory.
    mkdir /scratch/ttuser/instance1_exporter_dir
  3. Create the TimesTen instance using the ttInstanceCreate utility located in the TimesTen installation directory. Replace the following:
    • installation_dir: Name of the TimesTen installation directory. This is the directory where you unzipped the TimesTen distribution.

    • tt22.1.1.19.0: TimesTen release number in ttdottedrelease format, where dottedrelease is 22.1.1.19.0 in this example.
    • instance1_exporter: Name of the TimesTen instance.

    • /scratch/ttuser/instance1_exporter_dir: Location of the TimesTen instance. You created this directory in the previous step.

    ./installation_dir/tt22.1.1.19.0/bin/ttInstanceCreate -name instance1_exporter -location /scratch/ttuser/instance1_exporter_dir

    The output is similar to the following:

    Creating instance in /scratch/ttuser/instance1_exporter_dir/instance1_exporter ...
    
    NOTE: The TimesTen daemon startup/shutdown scripts have not been installed.
    
    The startup script is located here :
            '/scratch/ttuser/instance1_exporter_dir/instance1_exporter/startup/tt_instance1_exporter'
    
    Run the 'setuproot' script :
            /scratch/ttuser/instance1_exporter_dir/instance1_exporter/bin/setuproot -install
    This will move the TimesTen startup script into its appropriate location.
    
    The 22.1 Release Notes are located here :
      '/scratch/ttuser/installation_dir/tt22.1.1.19.0/README.html'
    
    Instance created successfully.
  4. Set the TIMESTEN_HOME environment variable. You must set this variable before you run the ttExporter utility. This example uses the bash Bourne-type shell.
    . /scratch/ttuser/instance1_exporter_dir/instance1_exporter/bin/ttenv.sh

    The output is similar to the following, with not all output shown:

    LD_LIBRARY_PATH set to ...
    ...
    PATH set to ...
    ...
    CLASSPATH set to ...
    TIMESTEN_HOME set to /scratch/ttuser/instance1_exporter_dir/instance1_exporter
    
You successfully created the TimesTen instance on your development host. You are now ready to use the ttExporter utility to create the certificates.

Create Certificates

The following certificates are required to secure the TimesTen exporter with mutual Transport Layer Security (mutual TLS) over https:
  • Server certificate: A self-signed certificate that is stored in an Oracle Wallet. This certificate is used by the TimesTen exporter. The name of the Oracle Wallet is cwallet.sso.

  • Exported server certificate: The self-signed server certificate in PEM format. This certificate is required for your Prometheus configuration.

  • Client certificate and client private key: The client certificate and the client private key required for your Prometheus configuration.

The following steps show you how to create these certificates:

  1. Check that the TIMESTEN_HOME environment variable is set. You set this environment variable in a previous step. See Before You Begin.
    echo $TIMESTEN_HOME

    The output is the following:

    /scratch/ttuser/instance1_exporter_dir/instance1_exporter
  2. On your development host, from a directory of your choice, create a subdirectory to store an Oracle Wallet. This example creates the exportercertdir directory.
    mkdir -p exportercertdir
  3. Create the self-signed server certificate. This certificate is stored as an Oracle Wallet. The name of the file that contains the Oracle Wallet is cwallet.sso. It contains the certificate information required by the TimesTen exporter. Later, you will use a Kubernetes Secret to place the cwallet.sso Oracle Wallet file into the /ttconfig/exporterWallet location of the exporter container.
    ttExporter -create-server-certificate -certificate-common-name *.samplecertsecret.mynamespace.svc.cluster.local -certificate-alt-names *.samplecertsecret.mynamespace.svc.cluster.local -certificate-directory exportercertdir

    The -certificate-common-name and -certificate-alt-names ttExporter options are required. For detailed information on these options, see ttExporter in the Oracle TimesTen In-Memory Database Reference.

    The -certificate-common-name option is the Common Name (CN) that is included in the certificate. It matches the DNS name where the certificate is installed. This CN can contain only one name. Single-level wildcards are acceptable. In this example, the CN name is *.samplecertsecret.mynamespace.svc.cluster.local, where:
    • * is a single-level wildcard.

    • samplecertsecret is the name of your TimesTenClassic or your TimesTenScaleout object.

    • mynamespace is the name of your namespace.

    • svc.cluster.local completes the required format for the DNS name.
    The -certificate-alt-names option is the Subject Alternative Name (SAN) that is included in the certificate. This name includes the CN mentioned previously as well as any other DNS names that need access to the TimesTen exporter. Single-level wildcards are acceptable. In this example, the SAN name includes only the CN name. Specifically, the SAN name is *.samplecertsecret.mynamespace.svc.cluster.local, where:
    • * is a single-level wildcard.

    • samplecertsecret is the name of your TimesTenClassic or your TimesTenScaleout object.

    • mynamespace is the name of your namespace.

    • svc.cluster.local completes the required format for the DNS name.

    Since these options require you to specify the name of the TimesTenClassic (or the TimesTenScaleout) object and the name of your namespace, you must know these names before completing this step. In addition, you must use these same names when defining your TimesTenClassic or your TimesTenScaleout object; otherwise, the names in the certificate will not match the DNS names of the exporter.

  4. Export the server certificate.
    ttExporter -export-server-certificate exportercertdir/server.crt -certificate-directory exportercertdir

    This command exports the server certificate in PEM format. In this example, the name of the file that contains the certificate is server.crt. Save this file. You need it later when configuring Prometheus.

  5. Create and export the client certificate and the client private key.
    ttExporter -export-client-certificate exportercertdir/client.crt -export-client-private-key exportercertdir/key.crt -certificate-directory exportercertdir

    This command creates the client certificate. In this example, the contents of the client certificate are stored in the client.crt file. The command also creates the client private key and stores its contents in the key.crt file. Save these files. You need them later when configuring Prometheus.

  6. (Optional) Verify that the certificates were created.
    ls -a exportercertdir

    The output is similar to the following:

    .   client.crt  server.crt
    ..  key.crt     .ttwallet.BA0F2D86-B6D2-4095-A4D0-CDF1FF89E9BF

    Verify the ttExporter utility has created the Oracle Wallet.

    ls -a exportercertdir/.ttwallet*

    The output is the following:

    .  ..  cwallet.sso
You have successfully created the server certificate, the client certificate, and the client private key. Make a note of these files and their location. You need them later. Specifically, you need to specify the cwallet.sso Oracle Wallet file when you create the Kubernetes Secret. See Create a Kubernetes Secret Containing an Oracle Wallet. In addition, you need to specify the server.crt, the client.crt, and the key.crt files later when you configure Prometheus.

Note:

Configuring Prometheus is outside the scope of this book. For information on configuring Prometheus, see About configuring the TimesTen exporter and Prometheus with client certificate authentication in the Oracle TimesTen In-Memory Database Monitoring and Troubleshooting Guide.

Create a Kubernetes Secret Containing an Oracle Wallet

The following steps show you how to create a Kubernetes Secret for an Oracle Wallet. This Oracle Wallet contains the self-signed server certificate. You created the Oracle Wallet in Create Certificates.

  1. On your development host, from a directory of your choice, create an empty subdirectory for the Oracle Wallet (the cwallet.sso file). This example creates the walletdir subdirectory.
    mkdir -p walletdir
  2. Copy the cwallet.sso Oracle Wallet to the directory.
    cp exportercertdir/.ttwallet*/cwallet.sso walletdir/cwallet.sso

    In this example, the Oracle Wallet is the cwallet.sso file located in the exportercertdir/.ttwallet* directory. The ttExporter utility created this directory in Create Certificates.

  3. Create the Kubernetes Secret for the Oracle Wallet. Be sure to specify exporterWallet as the key: the TimesTen Operator places the wallet in the exporter container at /ttconfig/exporterWallet.
    kubectl create secret generic prometheuscert --from-file=exporterWallet=walletdir/cwallet.sso
    The kubectl create secret generic command does the following:
    • Creates the prometheuscert Kubernetes Secret.

    • Stores the wallet under the exporterWallet key. This key name is required when including the cwallet.sso file in the Secret.

    • Defines walletdir as the location for the cwallet.sso file.

    • Defines the cwallet.sso file as the name of the Oracle Wallet file.

    The output is the following:
    secret/prometheuscert created
You have successfully created the Kubernetes Secret. Make a note of the name of the Secret. You use it later when you create your TimesTenClassic or TimesTenScaleout object.

Define and Deploy a TimesTenClassic Object

Let's define a TimesTenClassic object with the appropriate information such that the TimesTen Operator automatically provisions the TimesTen exporter in a separate container within each Pod that is running TimesTen. Let's use the .spec.ttspec.prometheus.certSecret datum to instruct the TimesTen Operator to use the Oracle Wallet located in the Kubernetes Secret that you previously created. (You created this Secret in Create a Kubernetes Secret Containing an Oracle Wallet.)

  1. Define a TimesTenClassic object.
    vi samplecertsecret.yaml
    
    apiVersion: timesten.oracle.com/v1
    kind: TimesTenClassic
    metadata:
      name: samplecertsecret
    spec:
      ttspec:
        storageClassName: oci-bv
        storageSize: 250G
        image: container-registry.oracle.com/timesten/timesten:22.1.1.19.0
        imagePullSecret: sekret
        prometheus:
          certSecret: prometheuscert
          port: 7777
        dbConfigMap:
        - samplecertsecret
    
    Note the following:
    • The .spec.ttspec.prometheus clause is specified. Because of this, the TimesTen Operator provisions a TimesTen exporter container in each TimesTen Pod.

    • The .spec.ttspec.prometheus.certSecret datum is specified. The value of this datum is the name of the Kubernetes Secret containing the Oracle Wallet you previously created.

    • The TimesTen exporter is listening on port 7777.
  2. Create the TimesTenClassic object from the contents of the YAML file.
    kubectl create -f samplecertsecret.yaml
    The output is the following:
    configmap/samplecertsecret created
    timestenclassic.timesten.oracle.com/samplecertsecret created
  3. Wait a few minutes then confirm the TimesTenClassic object is in the Normal state. Confirm also that the TimesTen Operator provisioned a TimesTen exporter container in each TimesTen Pod.
    kubectl get ttc samplecertsecret
    The output is the following:
    NAME               STATE    ACTIVE               AGE
    samplecertsecret   Normal   samplecertsecret-0   6m19s
    

    Confirm there is a TimesTen exporter container.

    kubectl get pods

    The output is the following:

    NAME                                  READY   STATUS    RESTARTS   AGE
    samplecertsecret-0                    3/3     Running   0          2m59s
    samplecertsecret-1                    3/3     Running   0          2m59s
    timesten-operator-7f77c749fd-lkhtr    1/1     Running   0          60m
    

    The TimesTen Operator provisioned three containers for each TimesTen Pod. One container is running the TimesTen exporter. The TimesTen exporter is listening on port 7777 and functions as an https server.
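
The certificate names from Create Certificates, the TimesTenClassic manifest, and the wallet Secret must agree, or Prometheus will fail hostname verification against the exporter. The following Python script is an added example (not part of the TimesTen documentation or the Operator) that checks this agreement before you deploy; it assumes that each Pod is reachable as <object>-N.<object>.<namespace>.svc.cluster.local, and the manifest and Secret it uses are constructed stand-ins for the ones created above.

```python
"""Pre-flight check that the ttExporter certificate names, the TimesTenClassic
manifest and the wallet Secret agree. Constructed example, not TimesTen code."""

SUFFIX = "svc.cluster.local"
WALLET_KEY = "exporterWallet"  # Secret key the exporter wallet must be stored under

def expected_cert_name(object_name: str, namespace: str) -> str:
    """CN/SAN the procedure prescribes: a single-level wildcard over the object's zone."""
    return f"*.{object_name}.{namespace}.{SUFFIX}"

def pod_dns_names(object_name: str, namespace: str, replicas: int) -> list[str]:
    """Assumed Pod FQDNs (StatefulSet plus a headless Service named after the object)."""
    return [f"{object_name}-{i}.{object_name}.{namespace}.{SUFFIX}" for i in range(replicas)]

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """TLS-style name match: a leading '*' covers exactly one DNS label, never more."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def check_deployment(cn: str, alt_names: list[str], namespace: str,
                     manifest: dict, secret: dict, replicas: int = 2) -> list[str]:
    """Return a list of problems; an empty list means the pieces line up."""
    name = manifest["metadata"]["name"]
    want = expected_cert_name(name, namespace)
    problems = []
    if cn != want:
        problems.append(f"CN {cn!r} does not match object and namespace; expected {want!r}")
    if cn not in alt_names:
        problems.append("the SAN list must include the CN")
    for fqdn in pod_dns_names(name, namespace, replicas):
        if not any(wildcard_matches(san, fqdn) for san in alt_names):
            problems.append(f"no SAN covers the Pod name {fqdn}")
    cert_secret = manifest["spec"]["ttspec"].get("prometheus", {}).get("certSecret")
    if cert_secret != secret["metadata"]["name"]:
        problems.append(f"certSecret {cert_secret!r} does not name the Secret {secret['metadata']['name']!r}")
    if WALLET_KEY not in secret.get("data", {}):
        problems.append(f"Secret lacks the {WALLET_KEY!r} key; use --from-file={WALLET_KEY}=walletdir/cwallet.sso")
    return problems

# Constructed stand-ins for the page's manifest and Secret (not from a real cluster).
MANIFEST = {"apiVersion": "timesten.oracle.com/v1", "kind": "TimesTenClassic",
            "metadata": {"name": "samplecertsecret"},
            "spec": {"ttspec": {"prometheus": {"certSecret": "prometheuscert", "port": 7777}}}}
SECRET = {"metadata": {"name": "prometheuscert"}, "data": {WALLET_KEY: "<base64 cwallet.sso>"}}

if __name__ == "__main__":
    cn = expected_cert_name("samplecertsecret", "mynamespace")
    print(check_deployment(cn, [cn], "mynamespace", MANIFEST, SECRET))    # []
    print(check_deployment(cn, [cn], "othernamespace", MANIFEST, SECRET))  # 3 problems
```

Deploying the same wallet into a different namespace is reported as a CN mismatch plus one uncovered Pod name per replica, which is exactly what Prometheus would reject at the TLS handshake.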

Your next step is to edit the appropriate Prometheus configuration files to cause Prometheus to scrape TimesTen metrics. For more information about configuring Prometheus, see https://prometheus.io/docs/prometheus/latest/configuration/configuration/.