Overview
Network-as-a-service (NaaS) is a strategic enabler within BT's mobile network architecture, designed to unlock and expose core network capabilities in a reliable and commercially governed manner. NaaS provides centralized API exposure capabilities, allowing BT to publish and manage GSMA CAMARA aligned APIs in a secure, traceable, and programmatic manner. This role ensures the underlying multi-site, resilient, automated, secure infrastructure powering NaaS APIs is engineered, governed and operated to carrier-grade standards. You will design and automate infrastructure for Kubernetes-hosted network APIs, API gateways (Apigee/Kong), identity and consent services, routing and aggregator integrations - with a strong emphasis on PKI, certificate lifecycle automation, secrets management (Vault) and gateway-level security.
BT Group was the world's first telco and our heritage in the sector is unrivalled. As home to several of the UK's most recognised and cherished brands - BT, EE, Openreach and Plusnet, we have always played a critical role in creating the future, and we have reached an inflection point in the transformation of our business.
Responsibilities
* Engineer infrastructure supporting dual-site deployments on BT's private cloud ecosystem with active/active or active/standby failover patterns.
* Maintain Kubernetes workloads deployed via Helm charts and environment-specific configuration pipelines used in NaaS delivery.
* Optimise cluster networking, pod-to-pod routing, overlay networks, and VPC connectivity required for NaaS northbound/southbound integration.
* Standardise GitLab-based deployment automation used across NaaS (e.g., templated Helm chart rollouts, environment switching, version promotion).
* Create automated patterns for repetitive run tasks: certificate rotation, namespace creation, resource onboarding and gateway policy application.
* Configure and operate NGINX (Ingress) and Kong API Gateway for internal/external API exposure, including routing, transformations, policies, plugins, and rate limiting.
* Build automation pipelines for dynamic secrets, lease renewal, token lifecycle and secret-rotation using Vault Agents or sidecar models.
* Ensure API services and ingress components follow strict Zero-Trust and mTLS standards.
* Operate Kong API Gateway with automated provisioning of routes, consumers, plugins, certificates, OAuth/OIDC configs, and rate-limit/security policies.
* Instrument NGINX and Kong with structured logging, metrics, gateway tracing and plugin-level observability.
* Validate multi-site GSLB routing for API flows using synthetic probes, ingress/gateway failover testing and API path validation.
* Strong Linux fundamentals and troubleshooting (system performance, networking, storage).
* Practical understanding of L7/L4 load balancing, service mesh, DNS/GSLB, certificate management and API connectivity patterns into telco/core systems.
* Strong understanding of CA hierarchies, mTLS, certificate lifecycle management, CRL/OCSP, key rotation, HSM/KMS.
* Ability to design automated certificate workflows for Kubernetes, gateways, and service mesh.
* Deep configuration experience (ingress rules, SSL termination, upstream configuration, rewrite/redirect rules) on NGINX including performance tuning, rate limiting, mTLS enforcement, header-based routing etc.
* Understanding of service registration, upstream health checks, traffic routing, consumer management etc.
* Expertise with Kong plugins (JWT, ACL, rate limit, key auth, OIDC, mTLS), declarative configs (Kong YAML), and Ingress Controller.
* Access, use, and disclose information only as required for the job; ensure appropriate safeguards and adherence to Information Security policies.
* Familiarity with HashiCorp Vault.
* Familiarity with ITIL/incident management and change practices (or equivalent experience).
* Excellent verbal and written communication and interpersonal skills.
Nice to have
* Expertise in automating secret delivery via Vault Agent, Vault Injector or GitLab CI integration.
* Automation mindset: scripting (Python/Bash) + one or more of Terraform/Ansible/Helm/Kustomize/GitOps.
* Experience designing observability for serverless systems (logs/metrics/traces) and implementing distributed tracing and dashboards using open standards and various tooling like Elastic, Grafana etc.
* CAMARA and TMF-931 familiarity; API aggregator marketplace exposure (e.g., AWS/Vonage/NAC listings).
* Experience with network automation (YANG/NETCONF/RESTCONF, Ansible) and telco workloads.
* Kubernetes certification (e.g., CKA/CKAD).
Benefits
* 10% on target bonus
* BT Pension scheme, minimum 5% Employee contribution, BT contribution 10%
* Life Assurance Cover
* Exclusive colleague discounts on our latest and greatest BT broadband packages, BT TV with TNT Sports and NOW Entertainment
* From January 2025, equal family leave: receive 18 weeks at full pay, 8 weeks at half pay and 26 weeks at the statutory rate. It's for all parents, no matter how your family is made up.
* Enhanced women's health support: including help with menopause symptoms, cancer screenings, period care and more.
* 25 days annual leave (not including bank holidays), increasing with service
* 24/7 private virtual GP appointments for UK colleagues
* 2 weeks carer's leave
* World-class training and development opportunities
* Option to join BT Shares Saving schemes