Infrastructure Engineer

Why this job matters

Network-as-a service (NaaS) is a strategic enabler within BT’s mobile network architecture, designed to unlock and expose core network capabilities in reliable and commercially governed manner. NaaS provides centralized API exposure capabilities, allowing BT to publish and manage GSMA CAMARA aligned APIs in a secure, traceable, and programmatic manner. This role ensures the underlying multi‑site, resilient, automated, secure infrastructure powering NaaS APIs is engineered, governed and operated to carrier‑grade standards.You will design and automate infrastructure for Kubernetes‑hosted network APIs, API gateways (Apigee/Kong), identity and consent services, routing and aggregator integrations — with a strong emphasis on PKI, certificate lifecycle automation, secrets management (Vault) and gateway-level security.

What you’ll be doing

• Design and operate cloud‑native environments hosting NaaS components (API gateway, identity & consent services, aggregator integrations, TMF‑931 APIs).
• Engineer infrastructure supporting dual‑site deployments on BT’s private cloud ecosystem with active/active or active/standby failover patterns.
• Maintain Kubernetes workloads deployed via Helm charts and environment‑specific configuration pipelines used in NaaS delivery.
• Optimise cluster networking, pod‑to‑pod routing, overlay networks, and VPC connectivity required for NaaS northbound/southbound integration.
• Standardise GitLab‑based deployment automation used across NaaS (e.g., templated Helm chart rollouts, environment switching, version promotion).
• Create automated patterns for repetitive run tasks: certificate rotation, namespace creation, resource onboarding and gateway policy application.
• Configure and operate NGINX (Ingress) and Kong API Gateway for internal/external API exposure, including routing, transformations, policies, plugins, and rate limiting.
• Build automation pipelines for dynamic secrets, lease renewal, token lifecycle and secret‑rotation using Vault Agents or sidecar models.
• Ensure API services and ingress components follow strict Zero‑Trust and mTLS standards.
• Operate Kong API Gateway with automated provisioning of routes, consumers, plugins, certificates, OAuth/OIDC configs, and rate‑limit/security policies.
• Instrument NGINX and Kong with structured logging, metrics, gateway tracing and plugin‑level observability.
• Validate multi‑site GSLB routing for API flows using synthetic probes, ingress/gateway failover testing and API path validation.

What you'll bring

MANDATORY

• Strong Linux fundamentals and troubleshooting (system performance, networking, storage).

• Practical understanding of L7/L4 load balancing, service mesh, DNS/GSLB, certificate mgmt and API connectivity patterns into telco/core systems.

• Strong understanding of CA hierarchies, mTLS, certificate lifecycle management, CRL/OCSP, key rotation, HSM/KMS.
• Ability to design automated certificate workflows for Kubernetes, gateways, and service mesh.
• Deep configuration experience (ingress rules, SSL termination, upstream configuration, rewrite/redirect rules) on NGINX including Performance tuning, rate limiting, mTLS enforcement, header-based routing etc.
• Understanding of service registration, upstream health checks, traffic routing, consumer management etc.
• Expertise with Kong plugins (JWT, ACL, rate limit, key auth, OIDC, mTLS), declarative configs (Kong YAML), and Ingress Controller
• Access, use, and disclose information only as required for the job; ensure appropriate safeguards and adherence to Information Security policies.
• Familiar to Hashicorp Vault
• Familiarity with ITIL/incident management and change practices (or equivalent experience).
• Excellent verbal and written communication and interpersonal skills.

NICE TO HAVE

• Expertise in automating secret delivery via Vault Agent, Vault Injector or GitLab CI integration.
• Automation mindset: scripting (Python/Bash) + one or more of Terraform/Ansible/Helm/Kustomize/GitOps.
• Experience designing observability for serverless systems (logs/metrics/traces) and implementing distributed tracing and dashboards using open standards and various tooling like Elastic, Grafana etc.
• CAMARA and TMF‑931 familiarity; API aggregator marketplace exposure (e.g., AWS/Vonage/NAC listings)
• Experience with network automation (YANG/NETCONF/RESTCONF, Ansible) and telco workloads.
• Kubernetes certification (e.g., CKA/CKAD).

What's in it for you

• 10% on target bonus
• BT Pension scheme, minimum 5% Employee contribution, BT contribution 10%
• Life Assurance Cover
• Exclusive colleague discounts on our latest and greatest BT broadband packages, BT TV with TNT Sports and NOW Entertainment
• From January 2025, equal family leave: receive 18 weeks at full pay, 8 weeks at half pay and 26 weeks at the statutory rate. It’s for all parents, no matter how your family is made up.
• Enhanced women’s health support: including help with menopause symptoms, cancer screenings, period care and more.
• 25 days annual leave (not including bank holidays), increasing with service
• 24/7 private virtual GP appointments for UK colleagues
• 2 weeks carer’s leave
• World-class training and development opportunities
• Option to join BT Shares Saving schemes