About the role

Network-as-a service (NaaS) is a strategic enabler within BT’s mobile network architecture, designed to unlock and expose core network capabilities in reliable and commercially governed manner. NaaS provides centralized API exposure capabilities, allowing BT to publish and manage GSMA CAMARA aligned APIs in a secure, traceable, and programmatic manner. This role ensures the underlying multi‑site, resilient, automated, secure infrastructure powering NaaS APIs is engineered, governed and operated to carrier‑grade standards.You will design and automate infrastructure for Kubernetes‑hosted network APIs, API gateways (Apigee/Kong), identity and consent services, routing and aggregator integrations — with a strong emphasis on PKI, certificate lifecycle automation, secrets management (Vault) and gateway-level security.

What you’ll be doing

• Design and operate cloud‑native environments hosting NaaS components (API gateway, identity & consent services, aggregator integrations, TMF‑931 APIs).
• Engineer infrastructure supporting dual‑site deployments on BT’s private cloud ecosystem with active/active or active/standby failover patterns.
• Maintain Kubernetes workloads deployed via Helm charts and environment‑specific configuration pipelines used in NaaS delivery.
• Optimise cluster networking, pod‑to‑pod routing, overlay networks, and VPC connectivity required for NaaS northbound/southbound integration.
• Standardise GitLab‑based deployment automation used across NaaS (e.g., templated Helm chart rollouts, environment switching, version promotion).
• Create automated patterns for repetitive run tasks: certificate rotation, namespace creation, resource onboarding and gateway policy application.
• Configure and operate NGINX (Ingress) and Kong API Gateway for internal/external API exposure, including routing, transformations, policies, plugins, and rate limiting.
• Build automation pipelines for dynamic secrets, lease renewal, token lifecycle and secret‑rotation using Vault Agents or sidecar models.
• Ensure API services and ingress components follow strict Zero‑Trust and mTLS standards.
• Operate Kong API Gateway with automated provisioning of routes, consumers, plugins, certificates, OAuth/OIDC configs, and rate‑limit/security policies.
• Instrument NGINX and Kong with structured logging, metrics, gateway tracing and plugin‑level observability.
• Validate multi‑site GSLB routing for API flows using synthetic probes, ingress/gateway failover testing and API path validation.

Essential Skills / Experience

• Strong Linux fundamentals and troubleshooting (system performance, networking, storage).

• Practical understanding of L7/L4 load balancing, service mesh, DNS/GSLB, certificate mgmt and API connectivity patterns into telco/core systems.

• Strong understanding of CA hierarchies, mTLS, certificate lifecycle management, CRL/OCSP, key rotation, HSM/KMS.
• Ability to design automated certificate workflows for Kubernetes, gateways, and service mesh.
• Deep configuration experience (ingress rules, SSL termination, upstream configuration, rewrite/redirect rules) on NGINX including Performance tuning, rate limiting, mTLS enforcement, header-based routing etc.
• Understanding of service registration, upstream health checks, traffic routing, consumer management etc.
• Expertise with Kong plugins (JWT, ACL, rate limit, key auth, OIDC, mTLS), declarative configs (Kong YAML), and Ingress Controller
• Access, use, and disclose information only as required for the job; ensure appropriate safeguards and adherence to Information Security policies.
• Familiar to Hashicorp Vault
• Familiarity with ITIL/incident management and change practices (or equivalent experience).
• Excellent verbal and written communication and interpersonal skills.

Desirable Skills / Experience

• Experience with Kong API Gateway.
• Expertise in automating secret delivery via Vault Agent, Vault Injector or GitLab CI integration.
• Automation mindset: scripting (Python/Bash) + one or more of Terraform/Ansible/Helm/Kustomize/GitOps.
• Experience designing observability for serverless systems (logs/metrics/traces) and implementing distributed tracing and dashboards using open standards and various tooling like Elastic, Grafana etc.
• CAMARA and TMF‑931 familiarity; API aggregator marketplace exposure (e.g., AWS/Vonage/NAC listings)
• Experience with network automation (YANG/NETCONF/RESTCONF, Ansible) and telco workloads.
• Kubernetes certification (e.g., CKA/CKAD).

Our Package

Tailored benefits make a real difference. That’s why we offer a comprehensive range to support your growth, wellbeing, and everyday life. 
You can design the package to suit you and your lifestyle. Your core benefits include:

• 10% on target annual bonus
• Access to an online private GP 24/7 for you and your immediate family 
• Market-leading paid carers leave with up to 2 weeks off 
• Equalized maternity, paternity, and adoption leave – 18 weeks’ full pay and 8 weeks’ half pay
• Discounted EE and BT products, including mobile and broadband
• Market leading Pension scheme – 5% from you and 10% from us
• Holiday purchase scheme
You can select additional benefits, including healthcare, dental, gym memberships and more when you’re ready.

Ready to connect for good and help shape the future? Apply now