Project Name
100% Public Admin Access Elimination for a SaaS Platform With Zero-Trust Overlay and GitOps
The client is a growth-stage technology company building a distributed workload platform that deploys, activates, and manages remote runtime environments across diverse infrastructure targets.
Operating out of India with a global customer base, the company serves organisations that need controlled execution environments inside their own infrastructure, spanning cloud, virtualised, and hybrid setups.
With a product built on security-first principles and multi-environment portability, the client needed a platform engineering partner who could translate strong design intent into a production-hardened, repeatable operating model that customers could trust at the point of deployment.
The platform had the right design intent. What it lacked was an operating model that could actually deliver it safely at scale.
- Public Administrative Exposure on Every Runtime Node: Every new environment required public SSH and management ports open to the internet. This created an attack surface that grew with every customer onboarded, an existential trust risk for a platform placed inside customer infrastructure.
- Manual, Environment-Specific Provisioning: AWS, ESXi, and Hyper-V each demanded bespoke setup steps with no shared pipeline, producing configuration drift and inconsistency that made every deployment a manual exercise with no repeatability guarantee.
- Uncontrolled External Dependency Fetching: Runtime nodes pulled packages, base images, and artifacts from public registries at boot time, introducing supply-chain risk and making reproducible builds impossible to guarantee.
- Environment-Specific Image Rebuilds: Container images were rebuilt separately per environment, meaning the artifact tested in development was never the exact artifact running in production, removing all confidence in deployment consistency.
- Fragmented Monitoring and Observability Gaps: Host metrics, container health, and log aggregation were implemented inconsistently across nodes, with no unified view of runtime health and no single place to diagnose a platform issue.
- Ad-Hoc Shared Service Management: Registries, monitoring stacks, and DNS were deployed manually or via one-off scripts rather than declarative, version-controlled workflows, making every change a risk and every rollback a manual effort.
Ksolves designed and implemented a layered platform architecture built around six governing principles: zero public exposure for administrative access, immutable runtime appliance images, independent workload lifecycle management, an internalised software supply chain, GitOps-managed shared services, and centralised observability.
- OpenZiti Zero-Trust Overlay: Replaced all public inbound access with outbound-only OpenZiti tunnels, allowing runtime nodes to establish private control and data paths without exposing any management port to the internet. Traefik handles TCP SNI passthrough to OpenZiti services inside Kubernetes, while OPNsense manages edge NAT and firewalling at the perimeter.
- Packer-Based Immutable Appliance Pipeline: Built a standardised Bot Runner appliance image on Ubuntu 22.04 using Packer and QEMU, producing QCOW2, VMDK, OVA, VHDX, and AWS AMI outputs from a single source definition. Every appliance ships with Docker Engine, OpenZiti tunnelling, monitoring agents, and hardening controls pre-installed, identical across every target environment.
- Digest-Based Immutable Workload Promotion: Implemented a container image pipeline through Harbor that promotes the exact same image digest across dev, test, and production, eliminating per-environment rebuilds entirely and guaranteeing that the artifact tested is the artifact deployed.
- Internalised Supply Chain via Nexus and Harbor: Centralised all package, base image, and artifact distribution through GitLab CI/CD, Nexus, and Harbor, removing all runtime dependency on public registries and establishing full internal control over the software supply chain from build to deployment.
- ArgoCD GitOps for Shared Infrastructure Services: Migrated platform services, including Harbor, Grafana, Loki, Vault, CoreDNS, and Prometheus, from manual and script-based deployment to ArgoCD-managed GitOps workflows with environment-specific overlays, creating a declarative, auditable, and repeatable service management model.
- Unified Observability Across Host and Kubernetes Layers: Deployed Prometheus, Grafana, Loki, Alertmanager, Node Exporter, and cAdvisor across both the appliance runtime layer and the Kubernetes platform layer, delivering a single pane of glass for runtime health, container metrics, and log aggregation across every node and service.
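As an added illustration of the digest-based promotion and internal sourcing points above (example code written for this page, not the client's or Ksolves' own tooling), the Python check below enforces three properties over the image references in each environment overlay: every reference is pinned by an immutable digest rather than a mutable tag, every reference comes from the internal registry, and the digest for a given repository is identical across dev, test, and production. The `harbor.internal` host, the repository names, and the digests are constructed assumptions.

```python
import re
from collections import defaultdict

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Hypothetical internal Harbor host; anything else counts as a public registry.
ALLOWED_REGISTRIES = {"harbor.internal"}

def parse_image_ref(ref):
    """Split 'registry/repo[:tag][@sha256:hex]' into (repo, tag, digest)."""
    ref, _, digest = ref.partition("@")
    # A tag is the text after the last ':' only if that ':' follows the last '/',
    # so a registry port (harbor.internal:443/app) is not mistaken for a tag.
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest or None

def is_digest_pinned(ref):
    digest = parse_image_ref(ref)[2]
    return bool(digest and DIGEST_RE.match(digest))

def check_promotion(overlays):
    """overlays maps env -> image refs; returns findings (empty means compliant)."""
    findings = []
    digests = defaultdict(dict)  # repo -> {env: digest}
    for env, refs in overlays.items():
        for ref in refs:
            repo, _tag, digest = parse_image_ref(ref)
            if repo.split("/")[0] not in ALLOWED_REGISTRIES:
                findings.append(f"{env}: {ref} is not sourced from an internal registry")
            if not is_digest_pinned(ref):
                findings.append(f"{env}: {ref} is not pinned by digest")
                continue
            digests[repo][env] = digest
    # The same repository must resolve to one digest everywhere it is deployed.
    for repo, per_env in digests.items():
        if len(set(per_env.values())) > 1:
            findings.append(f"{repo}: digest differs across {sorted(per_env)}")
    return findings

# Constructed sample overlays (digests and hosts are made up for the example).
API = "sha256:" + "0123456789abcdef" * 4
WORKER_A = "sha256:" + "fedcba9876543210" * 4
WORKER_B = "sha256:" + "00ff00ff00ff00ff" * 4
SAMPLE_OVERLAYS = {
    "dev":  ["harbor.internal/platform/api@" + API,
             "harbor.internal/platform/worker:1.4.2@" + WORKER_A],
    "test": ["harbor.internal/platform/api@" + API,
             "harbor.internal/platform/worker@" + WORKER_B],   # rebuilt: digest drifted
    "prod": ["harbor.internal/platform/api@" + API,
             "docker.io/library/worker:1.4.2"],               # public and tag-only
}
```

Running `check_promotion(SAMPLE_OVERLAYS)` reports the public tag-only reference in prod twice (source and pinning) and the worker digest drift between dev and test; the same check can run as a CI gate before ArgoCD syncs an overlay.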
Technology Stack
| Category | Technology |
|---|---|
| Security | OpenZiti |
| Platform | GitLab CI/CD + ArgoCD |
| Infrastructure | Nexus + Harbor |
| Processing | Packer + QEMU |
| DevSecOps | Prometheus + Grafana + Loki |
| Integration | Keycloak + Traefik |
Every deployment is now identical, every connection is private, and every artifact is internally controlled, regardless of whether the target is AWS, ESXi, or Hyper-V.
- 100% Elimination of Public Administrative Access: Zero inbound ports are exposed on any runtime node. All connectivity flows through private OpenZiti overlay tunnels, removing the attack surface that grew with every new customer environment onboarded.
- Single-Source Appliance Pipeline Covering 5 Output Formats: One Packer-based pipeline now produces QCOW2, VMDK, OVA, VHDX, and AWS AMI from a single Ubuntu 22.04 definition, eliminating environment-specific build divergence and the manual provisioning steps that caused configuration drift.
- Zero Per-Environment Image Rebuilds: Digest-based promotion through Harbor ensures the identical image artifact moves across dev, test, and production with no rebuilds. The artifact tested is now guaranteed to be the artifact deployed.
- 100% Internal Artifact Sourcing: All packages, images, and artifacts are sourced exclusively from Nexus and Harbor. No runtime node depends on public internet registries. Supply-chain risk is eliminated, and reproducible builds are guaranteed.
- Unified Observability Across Both Platform Layers: Prometheus, Grafana, Loki, and Alertmanager now provide a converged observability stack with standardised dashboards and alerting across all runtime nodes and platform services, replacing the fragmented, inconsistent monitoring that existed before.
This client had a security-first product vision and an operational model that contradicted it at every step. Public ports open on every node, manual provisioning on every deployment, and no guarantee that what was tested matched what was shipped. Ksolves, with its AI-first DevOps Consulting Services, closed that gap entirely. Every node now connects through a private OpenZiti overlay with zero inbound exposure, every appliance is built immutably from a single source, and every shared service is declaratively managed and auditable. The platform no longer just claims to be secure. It operates that way, consistently, across every target environment. With that foundation in place, the client can scale customer onboarding, pursue compliance certifications, and grow without rebuilding what’s already working.
Need to Secure Distributed Workloads Across Multi-Cloud and On-Prem Targets Without Exposing Public Access?