cat centric_sovereign.md
Centric: Public Sector Azure & Sovereign Cloud
Role: Infrastructure Specialist
[Context] Design, implementation, and management of secure cloud foundations for the Dutch government and municipalities. Currently, the strategic focus lies on developing "digital sovereignty" in response to global geopolitical developments and the reliance on Big Tech.
[Architecture & Operations]
- Government Cloud Infrastructure: Design and deployment of secure Azure landing zones for the public sector. The infrastructure is fully deployed 'as-code' via Bicep. Compliance-by-design is central, strictly architected according to the Microsoft Cloud Adoption Framework (CAF) and national government guidelines.
- Proof of Concept: Sovereign Digital Workplace: Development of a strategic, sovereign alternative to standard Big Tech workspaces (such as Microsoft 365). This initiative facilitates an independent work environment where the government retains 100% ownership and control over its own data.
- Nextcloud on Kubernetes (Ongoing): Leading architectural role in the technical realization of this PoC. By deploying Nextcloud in a highly available setup on a robust Kubernetes foundation, the scalability of modern cloud-native systems is combined with the strict data-residency requirements of the EU.
cat prorail_aks.md
ProRail: Enterprise AKS & Cloud Automation
Role: Cloud Automation Engineer
[Context] Responsible for the operational continuity, scalability, and modernization of mission-critical Azure Kubernetes Service (AKS) clusters. These clusters form the foundation for essential Java applications supporting the national railway infrastructure.
[Architecture & Operations]
- Platform Engineering & CI/CD: Automated management of core cluster components, including Keycloak (IAM) and RabbitMQ (messaging). By optimizing pipelines in Jenkins and Bitbucket, patch management was standardized, enabling monthly component updates to be rolled out with zero downtime.
- Observability & Ingress Migration: Successful execution of a complex architectural transition to improve cluster performance. NGINX was migrated to Traefik as a modern cloud-native API gateway. Additionally, the legacy ELK stack was replaced by the more efficient LGTM stack (Grafana, Loki, Tempo, Mimir). This resulted in faster query times, integrated distributed tracing for the Java applications, and a drastically reduced resource footprint.
- IaC & Security Hardening: Transformation to a strict Infrastructure as Code model using Terraform. Special focus on reducing the attack surface by applying the Cloud Adoption Framework (CAF): permanent 'Global Owner/Contributor' rights were eliminated and replaced with a fine-grained 'Least Privilege' Role-Based Access Control (RBAC) architecture.
mermaid render prorail_architecture.mmd
flowchart TD
Client(["Internet Traffic"])
subgraph Automation ["Platform Engineering"]
Bitbucket["Bitbucket"]
Jenkins["Jenkins CI/CD"]
Terraform["Terraform IaC"]
end
subgraph AKS ["Azure Kubernetes Service"]
Traefik{"Traefik API Gateway"}
JavaApps["Mission Critical Java Apps"]
Keycloak["Keycloak IAM"]
RabbitMQ[("RabbitMQ")]
subgraph LGTM ["LGTM Observability Stack"]
Grafana["Grafana Dashboard"]
Loki["Loki"]
Tempo["Tempo"]
Mimir["Mimir"]
end
end
Client -->|HTTPS| Traefik
Traefik -->|Route| JavaApps
Traefik -->|Admin/Auth| Keycloak
JavaApps -->|Message Queue| RabbitMQ
RabbitMQ -->|Reply| JavaApps
JavaApps -->|Auth Tokens| Keycloak
Keycloak -->|Verify| JavaApps
JavaApps -->|Logs| Loki
JavaApps -->|Traces| Tempo
JavaApps -->|Metrics| Mimir
Grafana --> Loki
Grafana --> Tempo
Grafana --> Mimir
Bitbucket -->|Trigger| Jenkins
Jenkins -.->|Deploy| JavaApps
Jenkins -.->|Updates| Keycloak
Terraform -.->|Provision and RBAC| AKS
classDef default fill:#0d1117,stroke:#21262d,stroke-width:1px,color:#c9d1d9;
classDef highlight fill:#161b22,stroke:#00ff66,stroke-width:2px,color:#00ff66;
classDef db fill:#0d1117,stroke:#58a6ff,stroke-width:2px;
class Traefik,Grafana,Terraform highlight;
class RabbitMQ db;