Confidential client · Bucharest, Romania · Q3 2025
The exact Vault setup deployed in this engagement: KV v2, AppRole auth, dynamic database credentials, and the Kubernetes Agent Injector.
The identity-first principles and the Pomerium + Keycloak pattern used in this fintech deployment, and how to apply them at any scale.
Key-only auth, AllowUsers, fail2ban, and the sshd_config changes applied to every server in this engagement: the last mile of zero-trust access control before your network perimeter.
Headscale on the management server, with ACLs restricting admin access to port 22 and the Vault API: how all privileged access in this engagement flows through WireGuard tunnels.
GDPR was a central driver of this engagement: hardcoded credentials in version control, a lack of access audit logs, and unencrypted internal traffic all had GDPR implications.
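The SSH hardening summarised above (key-only authentication, an AllowUsers allow-list, fail2ban) is easy to regress when a later change or an included drop-in file re-enables passwords. The following audit script is an added example, not tooling from the engagement: it parses an sshd_config the way sshd does (first occurrence of a directive wins, parsing stops at the first Match block), compares the effective values against a key-only baseline, and checks that a fail2ban jail file enables the sshd jail. The baseline, the two sample configs and the jail file are constructed; the directive names and OpenSSH defaults are real.

```python
"""Audit an sshd_config and a fail2ban jail against the key-only-auth baseline.

Added example (not the engagement's own tooling). Limitations, by design:
Include directives are not followed and Match blocks are skipped, so run it
against the fully assembled global configuration.
"""
import configparser
import re
from typing import Dict, List, Optional, Set


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return effective global directives, lower-cased keyword -> value.

    sshd uses the FIRST occurrence of a keyword, so a weaker line appended
    later cannot override an earlier hardened one; we mirror that rule.
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # conditional settings: out of scope for a global baseline
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        config.setdefault(m.group(1).lower(), m.group(2).strip())
    return config


# Expected values for the baseline; None means "must be present, any value".
BASELINE: Dict[str, Optional[Set[str]]] = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},  # ChallengeResponseAuthentication on older releases
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no"},
    "permitemptypasswords": {"no"},
    "allowusers": None,
}

# OpenSSH's own defaults: an absent directive is judged by these, because
# that is the value the daemon actually enforces.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}


def audit_sshd_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    cfg = parse_sshd_config(text)
    if "kbdinteractiveauthentication" not in cfg and "challengeresponseauthentication" in cfg:
        cfg["kbdinteractiveauthentication"] = cfg["challengeresponseauthentication"]
    findings: List[str] = []
    for key, allowed in BASELINE.items():
        value = cfg.get(key, DEFAULTS.get(key))
        if allowed is None:
            if not value:
                findings.append(f"{key}: not set (any account with a key may log in)")
        elif value is None or value.lower() not in allowed:
            findings.append(f"{key}: effective value {value!r}, expected one of {sorted(allowed)}")
    return findings


def fail2ban_sshd_enabled(jail_local: str) -> bool:
    """True if a fail2ban jail file (INI format) enables the sshd jail."""
    cp = configparser.ConfigParser()
    cp.read_string(jail_local)
    return cp.has_section("sshd") and cp.getboolean("sshd", "enabled", fallback=False)


# Constructed samples: the state typically found before hardening, and after.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers ops-admin deploy
Match User deploy
    PasswordAuthentication no
"""

JAIL_LOCAL = """
[sshd]
enabled = true
maxretry = 3
bantime = 1h
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
    print("fail2ban sshd jail enabled:", fail2ban_sshd_enabled(JAIL_LOCAL))
```

Run it against /etc/ssh/sshd_config after `sshd -T` has been used to confirm the effective configuration; the weak sample yields four findings (password auth, keyboard-interactive auth, root login, missing AllowUsers) and the hardened sample none.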
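A Headscale ACL that limits admins to port 22 and the Vault API is only as good as the review it gets before it is applied. The evaluator below is an added example, not the engagement's policy: it answers "can this identity reach this host:port?" for a Tailscale-format policy with default deny, so reviewers can assert least privilege offline. The policy, user names, the mgmt host alias and the Vault API port 8200 are constructed assumptions; Headscale resolves a src user to that user's nodes, and here the user name stands in for its nodes, which is sufficient for policy review. The optional proto field is not modelled.

```python
"""Offline evaluator for a Headscale (Tailscale-format) ACL policy.

Added example; the policy is constructed and the names are assumptions.
"""
from typing import Dict, List, Set

POLICY: Dict = {
    "groups": {
        "group:admins": ["alice", "bogdan"],
        "group:developers": ["carmen"],
    },
    "hosts": {
        "mgmt": "100.64.0.1",  # management server, WireGuard overlay address (constructed)
    },
    "acls": [
        # Admins: SSH and the Vault API on the management server, nothing else.
        {"action": "accept", "src": ["group:admins"], "dst": ["mgmt:22,8200"]},
        # Developers: only the Vault API (AppRole login from laptops).
        {"action": "accept", "src": ["group:developers"], "dst": ["mgmt:8200"]},
    ],
}


def _expand_src(policy: Dict, entry: str) -> Set[str]:
    """Resolve a src entry to identities; '*' matches everyone."""
    if entry == "*":
        return {"*"}
    if entry.startswith("group:"):
        return set(policy.get("groups", {}).get(entry, []))
    return {entry}


def _port_matches(spec: str, port: int) -> bool:
    """Port spec: '*', a single port, a range 'lo-hi', or a comma list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def _host_matches(policy: Dict, host_spec: str, host: str) -> bool:
    """Compare after resolving host aliases to addresses."""
    if host_spec == "*":
        return True
    hosts = policy.get("hosts", {})
    return hosts.get(host_spec, host_spec) == hosts.get(host, host)


def is_allowed(policy: Dict, src_user: str, dst_host: str, port: int) -> bool:
    """Default deny: True only if some accept rule matches src, host and port."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        sources: Set[str] = set()
        for s in rule.get("src", []):
            sources |= _expand_src(policy, s)
        if "*" not in sources and src_user not in sources:
            continue
        for dst in rule.get("dst", []):
            host_spec, _, port_spec = dst.rpartition(":")  # aliases/IPv4 only
            if _host_matches(policy, host_spec, dst_host) and _port_matches(port_spec, port):
                return True
    return False


def reachable_ports(policy: Dict, src_user: str, dst_host: str, candidates: List[int]) -> List[int]:
    """Which of the candidate ports an identity can reach on a host: a quick review view."""
    return [p for p in candidates for _ in [0] if is_allowed(policy, src_user, dst_host, p)]


if __name__ == "__main__":
    for user in ("alice", "carmen", "dan"):
        print(user, "->", reachable_ports(POLICY, user, "mgmt", [22, 80, 443, 8200]))
```

The review question this answers is the one an auditor asks: not "who is in the admin group" but "what can an admin actually reach", and, just as important, what an identity outside every group reaches (nothing, under default deny).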
A Romanian fintech processing sensitive financial data for retail investors had reached a critical inflection point. Their existing cloud setup, spread across three providers with no unified identity layer, was becoming both operationally brittle and legally untenable under tightening GDPR enforcement. Secrets lived in plain-text environment variables committed to private repos. Admin access required no second factor. There was no audit trail for who accessed what, when.
The technical debt compounded the compliance problem: micro-services communicated over unencrypted internal HTTP, database credentials were static and shared across teams, and there was no mechanism to enforce least-privilege access. The CTO estimated they had 60 to 90 days before their next compliance audit would flag these issues as blockers for a planned Series A raise.
The migration also had to be completed without a single hour of production downtime: they were processing live transactions 24/7.
We started with a two-week discovery phase: full inventory of all 23 services, dependency graph construction, and risk matrix. We identified 14 high-priority items: hardcoded credentials, unencrypted service-to-service traffic, and three services with direct production database access from developer laptops.
The target architecture was a GitOps-managed Kubernetes cluster on dedicated bare-metal hardware co-located in a Bucharest Tier-III data centre. Every deployment is tracked as a Git commit in Argo CD. No kubectl apply commands in production β ever.
We deployed Keycloak (47ID) as the centralized IdP. MFA became mandatory for all admin access on day one. We migrated all service credentials to HashiCorp Vault with dynamic secrets: database passwords now rotate automatically every two hours and are never the same twice.
Pomerium replaced the VPN entirely. All internal services are now identity-aware proxy endpoints; you cannot reach the internal network without a valid JWT from Keycloak. mTLS is enforced on all service-to-service communication via the Linkerd service mesh. The internet-facing perimeter is a hardened HAProxy cluster with rate limiting and WAF rules.
Services were migrated one by one using blue-green deployments: the old service stays live while the new one warms up, traffic shifts 10% at a time, and we maintain instant rollback capability throughout. Kyverno enforces pod security standards and prevents privilege escalation at the cluster level. Prometheus + Loki + Grafana provide full observability. The final week was on-site team training and documentation handover: 47 pages of runbooks, architecture diagrams, and incident response playbooks.
"The 47Network Studio didn't just deploy infrastructure; they transferred knowledge so our team could own and evolve it independently. Three months in, we've deployed six new services without any outside help."
- CTO, Confidential Fintech Client

Three months after handover, the client's engineering team had independently deployed six new services into the GitOps pipeline without any outside assistance, exactly the outcome a knowledge-transfer engagement should produce.
The core of the engagement was a HashiCorp Vault cluster deployed on their primary datacenter nodes, with the Kubernetes Agent Injector pushing dynamic secrets into pods at startup. No service retained long-lived credentials: each pod received a short-lived database token valid for two hours, automatically rotated. The Vault audit log, with cryptographic chaining, became the compliance evidence for every credential access event.
Service-to-service authentication used mTLS via SPIFFE/SPIRE: each workload received a cryptographic identity certificate valid for four hours, eliminating the need for shared secrets between microservices entirely. Pomerium served as the identity-aware proxy for all external developer and admin access, enforcing SSO via their Keycloak deployment (branded as 47ID for their internal users). Every access decision was logged and exportable for the compliance audit.
The migration itself was the hardest part. Twenty-three services had to move from environment-variable secrets to Vault-injected secrets; each one required a code change, a Kubernetes manifest update, and a coordinated deployment window. We built a migration playbook that let their team execute each service migration independently, in any order, with a rollback path that took under five minutes. The full migration ran over six weeks with zero production incidents.
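Turning the Vault audit log into compliance evidence means answering, per credential issuance, who obtained credentials for which database role, from where, and which requests were refused. The script below is an added example, not the engagement's tooling. It reads the JSON-lines format written by Vault's file audit device (one object per line with type, time, auth, request, response and error fields), keeps only the response entries for reads under database/creds/, and produces a small report. The sample log lines, mount path, role names and service account names are constructed. It also flags an entry whose secret values are not HMAC-SHA256 digests: Vault hashes sensitive fields in audit entries by default, and plaintext there indicates a misconfigured audit device (for example the log_raw option), which is a finding in its own right.

```python
"""Extract credential-issuance evidence from a Vault file audit log.

Added example (not the engagement's code). Sample lines are constructed.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

CREDS_PREFIX = "database/creds/"  # assumed mount path of the database secrets engine

# Constructed sample: request/response pair, a second issuance, a denied read,
# and an issuance whose secret values were written in plaintext.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-09-01T10:00:00Z","type":"request","auth":{"display_name":"kubernetes-payments-sa"},"request":{"id":"r1","operation":"read","path":"database/creds/payments-rw","remote_address":"10.42.0.17"}}
{"time":"2025-09-01T10:00:00Z","type":"response","auth":{"display_name":"kubernetes-payments-sa","policies":["default","payments-db"]},"request":{"id":"r1","operation":"read","path":"database/creds/payments-rw","remote_address":"10.42.0.17"},"response":{"secret":{"lease_id":"database/creds/payments-rw/lease-0001"},"data":{"username":"hmac-sha256:aaaa","password":"hmac-sha256:bbbb"}}}
{"time":"2025-09-01T10:05:00Z","type":"response","auth":{"display_name":"kubernetes-ledger-sa","policies":["default","ledger-db"]},"request":{"id":"r2","operation":"read","path":"database/creds/ledger-ro","remote_address":"10.42.1.4"},"response":{"secret":{"lease_id":"database/creds/ledger-ro/lease-0002"},"data":{"username":"hmac-sha256:cccc","password":"hmac-sha256:dddd"}}}
{"time":"2025-09-01T10:07:00Z","type":"response","auth":{"display_name":"kubernetes-ledger-sa","policies":["default","ledger-db"]},"request":{"id":"r3","operation":"read","path":"database/creds/payments-rw","remote_address":"10.42.1.4"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2025-09-01T10:09:00Z","type":"response","auth":{"display_name":"token-ops-laptop"},"request":{"id":"r4","operation":"read","path":"database/creds/payments-rw","remote_address":"100.64.0.9"},"response":{"secret":{"lease_id":"database/creds/payments-rw/lease-0003"},"data":{"username":"payments-v-k8s-1234","password":"A-plaintext-password"}}}
"""


def parse_audit_log(lines: Iterable[str]) -> List[Dict]:
    """Return one event per completed credential read (issued or denied)."""
    events: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        # "request" entries are written before Vault acts and carry neither
        # a lease nor an error; only "response" entries record the outcome.
        if entry.get("type") != "response":
            continue
        req = entry.get("request") or {}
        path = req.get("path", "")
        if req.get("operation") != "read" or not path.startswith(CREDS_PREFIX):
            continue
        resp = entry.get("response") or {}
        data = resp.get("data") or {}
        events.append({
            "time": entry["time"],
            "identity": (entry.get("auth") or {}).get("display_name", "<unknown>"),
            "role": path[len(CREDS_PREFIX):],
            "remote_address": req.get("remote_address"),
            "lease_id": (resp.get("secret") or {}).get("lease_id"),
            "denied": bool(entry.get("error")),
            # Secret values must be HMAC digests; anything else means the audit
            # device is writing raw secrets and the log itself needs protecting.
            "raw_secret_logged": any(
                isinstance(v, str) and not v.startswith("hmac-sha256:") for v in data.values()
            ),
        })
    return events


def compliance_report(events: List[Dict]) -> Dict:
    """Aggregate: issuances per (identity, role), denials, and raw-secret entries."""
    report: Dict = {"issued": Counter(), "denied": [], "raw_secret_entries": []}
    for ev in events:
        if ev["denied"]:
            report["denied"].append((ev["time"], ev["identity"], ev["role"]))
        else:
            report["issued"][(ev["identity"], ev["role"])] += 1
        if ev["raw_secret_logged"]:
            report["raw_secret_entries"].append(ev["lease_id"])
    return report


if __name__ == "__main__":
    rep = compliance_report(parse_audit_log(SAMPLE_AUDIT_LOG.splitlines()))
    for (identity, role), n in sorted(rep["issued"].items()):
        print(f"{identity:24} {role:14} issued {n}")
    print("denied:", rep["denied"])
    print("entries with raw secrets:", rep["raw_secret_entries"])
```

Two things in the sample are what an auditor would actually chase: the ledger service being refused payments-rw credentials (policy working as intended, and evidence of it), and a human token obtaining production credentials from an overlay address, which should map to a documented break-glass procedure or be investigated.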