Banking & financial services

Tier-1 retail bank — disconnected OpenShift platform

Greenfield disconnected OpenShift fleet — hub-and-spoke, GitOps, identity, runtime security — delivered to a regulator-facing production posture.

→ Hub + multiple spokes in production, dual-CI delivery path live, full handover completed.

Background

A large retail and commercial bank serving a multi-million customer base required a regulator-grade container platform to host its next generation of customer-facing applications. Existing virtualised infrastructure could not meet the deployment cadence the digital programme demanded, and air-gapped operation was a non-negotiable starting condition.

Challenge

  • Fully disconnected operation — no inbound or outbound internet from cluster nodes.
  • Multi-cluster from day one — separate clusters for production, non-production, and disaster-recovery.
  • Production-grade supply chain — image mirroring, internal CAs, signed manifests, internal GitLab, internal artifact repositories.
  • Identity-fronted everything — no service reachable without going through the bank’s identity layer.
  • Regulator-facing posture — controls traceable to central-bank IT guidance and international standards.

Approach

A hub-and-spoke topology was selected to centralise multi-cluster policy and lifecycle, with Advanced Cluster Management on the hub driving fleet state into the spokes via OpenShift GitOps in pull mode. Every cluster pulls its desired state from internal GitLab; no external dependencies are introduced at the cluster boundary.

Credential custody was anchored on HashiCorp Vault (VM-hosted for blast-radius isolation from in-cluster workloads), with External Secrets Operator bridging Vault paths to Kubernetes Secrets. RHACS was deployed early for admission policy, runtime detection, and image-risk gates — tuned to the BFSI risk profile rather than the out-of-the-box defaults.
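As an added illustration of the Vault-to-Secret bridge described above (example manifests, not configuration from the engagement), a SecretStore authenticates to Vault with the Kubernetes auth method so that no static Vault token is stored in the cluster, and an ExternalSecret projects one Vault KV path into a Kubernetes Secret. The Vault address, CA ConfigMap, auth mount, role, service account, namespace and KV path are all assumed placeholder values.

```yaml
# Added example (not from the engagement): External Secrets Operator bridging a
# Vault KV v2 path into a Kubernetes Secret. All names and paths are placeholders.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-kv            # assumed store name
  namespace: payments-app   # assumed application namespace
spec:
  provider:
    vault:
      server: "https://vault.internal.example"   # assumed VM-hosted Vault behind an internal CA
      path: "kv"                                 # assumed KV v2 mount
      version: "v2"
      caProvider:                                # trust the internal CA rather than the system bundle
        type: ConfigMap
        name: internal-ca-bundle                 # assumed ConfigMap holding the CA PEM
        key: ca.crt
      auth:
        kubernetes:                              # Kubernetes auth: no static Vault token in-cluster
          mountPath: "kubernetes"                # assumed auth mount
          role: "payments-app-reader"            # assumed Vault role bound to this SA and namespace
          serviceAccountRef:
            name: eso-vault-reader               # assumed service account used for the login
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db-credentials
  namespace: payments-app
spec:
  refreshInterval: 1h                            # re-read Vault so rotated values propagate
  secretStoreRef:
    name: vault-kv
    kind: SecretStore
  target:
    name: payments-db-credentials                # resulting Kubernetes Secret
    creationPolicy: Owner                        # Secret is owned and garbage-collected with this object
  data:
    - secretKey: username
      remoteRef:
        key: payments/db                         # assumed KV path under the kv mount
        property: username
    - secretKey: password
      remoteRef:
        key: payments/db
        property: password
```

The Vault role referenced by the SecretStore should be bound to exactly this service account and namespace, which is what keeps one team's workloads from reading another team's paths.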

Application delivery used a federated GitLab model: each application team operates its own GitLab group, with the platform team owning two CI build paths — one for application images, one for platform manifests — so build pipelines never carry ambient platform credentials.

Outcome

  • Hub and multiple spoke clusters live in production posture
  • Image supply chain end-to-end via oc-mirror → internal Quay → cluster
  • Identity, secret-custody, runtime-security, and backup all GitOps-managed
  • Dual-CI delivery path running with application teams onboarded
  • Full handover documentation: architecture decisions, runbook set, replay log, install manual

Engagement shape

Approximately 20 weeks of CompTech Lab engineering involvement, sequenced across discovery, platform build, application onboarding, and structured handover. Operations transitioned to the bank’s platform team at the end of the engagement.

Technologies on this engagement

  • Red Hat OpenShift v4
  • Advanced Cluster Management
  • OpenShift GitOps
  • HashiCorp Vault
  • External Secrets Operator
  • RHACS
  • OADP
  • cert-manager
  • GitLab Enterprise
  • Quay
  • Nexus
  • oc-mirror