OpenBao / Vault Operations IAM Engineer (m/f/d) - Remote & Berlin/Frankfurt
Project assessment
The listing offers extremely detailed tasks in OpenBao/Vault operations and IAM with clear requirements, 100% full-time utilisation, a 6-month term plus option, an April start and a remote model with 1-3 on-site days per month (FFM/Berlin), but is slightly weakened by the missing hourly rate.
For our client in Berlin we are looking for experienced support as an OpenBao / Vault Operations IAM Engineer (m/f/d) in the context of a long-term greenfield project. The work is remote, with typically around 1-3 on-site days per month, by arrangement, in Berlin or Frankfurt. The background is a large platform project in the energy sector.

Objective: OpenBao / Vault Operations (Deep).
Tasks:
• Management of the cluster lifecycle, including initialisation, unseal operations, upgrades and the migration process.
• Overseeing Raft consensus functions: maintaining quorum, leader election, anti-affinity placement of nodes, and handling network partition scenarios.
• Implementation of procedures for creating and restoring system snapshots, including management of encrypted offsite backups for disaster recovery.
• Consulting on optimising system performance by tuning connection limits and storage I/O, and minimising audit logging overhead.
• Coordination of namespace creation, attachment of security policies, and configuration of authentication mounts.
• Administration of audit devices and integration of log pipelines for effective monitoring and compliance.
• Investigation and resolution of operational issues, including seal/unseal failures, unstable Raft leadership, and token or lease storms.

Objective: Infrastructure as Code.
Tasks:
• Use of Terraform or OpenTofu to manage resources in Vault or OpenBao environments.
• Deployment of applications to Kubernetes clusters using Helm, as appropriate.
• Implementation of GitOps practices for configuration management using ArgoCD or Flux.

Objective: Kubernetes Integration.
Tasks:
• Setting up and managing the lifecycle of authentication methods within Kubernetes environments.
• Designing and implementing secret injection solutions using tools such as Vault Agent, the CSI driver, or the External Secrets Operator.
• Ensuring compatibility and alignment with service mesh technologies, focusing on mutual TLS (mTLS) and SPIFFE identity integration.

Objective: Observability.
Tasks:
• Collection of Prometheus metrics from OpenBao for monitoring.
• Design and maintenance of Grafana dashboards to visualise and track operational Service Level Objectives (SLOs).
• Establishment and management of audit log pipelines, including log collection, indexing, and retention strategies.

Objective: PKI Baseline (Cross-Coverage Requirement).
Tasks:
• Understand the core principles of certificate lifecycle management.
• Distinguish between PKI OpenBao clusters and Secrets OpenBao clusters, and understand the rationale for keeping them separate.

Objective: Monitoring & Troubleshooting.
Tasks:
• Ensure deployments meet reliability, security, and compliance standards by performing functional tests for PKI and Secrets as well as integration tests covering IAM federation, CI/CD pipelines, and high availability / disaster recovery.
• Monitor Vault telemetry, logs, and SIEM output, and troubleshoot failures involving Vault, PKI, and Keycloak.
• Automate and validate repeatable HA/DR failover testing.
• Extend testing and validation to multi-tenant setups and Registration Authority (RA) scenarios.

Must-have experience:
• Experience with OpenBao/HashiCorp Vault: cluster lifecycle, Raft consensus, snapshot/restore, namespace operations, audit device management
• Expertise in Infrastructure as Code: Terraform/OpenTofu, Helm, ArgoCD/Flux
• Experience with policy as code: HCL policy authoring, testing, CI validation
• Expertise in Kubernetes auth method configuration and secret injection patterns (Agent, CSI, ESO)
• Strong observability skills: Prometheus, Grafana, audit log pipelines
• Familiarity with a Tier-1 execution narrative and the ability to implement it without line-by-line translation
• Experience producing clean Tier-3 runbooks that another engineer could follow independently
• PKI fundamentals: certificate lifecycle, and why PKI and Secrets clusters must remain separate

Must-have language skills:
• Language: Fluent English (C1)

Preferred experience:
• Experience reading a Tier-1 execution narrative and implementing it without requiring the Programme Architect to translate every requirement into CLI commands, cloud services and their configuration
• Ability to produce clean Tier-3 runbooks that another engineer could follow
• Fluent German
• Working with Scrum and general experience with agile frameworks
• Experience working in a governance-constrained environment where "just do it" is not acceptable

Location: Remote, plus 1-3 days per month in Frankfurt or Berlin
Utilisation: 100%
Duration: 6 months + option
Start: April

We look forward to your application at https://www.percision.de/projekt/9224
Sebastian Leja
Team Lead Recruiting
percision services GmbH (adesso group)
Agrippinawerft 26 (2nd floor)
50678 Köln