Automating infrastructure access and provisioning with the Saxo Service Blueprint
At Saxo Bank, teams developing and operating services must manage dependencies that extend beyond Kubernetes itself. While Kubernetes orchestrates containerized workloads, the systems those workloads depend on often live outside the cluster.
To address these challenges, Saxo Bank built the Saxo Service Blueprint on top of Kubernetes and other projects from the Cloud Native Computing Foundation (CNCF) ecosystem, including Prometheus, Envoy, and cert-manager. The platform bridges Kubernetes workloads and external enterprise systems using operators and GitOps workflows, while a service catalog built on Backstage allows developers to declare service requirements.
Over the past 12 months, the platform has executed 1,827 automated operations across infrastructure platforms, triggered by 379 user commits from 121 domain contributors. This represents a 4.8× amplification of developer intent into infrastructure state.
Projects used
By the numbers
1,827
automated infrastructure operations in 12 months
379
commits from 121 contributors triggering platform automation
4.8×
amplification of developer intent into infrastructure state
Managing dependencies beyond Kubernetes
Kubernetes orchestrates containerized workloads, but it cannot operate in isolation. In enterprise environments, containerized services depend on systems that live outside the Kubernetes ecosystem.
At Saxo Bank these dependencies include a material set of services implementing our trading platform hosted on Windows servers, as well as identity providers, data systems, and access control mechanisms.
Identity Provider (Azure Entra ID) runs externally to Kubernetes. Workload identities, service principals, and group memberships must be provisioned and maintained outside the cluster.
Data systems such as Kafka and databases manage access control lists, roles, and permissions using platform-specific tooling.
Support access—granting teams access to namespaces, logs, and dashboards—requires coordination across identity and platform teams.
This creates a fundamental challenge: Kubernetes manages the workload, but not its dependencies. The identity, network access, and permissions a service needs to function are distributed across external systems owned by different teams with their own processes and approval workflows.
Without automation, onboarding a service to Kubernetes involves several steps, including:
- requesting a managed identity from the identity team
- waiting for Active Directory group creation
- manually looking up identity IDs in Azure Portal
- creating pull requests in multiple infrastructure repositories
- coordinating approvals across Kafka, database, and platform teams
- repeating the process for each environment (DEV, TEST, SIM, LIVE)
Each handoff introduces delays, error potential, context switching, and cognitive overhead.
“The objective of the Saxo Blueprint is to take the typical multi-faceted challenges of all enterprise development / operations teams in trying to get applications live and continually maintained: managing identity and access; firewalls; load balancing; among other networking and infrastructure concerns — that exist in both cloud-native and more legacy environments — and to leverage the power of as many standard technologies as possible,” said Simon Rohrer, Global Head of Enterprise Architecture & Ways of Working at Saxo Bank.
“In particular elements of Spotify Backstage and a GitOps approach — to take these challenges from arcane and distributed enterprise knowledge (‘where do I go to get a firewall opened? how do I get permission for this database role’) to a one stop declarative approach: all your service’s needs in a single file.”
“It’s a big aspiration and we were never going to eat the elephant in one bite, but we’ve already radically reduced developer cognitive load, improved security, and increased stability in many areas and we’ll continue to do so as we build out our platform.”
The Saxo Service Blueprint
To address these challenges, Saxo Bank built the Saxo Service Blueprint, which bridges Kubernetes and external enterprise systems using operators and GitOps workflows.
The operating model is simple: developers declare architectural intent, and operators reconcile state.
Service owners update service definitions in a Service Catalog based on Spotify Backstage. Blueprint operators detect these changes and generate infrastructure configurations.
Pull requests are automatically created, validated, and merged so that infrastructure state converges to the declared intent.
A single pull request approval in the Service Catalog triggers all downstream provisioning. No additional tickets or approvals are required for individual environments.
Blueprint automatically:
- provisions workload identities when services declare their Kubernetes namespace
- synchronizes access to Kafka, databases, and other external systems based on declared API dependencies
- manages support access by mapping ownership metadata to AD groups and RBAC policies
- propagates configuration across all environments from a single source of truth
This approach removes ticket-based workflows and replaces manual coordination with automated reconciliation.
Automating infrastructure provisioning
The Saxo Service Blueprint has automated a number of infrastructure operations.
Over the past 12 months, the platform executed 1,827 automated operations across infrastructure platforms, triggered by 379 commits from 121 domain contributors.
Kubernetes namespace provisioning
Provisioning a Kubernetes namespace with ownership, RBAC configuration, Active Directory groups, and platform integrations previously took an average of three weeks.
With Blueprint, namespace provisioning now completes in under 10 minutes, representing a ~99.97% reduction in provisioning time.
For the past 12 months, Blueprint currently:
- manages 79 namespaces, including 10 newly created namespaces
- creates 244 workload identities
- configures 668 network policies (512 Entra ID and 156 Kafka)
Kafka access automation
Kafka access provisioning previously required manual identity lookups in Azure Portal, updating access control files, and creating pull requests for each environment.
With Blueprint, developers declare whether their service consumes or provides Kafka APIs in the Service Catalog.
Blueprint then automatically propagates access configuration across environments. By introducing an abstraction layer, Blueprint decouples developers from direct interaction with vendor systems such as Azure and Kafka repositories, enabling them to declare service intent (for example, “I consume this topic”) instead of configuring specific brokers or identities.
“Digital sovereignty is not where you run. It’s the freedom to change where you run, what you run on, and how it’s connected — without rewriting a single application.” – Jinhong Brejnholt, Saxo Bank
This automation generated 843 automated commits across four environments (DEV, TEST, SIM, LIVE) and 21 topic domains.
Database and observability integration
Blueprint also automates other platform dependencies.
The system has provisioned 204 database access grants through single-file declarations and manages 79 Kibana namespaces with ownership, RBAC, and Active Directory group configuration.
All automated pull requests are validated and merged without human intervention after the initial Service Catalog approval, while maintaining a full audit trail and governance.
Developer visibility with DevReach
Saxo Bank developed DevReach – an internal developer portal built on top of Spotify Backstage, that serves as the frontend interface to the Blueprint platform.
DevReach provides a unified view of the service ecosystem.
Developers can access:
- a Service Catalog listing services with metadata, ownership, and configuration
- Tech Docs with integrated documentation for each service
- a Service Relationship Graph visualizing API dependencies and ownership
- Blueprint Status, showing automation state and operator activity
DevReach also integrates operational dashboards, including:
- Prometheus resource utilization metrics
- Kubernetes cluster and workload visibility
- Sysdig vulnerability scanning results
- SonarQube code quality metrics
- CI/CD pipeline status
- ServiceNow CMDB integration
The portal includes developer tools such as a Network Path Checker and a Sealed Secret Generator for encrypted Kubernetes secrets.
DevReach also includes an AI assistant called Eva, which can access container platform resources and events, Git repositories containing tenant repositories, and documentation indexed in DevReach. Eva can help diagnose deployment failures, identify runtime errors, suggest fixes, and provide contextual guidance based on service configuration.
Looking ahead
Saxo Bank is expanding the Blueprint platform to support services running outside Kubernetes.
Managing dependencies for traditional applications running on virtual machines can require provisioning DNS records, certificates, load balancing, and access controls across multiple infrastructure teams.
Saxo Bank is currently onboarding services through additional automations, including:
- DNS, certificate, and load-balancing automation for gRPC and REST services running on-premises
- creation and onboarding of Group Managed Service Accounts (gMSA) to replace traditional Active Directory service accounts with more secure, auto-rotating identities
The goal is to provide a consistent self-service, GitOps-driven experience for all workloads, regardless of where they run.
Through the Saxo Service Blueprint, Saxo Bank has eliminated weeks of lead time per service, reduced error rates through codified and repeatable processes, and enabled self-service infrastructure provisioning using Kubernetes and other CNCF technologies.
By the Numbers (full list)
- 1,827 automated infrastructure operations in 12 months
- 379 commits from 121 contributors triggering platform automation
- 4.8× amplification of developer intent into infrastructure state
- ~99.97% reduction in Kubernetes namespace provisioning time (3 weeks → <10 minutes)
- 843 Kafka ACL automation commits across 4 environments and 21 topic domains
- 668 network policies configured automatically
- 204 database access grants provisioned through GitOps