Platform Engineering 2025 · Trimegah Sekuritas (via Ollion)

Trimegah: Kubernetes Platform Modernization for a Trading Platform

Leading platform modernization, Kubernetes migration, and security hardening for Trimegah's mission-critical trading and internal platforms across GCP and Nutanix.

Key Impact

~100 applications onboarded to Kubernetes with zero unplanned downtime

Kubernetes (Talos) · GKE · GitLab CI · ArgoCD · Terraform · GCP · Nutanix · Prometheus · Grafana · Wazuh · Vault · ESO

Overview

Trimegah Sekuritas is one of Indonesia’s established securities firms. Their infrastructure — a mix of on-premises and cloud — needed modernization to support the reliability, security, and deployment velocity that capital markets operations demand.

I’m currently leading this engagement as technical lead, owning architecture, CI/CD platform design, security hardening, and production cutover execution.

Context

Trimegah’s trading and internal platforms ran on a combination of legacy on-prem infrastructure and partially managed GCP workloads. The goal was to migrate to a modern Kubernetes-based platform — standardizing deployment, improving security posture, and enabling faster delivery — without disrupting trading operations.

Problem Statement

Design and implement a production-grade Kubernetes platform for Trimegah’s ~100 applications while:

  • Maintaining zero unplanned downtime during cutover
  • Enforcing security standards appropriate for a regulated financial services environment
  • Building operational capability within the Trimegah team to run the platform independently post-engagement

Architecture Design

The platform spans two environments:

Nutanix (on-premises): Talos Linux-based Kubernetes clusters for workloads that must remain on-premises for regulatory or latency reasons. Talos was chosen for its immutable, minimal OS design — reducing the attack surface in a regulated environment.

GCP: GKE for cloud-native workloads with access to managed services (Cloud SQL, Secret Manager, Pub/Sub).

Key platform components:

  • CI/CD: GitLab CI + ArgoCD (GitOps model) — all deployments are declarative and auditable
  • Secrets: GCP Secret Manager + External Secrets Operator (ESO) with a migration path to Vault/VSO (Vault Secrets Operator) for on-prem workloads
  • Observability: Prometheus + Grafana for metrics, Wazuh for SIEM and security monitoring
  • Safety controls: Dual-approval workflows, environment protection rules, deploy freezes, drift detection, audit logging

Security Hardening (Active)

Currently leading security audit remediation across:

  • GitLab CI/CD: Pipeline hardening, runner isolation, secret scanning
  • Terraform IaC: Guardrails, policy-as-code, state access controls
  • Kubernetes: RBAC audit, network policies, pod security standards enforcement
  • IAM: Secrets governance using GCP Secret Manager + ESO; Vault migration for on-prem
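As an added illustration, not configuration from the Trimegah engagement, this is what the pod security standards, network policy and ESO items above typically look like as Kubernetes manifests. Namespace, store, project and secret names are placeholders; the ClusterSecretStore assumes a GKE cluster with Workload Identity, which applies to the GCP side only, not to the on-prem Talos clusters where Vault is the target.

```yaml
# Added example, not from the project. All names are placeholders.
# 1. Pod Security Standards enforced per namespace via built-in Pod
#    Security Admission. "enforce" rejects non-compliant pods; "audit"
#    and "warn" surface violations without blocking them.
apiVersion: v1
kind: Namespace
metadata:
  name: trading-api                    # placeholder namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# 2. Default-deny network policy: no ingress or egress for any pod in the
#    namespace unless another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: trading-api
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 3. Default-deny also blocks name resolution, so DNS egress to the
#    cluster DNS pods in kube-system is allowed explicitly (assumes the
#    usual k8s-app=kube-dns label). Application-specific allows follow
#    the same shape.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: trading-api
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 4. External Secrets Operator: a cluster-wide store backed by GCP Secret
#    Manager, authenticating through GKE Workload Identity (assumed).
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: gcp-secret-manager             # placeholder store name
spec:
  provider:
    gcpsm:
      projectID: example-project       # placeholder GCP project
      auth:
        workloadIdentity:
          clusterLocation: asia-southeast2   # placeholder
          clusterName: example-gke-cluster   # placeholder
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
# 5. An ExternalSecret that syncs one Secret Manager entry into a
#    Kubernetes Secret. The application only mounts the Kubernetes Secret;
#    rotation in Secret Manager propagates on the next refresh.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: trading-api-db
  namespace: trading-api
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-secret-manager
  target:
    name: trading-api-db               # Kubernetes Secret created by ESO
    creationPolicy: Owner
  data:
    - secretKey: DB_PASSWORD
      remoteRef:
        key: trading-api-db-password   # placeholder Secret Manager secret id
```

With `enforce: restricted`, any workload that runs as root, requests host namespaces or drops no capabilities is rejected at admission, so the usual rollout is to set `audit` and `warn` first, find the offending workloads from the API server audit log and warnings, and only then switch on `enforce`. The same applies to default-deny: apply it with the DNS allow in place and add per-application allows from observed traffic before turning it on in a trading namespace.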

Challenges

Talos in a financial services context: Talos Linux is operationally different from standard Kubernetes distributions. Its immutable, API-driven management model required building familiarity across the team and adapting standard playbooks for Talos-specific tooling.

Onboarding 100 applications: Each application had different deployment patterns, config management approaches, and owner teams. Standardization at scale required clear opinionated templates while remaining flexible enough for genuine edge cases.

Regulated environment: Every architectural decision had to account for audit trails, change management, and the ability to demonstrate control effectiveness to external auditors.

Outcomes (In Progress)

  • ~100 applications onboarded to Kubernetes with standardized GitLab CI + ArgoCD pipelines
  • Zero unplanned downtime through phased cutover with validated rollback at each stage
  • Centralized observability stack fully operational
  • Security audit remediation in active progress
  • Knowledge transfer and SOPs delivered — Trimegah teams operating platform independently

Lessons Learned

Platform teams are enablement teams. The goal isn’t to run Kubernetes — it’s to make ~100 application teams’ lives better. Every design decision needs to be evaluated against: “can the teams who use this operate it without us?”

Security in regulated environments is a continuous conversation. You can’t deliver security as a one-time deliverable. It requires building a governance rhythm — regular reviews, clear ownership, and tooling that makes the right thing the easy thing.