Case Study

Deutsche Telekom — Open Sovereign Cloud

Engineering an open-source, GAIA-X-aligned sovereign cloud platform for Deutsche Telekom — from MetalStack infrastructure through Gardener-managed Kubernetes to a full Kyma service catalogue, with confidential computing built in.

Motivation and Objectives

Deutsche Telekom, a leading telecommunications and IT services provider in Europe, embarked on an ambitious project to develop a sovereign cloud platform. The aim was to create a secure, compliant, and highly interoperable cloud solution using open-source technologies. This case study outlines the motivations, architecture, and innovative aspects of this project, showcasing its potential benefits for developers and businesses alike.

The project was driven by two primary principles: openness and sovereignty. By leveraging open-source components, the platform ensures transparency and flexibility. Sovereignty is achieved by adhering to the guidelines set by the GAIA-X initiative, which promotes data and operational sovereignty within the European Union. This ensures compliance with EU laws, providing users with freedom of choice and interoperability across multiple cloud providers.

Key Features and Architecture

The cloud platform is structured into three main layers, each with its unique features and capabilities:

Infrastructure Layer

  • MetalStack technology — the infrastructure is based on a modern, Kubernetes-native technology called MetalStack. This offers essential infrastructure services like compute resources (virtual machines), storage (using Ceph), and networking (based on SONiC).
  • Kubernetes integration — MetalStack leverages Kubernetes for resource management, providing a cloud-native, scalable, and efficient infrastructure solution.

Platform as a Service (PaaS)

  • Gardener — this orchestration tool manages Kubernetes clusters, allowing for seamless integration with various infrastructures. It supports multiple Kubernetes versions and offers geo-redundancy through its garden, seed, and shoot cluster architecture.
  • Automated management — users can easily create and manage Kubernetes clusters via a user-friendly dashboard or APIs, supporting CI/CD pipelines for automated deployments.

Software as a Service (SaaS)

  • Kyma runtime — Kyma enhances Kubernetes with additional tools for serverless functions, an API gateway, service mesh (Istio), and observability (Prometheus, Grafana, Loki, Jaeger).
  • Service catalogue — a comprehensive catalogue of ready-made services like PostgreSQL, Kafka, Redis, and more, allowing developers to build applications quickly using these pre-configured components.

Innovation and Security

One of the most innovative aspects of the platform is its support for confidential computing. This technology addresses the challenge of securing in-memory data by encrypting the entire memory context of running containers. Leveraging Intel's SGX technology, the platform ensures that even memory snapshots remain encrypted, preventing unauthorised access to sensitive data. This level of security makes the platform suitable for high-stakes applications in sectors like healthcare and defence.

Development Process and Team Culture

The development of this platform follows agile methodologies, with cross-functional teams working collaboratively across different layers of the stack.

Key technologies and tools used include:

  • Programming languages — Go, shell scripting, C (for network acceleration), and Python (for testing).
  • Operating systems — a customised Debian-based Linux distribution called Garden Linux.
  • Development tools — Git and GitLab for version control, task management, and CI/CD pipelines.

The team's culture emphasises transparency, collaboration, and continuous improvement, with regular sprint reviews and quarterly face-to-face meetings to align on priorities and address challenges.

Conclusion

The open-source and sovereign cloud platform represents a significant advancement in cloud technology, combining compliance, security, and interoperability. By adhering to GAIA-X principles and leveraging cutting-edge technologies, the platform offers a robust solution for businesses seeking a secure and flexible cloud environment. This project not only sets a new standard for cloud services in Europe but also provides a model for future innovations in the industry.

Open by design, sovereign by principle — a European cloud platform engineered to give businesses freedom of choice without compromising on security or compliance.
