In-kernel encrypted mesh for Kubernetes, with eBPF steering pod traffic into WireGuard tunnels.
Install in one command
helm install vpblu oci://ghcr.io/lumbrjx/charts/encrypted-vpblu -n vpblu-system --create-namespace
Add --set policies.install=true and the mesh forms in seconds: no chart repository to add, nothing to build.
One WireGuard tunnel per node pair. Encryption runs in the kernel WireGuard module; private keys never leave the node and never hit the wire.
tc eBPF programs classify, block and steer pod packets by reading BPF maps. Policy is data, never compiled into the BPF program.
A leader-elected controller watches the CRDs through informers and pushes targeted commands to the node daemons over warm (persistent) gRPC connections, with a full snapshot plus periodic resync so a missed event cannot leave a node out of date.
Cron-driven key rotation runs in four overlapping phases, so WireGuard keys are swapped without dropping a single packet.
One chart installs CRDs, RBAC, the controller and the per-node DaemonSet. Images are pulled from GHCR — you never build.
A built-in web dashboard (behind a login) and a kubectl-style meshtop CLI show nodes, tunnels, handshakes and rotation state live.
Userspace decides what should be true; the kernel makes it true at packet rate. The only bridge between them is the per-node daemon, which writes eBPF maps and configures WireGuard over netlink.
One Helm command pulls the images from GHCR and deploys the controller + per-node daemon.
Apply a TunnelPolicy with mode: FullMesh and every node peers with every other node in seconds.
wg show lists the peers on each node; tcpdump on the node's physical interface shows only encrypted WireGuard UDP on port 51820.
Open the web dashboard (login) or run meshtop for a live terminal view.
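A practical check for the "wg show lists peers" step, written for this page as an added example (it is not vpblu's own code and not part of the chart). It parses the machine-readable output of wg show <iface> dump and flags any peer that has never completed a handshake or whose last handshake is older than a threshold. Assumptions not stated on the page: the WireGuard interface is called wg0, and 180 seconds without a handshake means the tunnel to that peer is not live (WireGuard re-handshakes roughly every two minutes while traffic flows). The sample dump below is constructed with placeholder keys, so the script runs offline.

```shell
#!/bin/sh
# Added example for checking vpblu tunnel health from `wg show wg0 dump`.
# Not project code. Assumes the interface name wg0 and a 180s freshness limit.
#
# `wg show <iface> dump` is tab-separated. Line 1 is the local interface:
#   private-key  public-key  listen-port  fwmark
# Every following line is one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is unix epoch seconds, 0 if the peer never handshook.
#
# Note that line 1 contains the node's PRIVATE KEY. The functions below skip it
# and never echo it, so their output is safe to paste into a ticket or a log.
# For interactive use prefer plain `wg show wg0`, which prints "(hidden)" instead.

# stale_peers MAX_AGE NOW  < dump
# Prints the public key of every peer whose handshake is missing or older than
# MAX_AGE seconds. Exit status 0 when all peers are fresh, 1 otherwise.
stale_peers() {
    max_age="$1"
    now="$2"
    awk -F '\t' -v max="$max_age" -v now="$now" '
        NR == 1 { next }                 # local interface line (holds the private key): skip
        NF < 8  { next }                 # not a peer line
        {
            hs = $5 + 0                  # latest-handshake, 0 = never
            if (hs == 0 || now - hs > max) { print $1; stale++ }
        }
        END { if (stale > 0) exit 1; exit 0 }
    '
}

# peer_count < dump : number of peers in the dump (interface line excluded)
peer_count() {
    awk -F '\t' 'NR > 1 && NF >= 8 { n++ } END { print n + 0 }'
}

# Constructed sample of `wg show wg0 dump` from a 4-node mesh, with placeholder
# keys (these are not real WireGuard keys). At "now" = 1700000100:
#   node B handshook 10s ago      -> fresh
#   node C handshook 1100s ago    -> stale
#   node D never handshook (0)    -> stale
sample_dump() {
    printf 'PRIVATE_KEY_PLACEHOLDER=\tLOCAL_PUBKEY_PLACEHOLDER=\t51820\toff\n'
    printf 'NODE_B_PUBKEY_PLACEHOLDER=\t(none)\t10.0.0.2:51820\t10.244.2.0/24\t1700000090\t4096\t8192\t25\n'
    printf 'NODE_C_PUBKEY_PLACEHOLDER=\t(none)\t10.0.0.3:51820\t10.244.3.0/24\t1699999000\t0\t1024\t25\n'
    printf 'NODE_D_PUBKEY_PLACEHOLDER=\t(none)\t10.0.0.4:51820\t10.244.4.0/24\t0\t0\t0\t25\n'
}

# Offline demonstration against the constructed sample.
echo "peers: $(sample_dump | peer_count)"
echo "stale peers (max age 180s):"
sample_dump | stale_peers 180 1700000100 || echo "-> some tunnels are not live"

# On a real node (needs root):
#   wg show wg0 dump | stale_peers 180 "$(date +%s)"
```

Pair it with the tcpdump step: on the node's physical interface, tcpdump -ni <iface> 'not udp port 51820' should show no pod-to-pod traffic at all; any pod packet that appears there bypassed the tunnel. Capturing on wg0 itself will show plaintext, which is expected because that is the post-decryption side of the tunnel.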