Skip to main content

โ€‹
Overview

Major feature release adding HashiCorp Vault integration for persistent storage of DID keys and Hydra OAuth2 credentials. This solves the critical issue where pod restarts in Kubernetes deployments resulted in new agent identities and orphaned Hydra OAuth clients. Version: 2026.9.4
Date: February 25, 2026
Author: Raahul Dutta

โ€‹
Problem Solved

โ€‹
Before this release

When a pod died and restarted:
  • โŒ New DID keys were generated โ†’ different agent identity
  • โŒ New Hydra OAuth client was registered โ†’ orphaned clients in Hydra
  • โŒ Authentication broke โ†’ clients couldnโ€™t authenticate with new credentials

โ€‹
After this release

With Vault enabled:
  • โœ… DID keys are restored from Vault โ†’ same agent identity
  • โœ… Hydra credentials are reused โ†’ no duplicate clients
  • โœ… Authentication persists โ†’ seamless pod restarts

โ€‹
Breaking Changes

DID setup default changed
  • recreate_keys default changed from True to False
  • Impact: Existing keys are preserved by default
  • Migration: No action needed, this is the desired behavior
  • Override: Set recreate_keys=True to force regeneration

โ€‹
Features

โ€‹
๐Ÿ” Vault Client Module

New bindu/utils/vault_client.py with:
  • Store and retrieve DID private/public keys
  • Store and retrieve Hydra OAuth2 credentials
  • Automatic backup and restore functionality
  • Graceful fallback when Vault is unavailable
  • Reuses existing AsyncHTTPClient for efficiency (no duplicate HTTP clients)
  • Proper async session cleanup to prevent memory leaks

โ€‹
๐Ÿ†” Deterministic Agent Identity

  • Agent ID generated deterministically from SHA256(author:agent_name)
  • Same author + name โ†’ same agent_id โ†’ same DID every time
  • No need to hardcode agent IDs in configuration
  • Automatic persistent identity without manual intervention

โ€‹
๐Ÿ”‘ DID Setup Integration

  • Changed default: recreate_keys=False (was True)
  • Checks Vault for existing keys before generating new ones
  • Automatically backs up newly generated keys to Vault
  • Restores keys from Vault on pod restart
  • Uses correct filenames from settings (private.pem, public.pem)

โ€‹
๐Ÿ”’ Hydra Registration Integration

Priority-based credential lookup:
  1. Priority 1: Check Vault for existing credentials
  2. Priority 2: Check local filesystem
  3. Priority 3: Generate new credentials
Features:
  • Automatic backup of credentials to Vault
  • Reuses client_secret from Vault when recreating clients
  • Proper VaultClient session cleanup in all code paths

โ€‹
โš™๏ธ Configuration

Environment variables: 
# Enable Vault
VAULT__ENABLED=true

# Vault server URL
VAULT__URL=http://vault:8200

# Vault authentication token
VAULT__TOKEN=hvs.CAESIJ...
Alternative names supported:
  • VAULT_ADDR (alternative to VAULT__URL)
  • VAULT_TOKEN (alternative to VAULT__TOKEN)

โ€‹
๐Ÿ“š Documentation

  • Complete guide: docs/VAULT_INTEGRATION.md
  • Example configuration: .env.vault.example
  • Kubernetes deployment examples
  • Vault setup instructions
  • Troubleshooting guide

โ€‹
๐Ÿงช Testing

  • Comprehensive unit tests: tests/unit/test_vault_integration.py
  • Tests for all Vault operations
  • Mock-based testing for CI/CD compatibility
  • Updated tests to use correct DID key filenames

โ€‹
๐Ÿ”ง Type Safety & Code Quality

  • Proper UUID type handling throughout codebase
  • Type-safe agent_id conversion (UUID for internal, str for display)
  • No unclosed aiohttp client sessions
  • Removed unused dependencies (agno, openai, ddgs)

โ€‹
Technical Details

โ€‹
Storage Hierarchy

vault/secret/bindu/
โ”œโ”€โ”€ agents/{agent_id}/did-keys
โ”‚   โ”œโ”€โ”€ private_key (PEM)
โ”‚   โ”œโ”€โ”€ public_key (PEM)
โ”‚   โ””โ”€โ”€ did
โ””โ”€โ”€ hydra/credentials/{did}/
    โ”œโ”€โ”€ client_id
    โ”œโ”€โ”€ client_secret
    โ”œโ”€โ”€ agent_id
    โ”œโ”€โ”€ created_at
    โ””โ”€โ”€ scopes

โ€‹
Agent ID Generation

  1. If no explicit ID in config: SHA256(author:agent_name)[:32] โ†’ UUID
  2. Same author + name = same deterministic agent_id every time
  3. Agent ID used in DID: did:bindu:{author}:{agent_name}:{agent_id}

โ€‹
Startup Flow

  1. Generate deterministic agent_id from author:agent_name
  2. Check Vault for DID keys โ†’ restore if found โ†’ generate if not found
  3. Check Vault for Hydra credentials โ†’ reuse if found โ†’ register if not found
  4. Backup all credentials to Vault
  5. Start agent with persistent identity

โ€‹
Configuration

โ€‹
Environment Variables

# Enable Vault
VAULT__ENABLED=true

# Vault server URL
VAULT__URL=http://vault:8200

# Vault authentication token
VAULT__TOKEN=hvs.CAESIJ...

โ€‹
Kubernetes Example

env:
- name: VAULT__ENABLED
  value: "true"
- name: VAULT__URL
  value: "http://vault.vault.svc.cluster.local:8200"
- name: VAULT__TOKEN
  valueFrom:
    secretKeyRef:
      name: bindu-vault-token
      key: token

โ€‹
Migration Guide

โ€‹
For Existing Deployments

1

Enable Vault in configuration

VAULT__ENABLED=true
2

Set Vault URL and token

VAULT__URL=http://vault:8200
VAULT__TOKEN=hvs.CAESIJ...
3

Restart agents

Agents will automatically backup existing keys to Vault
4

Verify keys are in Vault

vault kv get secret/bindu/agents/{agent_id}/did-keys
5

Test by deleting and recreating pods

Verify that agents maintain their identity across restarts

โ€‹
For New Deployments

1

Set up Vault

See docs/VAULT_INTEGRATION.md for complete setup instructions
2

Configure environment variables

VAULT__ENABLED=true
VAULT__URL=http://vault:8200
VAULT__TOKEN=hvs.CAESIJ...
3

Deploy agents

Keys will be automatically stored in Vault

โ€‹
Vault Setup

# Enable KV v2 secrets engine
vault secrets enable -path=secret kv-v2

# Create policy
vault policy write bindu bindu-policy.hcl

# Generate token
vault token create -policy=bindu -ttl=720h

โ€‹
Security Considerations

Production Security Best Practices
  • Use Kubernetes auth instead of static tokens in production
  • Rotate Vault tokens regularly
  • Enable Vault audit logging
  • Use TLS for Vault communication
  • Never commit Vault tokens to git

โ€‹
Performance Impact

  • Startup time: +100-200ms for Vault lookups
  • Network: Requires Vault connectivity
  • Caching: Local files cached after Vault restore
  • Failover: Falls back to local files if Vault unavailable

โ€‹
Testing

Unit tests for VaultClient operations
DID key backup and restore
Hydra credential backup and restore
Graceful degradation when Vault disabled
Error handling for network failures
All existing tests passing

โ€‹
Files Changed

โ€‹
New Files

  • bindu/utils/vault_client.py - VaultClient implementation
  • docs/VAULT_INTEGRATION.md - Comprehensive integration guide
  • .env.vault.example - Example Vault configuration
  • tests/unit/test_vault_integration.py - Unit tests

โ€‹
Modified Files

  • bindu/penguin/did_setup.py - Vault restore/backup integration
  • bindu/penguin/bindufy.py - Deterministic agent_id, Vault config loading
  • bindu/auth/hydra/registration.py - Vault credential restore/backup, session cleanup
  • bindu/settings.py - VaultSettings documentation
  • bindu/penguin/config_validator.py - recreate_keys default changed to False
  • bindu/utils/config_loader.py - Vault config loading from environment
  • examples/beginner/.env - DATABASE_URL SSL fix
  • examples/beginner/.env.example - Vault configuration example
  • pyproject.toml - Removed unused dependencies (agno, openai, ddgs)

โ€‹
Benefits

โ€‹
๐ŸŽฏ Persistent Identity

  • Agents maintain the same DID across pod restarts
  • No more orphaned OAuth clients in Hydra
  • Seamless authentication across deployments

โ€‹
๐Ÿ”„ Simplified Operations

  • Automatic credential backup and restore
  • No manual key management required
  • Deterministic agent IDs from configuration

โ€‹
๐Ÿš€ Production Ready

  • Kubernetes-native integration
  • Graceful degradation when Vault unavailable
  • Proper error handling and logging

โ€‹
๐Ÿงน Code Quality

  • Removed unused dependencies
  • Improved type safety
  • No resource leaks (proper session cleanup)

โ€‹
References