By Sagar Shankaran, Founder of CallSphere
Compare Vault, Doppler, Infisical for AI agent secrets. Wire ExternalSecrets Operator on k3s, rotate OpenAI keys without restarts, and keep CI keyless via OIDC.
Key takeaways
TL;DR — In 2026, dynamic short-lived credentials are the standard. Vault for enterprise dynamic secrets, Doppler for fastest team onboarding, Infisical for open-source control. All three integrate with External Secrets Operator on Kubernetes — pick on team fit.
A k3s cluster running an AI voice agent that pulls its OpenAI key, Postgres password, and LiveKit API secret from a chosen secrets backend via External Secrets Operator. Rotation triggers a rolling restart automatically.
```mermaid
flowchart LR
  CHOICE{Backend} --> VAULT[Vault]
  CHOICE --> DOP[Doppler]
  CHOICE --> INF[Infisical]
  VAULT --> ESO[ExternalSecretsOperator]
  DOP --> ESO
  INF --> ESO
  ESO --> SEC[K8s Secret]
  SEC --> POD[Voice Agent Pod]
  ESO -->|refresh 60s| ESO
```
```bash
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets --create-namespace
```
ESO is the universal adapter. You write ExternalSecret CRDs; it syncs from any backend into native Secret objects.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata: { name: vault-backend, namespace: voice }
spec:
  provider:
    vault:
      server: https://vault.example.com
      path: secret
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: voice-agent
```
Set up the Kubernetes auth method in Vault once:

```bash
vault write auth/kubernetes/role/voice-agent \
  bound_service_account_names=voice-agent \
  bound_service_account_namespaces=voice \
  policies=voice ttl=1h
```

Pods authenticate via their projected SA token — no static credentials anywhere.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata: { name: doppler }
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken: { name: doppler-token, key: token, namespace: external-secrets }
      project: voice-agent
      config: prd
```
Doppler is the simplest of the three: a single service token, point at project+config, done. Minutes to first sync.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata: { name: infisical }
spec:
  provider:
    infisical:
      hostAPI: https://app.infisical.com/api
      auth:
        universalAuthCredentials:
          clientId: { name: inf-client, key: id, namespace: external-secrets }
          clientSecret: { name: inf-client, key: secret, namespace: external-secrets }
      secretsScope:
        projectSlug: voice-agent
        environmentSlug: prod
```
Self-hosted Infisical on the same cluster gives you the cheapest dollar-per-secret cost; SaaS for hands-off.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: { name: voice-secrets, namespace: voice }
spec:
  refreshInterval: 60s
  secretStoreRef: { name: vault-backend, kind: SecretStore }
  target:
    name: voice-secrets
    template:
      type: Opaque
      data:
        OPENAI_API_KEY: "{{ .openai }}"
        DATABASE_URL: "postgres://voice:{{ .pg }}@db:5432/voice"
        LIVEKIT_API_SECRET: "{{ .livekit }}"
  data:
    - secretKey: openai
      remoteRef: { key: secret/data/voice, property: openai_key }
    - secretKey: pg
      remoteRef: { key: secret/data/voice, property: postgres_password }
    - secretKey: livekit
      remoteRef: { key: secret/data/voice, property: livekit_secret }
```
refreshInterval: 60s keeps the K8s Secret close to live. Rotation in Vault propagates within a minute.
Annotate the Deployment so a Secret change triggers a rollout: either the Stakater Reloader annotation below, or, without Reloader, a Helm `checksum/secret` pod-template annotation computed with `sha256sum` over the rendered Secret:
```yaml
# Deployment-level annotation: Reloader reads metadata.annotations on the
# Deployment itself, not on spec.template, so it goes here.
metadata:
  annotations:
    reloader.stakater.com/auto: "true"
```
Install Stakater Reloader: now any Secret change triggers a rolling restart, and the agent picks up the rotated OpenAI key with zero ops.
```bash
# Vault's database engine substitutes {{username}} / {{password}} / {{name}} by
# exact string match, so the placeholders take no inner spaces; the double
# quotes around the role name must be escaped inside the shell string.
vault write database/config/voice-pg \
  plugin_name=postgresql-database-plugin \
  connection_url="postgresql://{{username}}:{{password}}@db:5432/voice" \
  allowed_roles=voice-agent username=vault password=...

vault write database/roles/voice-agent \
  db_name=voice-pg default_ttl=1h max_ttl=24h \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT voice_app TO \"{{name}}\";"
```
Now every pod gets a 1h Postgres credential. A leaked credential dies in an hour. ESO refreshes it in time.
Quarterly: rotate every static key (OpenAI, LiveKit) in the backend, watch ESO sync, watch Reloader roll, verify smoke test passes, archive audit log. Document the runbook.
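The "watch ESO sync, watch Reloader roll" steps of that runbook, and the 60-second propagation claim above, are easiest to verify mechanically. The script below is an added example, not CallSphere's code: the pure functions take the JSON that `kubectl get ... -o json` returns (ExternalSecret `status.conditions`, Deployment `status`, Secret `data`), so they run offline against the constructed sample objects at the bottom; the `kubectl` wrapper and `wait_for_rotation` are what you would call after rotating a key in the backend. The `sk-` prefix check assumes the rotated value is an OpenAI-style key; the Deployment name is a placeholder.

```python
"""Rotation check: has ESO synced the rotated Secret, and has Reloader finished rolling the Deployment?"""
from __future__ import annotations

import base64
import hashlib
import json
import subprocess
import time


def secret_fingerprint(secret: dict) -> str:
    """SHA-256 over the Secret's base64 data, key-sorted, so a change in any value is detected."""
    canon = json.dumps(secret.get("data") or {}, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def externalsecret_ready(es: dict) -> bool:
    """ESO sets the Ready condition to True only after the last refresh succeeded."""
    for cond in es.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True"
    return False


def rollout_complete(deploy: dict) -> bool:
    """Deployment has converged: the controller saw the latest spec and every replica is new and available.
    During a rolling update `replicas` can exceed the desired count (surge pods), so all four checks are needed."""
    want = deploy.get("spec", {}).get("replicas", 1)
    st = deploy.get("status", {})
    return (
        st.get("observedGeneration", -1) >= deploy.get("metadata", {}).get("generation", 0)
        and st.get("updatedReplicas", 0) == want
        and st.get("availableReplicas", 0) == want
        and st.get("replicas", 0) == want
    )


def key_present(secret: dict, key: str, expected_prefix: str) -> bool:
    """Decode one data field and check it has the expected shape, without printing the value."""
    raw = secret.get("data", {}).get(key)
    return raw is not None and base64.b64decode(raw).decode().startswith(expected_prefix)


def kubectl_json(*args: str) -> dict:
    """`kubectl get <args> -o json` parsed into a dict (needs a kubeconfig; not exercised offline)."""
    out = subprocess.run(["kubectl", "get", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def wait_for_rotation(namespace: str, name: str, deployment: str, before: str, timeout: int = 300) -> bool:
    """Runbook step: poll until the Secret fingerprint differs from `before`, the ExternalSecret is Ready,
    and the Deployment has fully rolled. Returns False on timeout so the runbook can stop and investigate."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        sec = kubectl_json("secret", name, "-n", namespace)
        es = kubectl_json("externalsecret", name, "-n", namespace)
        dep = kubectl_json("deployment", deployment, "-n", namespace)
        if secret_fingerprint(sec) != before and externalsecret_ready(es) and rollout_complete(dep):
            return True
        time.sleep(10)
    return False


# Constructed sample objects, trimmed to the fields the checks read (shapes match `kubectl get -o json`).
OLD_SECRET = {"data": {"OPENAI_API_KEY": base64.b64encode(b"sk-old-constructed").decode()}}
NEW_SECRET = {"data": {"OPENAI_API_KEY": base64.b64encode(b"sk-new-constructed").decode()}}
ES_READY = {"status": {"conditions": [{"type": "Ready", "status": "True", "reason": "SecretSynced"}]}}
ES_FAILED = {"status": {"conditions": [{"type": "Ready", "status": "False", "reason": "SecretSyncedError"}]}}
DEPLOY_ROLLING = {"metadata": {"generation": 5}, "spec": {"replicas": 3},
                  "status": {"observedGeneration": 5, "replicas": 4, "updatedReplicas": 2, "availableReplicas": 3}}
DEPLOY_DONE = {"metadata": {"generation": 5}, "spec": {"replicas": 3},
               "status": {"observedGeneration": 5, "replicas": 3, "updatedReplicas": 3, "availableReplicas": 3}}

if __name__ == "__main__":
    # Live use: record the fingerprint, rotate the key in the backend, then wait for sync + roll.
    before = secret_fingerprint(kubectl_json("secret", "voice-secrets", "-n", "voice"))
    input("Rotate OPENAI_API_KEY in the backend now, then press Enter...")
    print("rotated and rolled" if wait_for_rotation("voice", "voice-secrets", "voice-agent", before) else "TIMEOUT")
```

Run it before and after the backend rotation; a `TIMEOUT` with `externalsecret_ready` still False usually means the backend path or property in the ExternalSecret is wrong, while a `TIMEOUT` with the Secret already changed points at Reloader (annotation placement or RBAC).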
Vault, Doppler, and Infisical all support GitHub OIDC trust now. CI never holds a backend token; it exchanges its OIDC JWT for a short-lived backend session.
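The exchange described in that paragraph, done against Vault with nothing but the standard library, as an added example (not CallSphere's or HashiCorp's code). It assumes a Vault JWT auth mount at `auth/jwt` with a role named `ci-voice` (hypothetical) whose `bound_claims` pin the token to one repository and branch, and a job running with `permissions: id-token: write`. The claim check mirrors what Vault's `bound_claims` and `bound_audiences` enforce so a refused login is explainable in the CI log; the real signature verification happens in Vault against GitHub's JWKS. The sample token and responses at the bottom are constructed.

```python
"""Keyless CI: exchange the GitHub Actions OIDC JWT for a short-lived Vault token, then read KV v2 secrets."""
from __future__ import annotations

import base64
import json
import os
import urllib.request

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def decode_jwt_claims(token: str) -> dict:
    """Return the unverified JWT payload; used only to inspect the claims a Vault role can bind on."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claims_match_role(claims: dict, repository: str, ref: str, audience: str) -> bool:
    """Local mirror of bound_claims (repository, ref) and bound_audiences; `aud` may be a string or a list."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == GITHUB_ISSUER
        and claims.get("repository") == repository
        and claims.get("ref") == ref
        and audience in auds
    )


def fetch_github_oidc_token(audience: str) -> str:
    """GitHub injects ACTIONS_ID_TOKEN_REQUEST_URL / _TOKEN into jobs that have id-token: write."""
    url = f"{os.environ['ACTIONS_ID_TOKEN_REQUEST_URL']}&audience={audience}"
    req = urllib.request.Request(url, headers={"Authorization": "bearer " + os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def vault_login_request(vault_addr: str, role: str, jwt: str) -> tuple[str, bytes]:
    """The login call is POST /v1/auth/jwt/login with {role, jwt}; no Vault token is needed to make it."""
    return f"{vault_addr}/v1/auth/jwt/login", json.dumps({"role": role, "jwt": jwt}).encode()


def vault_token_from_login(resp: dict) -> tuple[str, int]:
    """Extract the client token and its TTL in seconds; the TTL is set by the role, typically minutes."""
    auth = resp["auth"]
    return auth["client_token"], int(auth["lease_duration"])


def vault_kv2_values(resp: dict) -> dict:
    """KV v2 reads nest the user data under data.data (data.metadata holds the version)."""
    return resp["data"]["data"]


def http_json(url: str, body: bytes | None = None, token: str | None = None) -> dict:
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    req = urllib.request.Request(url, data=body, headers=headers, method="POST" if body else "GET")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def ci_fetch_secrets(vault_addr: str, role: str, repository: str, ref: str, audience: str = "vault") -> tuple[dict, int]:
    """Full flow for a CI job: OIDC token -> Vault token -> secret/data/voice. Returns (values, token TTL)."""
    jwt = fetch_github_oidc_token(audience)
    if not claims_match_role(decode_jwt_claims(jwt), repository, ref, audience):
        raise SystemExit("OIDC token claims do not match the Vault role binding; not attempting login")
    url, body = vault_login_request(vault_addr, role, jwt)
    token, ttl = vault_token_from_login(http_json(url, body))
    return vault_kv2_values(http_json(f"{vault_addr}/v1/secret/data/voice", token=token)), ttl


def fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for offline use only (Vault would reject it; just the claims matter here)."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed samples: repository and token values are placeholders, not real identifiers.
SAMPLE_CLAIMS = {"iss": GITHUB_ISSUER, "aud": "vault", "repository": "example-org/voice-agent",
                 "ref": "refs/heads/main", "workflow": "deploy"}
SAMPLE_LOGIN = {"auth": {"client_token": "hvs.CONSTRUCTED", "lease_duration": 900, "policies": ["default", "ci"]}}
SAMPLE_KV = {"data": {"data": {"openai_key": "sk-constructed"}, "metadata": {"version": 7}}}
```

On the Vault side this pairs with `vault auth enable jwt`, a config whose `oidc_discovery_url` is the GitHub issuer above, and a role with `role_type=jwt`, `bound_audiences`, `bound_claims` on `repository` (and `ref` for deploy-only roles), `user_claim=repository` and a short `ttl`; Doppler and Infisical expose the same idea through their own OIDC identity settings.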
`get,watch` on Secrets cluster-wide, not just `list`, or it'll silently miss updates.

CallSphere uses Infisical (self-hosted) for the primary stack and Vault for HIPAA-segregated tenants. ESO syncs OpenAI keys, LiveKit secrets, Postgres passwords, and 90+ tool API keys into per-namespace Secrets. Reloader rolls 37 agents on rotation. Postgres at 72.62.162.83 uses dynamic Vault-issued credentials with 1-hour TTL.
Q: Vault, Doppler, or Infisical? Vault for enterprise + dynamic credentials at scale. Doppler for fastest team start. Infisical for open-source-first teams that want to self-host.
Q: How do I rotate the OpenAI key without dropping calls? Stakater Reloader does a rolling restart with PDB. Active calls drain on the old pod; new calls hit pods with the new key. Drop-rate ~0.
Q: Sealed Secrets vs ESO? Sealed Secrets is git-native (encrypted in repo). ESO pulls from a live backend. Use ESO if your secrets rotate; Sealed Secrets if they don't.
Q: Can I keep model API keys in cloud KMS instead? Yes — ESO supports AWS Secrets Manager, GCP Secret Manager, Azure Key Vault. Same CRD pattern.
Written by
Sagar Shankaran · Founder, CallSphere
Sagar Shankaran is the founder of CallSphere, where he builds production AI voice and chat agents deployed across healthcare, hospitality, real estate, and home services. He writes about agentic AI, LLM engineering, and shipping voice agents that handle real calls in production.
© 2026 CallSphere LLC. All rights reserved.