Porter integrates with Infisical so you can manage secrets in Infisical and have them automatically synced into your Porter applications. Each Infisical environment is exposed in Porter as a read-only environment group that can be attached to any application in the cluster. Under the hood, Porter installs the Infisical Kubernetes operator on your cluster, which uses a machine identity to pull secrets directly from Infisical. Secret values never persist in Porter’s infrastructure.

Enabling the Infisical integration

The Infisical integration is enabled per cluster.
  1. From the Porter dashboard, navigate to the Integrations tab.
  2. Find Infisical in the list and toggle it on.
Porter installs the Infisical operator on the selected cluster. Once enabled, you can begin adding Infisical environment groups.

Adding an Infisical environment group

Each environment group corresponds to a path within a specific environment of an Infisical project.

Create a machine identity in Infisical

Porter authenticates with Infisical using a machine identity. In your Infisical project:
  1. Create a machine identity and assign it the Viewer role on the project.
  2. Generate a Client ID and Client Secret for the identity.
Keep both values handy — you’ll paste them into Porter in the next step.

Create the environment group in Porter

Infisical environment groups are created from the same form as any other Porter environment group.
  1. From the Porter dashboard, navigate to the Env Groups tab and click New Env Group.
  2. Enter a Name — the name you’ll use to reference this environment group inside Porter (e.g. production-infisical).
  3. For Type, select Infisical. (This option only appears once the Infisical integration is enabled on at least one cluster.)
  4. Fill in the Infisical configuration:
    • Project slug — the slug of the Infisical project to sync from.
    • Env slug — the environment to pull from (e.g. dev, staging, prod).
    • Env path — the secret path within the environment. Defaults to /.
    • Service URL — the Infisical API URL. Defaults to https://app.infisical.com/api. Set this to your self-hosted Infisical URL if you’re not using Infisical Cloud.
    • Client ID — the client ID of the machine identity you created.
    • Client Secret — the client secret of the machine identity.
  5. Select the Target cluster to sync the secrets into. If only one cluster has Infisical enabled, it’s preselected.
  6. Click Create environment group.
You can also start from the Infisical integration page and click Create an Infisical environment group to deep-link into the create form with Infisical preselected.
[Image: Add a new Infisical integration modal in the Porter dashboard]
The new environment group will appear alongside your other environment groups in the Env Groups tab.
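To see where each form field ends up on the cluster, here is an added sketch (not Porter's own manifests) of the kind of resources the Infisical Kubernetes operator consumes: a Secret holding the machine identity credentials and an InfisicalSecret that references it. All resource names and the namespace are placeholders, the resync interval is a constructed value, and the resources Porter actually generates may differ.

```yaml
# Credentials for the machine identity. The operator reads the keys
# clientId and clientSecret from this Secret.
apiVersion: v1
kind: Secret
metadata:
  name: production-infisical-credentials   # placeholder name
  namespace: example-namespace             # placeholder namespace
type: Opaque
stringData:
  clientId: <client-id>           # "Client ID" form field
  clientSecret: <client-secret>   # "Client Secret" form field
---
# Tells the operator what to pull from Infisical and where to write it.
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: production-infisical               # placeholder, mirrors the env group name
  namespace: example-namespace             # placeholder namespace
spec:
  hostAPI: https://app.infisical.com/api   # "Service URL" form field
  resyncInterval: 60                       # seconds between syncs (constructed value)
  authentication:
    universalAuth:
      secretsScope:
        projectSlug: <project-slug>        # "Project slug" form field
        envSlug: prod                      # "Env slug" form field
        secretsPath: "/"                   # "Env path" form field
      credentialsRef:
        secretName: production-infisical-credentials
        secretNamespace: example-namespace
  # The Kubernetes Secret the operator creates and keeps in sync;
  # workloads read their environment variables from it.
  managedSecretReference:
    secretName: production-infisical-managed   # placeholder name
    secretNamespace: example-namespace
```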

Syncing to an application

Infisical environment groups work like any other Porter environment group. You can sync them to an application:
  • From the dashboard, on the application’s Env Groups tab, add the Infisical group and click Update app.
  • From porter.yaml, add the group’s name to the envGroups field:
version: v2
name: my-app

envGroups:
  - production-infisical

services:
  - name: web
    type: web
    run: npm start
    port: 3000
For more on syncing, see Environment groups.
Infisical environment groups are read-only in Porter. Values are fetched from Infisical and cannot be edited from the Porter dashboard. To change a secret’s value, update it in Infisical — the change will propagate to your cluster automatically.

Deleting an Infisical environment group

To stop syncing an Infisical environment:
  1. Open the environment group in Porter.
  2. Go to the Settings tab and click Delete.
You cannot delete an environment group that is synced to an application. Remove it from all synced applications first.
Deleting the environment group removes the synced Kubernetes resources from your cluster. It does not delete the underlying secrets in Infisical.