env to Kubernetes ConfigMap / Secret

Turn a .env file into a ready-to-apply Kubernetes ConfigMap or Secret manifest. Runs entirely in your browser — secrets never leave your machine.

Try:
YAML manifest

About this tool

env to ConfigMap / Secret turns a .env file into a ready-to-apply Kubernetes manifest. Paste your KEY=value lines and get back clean YAML:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DB_HOST: localhost
  DB_PORT: "5432"
  LOG_LEVEL: info

Worked example

Input (a Secret):

API_TOKEN=s3cr3t
DB_PASSWORD=hunter2

Output with kind = Secret, name = app-secrets:

apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  API_TOKEN: czNjcjN0
  DB_PASSWORD: aHVudGVyMg==

Privacy

Everything runs in your browser via WebAssembly — your .env file, including any secrets, is never uploaded. Also available from the gizza CLI and in chat.

Common uses

FAQ

Why are some values wrapped in quotes?

In a ConfigMap or a stringData Secret, every value must be a string. YAML would otherwise read PORT: 5432 as an integer and DEBUG: true as a boolean, and kubectl apply rejects those with a "cannot convert" error. So any value that looks like a number, boolean (true/false/yes/no/on/off), or null is double-quoted to keep it a string. Plain identifiers like localhost are left unquoted.

What's the difference between data and stringData for a Secret?

Both end up identical in the cluster. data stores each value base64-encoded — that's how Kubernetes persists Secrets and what kubectl get secret -o yaml shows. stringData is a write-only convenience field: you provide plaintext and Kubernetes base64-encodes it on apply, which keeps your committed manifests readable. Base64 is not encryption — anyone who can read the Secret can decode it.

How are comments, quotes and duplicates handled?

Lines starting with # and blank lines are skipped, and a leading export is dropped. A value wrapped in single or double quotes is unquoted (double quotes also interpret \n, \t, \\ and \"), and an unquoted trailing # comment is removed. If a key appears more than once, the last value wins.

Does this cover Docker-registry, TLS or basic-auth Secrets?

No — this tool produces Opaque Secrets, the direct equivalent of kubectl create secret generic --from-env-file. The typed Secrets (kubernetes.io/dockerconfigjson, kubernetes.io/tls, kubernetes.io/basic-auth) expect specific fixed keys and file contents rather than a flat .env, so they're out of scope here.

Can I set a namespace and labels?

Yes. Fill the optional Namespace field to add metadata.namespace (leave it blank to omit it and apply to your current namespace). Add labels as comma-separated key=value pairs, e.g. app=web,tier=backend, and they're emitted under metadata.labels.

Developer & Automation Access

Run it from the terminal

Same engine as this page, headless — via the gizza CLI:

gizza tool env-to-configmap "DB_HOST=localhost
DB_PORT=5432
API_TOKEN=s3cr3t"

New to the CLI? Get gizza →

Open it by URL

Pre-fill and auto-run this tool with query parameters — the names match the API/CLI:

https://gizza.ai/tools/env-to-configmap/?env=DB_HOST%3Dlocalhost%0ADB_PORT%3D5432%0AAPI_TOKEN%3Ds3cr3t&kind=configmap&name=app-config&namespace=default&secret_encoding=data&labels=app%3Dweb%2Ctier%3Dbackend

Machine-readable descriptor: tool.json — title + parameters JSON Schema for agents.