DevBolt
Processed in your browser. Your data never leaves your device.

How do I convert a .env file to Docker Compose or Kubernetes YAML?

Paste your .env file and select an output format: Docker Compose inline environment, Docker Compose env_file reference, Kubernetes ConfigMap, Kubernetes Secret (base64 or stringData), or docker run -e flags. The tool parses KEY=VALUE pairs, strips quotes, detects sensitive keys (passwords, tokens, API keys), and generates valid YAML or shell commands. Everything runs in your browser — your secrets never leave your device.

Convert .env to Docker Compose
Input
DATABASE_URL=postgres://localhost/db
REDIS_URL=redis://localhost:6379
API_KEY=sk-abc123
PORT=3000
Output
# docker-compose.yml
services:
  app:
    environment:
      - DATABASE_URL=postgres://localhost/db
      - REDIS_URL=redis://localhost:6379
      - API_KEY=sk-abc123
      - PORT=3000

.env to Docker/K8s Converter

Convert .env files to Docker Compose environment blocks, Kubernetes ConfigMaps, Secrets, or docker run flags. Sensitive keys are detected automatically. Validate your .env first →

Samples:
Ctrl+Enter

Output Format Reference

FormatUse CaseSensitive Data?
Docker Compose (inline)Variables directly in docker-compose.ymlNot recommended — values visible in file
Docker Compose (env_file)Reference .env file from composeBetter — .env excluded from VCS via .gitignore
K8s ConfigMapNon-sensitive config in KubernetesNot for secrets — data is plain text
K8s Secret (base64)Standard K8s secrets (base64 encoded)Base64 is encoding, not encryption — use RBAC + encryption at rest
K8s Secret (stringData)Human-readable secrets (auto-encoded by K8s)Same security as data: — encoded on apply
docker run -eOne-off container runs with env varsVisible in process list — avoid for secrets
Related:.env Validator·Docker Compose Validator·Kubernetes Validator·Dockerfile Validator·YAML Formatter

Tips & Best Practices

Pro Tip

Docker Compose env_file and environment behave differently

env_file loads a .env file at container start. environment sets vars directly in the compose file. env_file values can be overridden by environment. Use env_file for defaults and environment for per-service overrides.

Common Pitfall

Kubernetes ConfigMaps are not for secrets — use Secrets instead

ConfigMaps are stored in plain text in etcd and visible to anyone with cluster read access. Use Kubernetes Secrets for credentials, API keys, and certificates. Even better: use a secrets manager like Vault, AWS Secrets Manager, or sealed-secrets.

Real-World Example

Generate Kubernetes ConfigMap YAML from .env for fast deployments

Instead of manually creating ConfigMap YAML, convert your .env file directly. Split sensitive vars into a Secret and non-sensitive vars into a ConfigMap. This ensures your K8s manifests stay in sync with your local dev environment.

Security Note

Base64 encoding in K8s Secrets is not encryption

Kubernetes Secrets are just Base64-encoded — anyone with kubectl access can decode them instantly. Enable etcd encryption at rest, use RBAC to limit Secret access, and consider external secrets managers for production workloads.

Frequently Asked Questions

How do I convert a .env file to a Kubernetes ConfigMap?
Paste your .env file, select 'Kubernetes ConfigMap' as the output format, set the resource name and optional namespace, then click Convert. The tool parses all KEY=VALUE pairs and generates a valid ConfigMap YAML with apiVersion, kind, metadata, and data fields. Sensitive keys (passwords, secrets, tokens) are flagged with a comment suggesting you use a Kubernetes Secret instead.
What is the difference between Kubernetes Secret data and stringData?
The 'data' field requires values to be base64-encoded (the format Kubernetes stores internally). The 'stringData' field accepts plain text values that Kubernetes automatically base64-encodes when the manifest is applied. Both are equivalent at runtime. Use stringData for readability during development and data for CI/CD pipelines that pre-encode values. Note that base64 is encoding, not encryption — always enable encryption at rest for production Secrets.
Does the tool detect sensitive environment variables?
Yes. The converter scans key names against 20+ patterns including PASSWORD, SECRET, TOKEN, API_KEY, PRIVATE_KEY, DATABASE_URL, JWT_SECRET, STRIPE_KEY, and AWS_SECRET. When you use the ConfigMap format, detected sensitive keys are flagged in a comment block suggesting migration to a Secret. A count of sensitive keys appears in the stats bar after conversion.
Can I use the output directly in my Docker Compose or Kubernetes project?
Yes. The generated YAML and shell commands are valid and ready to paste into your project files. Docker Compose output includes the services: block structure. Kubernetes output includes apiVersion, kind, and metadata fields. The docker run output generates a complete command with -e flags. You may need to adjust the service name, resource name, namespace, or image name to match your project.

Related Convert Tools

CSV

CSV ↔ JSON Converter

Convert between CSV and JSON formats with custom delimiters

%20

URL Encoder & Decoder

Encode and decode URLs with encodeURIComponent and encodeURI

YML

JSON ↔ YAML Converter

Convert between JSON and YAML for Kubernetes, Docker, and CI/CD configs

&;

HTML Entity Encoder

Encode and decode HTML entities, special characters, and symbols