Managing Environment Configurations

Overview

Manage application configurations across development, staging, and production environments using .env files, Kubernetes ConfigMaps/Secrets, SSM Parameter Store, and cloud-native configuration services. Enforce consistency, prevent configuration drift, and implement safe promotion workflows between environments.

Prerequisites

• Access to all target environments (dev, staging, production)
• Configuration management tool or pattern identified (dotenv, ConfigMaps, SSM, Consul)
• Version control for configuration files (separate repo or encrypted in application repo)
• Encryption tool for sensitive values (sops, age, sealed-secrets, or cloud KMS)
• Understanding of which values differ between environments vs. which are shared

Instructions

1. Audit existing configuration: scan for .env files, config/ directories, Kubernetes ConfigMaps, and hardcoded values in source code
2. Classify each configuration value: public (non-sensitive, varies per env), secret (credentials, API keys), and static (same across all envs)
3. Extract hardcoded values into externalized configuration with a clear naming convention (APP_DATABASE_HOST, APP_REDIS_URL)
4. Create environment-specific configuration files: .env.development, .env.staging, .env.production
5. Encrypt sensitive values using sops with cloud KMS or sealed-secrets for Kubernetes
6. Generate Kubernetes ConfigMaps and Secrets from environment files for cluster-based deployments
7. Set up configuration validation: schema checks to ensure all required variables are present before deployment
8. Implement promotion workflow: changes go to dev first, then promote to staging after testing, then to production with approval
9. Add configuration drift detection: compare running environment against source-of-truth on a schedule

Output

• Environment-specific configuration files (.env.*, config/*.yaml)
• Kubernetes ConfigMap and Secret manifests per environment
• Configuration schema/validation script to catch missing variables
• SOPS-encrypted secret files with .sops.yaml rules
• CI/CD pipeline steps for configuration validation and deployment

Error Handling

Error	Cause	Solution
Missing required environment variable	Variable defined in schema but absent from .env file	Add the variable to the environment file; run validation script before deploy
SOPS decryption failed	Wrong KMS key or expired credentials	Verify KMS key ARN in .sops.yaml; refresh cloud credentials
ConfigMap too large	Kubernetes 1MB ConfigMap size limit exceeded	Split into multiple ConfigMaps or mount as files from a volume
Configuration drift detected	Manual changes made directly to running environment	Re-apply configuration from source-of-truth; block direct environment edits
Secret exposed in logs	Application logging sensitive config values at startup	Mask secrets in logging output; audit code for accidental secret printing

Examples

• "Create an environment configuration system using .env files for a Node.js app with SOPS encryption for secrets and validation that all required vars are set."
• "Generate Kubernetes ConfigMaps and Secrets from environment files for dev, staging, and production namespaces."
• "Set up a configuration promotion workflow: edit in dev, validate in CI, promote to staging via PR, deploy to production with approval gate."

Resources

• 12-Factor App config: https://12factor.net/config
• SOPS encryption: https://github.com/getsops/sops
• Kubernetes ConfigMaps: https://kubernetes.io/docs/concepts/configuration/configmap/
• Sealed Secrets: https://github.com/bitnami-labs/sealed-secrets
• Consul KV: https://developer.hashicorp.com/consul/docs/dynamic-app-config/kv