Copy Vault Data from a Vault to another Vault on k8s

We have a use case where we need to copy Vault data from one Vault instance to a secondary Vault instance.

1) We have secrets data. We can try the options listed here: Hashicorp vault - export key from one vault, import into another vault - Stack Overflow

2) We have a PKI secrets engine; for this we have a Root CA private key and also an Intermediate CA, which issues all of our certs.

Questions:

1) Is there a method to copy the PKI secrets engine and set up an exact clone after copying from one Vault instance to another?

2) Shall the certificates also be copied over?

3) Assuming that the clone method exists, shall the copied certificates issued by the original Vault work when we use them against the intermediate CA of the new Vault?

I will preface this by saying the Enterprise version does not support what you ask, but rather the end goal of having a Disaster Recovery or a Performance secondary, though it is a jump in price. You can also do a “snapshot” and “restore”, but this covers the entire storage and comes with its own challenges. All of these methods copy “the whole cluster” and are not really piece by piece.

You mention two things here: copying KV stores and copying PKI.

The simpler of course is copying the KV values over; yes, this works: you read in one and write in the other. You need to implement the logic depending on your use case, copying one way being the easiest. The question is what you are trying to achieve, more than anything: a backup? A local copy? etc.

For PKI, things are different: the PKI engine cannot be copied like the KV store, but because of the way PKI is used, that may not be necessary. In the PKI engine, you cannot export the keys except when they get created (the exportable flag); this means any read/write will be incomplete. If you have the keys, there is an API call to import the full PEM bundle and replace the existing one:

But this is more a way to set the CA/issuers at the start, and not really for ongoing “management”, at least not in the way you seem to be mentioning it (I’m guessing). You cannot keep these as separate CAs (or Roots) still managing the certificates underneath, since, if they are on two active Vaults, they are independent, each having their own certificates, CRL, OCSP, etc. But given the way certificates are used, this does not really matter in most use cases, except very specific ones.
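A worked version of the "read in one, write in the other" approach for KV, added here as an example and not code from the thread or from HashiCorp: it walks a KV v2 mount recursively over Vault's HTTP API (LIST on `<mount>/metadata/...`, GET and POST on `<mount>/data/...`) and writes every leaf secret into the destination. The `VaultKv2` and `MemoryKv2` class names, the `copy_kv` function and the sample secrets are this example's own; the in-memory class exists only so the traversal can be run and checked without a live Vault.

```python
"""Copy every secret under a KV v2 mount from one Vault to another.

Added example, not from the original thread. Assumes KV version 2 on both
sides and a token with list+read on the source mount and create/update
on the destination mount. Class/function names are this example's own.
"""
import json
import urllib.request
from urllib.error import HTTPError


class VaultKv2:
    """Minimal KV v2 client over Vault's HTTP API (urllib only, no hvac)."""

    def __init__(self, addr, token, mount="secret"):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def list(self, path):
        # LIST <mount>/metadata/<path>; Vault answers 404 when nothing is under it
        try:
            return self._request("LIST", f"{self.mount}/metadata/{path}")["data"]["keys"]
        except HTTPError as err:
            if err.code == 404:
                return []
            raise

    def read(self, path):
        # KV v2 wraps the secret: {"data": {"data": {...}, "metadata": {...}}}.
        # A soft-deleted latest version comes back as 404; report it as None.
        try:
            return self._request("GET", f"{self.mount}/data/{path}")["data"]["data"]
        except HTTPError as err:
            if err.code == 404:
                return None
            raise

    def write(self, path, data):
        self._request("POST", f"{self.mount}/data/{path}", {"data": data})


class MemoryKv2:
    """In-memory stand-in with the same list/read/write contract (constructed
    for this example), so the copy logic can run without a live Vault.
    A value of None models a secret whose latest version was deleted."""

    def __init__(self, secrets=None):
        self.secrets = dict(secrets or {})

    def list(self, path):
        prefix = f"{path}/" if path else ""
        keys = set()
        for full in self.secrets:
            if full.startswith(prefix):
                head, sep, _ = full[len(prefix):].partition("/")
                keys.add(f"{head}/" if sep else head)  # trailing '/' = sub-path
        return sorted(keys)

    def read(self, path):
        value = self.secrets[path]
        return None if value is None else dict(value)

    def write(self, path, data):
        self.secrets[path] = dict(data)


def copy_kv(src, dst, path=""):
    """Walk src depth-first and write each leaf secret (latest version only) to dst.

    KV v2 LIST marks sub-paths with a trailing '/'; a name can appear both as
    a leaf ('app') and a folder ('app/'), and both are handled.
    Returns the leaf paths that were copied, for verification.
    """
    copied = []
    for key in src.list(path):
        child = f"{path}/{key}" if path else key
        if key.endswith("/"):
            copied.extend(copy_kv(src, dst, child.rstrip("/")))
            continue
        data = src.read(child)
        if data is None:  # latest version deleted: nothing to carry over
            continue
        dst.write(child, data)
        copied.append(child)
    return copied


if __name__ == "__main__":
    # Constructed sample data; a real run would use two VaultKv2 instances:
    #   src = VaultKv2("https://vault-a:8200", TOKEN_A, mount="secret")
    #   dst = VaultKv2("https://vault-b:8200", TOKEN_B, mount="secret")
    src = MemoryKv2({"app": {"note": "x"}, "app/db": {"user": "u", "pass": "p"},
                     "app/nested/key": {"k": "v"}, "gone": None})
    dst = MemoryKv2()
    print(copy_kv(src, dst))  # → ['app', 'app/db', 'app/nested/key']
```

Only the latest version of each secret is carried over; version history is not, and a secret whose latest version has been deleted is skipped rather than written as empty. Custom metadata (which KV v2 keeps separately under `<mount>/metadata/<path>`) would need its own read and write if you rely on it. Run the copy in one direction only, as the answer suggests; a bidirectional sync with two independently written Vaults has no safe conflict rule.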