Migrate Vault workload to a new k8s cluster


I would like to migrate a Vault community workload running in one GKE cluster to another GKE cluster.

Here are some details of the current Vault setup:

  • Installed with the Helm chart
  • Using only a K/V 2 secret engine mount
  • Using Cloud Storage as the storage backend. I have admin access to this bucket.
  • Using auto-unseal with CloudKMS managing seal keys. I have admin access to the keys in CloudKMS.
  • I have access to the root key
  • I do not have access to the recovery keys
  • Not using HA

I would like to preserve the keys stored in the current Vault.

Ideally, I would like to continue using the current Cloud KMS keyring/keys and the current Cloud Storage bucket. But if there is no other way, I can regenerate these if needed.

What are my options here?

Thanks in advance

I ended up exporting all secrets and importing them in the new Vault instance (I used this CLI), so I no longer need an answer.

It took almost two weeks for this post to stop being hidden (it was considered spam)… not very likely to come back to these community forums because of that.
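An export/import of a K/V 2 mount like the one described above can be done over Vault's HTTP API, sketched here as an added example that is not part of the original post and is not the CLI the poster used. It assumes a mount named `secret` and tokens that can list and read on the source and write on the target; the function names and the in-memory `fake_vault` are hypothetical helpers for a dry run, and only the current version of each secret is copied (version history and metadata are not carried over).

```python
import json
import urllib.error
import urllib.request

def vault_call(addr, token, method, path, body=None):
    """One Vault HTTP API request; returns decoded JSON, or None on 404."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def walk_kv2(call, mount, prefix=""):
    """Yield every secret path under prefix; folder keys end with '/'."""
    listing = call("LIST", f"{mount}/metadata/{prefix}")
    for key in listing["data"]["keys"] if listing else []:
        if key.endswith("/"):
            yield from walk_kv2(call, mount, prefix + key)
        else:
            yield prefix + key

def copy_kv2(src_call, dst_call, mount):
    """Copy the current version of each secret; returns (copied, skipped)."""
    copied, skipped = [], []
    for path in walk_kv2(src_call, mount):
        resp = src_call("GET", f"{mount}/data/{path}")
        if not resp or resp["data"]["data"] is None:  # no readable current version
            skipped.append(path)
            continue
        dst_call("POST", f"{mount}/data/{path}", {"data": resp["data"]["data"]})
        copied.append(path)
    return copied, skipped

def fake_vault(store):  # constructed in-memory stand-in for a Vault server
    def call(method, path, body=None):
        _mount, kind, rest = path.split("/", 2)
        if method == "POST":
            store[rest] = body["data"]
            return {}
        if kind == "data":
            return {"data": {"data": store[rest]}} if store.get(rest) is not None else None
        tails = [k[len(rest):] for k in store if k.startswith(rest)]
        keys = sorted({t.split("/")[0] + "/" * ("/" in t) for t in tails})
        return {"data": {"keys": keys}} if keys else None
    return call
```

Against real servers, pass `functools.partial(vault_call, addr, token)` for each side in place of `fake_vault(...)`, and review the `skipped` list before decommissioning the old instance.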