website: homepage, intro

This commit is contained in:
Mitchell Hashimoto 2015-04-06 18:35:00 -07:00
parent a8d4319ad5
commit a08664a8c0
5 changed files with 68 additions and 169 deletions

View file

@ -2,7 +2,7 @@
# Configure Middleman
#-------------------------------------------------------------------------
set :base_url, "https://www.vault.io/"
set :base_url, "https://www.vaultproject.io/"
activate :hashicorp do |h|
h.version = ENV['VAULT_VERSION']

View file

@ -18,12 +18,13 @@
<span></span>
</div>
</div>
<h2 id="tag-line">A tool for storing and retrieving secrets.</h2>
<h2 id="tag-line">A tool for managing secrets.</h2>
<div>
<a class="v-btn blue lrg" href="/intro">Get Started</a>
</div>
<div id="diagram"></div>
<p><span class="strong">Vault</span> secures, stores and tightly controls access to tokens, passwords, certificates and other secrets in modern computing. Vault presents a unified access in front of multiple backends, with logical support for HSMs, IAM, Postgres and more.</p>
<p><span class="strong">Vault</span> secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.
</p>
</div>
</div>
</div>
@ -39,9 +40,9 @@
<div id="crud" class="feature">
<div class="graphic"></div>
<h3 class="">CRUD</h2>
<h3 class="">Secret Storage</h3>
<p>
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas et purus at orci cursus mattis. Maecenas ullamcorper dictum elit. Vivamus sit amet nisi eu lacus lacinia iaculis. Nulla non massa ultricies, placerat lectus vel, mattis mauris. Nullam urna risus, volutpat quis viverra in, convallis at magna.
Vault encrypts and provides access to any secrets. Leases can be associated with secrets, and Vault will automatically revoke secrets after the lease period ends. Access control policies provide strict control over who can access what secrets.
</p>
<div class="feature-footer">
<a class="v-btn black sml" href="/intro">Learn more</a>
@ -50,9 +51,9 @@
<div id="key" class="feature">
<div class="graphic"></div>
<h3 class="">Key Rolling</h2>
<h3 class="">Key Rolling</h3>
<p>
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas et purus at orci cursus mattis. Maecenas ullamcorper dictum elit. Vivamus sit amet nisi eu lacus lacinia iaculis. Nulla non massa ultricies, placerat lectus vel, mattis mauris. Nullam urna risus, volutpat quis viverra in, convallis at magna.
Every secret in Vault is associated with a lease. Clients must renew their secret within the lease period, or request a new secret. Key rolling is as simple as storing a new secret and revoking existing secrets or waiting for the lease period to expire.
<div class="feature-footer">
<a class="v-btn black sml" href="/intro">Learn more</a>
<a class="v-btn black sml terminal" href="/#/demo/crud">Launch Interactive Terminal</a>
@ -62,9 +63,9 @@
<div id="audit" class="feature">
<div class="graphic"></div>
<h3 class="">Audit Logs</h2>
<h3 class="">Audit Logs</h3>
<p>
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas et purus at orci cursus mattis. Maecenas ullamcorper dictum elit. Vivamus sit amet nisi eu lacus lacinia iaculis. Nulla non massa ultricies, placerat lectus vel, mattis mauris. Nullam urna risus, volutpat quis viverra in, convallis at magna.
Vault stores a detailed audit log of every interaction: authentication, token creation, secret access, secret revocation, and more. Audit logs can be sent to multiple backends to ensure redundant copies. Paired with Vault's strict leasing policies, operators can easily trace back to the source of any secret.
<div class="feature-footer">
<a class="v-btn black sml" href="/intro">Learn more</a>
</div>
@ -77,9 +78,9 @@
<div class="row">
<div class="col-sm-offset-1 col-sm-10 col-xs-12">
<div id="cta">
<a class="v-btn black sml" href="/intro/index.html">Try Vault Free</a>
<p class="cta-black">Maecenas ullamcorper dictum elit.</p>
<p class="cta-gray">Vivamus venenatis augue.</p>
<a class="v-btn black sml" href="/intro/index.html">Get Started with Vault</a>
<p class="cta-black">Completely free and open source.</p>
<!--<p class="cta-gray">Vivamus venenatis augue.</p>-->
</div><!-- #cta -->
</div> <!-- .col -->
</div> <!-- .row -->

View file

@ -19,49 +19,46 @@ guide for all available features as well as internals.
## What is Vault?
Vault is a tool for building, changing, and versioning infrastructure
safely and efficiently. Vault can manage existing and popular service
providers as well as custom in-house solutions.
Vault is a tool for securely accessing _secrets_. A secret is anything
that you want to tightly control access to, such as API keys, passwords,
certificates, and more. Vault provides a unified interface to any
secret, while providing tight access control and recording a detailed
audit log.
Configuration files describe to Vault the components needed to
run a single application or your entire datacenter.
Vault generates an execution plan describing
what it will do to reach the desired state, and then executes it to build the
described infrastructure. As the configuration changes, Vault is able
to determine what changed and create incremental execution plans which
can be applied.
The infrastructure Vault can manage includes
low-level components such as
compute instances, storage, and networking, as well as high-level
components such as DNS entries, SaaS features, etc.
A modern system requires access to a multitude of secrets: database
credentials, API keys for external services, credentials for
service-oriented architecture communication, etc. Understanding who is
accessing what secrets is already very difficult and platform-specific.
Adding on key rolling, secure storage, and detailed audit logs is almost
impossible without a custom solution. This is where Vault steps in.
Examples work best to showcase Vault. Please see the
[use cases](/intro/use-cases.html).
The key features of Vault are:
* **Infrastructure as Code**: Infrastructure is described using a high-level
configuration syntax. This allows a blueprint of your datacenter to be
versioned and treated as you would any other code. Additionally,
infrastructure can be shared and re-used.
* **Secure Secret Storage**: Arbitrary key/value secrets can be stored
in Vault. Vault encrypts these secrets prior to writing them to persistent
storage, so gaining access to the raw storage isn't enough to access
your secrets. Vault can write to disk, [Consul](http://www.consul.io),
and more.
* **Execution Plans**: Vault has a "planning" step where it generates
an _execution plan_. The execution plan shows what Vault will do when
you call apply. This lets you avoid any surprises when Vault
manipulates infrastructure.
* **Dynamic Secrets**: Vault can generate secrets on-demand for some
systems, such as AWS or SQL databases. For example, when an application
needs to access an S3 bucket, it asks Vault for credentials, and Vault
will generate an AWS keypair with valid permissions on demand. After
creating these dynamic secrets, Vault will also automatically revoke them
after the lease is up.
* **Resource Graph**: Vault builds a graph of all your resources,
and parallelizes the creation and modification of any non-dependent
resources. Because of this, Vault builds infrastructure as efficiently
as possible, and operators get insight into dependencies in their
infrastructure.
* **Leasing and Renewal**: All secrets in Vault have a _lease_ associated
with it. At the end of the lease, Vault will automatically revoke that
secret. Clients are able to renew leases via built-in renew APIs.
* **Change Automation**: Complex changesets can be applied to
your infrastructure with minimal human interaction.
With the previously mentioned execution
plan and resource graph, you know exactly what Vault will change
and in what order, avoiding many possible human errors.
* **Revocation**: Vault has built-in support for secret revocation. Vault
can revoke not only single secrets, but a tree of secrets, for example
all secrets read by a specific user, or all secrets of a particular type.
Revocation assists in key rolling as well as locking down systems in the
case of an intrusion.
## Next Steps
@ -70,4 +67,4 @@ multiple ways Vault can be used. Then see
[how Vault compares to other software](/intro/vs/index.html)
to see how it fits into your existing infrastructure. Finally, continue onwards with
the [getting started guide](/intro/getting-started/install.html) to use
Vault to manage real infrastructure and to see how it works.
Vault to read, write, and create real secrets and see how it works in practice.

View file

@ -3,119 +3,41 @@ layout: "intro"
page_title: "Use Cases"
sidebar_current: "use-cases"
description: |-
Before understanding use cases, it's useful to know what Vault is. This page lists some concrete use cases for Vault, but the possible use cases are much broader than what we cover. Due to its extensible nature, providers and provisioners can be added to further extend Vault's ability to manipulate resources.
This page lists some concrete use cases for Vault, but the possible use cases are much broader than what we cover.
---
# Use Cases
Before understanding use cases, it's useful to know [what Vault is](/intro/index.html).
This page lists some concrete use cases for Vault, but the possible use cases are
much broader than what we cover. Due to its extensible nature, providers and provisioners
can be added to further extend Vault's ability to manipulate resources.
much broader than what we cover.
#### Heroku App Setup
#### General Secret Storage
Heroku is a popular PaaS for hosting web apps. Developers create an app, and then
attach add-ons, such as a database, or email provider. One of the best features is
the ability to elastically scale the number of dynos or workers. However, most
non-trivial applications quickly need many add-ons and external services.
At a bare minimum, Vault can be used for the storage of any secrets. For
example, Vault would be a fantastic way to store sensitive environment variables,
database credentials, API keys, etc.
Vault can be used to codify the setup required for a Heroku application, ensuring
that all the required add-ons are available, but it can go even further: configuring
DNSimple to set a CNAME, or setting up CloudFlare as a CDN for the
app. Best of all, Vault can do all of this in under 30 seconds without
using a web interface.
Compare this with the current way to store these which might be
plaintext in files, configuration management, a database, etc. It would be
much safer to query these using `vault read` or the API. This protects
the plaintext version of these secrets as well as records access in the Vault
audit log.
#### Multi-Tier Applications
#### Employee Credential Storage
A very common pattern is the N-tier architecture. The most common 2-tier architecture is
a pool of web servers that use a database tier. Additional tiers get added for API servers,
caching servers, routing meshes, etc. This pattern is used because the tiers can be scaled
independently and provide a separation of concerns.
While this overlaps with "General Secret Storage", Vault is a good mechanism
for storing credentials that employees share to access web services. The
audit log mechanism lets you know what secrets an employee accessed and
when an employee leaves, it is easier to roll keys and understand which keys
have and haven't been rolled.
Vault is an ideal tool for building and managing these infrastructures. Each tier can
be described as a collection of resources, and the dependencies between each tier are handled
automatically; Vault will ensure the database tier is available before the web servers
are started and that the load balancers are aware of the web nodes. Each tier can then be
scaled easily using Vault by modifying a single `count` configuration value. Because
the creation and provisioning of a resource is codified and automated, elastically scaling
with load becomes trivial.
#### API Key Generation for Scripts
#### Self-Service Clusters
At a certain organizational size, it becomes very challenging for a centralized
operations team to manage a large and growing infrastructure. Instead it becomes
more attractive to make "self-serve" infrastructure, allowing product teams to
manage their own infrastructure using tooling provided by the central operations team.
Using Vault, the knowledge of how to build and scale a service can be codified
in a configuration. Vault configurations can be shared within an organization
enabling customer teams to use the configuration as a black box and use Vault as
a tool to manage their services.
#### Software Demos
Modern software is increasingly networked and distributed. Although tools like
[Vagrant](https://www.vagrantup.com/) exist to build virtualized environments
for demos, it is still very challenging to demo software on real infrastructure
which more closely matches production environments.
Software writers can provide a Vault configuration to create, provision and
bootstrap a demo on cloud providers like AWS. This allows end users to easily demo
the software on their own infrastructure, and even enables tweaking parameters like
cluster size to more rigorously test tools at any scale.
#### Disposable Environments
It is common practice to have both a production and staging or QA environment.
These environments are smaller clones of their production counterpart, but are
used to test new applications before releasing in production. As the production
environment grows larger and more complex, it becomes increasingly onerous to
maintain an up-to-date staging environment.
Using Vault, the production environment can be codified and then shared with
staging, QA or dev. These configurations can be used to rapidly spin up new
environments to test in, and then be easily disposed of. Vault can help tame
the difficulty of maintaining parallel environments, and makes it practical
to elastically create and destroy them.
#### Software Defined Networking
Software Defined Networking (SDN) is becoming increasingly prevalent in the
datacenter, as it provides more control to operators and developers and
allows the network to better support the applications running on top. Most SDN
implementations have a control layer and infrastructure layer.
Vault can be used to codify the configuration for software defined networks.
This configuration can then be used by Vault to automatically setup and modify
settings by interfacing with the control layer. This allows configuration to be
versioned and changes to be automated. As an example, [AWS VPC](http://aws.amazon.com/vpc/)
is one of the most commonly used SDN implementations, and [can be configured by
Vault](/docs/providers/aws/r/vpc.html).
#### Resource Schedulers
In large-scale infrastructures, static assignment of applications to machines
becomes increasingly challenging. To solve that problem, there are a number
of schedulers like Borg, Mesos, YARN, and Kubernetes. These can be used to
dynamically schedule Docker containers, Hadoop, Spark, and many other software
tools.
Vault is not limited to physical providers like AWS. Resource schedulers
can be treated as a provider, enabling Vault to request resources from them.
This allows Vault to be used in layers: to setup the physical infrastructure
running the schedulers as well as provisioning onto the scheduled grid.
#### Multi-Cloud Deployment
It's often attractive to spread infrastructure across multiple clouds to increase
fault-tolerance. By using only a single region or cloud provider, fault tolerance
is limited by the availability of that provider. Having a multi-cloud deployment
allows for more graceful recovery of the loss of a region or entire provider.
Realizing multi-cloud deployments can be very challenging as many existing tools
for infrastructure management are cloud-specific. Vault is cloud-agnostic
and allows a single configuration to be used to manage multiple providers, and
to even handle cross-cloud dependencies. This simplifies management and orchestration,
helping operators build large-scale multi-cloud infrastructures.
The "dynamic secrets" feature of Vault is ideal for scripts: an AWS
access key can be generated for the duration of a script, then revoked.
The keypair will not exist before or after the script runs, and the
creation of the keys are completely logged.
This is an improvement over using something like Amazon IAM but still
effectively hardcoding limited-access access tokens in various places.

View file

@ -75,27 +75,6 @@
</li>
</ul>
</li>
<li<%= sidebar_current("examples") %>>
<a href="/intro/examples/index.html">Example Configurations</a>
<ul class="nav">
<li<%= sidebar_current("examples-aws") %>>
<a href="/intro/examples/aws.html">Basic Two-Tier AWS Architecture</a>
</li>
<li<%= sidebar_current("examples-cross-provider") %>>
<a href="/intro/examples/cross-provider.html">Cross Provider</a>
</li>
<li<%= sidebar_current("examples-count") %>>
<a href="/intro/examples/count.html">Count Parameter</a>
</li>
<li<%= sidebar_current("examples-consul") %>>
<a href="/intro/examples/consul.html">Consul</a>
</li>
</ul>
</li>
</ul>
</div>
<% end %>