From 62380cc24a65eb4a707eb45354666ac79e12c074 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 4 Jun 2020 13:37:31 -0400 Subject: [PATCH] Add note to config about sensitive configs (#323) * Add note to config about sensitive configs * Update README.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran --- README.md | 4 ++++ values.yaml | 16 ++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/README.md b/README.md index bbc9de3..29db848 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,9 @@ # Vault Helm Chart +> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If +you believe you have found a security issue in Vault Helm, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + This repository contains the official HashiCorp Helm chart for installing and configuring Vault on Kubernetes. This chart supports multiple use cases of Vault on Kubernetes depending on the values provided. diff --git a/values.yaml b/values.yaml index 8c6e4a3..65ced07 100644 --- a/values.yaml +++ b/values.yaml @@ -341,6 +341,11 @@ server: # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data # and store data there. This is only used when using a Replica count of 1, and # using a stateful set. This should be HCL. + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true 
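Review bot: The note added above `config:` in this values.yaml hunk (and repeated verbatim in the `-382` and `-396` hunks) says where passwords should go but not why a ConfigMap is the wrong place, and "a Kube secret" does not name the values key that mounts one. Consider wording such as `# Note: this value is rendered into a ConfigMap, readable by anyone who can read ConfigMaps in the release namespace.` followed by `# Pass secrets via extraSecretEnvironmentVars, or mount a Secret holding a separate config file.` If I read the chart correctly the second route is `extraVolumes` with `type: secret`, which is worth naming explicitly. It would also help to say that the environment-variable route only covers settings Vault itself reads from the environment, so other sensitive stanzas need the mounted-file route. The `config` block scalar continues past the end of each hunk, so whether the default HCL contains anything sensitive is not visible here.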
@@ -382,6 +387,11 @@ server: enabled: false # Set the Node Raft ID to the name of the pod setNodeId: false + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -396,9 +406,15 @@ server: } service_registration "kubernetes" {} + # config is a raw string of default configuration when using a Stateful # deployment. Default is to use a Consul for its HA storage backend. # This should be HCL. + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true