sensu-agent with vault support

sensu-go-agent-patch.diff

diff --git a/agent/agent.go b/agent/agent.go
index 3b8cb897..3e00ed65 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -35,12 +35,15 @@ import (
 	"github.com/sensu/sensu-go/util/retry"
 	utilstrings "github.com/sensu/sensu-go/util/strings"
 	"github.com/sirupsen/logrus"
+	"github.com/anatolijd/vaultservice/vaultservice"
 )
 
 const (
 	// Time to wait for the entity config from agentd before sending the first
 	// keepalive
 	entityConfigGracePeriod = 10 * time.Second
+	//
+	vaultTimerPeriod 	= 600 * time.Second
 )
 
 // GetDefaultAgentName returns the default agent name
@@ -80,6 +83,7 @@ type Agent struct {
 	apiQueue          queue
 	marshal           agentd.MarshalFunc
 	unmarshal         agentd.UnmarshalFunc
+	Vault             *vaultservice.VaultService
 
 	// ProcessGetter gets information about local agent processes.
 	ProcessGetter process.Getter
@@ -117,6 +121,7 @@ func NewAgentContext(ctx context.Context, config *Config) (*Agent, error) {
 	}
 
 	agent.statsdServer = NewStatsdServer(agent)
+	agent.Vault 	     = vaultservice.NewVaultService(vaultTimerPeriod)
 	agent.handler.AddHandler(transport.MessageTypeEntityConfig, agent.handleEntityConfig)
 
 	// We don't check for errors here and let the agent get created regardless
@@ -237,6 +242,9 @@ func (a *Agent) Run(ctx context.Context) error {
 	defer cancel()
 	a.header = a.buildTransportHeaderMap()
 
+	//
+	go a.Vault.Run()
+
 	// Fail the agent after startup if the id is invalid
 	logger.Debug("validating agent name")
 	if err := corev2.ValidateName(a.config.AgentName); err != nil {
@@ -319,6 +327,9 @@ func (a *Agent) Run(ctx context.Context) error {
 		cancel()
 	}
 
+	//
+	a.Vault.Shutdown()
+
 	// Wait for all goroutines to gracefully shutdown, but not too long
 	done := make(chan struct{})
 	go func() {
diff --git a/agent/check_handler.go b/agent/check_handler.go
index 7f77b75b..c7f2aacb 100644
--- a/agent/check_handler.go
+++ b/agent/check_handler.go
@@ -19,6 +19,7 @@ import (
 	"github.com/sensu/sensu-go/transport"
 	"github.com/sensu/sensu-go/util/environment"
 	"github.com/sirupsen/logrus"
+	"github.com/anatolijd/vaultservice/vaultservice"
 )
 
 const (
@@ -94,6 +95,19 @@ func checkKey(request *corev2.CheckRequest) string {
 	return strings.Join(parts, "/")
 }
 
+//
+func (a *Agent) getVaultSecrets(c *corev2.CheckConfig) []string {
+	var res	[]string
+	for _, s := range c.Secrets {
+		s_val 	:= a.Vault.ReadVaultPath(s.Secret)
+		res	= append(res, fmt.Sprintf("%s=%s", s.Name, s_val))
+	}
+	return res
+}
+
 func (a *Agent) addInProgress(request *corev2.CheckRequest) {
 	a.inProgressMu.Lock()
 	a.inProgress[checkKey(request)] = request.Config
@@ -184,11 +198,15 @@ func (a *Agent) executeCheck(ctx context.Context, request *corev2.CheckRequest,
 
 	// Prepare environment variables
 	var env []string
+	//
+	var vaultSecrets []string
+	vaultSecrets = a.getVaultSecrets(checkConfig)
+
 	if match && !matchedEntry.EnableEnv {
 		logger.WithFields(fields).Debug("disabling check env vars per the agent allow list")
-		env = environment.MergeEnvironments(os.Environ(), assets.Env(), secrets)
+		env = environment.MergeEnvironments(os.Environ(), assets.Env(), secrets, vaultSecrets)
 	} else {
-		env = environment.MergeEnvironments(os.Environ(), assets.Env(), secrets, checkConfig.EnvVars)
+		env = environment.MergeEnvironments(os.Environ(), assets.Env(), secrets, checkConfig.EnvVars, vaultSecrets)
 	}
 
 	// Verify sha against the allow list