From 05cbc8b038490f0c9a5f0b50097e58cc77b656cd Mon Sep 17 00:00:00 2001
From: Allison Larson <allisonlarson91@gmail.com>
Date: Mon, 8 Jun 2026 15:50:22 -0700
Subject: [PATCH] vault: clone the client and set headers

---
 client/vaultclient/vaultclient.go | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/client/vaultclient/vaultclient.go b/client/vaultclient/vaultclient.go
index 71370d8ccca..e7dc22399ec 100644
--- a/client/vaultclient/vaultclient.go
+++ b/client/vaultclient/vaultclient.go
@@ -119,9 +119,24 @@ func NewVaultClient(config *config.VaultConfig, logger hclog.Logger) (*vaultClie
 	return c, nil
 }
 
+// Clone returns a cloned vaultapi.Client with the same headers that we have set on our main client. The vault API config exposes a setting for cloning the client with headers, but we always want these headers to be set and to not be configurable.
+func (c *vaultClient) Clone() (*vaultapi.Client, error) {
+	cc, err := c.client.Clone()
+	if err != nil {
+		return nil, err
+	}
+	useragent.SetHeaders(cc)
+
+	if c.config.Namespace != "" {
+		cc.SetNamespace(c.config.Namespace)
+	}
+
+	return cc, nil
+}
+
 // DeriveTokenWithJWT returns a Vault ACL token using the JWT login endpoint.
 func (c *vaultClient) DeriveTokenWithJWT(ctx context.Context, req JWTLoginRequest) (string, bool, int, error) {
-	cc, err := c.client.Clone()
+	cc, err := c.Clone()
 	if err != nil {
 		return "", false, 0, err
 	}
@@ -158,7 +173,7 @@ func (c *vaultClient) DeriveTokenWithJWT(ctx context.Context, req JWTLoginReques
 }
 
 func (c *vaultClient) Renew(ctx context.Context, token string, lease int) (duration time.Duration, err error) {
-	cc, err := c.client.Clone()
+	cc, err := c.Clone()
 	if err != nil {
 		return 0, err
 	}