Fix duplicate headers in bao agent re-authentication (#2373)

Bao agent adds the headers to the client on every authentication run,
this causes the Kerberos authentication method to fail due to a
duplicated authentication header. Headers are also added on indefinitely
leading to increasing memory usage on each re-authentication run

Signed-off-by: Nikos Tsipinakis <nikos.tsipinakis@cern.ch>

changelog/2373.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent/auth: Fix token reissue error with kerberos method
+```

command/agentproxyshared/auth/auth.go

@@ -180,6 +180,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 		}
 		headers.Set("User-Agent", ah.userAgent)
 		ah.client.SetHeaders(headers)
+		ah.client.SetCloneHeaders(true)
 	}
 
 	var watcher *api.LifetimeWatcher
@@ -261,21 +262,21 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			}
 		}
 
-		if ah.wrapTTL > 0 {
-			wrapClient, err := clientToUse.Clone()
-			if err != nil {
-				ah.logger.Error("error creating client for wrapped call", "error", err, "backoff", backoffCfg)
-				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+		// Clone client as we don't want to persist the authentication headers set below
+		clientToUse, err = clientToUse.Clone()
+		if err != nil {
+			ah.logger.Error("error creating client for authentication call", "error", err, "backoff", backoffCfg)
+			metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
 
-				if backoff(ctx, backoffCfg) {
-					continue
-				}
-				return err
+			if backoff(ctx, backoffCfg) {
+				continue
 			}
-			wrapClient.SetWrappingLookupFunc(func(string, string) string {
+			return err
+		}
+		if ah.wrapTTL > 0 {
+			clientToUse.SetWrappingLookupFunc(func(string, string) string {
 				return ah.wrapTTL.String()
 			})
-			clientToUse = wrapClient
 		}
 		for key, values := range header {
 			for _, value := range values {