rebase: bump github.com/hashicorp/vault/api

Bumps the github-dependencies group with 1 update: [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault).


Updates `github.com/hashicorp/vault/api` from 1.14.0 to 1.15.0
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/vault/compare/v1.14.0...v1.15.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

vendor/github.com/hashicorp/vault/api/client.go

@@ -10,6 +10,7 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
@@ -41,6 +42,7 @@ const (
 	EnvVaultClientCert       = "VAULT_CLIENT_CERT"
 	EnvVaultClientKey        = "VAULT_CLIENT_KEY"
 	EnvVaultClientTimeout    = "VAULT_CLIENT_TIMEOUT"
+	EnvVaultHeaders          = "VAULT_HEADERS"
 	EnvVaultSRVLookup        = "VAULT_SRV_LOOKUP"
 	EnvVaultSkipVerify       = "VAULT_SKIP_VERIFY"
 	EnvVaultNamespace        = "VAULT_NAMESPACE"
@@ -665,6 +667,30 @@ func NewClient(c *Config) (*Client, error) {
 		client.setNamespace(namespace)
 	}
 
+	if envHeaders := os.Getenv(EnvVaultHeaders); envHeaders != "" {
+		var result map[string]any
+		err := json.Unmarshal([]byte(envHeaders), &result)
+		if err != nil {
+			return nil, fmt.Errorf("could not unmarshal environment-supplied headers")
+		}
+		var forbiddenHeaders []string
+		for key, value := range result {
+			if strings.HasPrefix(key, "X-Vault-") {
+				forbiddenHeaders = append(forbiddenHeaders, key)
+				continue
+			}
+
+			value, ok := value.(string)
+			if !ok {
+				return nil, fmt.Errorf("environment-supplied headers include non-string values")
+			}
+			client.AddHeader(key, value)
+		}
+		if len(forbiddenHeaders) > 0 {
+			return nil, fmt.Errorf("failed to setup Headers[%s]: Header starting by 'X-Vault-' are for internal usage only", strings.Join(forbiddenHeaders, ", "))
+		}
+	}
+
 	return client, nil
 }
 
@@ -705,7 +731,7 @@ func (c *Client) SetAddress(addr string) error {
 
 	parsedAddr, err := c.config.ParseAddress(addr)
 	if err != nil {
-		return errwrap.Wrapf("failed to set address: {{err}}", err)
+		return fmt.Errorf("failed to set address: %w", err)
 	}
 
 	c.addr = parsedAddr

vendor/github.com/hashicorp/vault/api/lifetime_watcher.go

@@ -10,7 +10,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/cenkalti/backoff/v3"
+	"github.com/cenkalti/backoff/v4"
 )
 
 var (

vendor/github.com/hashicorp/vault/api/request.go

@@ -7,7 +7,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 
@@ -77,13 +76,13 @@ func (r *Request) ToHTTP() (*http.Request, error) {
 		// No body
 
 	case r.BodyBytes != nil:
-		req.Request.Body = ioutil.NopCloser(bytes.NewReader(r.BodyBytes))
+		req.Request.Body = io.NopCloser(bytes.NewReader(r.BodyBytes))
 
 	default:
 		if c, ok := r.Body.(io.ReadCloser); ok {
 			req.Request.Body = c
 		} else {
-			req.Request.Body = ioutil.NopCloser(r.Body)
+			req.Request.Body = io.NopCloser(r.Body)
 		}
 	}
 

vendor/github.com/hashicorp/vault/api/response.go

@@ -8,7 +8,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 )
 
@@ -44,7 +43,7 @@ func (r *Response) Error() error {
 	}
 
 	r.Body.Close()
-	r.Body = ioutil.NopCloser(bodyBuf)
+	r.Body = io.NopCloser(bodyBuf)
 	ns := r.Header.Get(NamespaceHeaderName)
 
 	// Build up the error object

vendor/github.com/hashicorp/vault/api/secret.go

@@ -159,6 +159,10 @@ TOKEN_DONE:
 			goto DONE
 		}
 
+		if s.Data["identity_policies"] == nil {
+			goto DONE
+		}
+
 		sList, ok := s.Data["identity_policies"].([]string)
 		if ok {
 			identityPolicies = sList

vendor/github.com/hashicorp/vault/api/sudo_paths.go

@@ -28,6 +28,7 @@ var sudoPaths = map[string]*regexp.Regexp{
 	"/sys/config/ui/headers":                        regexp.MustCompile(`^/sys/config/ui/headers/?$`),
 	"/sys/config/ui/headers/{header}":               regexp.MustCompile(`^/sys/config/ui/headers/.+$`),
 	"/sys/internal/inspect/router/{tag}":            regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),
+	"/sys/internal/counters/activity/export":        regexp.MustCompile(`^/sys/internal/counters/activity/export$`),
 	"/sys/leases":                                   regexp.MustCompile(`^/sys/leases$`),
 	// This entry is a bit wrong... sys/leases/lookup does NOT require sudo. But sys/leases/lookup/ with a trailing
 	// slash DOES require sudo. But the part of the Vault CLI that uses this logic doesn't pass operation-appropriate

vendor/github.com/hashicorp/vault/api/sys_raft.go

@@ -264,7 +264,7 @@ func (c *Sys) RaftSnapshotWithContext(ctx context.Context, snapWriter io.Writer)
 				continue
 			}
 			var b []byte
-			b, err = ioutil.ReadAll(t)
+			b, err = io.ReadAll(t)
 			if err != nil || len(b) == 0 {
 				return
 			}