feat(observability): propagate W3C trace context across nico-api's network boundaries

[adnandnv]

Implements W3C Trace Context propagation for nico-api so a request traced upstream keeps one trace as
it passes through nico-api and into the services it calls.

• Propagator: install the standard W3C TraceContextPropagator at startup (the OTel default is no-op).
• Ingress (REST + gRPC): one shared per-request layer extracts the inbound traceparent/tracestate
  and parents the request span to it; no valid inbound context → fresh root.
• Egress: gRPC clients are wrapped in a tower TraceInjectService; reqwest clients go through
  reqwest-tracing's middleware; the two OAuth2 token providers inject manually (the oauth2 crate
  builds their requests).
• Enable flag unchanged: the local tracing-enabled switch stays the master control — an inbound
  sampled flag can't force local recording.

Per-client details and how to add a new client are in docs/observability/tracing.md.

Related issues

#2438

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

• Scope is the nico-api process. bmc-proxy and hardware-health are intentionally not instrumented:
  they build no span exporter, so injecting there would be dead code. docs/observability/tracing.md §1.7
  documents how to add propagation to a new client if that changes.
• New crate trace-propagation holds the shared glue + tower middleware.
• tracing.md marker references are a doc-staleness fix, not part of this feature. The doc still
  described the sampler's old code.namespace marker; fix: Fixes for OTLP tracing #2268 replaced it with carbide.trace_root
  without updating the doc. The code.namespace→carbide.trace_root doc edits just correct that.
  (The doc's ParentBased mention is also updated, since this PR unwraps the sampler.)
• Dependencies added: opentelemetry-http 0.31, reqwest-middleware 0.5, reqwest-tracing 0.7.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c892501b-f444-4850-adeb-ae6344a88562

📥 Commits

Reviewing files that changed from the base of the PR and between 1b188f7 and 8537205.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• Cargo.toml
• crates/firmware/Cargo.toml
• crates/firmware/src/downloader.rs

💤 Files with no reviewable changes (1)

• Cargo.toml

🚧 Files skipped from review as they are similar to previous changes (2)

• crates/firmware/Cargo.toml
• crates/firmware/src/downloader.rs

---

Summary by CodeRabbit

• New Features

  • Added end-to-end W3C traceparent/tracestate propagation across REST and gRPC boundaries, including middleware-based HTTP tracing and trace-injecting gRPC transports.
  • Outbound HTTP/gRPC calls now forward trace context consistently, even when span recording is disabled.

• Bug Fixes

  • Improved span parenting and sampling decisions using inbound context validity and the carbide.trace_root marker, with correct tracestate handling.

• Documentation

  • Expanded tracing guidance for propagation, sampling semantics, and troubleshooting/limitations.

• Tests

  • Added coverage for propagation when no global propagator is configured and updated sampling expectations.

Walkthrough

Adds a new trace-propagation crate and wires W3C trace context through logging, gRPC, HTTP, OAuth2, and observability documentation. It also installs a global TraceContextPropagator, updates CarbideSpanSampler, and refreshes tracing guidance.

Changes

W3C Trace Context Propagation

Layer / File(s)	Summary
New trace-propagation crate: primitives, TraceInjectService, and tests Cargo.toml, crates/trace-propagation/Cargo.toml, crates/trace-propagation/src/lib.rs, crates/trace-propagation/tests/no_global_propagator.rs	Creates the trace-propagation crate with ingress and egress header helpers, a TraceInjectService<S> wrapper, and tests covering extraction, injection, propagation, tracestate handling, and no-global-propagator behavior.
Global TraceContextPropagator installation and CarbideSpanSampler rewrite crates/api-core/Cargo.toml, crates/api-core/src/logging/setup.rs	setup_logging installs TraceContextPropagator globally. CarbideSpanSampler::should_sample now reads parent_context, inherits from valid in-process parents, records only carbide.trace_root-marked spans, and propagates parent tracestate.
Ingress: span parent adoption from inbound W3C headers crates/api-core/src/logging/api_logs.rs	LogService::call applies set_span_parent_from_headers to inbound request headers after creating the request span.
gRPC egress: TraceInjectService wiring across component-manager, libnmxc, and rpc crates/component-manager/Cargo.toml, crates/component-manager/src/tls.rs, crates/component-manager/src/nsm.rs, crates/component-manager/src/psm.rs, crates/libnmxc/Cargo.toml, crates/libnmxc/src/lib.rs, crates/libnmxc/src/nmxc_api.rs, crates/rpc/Cargo.toml, crates/rpc/src/forge_tls_client.rs	build_channel returns TraceInjectService<Channel>, and that traced service type propagates through NsmSwitchBackend, PsmPowerShelfBackend, NmxcApi, and both ForgeTlsClient build paths.
HTTP egress: reqwest-middleware + TracingMiddleware across all HTTP clients crates/api-core/Cargo.toml, crates/api-core/src/handlers/redfish.rs, crates/api-core/src/machine_identity/token_exchange.rs, crates/firmware/Cargo.toml, crates/firmware/src/downloader.rs, crates/libmlx/Cargo.toml, crates/libmlx/src/firmware/source.rs, crates/libnmxm/Cargo.toml, crates/libnmxm/src/lib.rs, crates/nras/Cargo.toml, crates/nras/src/client.rs, crates/nras/src/lib.rs	Workspace and crate manifests add reqwest tracing dependencies, and updated HTTP clients now build ClientWithMiddleware with TracingMiddleware; affected return types, field types, error conversions, and tests move to middleware types.
OAuth2 manual trace header injection crates/api-web/Cargo.toml, crates/api-web/src/auth.rs, crates/mqttea/Cargo.toml, crates/mqttea/src/auth/oauth2_provider.rs	api-web and mqttea now mutate outgoing OAuth2 requests and inject the current trace context before the HTTP exchange.
Observability documentation update docs/observability/tracing.md	docs/observability/tracing.md is expanded to describe W3C trace context propagation, CarbideSpanSampler behavior, forwarding versus recording, the exporter limitation, and client integration guidance.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title concisely and accurately summarizes the main change: W3C trace context propagation across nico-api network boundaries.
Description check	✅ Passed	The description is directly related to the changeset and matches the implemented tracing propagation work.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pull-request-2700.docs.buildwithfern.com/infra-controller

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/nras/src/client.rs`:
- Around line 52-57: The HTTP client created in the new_with_config method lacks
timeout configuration, which can cause indefinite blocking during network issues
or NRAS service outages. Add a timeout field to the Config struct to make it
configurable, then apply this timeout to the reqwest client builder by calling
the .timeout() method on the ClientBuilder chain before calling .build(). Ensure
the timeout value is propagated from Config and applied either at the client
level in new_with_config or on individual requests made through methods like
attest_gpu to enforce bounded wait times for external service calls.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 931e99d9-7c3a-48f6-9587-76664d251c90

📥 Commits

Reviewing files that changed from the base of the PR and between 47e42bc and 426cd76.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (32)

• Cargo.toml
• crates/api-core/Cargo.toml
• crates/api-core/src/handlers/redfish.rs
• crates/api-core/src/logging/api_logs.rs
• crates/api-core/src/logging/setup.rs
• crates/api-core/src/machine_identity/token_exchange.rs
• crates/api-web/Cargo.toml
• crates/api-web/src/auth.rs
• crates/component-manager/Cargo.toml
• crates/component-manager/src/nsm.rs
• crates/component-manager/src/psm.rs
• crates/component-manager/src/tls.rs
• crates/firmware/Cargo.toml
• crates/firmware/src/downloader.rs
• crates/libmlx/Cargo.toml
• crates/libmlx/src/firmware/source.rs
• crates/libnmxc/Cargo.toml
• crates/libnmxc/src/lib.rs
• crates/libnmxc/src/nmxc_api.rs
• crates/libnmxm/Cargo.toml
• crates/libnmxm/src/lib.rs
• crates/mqttea/Cargo.toml
• crates/mqttea/src/auth/oauth2_provider.rs
• crates/nras/Cargo.toml
• crates/nras/src/client.rs
• crates/nras/src/lib.rs
• crates/rpc/Cargo.toml
• crates/rpc/src/forge_tls_client.rs
• crates/trace-propagation/Cargo.toml
• crates/trace-propagation/src/lib.rs
• crates/trace-propagation/tests/no_global_propagator.rs
• docs/observability/tracing.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify timeout configuration on the NRAS egress path.
rg -n "NrasVerifierClient|Client::new\\(|Client::builder\\(|connect_timeout\\(|\\.timeout\\(" crates/nras/src/client.rs -C3

Repository: NVIDIA/infra-controller

Length of output: 1072

---

🏁 Script executed:

#!/bin/bash
# Search for Config definition and any timeout fields
rg -n "struct Config|timeout|Timeout" crates/nras/src/ -A2 -B2 | head -100

Repository: NVIDIA/infra-controller

Length of output: 329

---

🏁 Script executed:

#!/bin/bash
# Search for attest_gpu implementation and how the http_client is used
rg -n "async fn attest_gpu" crates/nras/src/client.rs -A 30

Repository: NVIDIA/infra-controller

Length of output: 2719

---

🏁 Script executed:

#!/bin/bash
# Check if reqwest::Client has any builder methods or default timeout behavior
fd -e rs -e toml . crates/nras/ | xargs rg -l "reqwest" | head -5

Repository: NVIDIA/infra-controller

Length of output: 167

---

🏁 Script executed:

#!/bin/bash
# Get the full Config struct definition
rg -n "pub struct Config" crates/nras/src/lib.rs -A 20

Repository: NVIDIA/infra-controller

Length of output: 699

---

🏁 Script executed:

#!/bin/bash
# Search across all crates for any timeout configuration patterns for reqwest clients
rg -n "\.timeout\(|connect_timeout\(" --type rs crates/ | grep -i "nras\|http_client" | head -20

Repository: NVIDIA/infra-controller

Length of output: 94

---

🏁 Script executed:

#!/bin/bash
# Check Cargo.toml for reqwest version and any timeout-related dependencies
cat crates/nras/Cargo.toml

Repository: NVIDIA/infra-controller

Length of output: 1427

---

🏁 Script executed:

#!/bin/bash
# Verify reqwest default timeout behavior and check if any global timeout patterns exist elsewhere
rg -n "timeout\(" crates/nras/ -i

Repository: NVIDIA/infra-controller

Length of output: 49

---

Configure explicit timeout bounds on the NRAS HTTP client.

The reqwest::Client::new() at line 55 lacks any timeout configuration, permitting indefinite blocking during NRAS outages or network degradation. The Config struct contains no timeout fields, and individual requests in attest_gpu (line 81) are not wrapped with timeout constraints. Propagate a configurable timeout through Config and apply it via .timeout() on the client or per-request to ensure bounded wait times during external service calls.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/nras/src/client.rs` around lines 52 - 57, The HTTP client created in
the new_with_config method lacks timeout configuration, which can cause
indefinite blocking during network issues or NRAS service outages. Add a timeout
field to the Config struct to make it configurable, then apply this timeout to
the reqwest client builder by calling the .timeout() method on the ClientBuilder
chain before calling .build(). Ensure the timeout value is propagated from
Config and applied either at the client level in new_with_config or on
individual requests made through methods like attest_gpu to enforce bounded wait
times for external service calls.

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
boot-artifacts-aarch64	3	0	0	3	0	0
boot-artifacts-x86_64	3	0	0	3	0	0
forge-admin-cli-x86_64	288	6	26	105	7	144
machine-validation-runner	751	30	190	274	36	221
machine_validation	751	30	190	274	36	221
machine_validation-aarch64	751	30	190	274	36	221
nvmetal-carbide	751	30	190	274	36	221
TOTAL	3298	126	786	1207	151	1028

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

[ajf]

@akorobkov-nvda do you want to take a look at this?

[FrankSpitulski]

LGTM

[polarweasel]

Sent you a replacement for tracing.md in Slack, @adnandnv. Drop it in and this should be good to go, docs-wise.

[adnandnv]

Sent you a replacement for tracing.md in Slack, @adnandnv. Drop it in and this should be good to go, docs-wise.

Thanks @polarweasel! Done.