From bfd82ae97636b09c5a5fb817553db60db6481e5f Mon Sep 17 00:00:00 2001
From: Thomas Flament
Date: Wed, 15 Apr 2026 17:01:13 +0200
Subject: [PATCH] nginx-ingress: strip inbound traceparent/tracestate headers
Both ingress controllers sit at the trust boundary between the customer/internet side and internal cluster services. Forwarding client-supplied W3C OpenTelemetry trace context to OTEL-instrumented backends (cloudserver, vault, backbeat, pensieve-api, scuba...) lets a hostile caller spoof trace IDs, force sampled=1 to DoS-amplify the tracing backend, or correlate user requests to internal span structure. Add a location-snippet that unsets traceparent and tracestate before proxying upstream. Internal pod-to-pod traffic uses .svc.cluster.local and bypasses nginx entirely, so legitimate internal trace propagation is unaffected.
---
 .../config/ingress-controller.yaml.j2 | 3 +++
 .../addons/nginx-ingress/config/ingress-controller.yaml.j2 | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2 b/salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2
index a5ba9c93ed..c164418e16 100644
--- a/salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2
+++ b/salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2
@@ -10,3 +10,6 @@ spec:
 hide-headers: 'Server,X-Powered-By'
 ssl-ciphers: 'EECDH+AESGCM:EDH+AESGCM'
 ssl-protocols: 'TLSv1.2 TLSv1.3'
+ location-snippet: |
+ proxy_set_header traceparent "";
+ proxy_set_header tracestate "";
diff --git a/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2 b/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2
index a5ba9c93ed..c164418e16 100644
--- a/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2
+++ b/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2
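Review bot: The client-supplied W3C `baggage` header is still forwarded by this location-snippet, even though the OpenTelemetry SDKs' default propagator set pairs tracecontext with baggage, so an instrumented backend will accept arbitrary caller-chosen key/value pairs, attach them to its spans and re-propagate them downstream; add `proxy_set_header baggage "";` next to the two existing lines, here and in the identical hunk for the nginx-ingress controller below. If any of the backends named in the commit message is configured with B3 or Jaeger propagators rather than W3C, their headers (`b3`, `X-B3-*`, `uber-trace-id`) would need the same treatment — worth confirming against each backend's propagator configuration rather than assuming W3C everywhere. Since both templates now carry a byte-identical snippet with no shared source, a rendering test asserting that the `proxy_set_header` lines appear in the generated ConfigMap for both controllers would keep them from silently drifting apart.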
@@ -10,3 +10,6 @@ spec:
 hide-headers: 'Server,X-Powered-By'
 ssl-ciphers: 'EECDH+AESGCM:EDH+AESGCM'
 ssl-protocols: 'TLSv1.2 TLSv1.3'
+ location-snippet: |
+ proxy_set_header traceparent "";
+ proxy_set_header tracestate "";