fix: propagate traceparent/tracestate headers from controller to agent pods

The A2A server deserializes incoming HTTP requests into JSON-RPC params,
discarding the original HTTP headers. When the controller forwards
requests to agent pods via the A2A client, trace context headers
(traceparent, tracestate) are lost, breaking distributed tracing.

Fix: capture W3C trace context headers from the incoming request into
the Go context in the A2A auth middleware, then inject them into
outgoing requests in the A2ARequestHandler. This closes the gap
between the A2A server (which strips headers) and the A2A client
(which constructs new HTTP requests).

Also update the agent_with_passthrough golden test (added in #1327)
to include the appProtocol field.

Signed-off-by: Simon Zhu <simon.zhu@mongodb.com>

Author: syn-zhu

go/internal/controller/translator/agent/testdata/outputs/agent_with_passthrough.json

@@ -262,6 +262,7 @@
       "spec": {
         "ports": [
           {
+            "appProtocol": "kgateway.dev/a2a",
             "name": "http",
             "port": 8080,
             "targetPort": 8080

go/internal/httpserver/auth/authn.go

@@ -70,7 +70,21 @@ type A2AAuthenticator struct {
 }
 
 func (p *A2AAuthenticator) Wrap(next http.Handler) http.Handler {
-	return auth.AuthnMiddleware(p.provider)(next)
+	authn := auth.AuthnMiddleware(p.provider)(next)
+	// Capture W3C trace context headers from the incoming request into the
+	// context before the A2A server strips the *http.Request. These headers
+	// are later injected into outgoing requests by A2ARequestHandler.
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if tp := r.Header.Get("Traceparent"); tp != "" {
+			traceHeaders := make(http.Header, 2)
+			traceHeaders.Set("Traceparent", tp)
+			if ts := r.Header.Get("Tracestate"); ts != "" {
+				traceHeaders.Set("Tracestate", ts)
+			}
+			r = r.WithContext(auth.TraceHeadersTo(r.Context(), traceHeaders))
+		}
+		authn.ServeHTTP(w, r)
+	})
 }
 
 type handler func(ctx context.Context, client *http.Client, req *http.Request) (*http.Response, error)
@@ -107,6 +121,15 @@ func A2ARequestHandler(authProvider auth.AuthProvider, agentNns types.Namespaced
 			}
 		}
 
+		// Propagate W3C trace context headers captured from the incoming request.
+		if traceHeaders, ok := auth.TraceHeadersFrom(ctx); ok {
+			for key, values := range traceHeaders {
+				for _, v := range values {
+					req.Header.Set(key, v)
+				}
+			}
+		}
+
 		resp, err = client.Do(req)
 		if err != nil {
 			return nil, fmt.Errorf("a2aClient.httpRequestHandler: http request failed: %w", err)

go/pkg/auth/auth.go

@@ -58,9 +58,11 @@ type Authorizer interface {
 // context utils
 
 type sessionKeyType struct{}
+type traceHeadersKeyType struct{}
 
 var (
-	sessionKey = sessionKeyType{}
+	sessionKey      = sessionKeyType{}
+	traceHeadersKey = traceHeadersKeyType{}
 )
 
 func AuthSessionFrom(ctx context.Context) (Session, bool) {
@@ -72,6 +74,19 @@ func AuthSessionTo(ctx context.Context, session Session) context.Context {
 	return context.WithValue(ctx, sessionKey, session)
 }
 
+// TraceHeadersFrom retrieves W3C trace context headers (traceparent, tracestate)
+// that were captured from an incoming request.
+func TraceHeadersFrom(ctx context.Context) (http.Header, bool) {
+	v, ok := ctx.Value(traceHeadersKey).(http.Header)
+	return v, ok && v != nil
+}
+
+// TraceHeadersTo stores W3C trace context headers in the context so they can
+// be propagated to outgoing requests (e.g., from the controller to agent pods).
+func TraceHeadersTo(ctx context.Context, headers http.Header) context.Context {
+	return context.WithValue(ctx, traceHeadersKey, headers)
+}
+
 func AuthnMiddleware(authn AuthProvider) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {