
chore(deps): bump OpenTelemetry SDK to v1.44.0 / v0.20.0 #517

Open: nickytd wants to merge 1 commit into master from bump-otel-sdk
nickytd (Collaborator) commented Jun 27, 2026
How to categorize this PR?

/kind cleanup
/area logging
/area open-source

What this PR does / why we need it:

Bumps the OpenTelemetry Go SDK family from v1.43.0/v0.19.0 to v1.44.0/v0.20.0 (single upstream release v1.44.0/v0.66.0/v0.20.0, published 2026-05-27).

Modules upgraded:

| Module | From | To |
| --- | --- | --- |
| go.opentelemetry.io/otel | v1.43.0 | v1.44.0 |
| go.opentelemetry.io/otel/sdk | v1.43.0 | v1.44.0 |
| go.opentelemetry.io/otel/sdk/metric | v1.43.0 | v1.44.0 |
| go.opentelemetry.io/otel/trace | v1.43.0 | v1.44.0 |
| go.opentelemetry.io/otel/log | v0.19.0 | v0.20.0 |
| go.opentelemetry.io/otel/sdk/log | v0.19.0 | v0.20.0 |
| go.opentelemetry.io/otel/sdk/log/logtest | v0.19.0 | v0.20.0 |
| go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc | v0.19.0 | v0.20.0 |
| go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp | v0.19.0 | v0.20.0 |
| go.opentelemetry.io/otel/exporters/prometheus | v0.65.0 | v0.66.0 |

The bump is API-compatible — only go.mod and go.sum change.

Notable upstream fixes pulled in (full changelog):

  • Memory leak fix: otlploghttp and otlpmetrichttp now correctly replay gzipped request bodies on HTTP redirects. The previous behavior could leak pooled gzip writer buffers per redirected request under sustained load behind a redirecting proxy/ingress. This plugin enables gzip by default, so the fix directly applies.
  • GC improvements in semconv — pooled slices and cached objects are now cleared after release so they can be garbage collected.
  • Prometheus exporter — fix concurrent Collect data race when WithResourceAsConstantLabels is configured (not triggered by current usage, but a relevant hardening since we use the Prometheus exporter for OTLP metrics passthrough).
  • All OTLP exporters gain a new WithMaxRequestSize option, defaulted to 64 MiB. Oversized requests are non-retryable.
  • Security advisories addressed upstream: GHSA-995v-fvrw-c78m (schema file descriptor leak) and GHSA-5wrp-cwcj-q835 (baggage extraction log flooding).

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Heads-up — not triggered by current usage, but worth knowing for future work:

  • sdk/metric in v1.44.0 applies a default cardinality limit of 2000 per instrument (previously unlimited). Attribute sets beyond the limit are folded into a synthetic set tagged otel.metric.overflow=true. If we ever produce per-shoot/per-namespace label combinations exceeding 2000 on a single meter, set WithCardinalityLimit(0) on the meter provider in pkg/client/otlp/metrics_setup.go to restore the old behavior.
  • attribute.Value.Emit() is deprecated in favor of Value.String(). We don't currently call it.

Verified locally:

go build ./...

passes clean. No source changes were necessary.

Release note:

Bump OpenTelemetry Go SDK to v1.44.0 / v0.20.0, picking up a memory-leak fix in the OTLP/HTTP exporter (gzip body replay on redirect), GC improvements in semconv, and a Prometheus exporter data-race fix.
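
The redirect-replay behaviour behind the otlploghttp item in the description above, as an added example that is not code from this PR or from the OpenTelemetry SDK: it uses only the Go standard library to show that net/http follows a 307 for a request with a body only when `GetBody` can supply a fresh reader over the already-compressed bytes. The name `redirectDemo`, the `/in` and `/out` paths and the payload are constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// redirectDemo (hypothetical) posts a gzipped payload to /in, which answers 307 -> /out.
func redirectDemo(payload string, replay bool) (status int, received string, err error) {
	mux := http.NewServeMux()
	mux.Handle("/in", http.RedirectHandler("/out", http.StatusTemporaryRedirect))
	mux.HandleFunc("/out", func(w http.ResponseWriter, r *http.Request) {
		if zr, zerr := gzip.NewReader(r.Body); zerr == nil {
			b, _ := io.ReadAll(zr)
			received = string(b) // what the final endpoint decoded
		}
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	var buf bytes.Buffer // compress once; every attempt reuses these bytes
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(payload))
	zw.Close()
	zipped := buf.Bytes()
	req, err := http.NewRequest(http.MethodPost, srv.URL+"/in", io.NopCloser(bytes.NewReader(zipped)))
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Content-Encoding", "gzip")
	if replay { // hand net/http a fresh reader for each redirect hop
		req.ContentLength = int64(len(zipped))
		req.GetBody = func() (io.ReadCloser, error) { return io.NopCloser(bytes.NewReader(zipped)), nil }
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, received, nil
}

func main() {
	fmt.Println(redirectDemo("constructed log batch", false)) // opaque stream: redirect not followed
	fmt.Println(redirectDemo("constructed log batch", true))  // replayable body: delivered to /out
}
```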

gardener-prow Bot added the kind/cleanup, area/logging, area/open-source, cla: yes and size/L labels Jun 27, 2026

gardener-prow Bot commented Jun 27, 2026
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dnaeon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@nickytd nickytd requested a review from iypetrov June 27, 2026 11:42
gardener-prow Bot added the needs-rebase label Jun 27, 2026

Upgrades the OpenTelemetry Go SDK family:

- go.opentelemetry.io/otel               v1.43.0 -> v1.44.0
- go.opentelemetry.io/otel/sdk           v1.43.0 -> v1.44.0
- go.opentelemetry.io/otel/sdk/metric    v1.43.0 -> v1.44.0
- go.opentelemetry.io/otel/trace         v1.43.0 -> v1.44.0
- go.opentelemetry.io/otel/log           v0.19.0 -> v0.20.0
- go.opentelemetry.io/otel/sdk/log       v0.19.0 -> v0.20.0
- go.opentelemetry.io/otel/sdk/log/logtest        v0.19.0 -> v0.20.0
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0 -> v0.20.0
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0 -> v0.20.0
- go.opentelemetry.io/otel/exporters/prometheus    v0.65.0 -> v0.66.0

Notable upstream fixes pulled in:

- otlploghttp/otlpmetrichttp: replay gzipped request body on redirect,
  fixing a pooled-gzip-writer leak under sustained load behind a
  redirecting proxy.
- semconv: clear cached/pooled slices to enable GC.
- prometheus exporter: fix concurrent Collect data race when
  WithResourceAsConstantLabels is used.
- All OTLP exporters gain WithMaxRequestSize (default 64 MiB).

Heads-up (not triggered by current usage, but worth noting):
sdk/metric now applies a default cardinality limit of 2000. Use
WithCardinalityLimit(0) on the meter provider to restore unlimited
cardinality if needed.

gardener-prow Bot added the size/M label and removed the needs-rebase and size/L labels Jun 27, 2026