Introduce v1 OTLP based output plugin"

.github/workflows/build.yaml

@@ -33,9 +33,9 @@ jobs:
     strategy:
       matrix:
         args:
-          - name: fluent-bit-to-vali
+          - name: fluent-bit-plugin
             target: fluent-bit-plugin
-            oci-repository: gardener/fluent-bit-to-vali
+            oci-repository: gardener/fluent-bit-plugin
             ocm-labels:
               name: gardener.cloud/cve-categorisation
               value:
@@ -46,33 +46,6 @@ jobs:
                 integrity_requirement: none
                 availability_requirement: none
                 comment: no data is stored of processed by the installer
-          - name: vali-curator
-            target: curator
-            oci-repository: gardener/vali-curator
-            ocm-labels:
-              name: gardener.cloud/cve-categorisation
-              value:
-                network_exposure: private
-                authentication_enforced: false
-                user_interaction: gardener-operator
-                confidentiality_requirement: none
-                integrity_requirement: high
-                availability_requirement: low
-          - name: telegraf-iptables
-            target: telegraf
-            oci-repository: gardener/telegraf-iptables
-            ocm-labels:
-              name: gardener.cloud/cve-categorisation
-              value:
-                network_exposure: private
-                authentication_enforced: false
-                user_interaction: gardener-operator
-                confidentiality_requirement: none
-                integrity_requirement: none
-                availability_requirement: none
-                comment: >-
-                  telegraf is not accessible from outside the seed-cluster and does not
-                  interact with confidential data
           - name: event-logger
             target: event-logger
             oci-repository: gardener/event-logger

.gitignore

@@ -13,3 +13,5 @@ bin
 kubeconfig
 *~
 gosec-report.sarif
+fluent-bit-output-plugin
+

.golangci.yaml

@@ -47,4 +47,4 @@ formatters:
       sections:
         - standard
         - default
-        - prefix(github.com/gardener/logging)
+        - prefix(github.com/gardener/logging/v1)

.hyperspace/pull_request_bot.json

@@ -11,7 +11,7 @@
     },
     "review": {
       "auto_generate_review": false,
-      "use_custom_review_focus": false
+      "use_custom_review_focus": true
     }
   }
 }

.hyperspace/pull_request_bot_review_focus.md

@@ -0,0 +1,94 @@
+# Review Philosophy
+
+- Comment only when there is **high confidence (>80%)** that an issue, risk, or meaningful improvement exists. Avoid speculative or low-impact feedback.
+- Prioritize **signal over noise**. If a comment does not clearly improve correctness, readability, performance, security, or maintainability, do not leave it.
+- Be **concise and direct**. Prefer a single, well-phrased sentence per comment whenever possible.
+- Focus on **actionable feedback**. Each comment should either explain *what* is wrong, *why* it matters, or *how* to improve it.
+- Avoid restating what the code already does. Assume the author can read the code.
+- When reviewing text or documentation:
+  - Comment only if the wording is **genuinely ambiguous, misleading, or likely to cause incorrect usage**.
+  - Do not suggest stylistic or subjective wording changes unless they materially improve clarity or prevent misunderstanding.
+- Treat every review as if the code will be **maintained by someone else six months from now**.
+
+## Priority Areas (Review These First)
+
+Focus review effort on the areas below, in order of **risk and long-term impact**.
+Deprioritize minor style or preference-based issues unless they materially affect maintainability.
+
+---
+
+### Security & Safety
+
+- Unsafe code blocks **without clear justification, scope, or documented invariants**.
+- Command injection risks involving shell execution, dynamic commands, or unsanitized user input.
+- Path traversal vulnerabilities when handling file paths, URLs, or external input.
+- Credential exposure, hardcoded secrets, tokens, API keys, or sensitive configuration values.
+- Missing or insufficient input validation on **external or untrusted data sources**.
+- Improper error handling that could **leak sensitive information** through logs, error messages, or responses.
+- Security-sensitive behavior that is implicit, undocumented, or relies on assumptions not enforced in code.
+
+---
+
+### Correctness Issues
+
+- Logic errors that could lead to panics, crashes, undefined behavior, or incorrect results.
+- Race conditions, shared-state issues, or unsafe access patterns in concurrent or async code.
+- Resource leaks involving files, network connections, locks, or memory.
+- Boundary issues such as off-by-one errors, empty states, or unhandled edge cases.
+- Incorrect error propagation
+- Optional types used where a value is guaranteed or required, adding unnecessary complexity.
+- Error context that does not meaningfully improve debuggability or understanding.
+- Overly defensive code that adds checks without realistic failure modes.
+- Comments that restate obvious behavior instead of explaining **why** something exists.
+
+---
+
+### Architecture & Patterns
+
+- Code that violates established patterns, conventions, or architectural decisions in the codebase.
+- Missing or inconsistent error handling where a standard approach is already used
+- Misuse of async/await, including blocking operations inside async contexts.
+- Improper or incomplete trait implementations that break expectations or contracts.
+- Abstractions that increase complexity without reducing duplication or improving clarity.
+- Public APIs that expose unnecessary surface area or leak internal implementation details.
+
+## Skip These (Low Value)
+
+Do **not** leave review comments for the following, unless they directly impact
+correctness, security, or long-term maintainability:
+
+- Style or formatting concerns handled by automated tools (`go fmt`, Prettier).
+- Minor naming preferences that do not materially improve clarity or correctness.
+- Suggestions to add comments when the code is already self-explanatory.
+- Refactoring proposals unless they fix a real bug, remove duplicated logic, or significantly reduce complexity.
+- Logging suggestions unless they are required for **security, auditing, or critical observability gaps**.
+- Pedantic wording or text accuracy nitpicks unless misunderstanding could lead to incorrect usage or bugs.
+
+When in doubt, **err on the side of silence**.
+
+## Response Format
+
+Use the following structure for every review comment.
+Do not deviate unless brevity clearly improves clarity.
+
+1. **State the problem**
+   - One clear sentence describing the concrete issue.
+   - Avoid speculation or vague phrasing.
+
+2. **Why it matters** (optional)
+   - One sentence explaining impact (correctness, safety, maintainability, or developer experience).
+   - Omit this step if the impact is obvious.
+
+3. **Suggested fix**
+   - Provide a specific action, code snippet, or alternative approach.
+   - Prefer minimal, localized changes over broad refactors.
+
+## When to Stay Silent
+
+- If you are **not confident** that something is an actual issue, do not comment.
+- Do not speculate or ask hypothetical questions disguised as feedback.
+- Silence is preferred over low-confidence, low-impact, or opinion-based comments.
+- If an issue depends on missing context and cannot be verified from the diff, assume the author has context and stay silent.
+- Only break silence when uncertainty itself creates a **real risk** (e.g., potential security, data loss, or correctness issues).
+
+Default to restraint. A good review is measured by **impact**, not comment count.

Dockerfile

@@ -5,7 +5,7 @@ WORKDIR /go/src/github.com/gardener/logging
 
 COPY . .
 RUN go mod download
-RUN make plugin copy curator event-logger
+RUN make plugin copy event-logger
 
 ############# distroless-static
 FROM gcr.io/distroless/static-debian12:nonroot AS distroless-static
@@ -29,16 +29,6 @@ WORKDIR /
 
 CMD ["-e", "/fluent-bit/plugins/output_plugin.so", "-c", "/fluent-bit/config/fluent-bit.conf"]
 
-#############      curator       #############
-FROM distroless-static AS curator
-
-COPY --from=builder /go/src/github.com/gardener/logging/build/curator /curator
-
-WORKDIR /
-EXPOSE 2718
-
-ENTRYPOINT [ "/curator" ]
-
 #############      eventlogger       #############
 FROM distroless-static AS event-logger
 
@@ -48,58 +38,6 @@ WORKDIR /
 
 ENTRYPOINT [ "/event-logger" ]
 
-#############      telegraf-builder       #############
-FROM golang:1.25.5 AS telegraf-builder
-RUN git clone --depth 1 --branch v1.26.0 https://github.com/influxdata/telegraf.git
-WORKDIR /go/telegraf
-ARG TARGETOS
-ARG TARGETARCH
-RUN --mount=type=cache,target="/root/.cache/go-build" CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} make build
-
-#############      iptables-builder       #############
-FROM alpine:3.23.2 AS iptables-builder
-
-RUN apk add --update bash sudo iptables ncurses-libs libmnl && \
-    rm -rf /var/cache/apk/*
-
-WORKDIR /volume
-
-RUN mkdir -p ./bin ./sbin ./lib ./usr/bin ./usr/sbin ./usr/lib ./usr/lib/xtables ./usr/lib/bash ./tmp ./run ./etc/bash ./etc/openvpn ./usr/lib/openvpn/plugins ./etc/iproute2 ./etc/terminfo ./etc/logrotate.d ./etc/network/if-up.d ./usr/share/udhcpc ./etc/ssl/misc ./usr/lib/engines-1.1 ./run ./usr/lib/sudo \
-    && cp -d /lib/ld-musl-* ./lib                                           && echo "package musl" \
-    && cp -d /lib/libc.musl-* ./lib                                         && echo "package musl" \
-    && cp -d -r /etc/terminfo/* ./etc/terminfo                              && echo "package ncurses-terminfo-base" \
-    && cp -d /usr/lib/libformw.so.* ./usr/lib                               && echo "package ncurses-libs" \
-    && cp -d /usr/lib/libmenuw.so.* ./usr/lib                               && echo "package ncurses-libs" \
-    && cp -d /usr/lib/libncursesw.so.* ./usr/lib                            && echo "package ncurses-libs" \
-    && cp -d /usr/lib/libpanelw.so.* ./usr/lib                              && echo "package ncurses-libs" \
-    && cp -d /usr/lib/libreadline.so.* ./usr/lib                            && echo "package readline" \
-    && cp -d /etc/inputrc ./etc                                             && echo "package readline" \
-    && cp -d /bin/bash ./bin                                                && echo "package bash" \
-    && cp -d /etc/bash/bashrc ./etc/bash                                    && echo "package bash" \
-    && cp -d /usr/lib/bash/* ./usr/lib/bash                                 && echo "package bash" \
-    && cp -d /usr/lib/libz.* ./lib                                          && echo "package zlib" \
-    && cp -d /usr/lib/libmnl.* ./usr/lib                                    && echo "package libmnl" \
-    && cp -d /usr/lib/libnftnl* ./usr/lib                                   && echo "package libnftnl" \
-    && cp -d /etc/ethertypes ./etc                                          && echo "package iptables" \
-    && cp -d /usr/sbin/iptables* ./sbin                                     && echo "package iptables" \
-    && cp -d /usr/sbin/xtables* ./sbin                                      && echo "package iptables" \
-    && cp -d /usr/lib/libxtables* ./usr/lib                                 && echo "package iptables" \
-    && cp -d /usr/lib/xtables/* ./usr/lib/xtables                           && echo "package iptables" \
-    && cp -d /usr/lib/sudo/* ./usr/lib/sudo                                 && echo "package sudo" \
-    && cp -d /etc/sudoers ./etc                                             && echo "package sudo" \
-    && cp -d /etc/passwd ./etc                                              && echo "package sudo" \
-    && cp -d /usr/bin/sudo ./usr/sbin                                       && echo "package sudo" \
-    && touch ./run/xtables.lock                                             && echo "create /run/xtables.lock"
-
-#############      telegraf       #############
-FROM scratch AS telegraf
-
-COPY --from=iptables-builder /volume /
-
-COPY --from=telegraf-builder /go/telegraf/telegraf /usr/bin/telegraf
-
-CMD [ "/usr/bin/telegraf"]
-
 #############      tune2fs-builder       #############
 FROM alpine:3.23.2 AS tune2fs-builder
 

Makefile

@@ -5,10 +5,8 @@
 REPO_ROOT                                  := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 VERSION                                    := $(shell cat VERSION)
 REGISTRY                                   ?= europe-docker.pkg.dev/gardener-project/snapshots/gardener
-FLUENT_BIT_TO_VALI_IMAGE_REPOSITORY        := $(REGISTRY)/fluent-bit-to-vali
-FLUENT_BIT_VALI_IMAGE_REPOSITORY           := $(REGISTRY)/fluent-bit-vali
-VALI_CURATOR_IMAGE_REPOSITORY              := $(REGISTRY)/vali-curator
-TELEGRAF_IMAGE_REPOSITORY                  := $(REGISTRY)/telegraf-iptables
+FLUENT_BIT_PLUGIN_IMAGE_REPOSITORY         := $(REGISTRY)/fluent-bit-plugin
+FLUENT_BIT_OUTPUT_IMAGE_REPOSITORY         := $(REGISTRY)/fluent-bit-output
 TUNE2FS_IMAGE_REPOSITORY                   := $(REGISTRY)/tune2fs
 EVENT_LOGGER_IMAGE_REPOSITORY              := $(REGISTRY)/event-logger
 EFFECTIVE_VERSION                          := $(VERSION)-$(shell git rev-parse --short HEAD)
@@ -30,7 +28,7 @@ include hack/tools.mk
 export PATH := $(abspath $(TOOLS_DIR)):$(PATH)
 
 .DEFAULT_GOAL := all
-all: verify plugin curator event-logger
+all: tidy fmt gci plugin event-logger lint
 
 #################################################################
 # Build targets                                                 #
@@ -46,18 +44,6 @@ plugin: tidy
 	  	-ldflags="$(LD_FLAGS)" \
 		./cmd/fluent-bit-output-plugin
 
-.PHONY: curator
-curator: tidy
-	@echo "building $@ for $(BUILD_PLATFORM)/$(BUILD_ARCH)"
-	@GOOS=$(BUILD_PLATFORM) \
-		GOARCH=$(BUILD_ARCH) \
-		CGO_ENABLED=0 \
-		GO111MODULE=on \
-		go build \
-		-o $(REPO_ROOT)/build/curator \
-		-ldflags="$(LD_FLAGS)" \
-		./cmd/vali-curator
-
 .PHONY: event-logger
 event-logger: tidy
 	@echo "building $@ for $(BUILD_PLATFORM)/$(BUILD_ARCH)"
@@ -87,19 +73,11 @@ copy: tidy
 docker-images:
 	@BUILD_ARCH=$(BUILD_ARCH) \
 		$(REPO_ROOT)/hack/docker-image-build.sh "fluent-bit-plugin" \
-		$(FLUENT_BIT_TO_VALI_IMAGE_REPOSITORY) $(IMAGE_TAG)
+		$(FLUENT_BIT_PLUGIN_IMAGE_REPOSITORY) $(IMAGE_TAG)
 
 	@BUILD_ARCH=$(BUILD_ARCH) \
 		$(REPO_ROOT)/hack/docker-image-build.sh "fluent-bit-output" \
-		$(FLUENT_BIT_VALI_IMAGE_REPOSITORY) $(IMAGE_TAG)
-
-	@BUILD_ARCH=$(BUILD_ARCH) \
-		$(REPO_ROOT)/hack/docker-image-build.sh "curator" \
-		$(VALI_CURATOR_IMAGE_REPOSITORY) $(IMAGE_TAG)
-
-	@BUILD_ARCH=$(BUILD_ARCH) \
-		$(REPO_ROOT)/hack/docker-image-build.sh "telegraf" \
-		$(TELEGRAF_IMAGE_REPOSITORY) $(IMAGE_TAG)
+		$(FLUENT_BIT_OUTPUT_IMAGE_REPOSITORY) $(IMAGE_TAG)
 
 	@BUILD_ARCH=$(BUILD_ARCH) \
 		$(REPO_ROOT)/hack/docker-image-build.sh "event-logger" \
@@ -112,13 +90,7 @@ docker-images:
 .PHONY: docker-push
 docker-push:
 	@$(REPO_ROOT)/hack/docker-image-push.sh "fluent-bit-plugin" \
-	$(FLUENT_BIT_TO_VALI_IMAGE_REPOSITORY) $(IMAGE_TAG)
-
-	@$(REPO_ROOT)/hack/docker-image-push.sh "curator" \
-	$(VALI_CURATOR_IMAGE_REPOSITORY) $(IMAGE_TAG)
-
-	@$(REPO_ROOT)/hack/docker-image-push.sh "telegraf" \
-	$(TELEGRAF_IMAGE_REPOSITORY) $(IMAGE_TAG)
+	$(FLUENT_BIT_PLUGIN_IMAGE_REPOSITORY) $(IMAGE_TAG)
 
 	@$(REPO_ROOT)/hack/docker-image-push.sh "event-logger" \
 	$(EVENT_LOGGER_IMAGE_REPOSITORY) $(IMAGE_TAG) $(EFFECTIVE_VERSION)
@@ -135,7 +107,7 @@ tidy:
 	@go mod tidy
 
 .PHONY: check
-check: tidy fmt gci lint
+check: tidy fmt gci
 
 .PHONY: fmt
 fmt: tidy
@@ -150,7 +122,7 @@ gci: tidy
 	@go tool gci write $(GCI_OPT) $(SRC_DIRS)
 
 .PHONY: lint
-check: tidy
+lint: tidy
 	@echo "Running lint..."
 	 @go tool golangci-lint run \
 	 	--config=$(REPO_ROOT)/.golangci.yaml \
@@ -184,24 +156,3 @@ add-license-headers: tidy
 .PHONY: clean
 clean:
 	@rm -rf $(REPO_ROOT)/build
-
-#########################################
-# Tools                                 #
-#########################################
-.PHONY: kind-up
-kind-up: tidy $(KUBECTL)
-	@$(REPO_ROOT)/hack/kind-up.sh
-
-#########################################
-# skaffold pipeline scenarios           #
-#########################################
-skaffold-%: export KUBECONFIG = $(REPO_ROOT)/example/kind/kubeconfig
-
-.PHONY: skaffold-run
-skaffold-run: $(SKAFFOLD)
-	@$(SKAFFOLD) run --kubeconfig=$(KUBECONFIG)
-
-# skaffold-dev target requires that skaffold run has been run
-.PHONY: skaffold-dev
-skaffold-dev: $(SKAFFOLD)
-	@$(SKAFFOLD) dev --kubeconfig=$(KUBECONFIG)